Infect target with .deb package

I. Tactic?

II. Tools

  • devscripts to build the package
  • dh-make to create the Debian package skeleton quickly
  • metasploit-framework for the backdoor
  • neovim as text editor

III. Walkthrough

1. Create malware

2. Create the Debian package

3. Start packaging

a. Write the installation path of the malware

b. Make the control file

c. Edit the copyright file (so the package is a valid Debian package)

d. Edit the changelog file (so the package is a valid Debian package)

e. Remove some unused scripts

4. Test-build the package; got a dh_strip error

Fix dh_strip in rules

Test build again. Success

Test-execute the malware from demo/debian/demo/opt/. The malware runs and msf catches the session

5. Infect machine

Create a postinst file that runs the malware after the package is installed

Build and install package

Get a connection

Meterpreter has root permissions

In the rules file, the attacker can append an ampersand (&) so the script runs in the background

The installation no longer hangs

The connection after install

How it looks with apt

Further: Persistence

Attacker can:

  • Write a startup script (create a launcher in /etc/xdg/autostart/) → works for desktop users who run a DE
  • Create cronjob
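From the defender's side, here is an added example (not part of the original post) that audits a .deb before it is installed: it parses the ar container, pulls the maintainer scripts out of control.tar.*, and flags the two behaviours described above, a postinst that backgrounds a binary dropped under /opt (step 5) and a script that writes to cron or autostart locations (the persistence list). The .deb it audits is constructed in memory and the risk patterns are my own heuristics, not a dpkg feature.

```python
import io, re, tarfile
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}  # dpkg runs these as root
RISK_PATTERNS = {  # constructed heuristics for what a package-dropped backdoor tends to need
    "backgrounded command": re.compile(r"\S\s*&\s*$|\bnohup\b|\bsetsid\b", re.M),
    "path under /opt or /tmp": re.compile(r"(?:^|\s)/(?:opt|tmp)/\S+"),
    "touches cron or autostart": re.compile(r"/etc/cron|/etc/xdg/autostart|\bcrontab\b"),
}

def ar_members(data):
    """Yield (name, bytes) for each member of an ar archive; a .deb is one."""
    assert data.startswith(b"!<arch>\n"), "not an ar archive"
    pos = 8
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]                      # fixed 60-byte ASCII header
        name = hdr[:16].decode().strip().rstrip("/")
        size = int(hdr[48:58])
        yield name, data[pos + 60:pos + 60 + size]
        pos += 60 + size + size % 2                   # members are 2-byte aligned

def maintainer_scripts(deb):
    """Return {name: text} for maintainer scripts in control.tar.* (gz/bz2/xz)."""
    out = {}
    for name, body in ar_members(deb):
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tar:
                for m in tar.getmembers():
                    base = m.name.lstrip("./")
                    if m.isfile() and base in MAINTAINER_SCRIPTS:
                        out[base] = tar.extractfile(m).read().decode(errors="replace")
    return out

def audit_deb(deb):
    """Map each maintainer script to the indicators it triggers (empty dict = clean)."""
    hits = {s: [label for label, rx in RISK_PATTERNS.items() if rx.search(text)]
            for s, text in maintainer_scripts(deb).items()}
    return {s: h for s, h in hits.items() if h}

def build_sample_deb(postinst):
    """Construct a minimal .deb in memory (test input for this example, not a real package)."""
    ctrl = io.BytesIO()
    with tarfile.open(fileobj=ctrl, mode="w:gz") as tar:
        for fname, text in (("./control", "Package: demo\nVersion: 0.1\n"), ("./postinst", postinst)):
            info, data = tarfile.TarInfo(fname), text.encode()
            info.size, info.mode = len(data), 0o755
            tar.addfile(info, io.BytesIO(data))
    def member(name, body):                           # one ar entry, padded to even length
        hdr = f"{name:<16}{'0':<12}{'0':<6}{'0':<6}{'100644':<8}{len(body):<10}`\n".encode()
        return hdr + body + (b"\n" if len(body) % 2 else b"")
    return b"!<arch>\n" + member("debian-binary", b"2.0\n") + member("control.tar.gz", ctrl.getvalue())
```

Run audit_deb on the bytes of a downloaded package before dpkg -i; anything it reports deserves a manual read of the script, since maintainer scripts execute as root during install.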

Further: Real life attack

  • Repackage any valid packages from Debian