WTF

A sample of hiding a payload in UEFI vars that persists in initramfs and then injects into auditd to make malicious processes invisible.

How to Play

on attacker machine
1. make
2. copy splat to target
on target
1. run splat as root
2. reboot target
3. use timerslack.pl to set your timerslack and become invisible to auditd

Moving Parts

ORDER/order.h - ORDER for hooks

ORDER is a file in initramfs that specifies order of hooks, but in this case, runs stage1

splat - Infection Utility

Run to infect system. Everything needed for infection is included:

stage1
stage2
- payload

injected.so - Injected Dyanmic Library Payload to auditd

Clobbers the fprintf symbol and keeps your tagged processes out of the audit log.

payload.asm - Shellcode Injected into auditd

Fixup registers due to internal libc dlopen required 16byte aligned stack entry.
call glibc's __libc_dlopen_mode
jmp back to return value

stage2d - Daemon Spawned in initramfs

The executable stage2.

survive MS_MOVE in initramfs
fanotify on systemd-sysctl
ptrace inject into autid
host injected.so in memfd
coerce auditd to dlopen() injected.so in memfd
exit

stage1

Takes stage2 out of UEFI var, uncompresses, jams it into memfd, and execs stage2

stage2

Gzipped stage2d executable

loader.c - Loader Contained in Stage2d to Inject into auditd

This code uses code adapted from https://github.com/eklitzke/ptrace-call-userspace, a fantastic bit of code from Evan Klitzke used under the ISC license.

ptrace auditd
coerce auitd to call memfd_create
find __libc_dlopen_mode
write injected.so into auditd's memfd
coerce auditd to call mmap
write payload into page returned from mmap
set rip to point to shellcode
release process

libptrace_do.[ch]

Fantastic lib from @emptymonkey. https://github.com/emptymonkey/ptrace_do

Used under terms in MIT license

busybox.h - a Literal Copy of Static busybox

Used in debugging to get a shell in the initramfs. You will need to have installed busyboxy-static package. Enable by defining EMBED_SHELL to 1 and get a local bind shell on port 1111. Note that it will no longer fit into a UEFI variable because busyboxy is gigantic. Use make install and debug_utils/install.sh infect.

z.[ch] - Simple Wrapper Around zlib

Just a simple convenience function around zlib

timerslack.pl - Perl Script to Set Your timerslack

Simple wrapper around the prtcl(PR_SET_TIMERSLACK). Scoff all you want, but chances are, perl is there when you land.

Get an operator friendly version like so:

echo "use the following:"
echo -n "echo '"
cat timerslack.pl|tr -d '\n'
echo "'|perl"

Which produces:

use the following:
echo 'require("syscall.ph");syscall(&SYS_prctl,29,50001);exec("/bin/bash");'|perl

fengjixuchui / linooxmalware Goto Github PK

linooxmalware's Introduction

WTF