rcs-backdoor 8.0.1

data/lib/rcs-backdoor/config.rb

@@ -0,0 +1,42 @@
+#
+# Configuration parser
+#
+
+# RCS::Common
+require 'rcs-common/trace'
+require 'rcs-common/crypt'
+
+module RCS
+  
+class Config
+  include Crypt
+  include RCS::Tracer
+  @content = ""
+  
+  def initialize(backdoor, buff)
+    @backdoor = backdoor
+    @content = buff
+    trace :info, "Configuration size is #{@content.length}"
+  end
+  
+  def dump_to_file
+    
+    # dump the configuration still encrypted
+    str = './' + @backdoor.id + "_config.enc"
+    f = File.new(str, File::CREAT | File::TRUNC | File::RDWR, 0644)
+    f.write @content
+    f.close
+    trace :debug, str + " created."
+    
+    # dump the configuration in clear
+    str = './' + @backdoor.id + "_config.dec"
+    f = File.new(str, File::CREAT | File::TRUNC | File::RDWR, 0644)
+    f.write aes_decrypt(@content, @backdoor.conf_key)
+    f.close
+    trace :debug, str + " created."
+    
+  end
+  
+end
+
+end # RCS::

data/lib/rcs-backdoor/protocol.rb

@@ -0,0 +1,108 @@
+#
+# Implementation of the communication protocol
+#
+
+# Relatives
+require_relative 'transport.rb'
+require_relative 'command.rb'
+
+# RCS::Common
+require 'rcs-common/trace'
+
+# System
+require 'ostruct'
+
+module RCS
+module Backdoor
+  
+class Protocol
+  include Tracer
+  include Command 
+  
+  # used by the Command module
+  attr_reader :transport
+  attr_accessor :sync
+  
+  def initialize(type, sync)
+    case type
+      when :REST
+        trace :debug, "REST Protocol selected"
+        @transport = Transport.new(:HTTP)
+      when :RESTS
+        trace :debug, "REST SSL Protocol selected"
+        @transport = Transport.new(:HTTPS)
+      when :ASP, :RSSM
+        trace :warn, "#{type} Protocol selected..."
+        raise "You must be kidding... :)"
+      else
+        raise "Unsupported Protocol"
+    end  
+    @sync = sync
+  end
+  
+  def perform(host)
+
+    begin
+
+      start = Time.now
+
+      # connection to the remote host
+      @transport.connect_to host
+      
+      # Mixed-in functions
+      
+      # authenticate with the Collector
+      # this step will produce the cryptographic session key
+      # we can also receive an uninstall command
+      authenticate @sync.backdoor
+      
+      # send the deviceID, userID, sourceID
+      # we will receive the list of available element on the collector 
+      available = send_id @sync.backdoor
+      
+      # receive the new configuration
+      receive_config @sync.backdoor if available.include? PROTO_CONF
+
+      # ask for the purge
+      receive_purge if available.include? PROTO_PURGE
+
+      # receive the upgrade
+      receive_upgrade if available.include? PROTO_UPGRADE
+
+      # receive the files in the upload queue
+      receive_uploads if available.include? PROTO_UPLOAD
+
+      # receive the list of commands to be executed
+      receive_exec if available.include? PROTO_EXEC
+
+      # receive the list of files to be downloaded
+      receive_downloads if available.include? PROTO_DOWNLOAD
+      
+      # receive the list of paths to be scanned
+      receive_filesystems if available.include? PROTO_FILESYSTEM
+
+      # send the size of the evidence queue
+      send_evidence_size @sync.backdoor.evidences
+
+      # send the agent's collected evidences
+      send_evidence @sync.backdoor.evidences unless @sync.backdoor.evidences.empty?
+      
+      # terminate the protocol
+      bye
+      
+      # clean up
+      @transport.disconnect
+
+      trace :warn, "Total Time is #{Time.now - start} sec"
+
+    rescue Exception => detail
+      trace :fatal, "ERROR: " << detail.to_s
+      raise
+    end
+    
+  end
+
+end
+
+end # Backdoor::
+end # RCS::

data/lib/rcs-backdoor/sync.rb

@@ -0,0 +1,41 @@
+#
+# The sync object is responsible for the synchronization
+# with the RCSCollector
+#
+
+# RCS::Common
+require 'rcs-common/trace'
+
+# System
+require 'ostruct'
+
+module RCS
+module Backdoor
+  
+class Sync
+  include Tracer
+  attr_accessor :backdoor
+  
+  def initialize(protocol, backdoor)
+    @protocol = Protocol.new(protocol, self)  
+    @backdoor = backdoor
+  end
+  
+  # for now the sync is a mere wrapper to protocol
+  # in the future it could contain other actions
+  def perform(host)
+    trace :info, "Synching with " << host
+    
+    # setup the parameters
+    @protocol.sync = self
+    
+    # execute the sync protocol
+    @protocol.perform host
+    
+    trace :info, "Sync ended"
+  end
+  
+end
+
+end # Backdoor::
+end # RCS::

data/lib/rcs-backdoor/transport.rb

@@ -0,0 +1,113 @@
+#
+# Implementation of the transport layer (HTTP in our case)
+#
+
+# RCS::Common
+require 'rcs-common/trace'
+
+# System
+require 'net/http'
+require 'timeout'
+
+module RCS
+module Backdoor
+
+class Transport
+  include Tracer
+
+  OPEN_TIMEOUT = 600
+  READ_TIMEOUT = 600
+
+  def initialize(param)
+    trace :debug, "Protocol initialized #{param}"
+    @host_param = param
+    init_host(param)
+  end
+
+  def init_host(param)
+    case param
+      when :HTTP
+        @host = "http://"
+        @ssl = false
+      when :HTTPS
+        @host = "https://"
+        @ssl = true
+      else
+        raise "Unsupported Transport"
+    end
+  end
+
+  # connection to the remote host
+  # for the REST protocol (HTTP) we don't have a persistent connection
+  # to the sync server, just instantiate the objects here and make
+  # an HTTP request every message
+  def connect_to(host)
+    Net::HTTP.version_1_2
+    init_host(@host_param)
+    @host << host << "/service"
+    
+    trace_named_put(:host, @host)
+    
+    @uri = URI.parse(@host)
+    trace :info, "Connecting to: " << @host
+    @cookie = nil
+        
+    # the HTTP connection (better to instantiate it here, only once)
+    @http = Net::HTTP.new(@uri.host, @uri.port)
+    @http.use_ssl = @ssl
+    @http.open_timeout = OPEN_TIMEOUT
+    @http.read_timeout = READ_TIMEOUT
+    #@http.set_debug_output $stderr
+    # start the HTTP connection (needed for keep-alive option)
+    # without this, the connection will be closed after the first request
+    # see this: http://redmine.ruby-lang.org/issues/4522
+    @http.start
+  end
+
+  # every message is an HTTP POST request.
+  # the protocol is always write and read.
+  def message(msg)
+    
+    # the REST protocol is always a POST
+    request = Net::HTTP::Post.new(@uri.request_uri)
+    
+    # the message body
+    request.body = msg
+    request['Content-Type'] = "application/octet-stream"
+    
+    # set the cookie if we already have it (got from the Auth phase)
+    request['Cookie'] = @cookie unless @cookie.nil?
+
+    # keep the connection open for faster communication
+    request['Connection'] = 'Keep-Alive'
+
+    #request['X-Forwarded-For'] = '1.2.3.4'
+
+    res = nil
+
+    # fire !
+    Timeout::timeout(READ_TIMEOUT) do
+      res = @http.request(request)
+    end
+    
+    #trace :debug, "Cookie: " << res['Set-Cookie'] unless res['Set-Cookie'].nil?
+    
+    # save the cookie for later use
+    @cookie = res['Set-Cookie'] unless res['Set-Cookie'].nil?
+    trace_named_put(:cookie, @cookie)
+    
+    return res.body
+  end
+
+  # nothing to do here for HTTP connections
+  def disconnect
+    @cookie = nil
+    trace_named_remove(:cookie)
+    trace_named_remove(:host)
+    trace :info, "End point closed: " << @host
+  end
+
+end
+
+end # Backdoor::
+end # RCS::

data/lib/rcs-backdoor/version.rb

@@ -0,0 +1,5 @@
+module RCS
+  module Backdoor
+    VERSION = "8.0.1"
+  end
+end

data/rcs-backdoor.gemspec

@@ -0,0 +1,28 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "rcs-backdoor/version"
+
+Gem::Specification.new do |s|
+  s.name        = "rcs-backdoor"
+  s.version     = RCS::Backdoor::VERSION
+  s.authors     = ["alor"]
+  s.email       = ["alor@hackingteam.it"]
+  s.homepage    = ""
+  s.summary     = %q{rcs-backdoor}
+  s.description = %q{Simulate a backdoor in ruby}
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  s.add_development_dependency "pry"
+  s.add_development_dependency "test-unit"
+  s.add_development_dependency "colorize"
+
+  s.add_dependency "mail"
+  s.add_dependency "log4r", ">= 1.1.9"
+  s.add_dependency "rcs-common"
+  s.add_dependency "bdb"
+  s.add_dependency "sbdb"
+end

metadata

@@ -0,0 +1,182 @@
+--- !ruby/object:Gem::Specification
+name: rcs-backdoor
+version: !ruby/object:Gem::Version
+  version: 8.0.1
+platform: ruby
+authors:
+- alor
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-07-07 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: test-unit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: colorize
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mail
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: log4r
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.1.9
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.1.9
+- !ruby/object:Gem::Dependency
+  name: rcs-common
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bdb
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sbdb
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Simulate a backdoor in ruby
+email:
+- alor@hackingteam.it
+executables:
+- binary.yaml
+- config.yaml
+- ident.yaml
+- rcs-backdoor
+- rcs-backdoor-add
+- rcs-backdoor-multi
+- trace.yaml
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- LICENSE.txt
+- Rakefile
+- bin/binary.yaml
+- bin/config.yaml
+- bin/ident.yaml
+- bin/rcs-backdoor
+- bin/rcs-backdoor-add
+- bin/rcs-backdoor-multi
+- bin/trace.yaml
+- lib/rcs-backdoor.rb
+- lib/rcs-backdoor/backdoor.rb
+- lib/rcs-backdoor/command.rb
+- lib/rcs-backdoor/config.rb
+- lib/rcs-backdoor/protocol.rb
+- lib/rcs-backdoor/sync.rb
+- lib/rcs-backdoor/transport.rb
+- lib/rcs-backdoor/version.rb
+- rcs-backdoor.gemspec
+homepage: ''
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.8
+signing_key: 
+specification_version: 4
+summary: rcs-backdoor
+test_files: []