rcs-backdoor 8.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/.gitignore +56 -0
- data/Gemfile +6 -0
- data/LICENSE.txt +20 -0
- data/Rakefile +21 -0
- data/bin/binary.yaml +16 -0
- data/bin/config.yaml +2 -0
- data/bin/ident.yaml +12 -0
- data/bin/rcs-backdoor +16 -0
- data/bin/rcs-backdoor-add +115 -0
- data/bin/rcs-backdoor-multi +25 -0
- data/bin/trace.yaml +32 -0
- data/lib/rcs-backdoor.rb +2 -0
- data/lib/rcs-backdoor/backdoor.rb +326 -0
- data/lib/rcs-backdoor/command.rb +567 -0
- data/lib/rcs-backdoor/config.rb +42 -0
- data/lib/rcs-backdoor/protocol.rb +108 -0
- data/lib/rcs-backdoor/sync.rb +41 -0
- data/lib/rcs-backdoor/transport.rb +113 -0
- data/lib/rcs-backdoor/version.rb +5 -0
- data/rcs-backdoor.gemspec +28 -0
- metadata +182 -0
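--- a/data/lib/rcs-backdoor/config.rb
+++ b/data/lib/rcs-backdoor/config.rb
@@ -0,0 +1,42 @@
+#
+# Configuration parser
+#
+
+# RCS::Common
+require 'rcs-common/trace'
+require 'rcs-common/crypt'
+
+module RCS
+
+class Config
+include Crypt
+include RCS::Tracer
+@content = ""
+
+def initialize(backdoor, buff)
+@backdoor = backdoor
+@content = buff
+trace :info, "Configuration size is #{@content.length}"
+end
+
+def dump_to_file
+
+# dump the configuration still encrypted
+str = './' + @backdoor.id + "_config.enc"
+f = File.new(str, File::CREAT | File::TRUNC | File::RDWR, 0644)
+f.write @content
+f.close
+trace :debug, str + " created."
+
+# dump the configuration in clear
+str = './' + @backdoor.id + "_config.dec"
+f = File.new(str, File::CREAT | File::TRUNC | File::RDWR, 0644)
+f.write aes_decrypt(@content, @backdoor.conf_key)
+f.close
+trace :debug, str + " created."
+
+end
+
+end
+
+end # RCS::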
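Review bot: `dump_to_file` writes the decrypted configuration to `./<id>_config.dec` with mode 0644, so the plaintext lands world-readable in whatever directory the tool happens to run from, and because `File.new` plus a trailing `f.close` is used instead of the block form, the handle is never closed if `aes_decrypt` raises before `f.close`. Use `File.open(str, 'wb', 0600) { |f| f.write aes_decrypt(@content, @backdoor.conf_key) }` (and the same block form for the `.enc` dump) so the file is closed on every path and readable only by the owner. `@backdoor.id` is spliced into the path unvalidated; whether it can contain a path separator is not visible in this diff, so that is worth confirming where the id is produced. The class-level `@content = ""` is a class instance variable that no instance method reads and can be dropped.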
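--- a/data/lib/rcs-backdoor/protocol.rb
+++ b/data/lib/rcs-backdoor/protocol.rb
@@ -0,0 +1,108 @@
+#
+# Implementation of the communication protocol
+#
+
+# Relatives
+require_relative 'transport.rb'
+require_relative 'command.rb'
+
+# RCS::Common
+require 'rcs-common/trace'
+
+# System
+require 'ostruct'
+
+module RCS
+module Backdoor
+
+class Protocol
+include Tracer
+include Command
+
+# used by the Command module
+attr_reader :transport
+attr_accessor :sync
+
+def initialize(type, sync)
+case type
+when :REST
+trace :debug, "REST Protocol selected"
+@transport = Transport.new(:HTTP)
+when :RESTS
+trace :debug, "REST SSL Protocol selected"
+@transport = Transport.new(:HTTPS)
+when :ASP, :RSSM
+trace :warn, "#{type} Protocol selected..."
+raise "You must be kidding... :)"
+else
+raise "Unsupported Protocol"
+end
+@sync = sync
+end
+
+def perform(host)
+
+begin
+
+start = Time.now
+
+# connection to the remote host
+@transport.connect_to host
+
+# Mixed-in functions
+
+# authenticate with the Collector
+# this step will produce the cryptographic session key
+# we can also receive an uninstall command
+authenticate @sync.backdoor
+
+# send the deviceID, userID, sourceID
+# we will receive the list of available element on the collector
+available = send_id @sync.backdoor
+
+# receive the new configuration
+receive_config @sync.backdoor if available.include? PROTO_CONF
+
+# ask for the purge
+receive_purge if available.include? PROTO_PURGE
+
+# receive the upgrade
+receive_upgrade if available.include? PROTO_UPGRADE
+
+# receive the files in the upload queue
+receive_uploads if available.include? PROTO_UPLOAD
+
+# receive the list of commands to be executed
+receive_exec if available.include? PROTO_EXEC
+
+# receive the list of files to be downloaded
+receive_downloads if available.include? PROTO_DOWNLOAD
+
+# receive the list of paths to be scanned
+receive_filesystems if available.include? PROTO_FILESYSTEM
+
+# send the size of the evidence queue
+send_evidence_size @sync.backdoor.evidences
+
+# send the agent's collected evidences
+send_evidence @sync.backdoor.evidences unless @sync.backdoor.evidences.empty?
+
+# terminate the protocol
+bye
+
+# clean up
+@transport.disconnect
+
+trace :warn, "Total Time is #{Time.now - start} sec"
+
+rescue Exception => detail
+trace :fatal, "ERROR: " << detail.to_s
+raise
+end
+
+end
+
+end
+
+end # Backdoor::
+end # RCS::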
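Review bot: `perform` rescues `Exception`, which also catches `Interrupt`, `SystemExit` and `SignalException`, so a Ctrl-C during a long sync is logged as a fatal `ERROR:` before propagating; `rescue StandardError => detail` is the scope that matches the intent of the comment. `@transport.disconnect` is reached only on the success path, so any failure between `connect_to` and `bye` leaves the transport connected and the `:host`/`:cookie` trace names set; moving it under `ensure` (`ensure` / `@transport.disconnect`) fixes that, and since `disconnect` only clears `@cookie`, the trace names and logs `@host` (set in `initialize`), it is safe to call even when `connect_to` itself raised. The explicit `begin … end` around the whole body can then become a method-level `rescue`/`ensure`. `authenticate`, `send_id`, the `receive_*`/`send_*` helpers and the `PROTO_*` constants come from the mixed-in `Command` module in `command.rb`, which is not shown here, so the per-step failure behaviour is not reviewable from this diff.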
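--- a/data/lib/rcs-backdoor/sync.rb
+++ b/data/lib/rcs-backdoor/sync.rb
@@ -0,0 +1,41 @@
+#
+# The sync object is responsible for the synchronization
+# with the RCSCollector
+#
+
+# RCS::Common
+require 'rcs-common/trace'
+
+# System
+require 'ostruct'
+
+module RCS
+module Backdoor
+
+class Sync
+include Tracer
+attr_accessor :backdoor
+
+def initialize(protocol, backdoor)
+@protocol = Protocol.new(protocol, self)
+@backdoor = backdoor
+end
+
+# for now the sync is a mere wrapper to protocol
+# in the future it could contain other actions
+def perform(host)
+trace :info, "Synching with " << host
+
+# setup the parameters
+@protocol.sync = self
+
+# execute the sync protocol
+@protocol.perform host
+
+trace :info, "Sync ended"
+end
+
+end
+
+end # Backdoor::
+end # RCS::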
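Review bot: `perform` re-assigns `@protocol.sync = self` on every call although `initialize` already handed `self` to `Protocol.new`, so the "setup the parameters" step is a no-op and its comment misleads; either drop those two lines or document the case it is meant for (a `Protocol` shared between several `Sync` objects, which nothing here shows). `require 'ostruct'` is not used anywhere in this file. `"Synching with " << host` relies on the literal being mutable; `trace :info, "Synching with #{host}"` says the same thing without that dependency and survives a future `# frozen_string_literal: true`.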
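--- a/data/lib/rcs-backdoor/transport.rb
+++ b/data/lib/rcs-backdoor/transport.rb
@@ -0,0 +1,113 @@
+#
+# Implementation of the transport layer (HTTP in our case)
+#
+
+# RCS::Common
+require 'rcs-common/trace'
+
+# System
+require 'net/http'
+require 'timeout'
+
+module RCS
+module Backdoor
+
+class Transport
+include Tracer
+
+OPEN_TIMEOUT = 600
+READ_TIMEOUT = 600
+
+def initialize(param)
+trace :debug, "Protocol initialized #{param}"
+@host_param = param
+init_host(param)
+end
+
+def init_host(param)
+case param
+when :HTTP
+@host = "http://"
+@ssl = false
+when :HTTPS
+@host = "https://"
+@ssl = true
+else
+raise "Unsupported Transport"
+end
+end
+
+# connection to the remote host
+# for the REST protocol (HTTP) we don't have a persistent connection
+# to the sync server, just instantiate the objects here and make
+# an HTTP request every message
+def connect_to(host)
+Net::HTTP.version_1_2
+init_host(@host_param)
+@host << host << "/service"
+
+trace_named_put(:host, @host)
+
+@uri = URI.parse(@host)
+trace :info, "Connecting to: " << @host
+@cookie = nil
+
+# the HTTP connection (better to instantiate it here, only once)
+@http = Net::HTTP.new(@uri.host, @uri.port)
+@http.use_ssl = @ssl
+@http.open_timeout = OPEN_TIMEOUT
+@http.read_timeout = READ_TIMEOUT
+#@http.set_debug_output $stderr
+# start the HTTP connection (needed for keep-alive option)
+# without this, the connection will be closed after the first request
+# see this: http://redmine.ruby-lang.org/issues/4522
+@http.start
+end
+
+# every message is an HTTP POST request.
+# the protocol is always write and read.
+def message(msg)
+
+# the REST protocol is always a POST
+request = Net::HTTP::Post.new(@uri.request_uri)
+
+# the message body
+request.body = msg
+request['Content-Type'] = "application/octet-stream"
+
+# set the cookie if we already have it (got from the Auth phase)
+request['Cookie'] = @cookie unless @cookie.nil?
+
+# keep the connection open for faster communication
+request['Connection'] = 'Keep-Alive'
+
+#request['X-Forwarded-For'] = '1.2.3.4'
+
+res = nil
+
+# fire !
+Timeout::timeout(READ_TIMEOUT) do
+res = @http.request(request)
+end
+
+#trace :debug, "Cookie: " << res['Set-Cookie'] unless res['Set-Cookie'].nil?
+
+# save the cookie for later use
+@cookie = res['Set-Cookie'] unless res['Set-Cookie'].nil?
+trace_named_put(:cookie, @cookie)
+
+return res.body
+end
+
+# nothing to do here for HTTP connections
+def disconnect
+@cookie = nil
+trace_named_remove(:cookie)
+trace_named_remove(:host)
+trace :info, "End point closed: " << @host
+end
+
+end
+
+end # Backdoor::
+end # RCS::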
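Review bot: `disconnect` never calls `@http.finish`, yet `connect_to` opens a keep-alive session with `@http.start`, so the socket stays open after every sync and the comment "nothing to do here for HTTP connections" no longer describes the code; add `@http.finish if @http && @http.started?` before clearing the cookie. `message` wraps `@http.request` in `Timeout::timeout(READ_TIMEOUT)` although `open_timeout` and `read_timeout` are already set on `@http`; the outer `Timeout` raises asynchronously inside Net::HTTP and can leave the keep-alive connection half-read, so it should be removed in favour of the built-in timeouts. `message` also returns `res.body` without looking at the status, so an error page from the server is handed to the protocol layer as if it were a valid message, and it stores the raw `Set-Cookie` header (attributes included) to replay as `Cookie`; a guard such as `raise "HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)` before the cookie handling would surface the failure at the transport. With `use_ssl` enabled nothing here sets `verify_mode`; current net/http defaults to peer verification, but an explicit `@http.verify_mode = OpenSSL::SSL::VERIFY_PEER` would make that intent visible to the next reader.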
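--- a/data/rcs-backdoor.gemspec
+++ b/data/rcs-backdoor.gemspec
@@ -0,0 +1,28 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "rcs-backdoor/version"
+
+Gem::Specification.new do |s|
+s.name = "rcs-backdoor"
+s.version = RCS::Backdoor::VERSION
+s.authors = ["alor"]
+s.email = ["alor@hackingteam.it"]
+s.homepage = ""
+s.summary = %q{rcs-backdoor}
+s.description = %q{Simulate a backdoor in ruby}
+
+s.files = `git ls-files`.split("\n")
+s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
+s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+s.require_paths = ["lib"]
+
+s.add_development_dependency "pry"
+s.add_development_dependency "test-unit"
+s.add_development_dependency "colorize"
+
+s.add_dependency "mail"
+s.add_dependency "log4r", ">= 1.1.9"
+s.add_dependency "rcs-common"
+s.add_dependency "bdb"
+s.add_dependency "sbdb"
+end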
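Review bot: Every runtime dependency except `log4r` (`mail`, `rcs-common`, `bdb`, `sbdb`) is declared without a version constraint, so a fresh install resolves to whatever is newest on the registry and the gem's behaviour can change underneath it; give each at least a pessimistic bound, e.g. `s.add_dependency "rcs-common", "~> <known-good version>"`. `s.executables` is derived from `git ls-files -- bin/*`, which is why the packaged metadata lists `binary.yaml`, `config.yaml`, `ident.yaml` and `trace.yaml` as executables; filter the glob to the actual scripts or move the YAML files out of `bin/`. `s.homepage = ""` and the absence of `s.license` leave the published metadata with `licenses: []` even though `LICENSE.txt` is shipped in the file list.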
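--- a/metadata
+++ b/metadata
@@ -0,0 +1,182 @@
+--- !ruby/object:Gem::Specification
+name: rcs-backdoor
+version: !ruby/object:Gem::Version
+version: 8.0.1
+platform: ruby
+authors:
+- alor
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2015-07-07 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: pry
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: test-unit
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: colorize
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: mail
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: log4r
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 1.1.9
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 1.1.9
+- !ruby/object:Gem::Dependency
+name: rcs-common
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: bdb
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: sbdb
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+description: Simulate a backdoor in ruby
+email:
+- alor@hackingteam.it
+executables:
+- binary.yaml
+- config.yaml
+- ident.yaml
+- rcs-backdoor
+- rcs-backdoor-add
+- rcs-backdoor-multi
+- trace.yaml
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- LICENSE.txt
+- Rakefile
+- bin/binary.yaml
+- bin/config.yaml
+- bin/ident.yaml
+- bin/rcs-backdoor
+- bin/rcs-backdoor-add
+- bin/rcs-backdoor-multi
+- bin/trace.yaml
+- lib/rcs-backdoor.rb
+- lib/rcs-backdoor/backdoor.rb
+- lib/rcs-backdoor/command.rb
+- lib/rcs-backdoor/config.rb
+- lib/rcs-backdoor/protocol.rb
+- lib/rcs-backdoor/sync.rb
+- lib/rcs-backdoor/transport.rb
+- lib/rcs-backdoor/version.rb
+- rcs-backdoor.gemspec
+homepage: ''
+licenses: []
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.4.8
+signing_key:
+specification_version: 4
+summary: rcs-backdoor
+test_files: []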