rcs-backdoor 8.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: fcc4702d14c3b715b9804ba55c711ac85b1e4fe4
+  data.tar.gz: 80df4d159e0df208e1587b92d1aacfff9c84b3ed
+SHA512:
+  metadata.gz: dcac7da44c6ddbd0722ce434818284ea40183338d9d0c782a6eb974b4d10e5d52764052dd3a6b5cb1c9964a52b467ba624fed69228ceaf07a0ff30cd9f1be1be
+  data.tar.gz: 879003d4e72fd9a487bd4dfef841842b9a47e74ca7a5b9a4faa350c32a86bef99085a500ba41021b9dcdad218f799a6a8aefa10de01e9bccc0fcbb34bf785f3e

data/.gitignore

@@ -0,0 +1,56 @@
+# rcov generated
+coverage
+
+# rdoc generated
+rdoc
+
+# yard generated
+doc
+.yardoc
+
+# bundler
+.bundle
+
+# jeweler generated
+pkg
+
+# Have editor/IDE/OS specific files you need to ignore? Consider using a global gitignore: 
+#
+# * Create a file at ~/.gitignore
+# * Include files you want ignored
+# * Run: git config --global core.excludesfile ~/.gitignore
+#
+# After doing this, these files will be ignored in all your git projects,
+# saving you from having to 'pollute' every project you touch with them
+#
+# Not sure what to needs to be ignored for particular editors/OSes? Here's some ideas to get you started. (Remember, remove the leading # of the line)
+#
+# For MacOS:
+#
+.DS_Store
+#
+# For TextMate
+#*.tmproj
+#tmtags
+#
+# For emacs:
+#*~
+#\#*
+#.\#*
+#
+# For vim:
+*.swp
+
+# For RubyMine
+.idea
+
+Gemfile.lock
+
+#evidences
+evidence
+
+# RVM gemset
+.ruby-gemset
+
+*_config.dec
+*_config.enc

data/Gemfile

@@ -0,0 +1,6 @@
+source "http://rubygems.org"
+
+gem "rcs-common", :path => "../rcs-common"
+
+# Specify your gem's dependencies in rcs-backdoor.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2010 ALoR
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,21 @@
+require "bundler/gem_tasks"
+
+def execute(message)
+  print message + '...'
+  STDOUT.flush
+  if block_given? then
+    yield
+  end
+  puts ' ok'
+end
+
+desc "Housekeeping for the project"
+task :clean do
+  execute "Cleaning the evidence directory" do
+    Dir['./evidences/*'].each do |f|
+      File.delete(f)
+    end
+  end
+end
+
+Rake::Task["release"].clear

data/bin/binary.yaml

@@ -0,0 +1,16 @@
+---
+default:
+  BACKDOOR_ID: ALoR0000000001
+  BACKDOOR_TYPE: OSX
+  CONF_KEY: -HcIbnSmrnaXFk6peeZJMx8HFcJPg9Hx
+  EVIDENCE_KEY: Ez2vdMwu6VNQxsSj2OmUhbOzoPwsgJTP
+  SIGNATURE: 4yeN5zu0+il3Jtcb5a1sBcAdjYFcsD9z
+  VERSION: 2013090401
+
+minotauro:
+  BACKDOOR_ID: RCS_0000041952
+  BACKDOOR_TYPE: OSX
+  CONF_KEY: vzDkDLNyjGhs8_DHEZgz0i9RWK7dlHrw
+  EVIDENCE_KEY: 7bzcX8cccAXnpm27DxN84_NnNDHWX688
+  SIGNATURE: 7faa628b44f45e6e1cf1289b87eed01d
+  VERSION: 2013103101

data/bin/config.yaml

@@ -0,0 +1,2 @@
+--- 
+SYNC_HOST: 192.168.1.169

data/bin/ident.yaml

@@ -0,0 +1,12 @@
+---
+default:
+  INSTANCE_ID: 20110602007B6A910E7ECC2E987060DB2FF06CD8
+  USERID: ALoR
+  DEVICEID: 
+  SOURCEID:
+
+minotauro:
+  INSTANCE_ID: 20110602007B6A910E7ECC2E987060DB2FF06CD8
+  USERID: ALoR
+  DEVICEID: 
+  SOURCEID:

data/bin/rcs-backdoor

@@ -0,0 +1,16 @@
+#!/usr/bin/env ruby
+$LOAD_PATH.unshift File.join(File.dirname(__FILE__), '..', 'lib')
+
+require 'bundler/setup'
+
+#begin
+#  Bundler.setup(:default, :development)
+#rescue Bundler::BundlerError => e
+#  $stderr.puts e.message
+#  $stderr.puts "Run `bundle install` to install missing gems"
+#  exit e.status_code
+#end
+
+require 'rcs-backdoor'
+
+exit RCS::Backdoor::Application.run!(*ARGV)

data/bin/rcs-backdoor-add

@@ -0,0 +1,115 @@
+#!/usr/bin/env ruby
+# encoding: utf-8
+
+require 'yaml'
+require 'pry'
+require 'json'
+require 'moped'
+require 'digest/sha1'
+require 'optparse'
+
+ARGV << "--help" if ARGV.empty?
+
+$options = {db_addr: 'localhost'}
+
+OptionParser.new do |parser|
+  parser.banner = "Add configuration entry for a new backdoor"
+
+  parser.on("-d", "--db ADDR", "Default is localhost. Specify db addr") do |addr|
+    $options[:db_addr] = addr
+  end
+
+  parser.on("-n", "--name FACTORY_NAME", "Specify the factory name") do |name|
+    $options[:factory_name] = name
+  end
+end.parse!
+
+def db_address
+  "#{db_host}:27017"
+end
+
+def db_host
+  $options[:db_addr]
+end
+
+def session
+  @session ||= begin
+    session = Moped::Session.new([db_address])
+    session.use('rcs')
+    session
+  end
+end
+
+def can_reach_db?
+  session.collections.count rescue nil
+end
+
+def factory_name
+  $options[:factory_name]
+end
+
+def factory
+  @factory ||= session['items'].find({_kind: 'factory', name: factory_name}).first
+end
+
+def signature
+  doc = session['signatures'].find(scope: 'agent').first
+  doc['value'].to_s if doc
+end
+
+def append_configuration(filename, hash)
+  path = File.expand_path("../#{filename}", __FILE__)
+  raise("Unable to find file #{path}") unless File.exists?(path)
+  raise("#{filename} already has an entry named #{entry_name.inspect}") if File.read(path) =~ /#{entry_name}/i
+
+  File.open(path, 'a') do |f|
+    f.write("\n")
+    f.write("#{entry_name}:\n")
+    hash.each { |key, value| f.write("  #{key}: #{value}\n") }
+  end
+end
+
+def entry_name
+  "fac_" << factory_name.to_s.downcase.gsub(/[^a-z0-9]/, '').strip
+end
+
+def update_binary_yaml
+  hash = {
+    :BACKDOOR_ID    => factory['ident'],
+    :BACKDOOR_TYPE  => 'OSX',
+    :CONF_KEY       => factory['confkey'],
+    :EVIDENCE_KEY   => factory['logkey'],
+    :SIGNATURE      => signature,
+    :VERSION        => 2013103101
+  }
+
+  append_configuration('binary.yaml', hash)
+end
+
+def instance_id
+  @instance_id ||= Digest::SHA1.hexdigest(rand(1E20).to_s)
+end
+
+def update_ident_yaml
+  hash = {
+    :INSTANCE_ID  => instance_id,
+    :USERID       => "topac#{rand(1E5)}",
+    :DEVICEID     => '',
+    :SOURCEID     => '',
+  }
+
+  append_configuration("ident.yaml", hash)
+end
+
+raise "Unable to connect to database #{db_address.inspect}" unless can_reach_db?
+raise "Unable to find factory name #{factory_name.inspect}" unless factory
+raise "Unable to find agent signature in db #{db_address.inspect}" unless signature
+
+update_binary_yaml
+update_ident_yaml
+
+puts "Configuration entry added to binary.yaml and ident.yaml"
+cmd = "./bin/rcs-backdoor -s #{db_host} -c #{entry_name}"
+puts "Try to sync with the command #{cmd} (the command has been copied on clipboard)"
+
+exec("echo '#{cmd}' | pbcopy")

data/bin/rcs-backdoor-multi

@@ -0,0 +1,25 @@
+#!/usr/bin/env ruby
+BINPATH = File.join(File.dirname(__FILE__), 'rcs-backdoor')
+
+count = ARGV[0].to_i
+
+exit(1) if count <= 0
+
+args_for_backdoor = ARGV[1..-1].join(' ')
+
+require 'colorize'
+
+$threads = []
+
+count.times do |i|
+  $threads << Thread.new do
+    puts "Thread #{i}: sleeping".colorize(:red)
+    sleep(rand(0..30))
+
+    cmd = "#{BINPATH} #{args_for_backdoor} --tag TAG#{i}"
+    puts "Thread #{i}: #{cmd}".colorize(:yellow)
+    system(cmd)
+  end
+end
+
+$threads.map &:join

data/bin/trace.yaml

@@ -0,0 +1,32 @@
+#
+# Available name trace:
+#	:cookie - the cookie of the current session 
+#	:host   - the server for the sync
+
+log4r_config:
+  pre_config:
+    global:
+      level: DEBUG
+    root  :
+      level: DEBUG
+
+  loggers:
+    - name      : rcslogger
+      level     : DEBUG
+      additive  : 'false'
+      trace     : 'false'      
+      outputters:
+        - stderr
+   
+
+  outputters:
+    - type     : StderrOutputter
+      name     : stderr 
+      level    : DEBUG
+      formatter:
+      # take a look at this: http://log4r.rubyforge.org/rdoc/Log4r/PatternFormatter.html
+        date_pattern: '%Y-%m-%d %H:%M:%S'
+        pattern     : '%d [%l]: %x %m'
+        type        : PatternFormatter
+
+        

data/lib/rcs-backdoor.rb

@@ -0,0 +1,2 @@
+require 'rcs-backdoor/backdoor.rb'
+require "rcs-backdoor/version"

data/lib/rcs-backdoor/backdoor.rb

@@ -0,0 +1,326 @@
+#
+#  The main file of the backdoor
+#
+
+# relatives
+require_relative 'sync.rb'
+require_relative 'protocol.rb'
+
+# from RCS::Common
+require 'rcs-common/trace'
+require 'rcs-common/crypt'
+require 'rcs-common/evidence'
+
+# from System
+require 'digest/md5'
+require 'digest/sha1'
+require 'ostruct'
+require 'yaml'
+require 'optparse'
+require 'fileutils'
+
+module RCS
+module Backdoor
+#
+# This is the Backdoor object
+# it needs the backdoor_id, instance and conf_key to be created
+# all those parameters need to be passed as string taken from the db
+#
+
+class Backdoor
+  include Tracer
+  
+  attr_reader :id
+  attr_reader :instance
+  attr_reader :type
+  attr_reader :conf_key
+  attr_reader :evidence_key
+  attr_reader :signature
+  attr_reader :version
+  
+  attr_reader :userid
+  attr_reader :deviceid
+  attr_reader :sourceid
+  
+  attr_reader :evidences
+
+  attr_accessor :scout
+  attr_accessor :soldier
+
+  #setup all the backdoor parameters
+  def initialize(binary_file, ident_file, options = {})
+    @options = options
+
+    # parse the parameters from the binary patched constants
+    trace :debug, "Parsing binary data..."
+    binary = load_yaml(binary_file)
+
+    # instantiate le empty log queue
+    @evidences = []
+    
+    # plain string 'RCS_000000000x'
+    @id = binary['BACKDOOR_ID']
+    
+    # the subtype of the backdoor (eg: WIN32, BLACKBERRY...)
+    @type = binary['BACKDOOR_TYPE']
+    
+    # the conf key is passed as a string taken from the db
+    # we need to calculate the MD5 and use it in binary form
+    @conf_key = Digest::MD5.digest binary['CONF_KEY']
+    
+    # the log key is passed as a string taken from the db
+    # we need to calculate the MD5 and use it in binary form
+    @evidence_key = Digest::MD5.digest binary['EVIDENCE_KEY']
+    
+    # the backdoor signature is passed as a string taken from the db
+    # we need to calculate the MD5 and use it in binary form
+    @signature = Digest::MD5.digest binary['SIGNATURE']
+    
+    # the backdoor version
+    @version = binary['VERSION']
+    
+    ident = load_yaml(ident_file)
+    ident['INSTANCE_ID'] = ident['INSTANCE_ID'][0..-((@options[:tag].size)+2)]+"_"+@options[:tag] if @options[:tag]
+    # the instance is passed as a string taken from the db
+    # we need to convert to binary
+    @instance = [ident['INSTANCE_ID']].pack('H*')
+
+    # directory where evidence files are be stored
+    @evidence_dir = File.join(Dir.pwd, 'evidence', ident['INSTANCE_ID'])
+    
+    @userid = ident['USERID'] || ''
+    @deviceid = ident['DEVICEID'] || ''
+    @sourceid = ident['SOURCEID'] || ''
+
+    @info = { :device_id => @deviceid, :user_id => @userid, :source_id => @sourceid }
+
+    trace :debug, "Backdoor instantiated: " << @id << @instance.unpack('H*').to_s
+    trace :debug, "Backdoor ident: [#{@userid}] [#{@deviceid}] [#{@sourceid}]"
+
+    @scout = false
+
+    begin
+      # instantiate the sync object with the protocol to be used
+      # and a reference to the backdoor
+      @sync = Sync.new(:REST, self)
+    rescue Exception => detail
+      trace :fatal, "ERROR: " << detail.to_s
+      raise
+    end
+  end
+
+  def load_yaml(path)
+    File.open(path, "r") do |f|
+      hash = YAML.load(f.read)
+      is_single_config = hash.keys.include?("INSTANCE_ID")
+      return hash if is_single_config
+      config_name = @options[:config_name] || "default"
+      hash[config_name] || raise("Unable to find configuration #{config_name.inspect} in file #{File.basename(path)}")
+      return hash[config_name]
+    end
+  rescue Exception => ex
+    trace :fatal, "Cannot load yaml file #{File.basename(path)}: #{ex.message}"
+    exit(1)
+  end
+
+  # perform the synchronization with the server
+  def sync(host, delete_evidence = true)
+    trace :debug, "Loading evidences in memory ..."
+    # retrieve the evidence from the local dir
+    Dir["#{@evidence_dir}/*"].each do |f|
+      @evidences << Evidence.new(@evidence_key).load_from_file(f)
+    end
+
+    trace :debug, "Synchronizing ..."
+    # perform the sync
+    @sync.perform host
+
+    if delete_evidence
+      trace :debug, "Deleting evidences ..."
+      # delete all evidence sent
+      Dir["#{@evidence_dir}/*"].each do |f|
+        File.delete(f)
+      end
+    end
+
+  end
+  
+  # create some evidences
+  def create_evidences(num, type = :RANDOM)
+    # ensure the directory is created
+
+    FileUtils.rm_rf(@evidence_dir)
+
+    FileUtils.mkpath(@evidence_dir) if not File.directory?(@evidence_dir)
+    
+    real_type = type
+    
+    # generate the evidence
+    num.times do
+      #real_type = RCS::EVIDENCE_TYPES.values.sample if type == :RANDOM
+      real_type = [:APPLICATION, :DEVICE, :CHAT, :CLIPBOARD, :CAMERA, :INFO, :KEYLOG, :SCREENSHOT, :MOUSE, :FILEOPEN, :FILECAP].sample if type == :RANDOM
+      Evidence.new(@evidence_key).generate(real_type, @info).dump_to_file(@evidence_dir)
+    end
+  end
+end
+
+# this module is used only form bin/rcs-backdoor as a wrapper to
+# execute the backdoor from command line
+class Application
+  include RCS::Tracer
+
+  def run_backdoor(path_to_binary, path_to_ident, options)
+    b = RCS::Backdoor::Backdoor.new(path_to_binary, path_to_ident, options)
+
+    # set the scout flag if specified
+    b.scout = true if options[:scout]
+    b.soldier = true if options[:soldier]
+
+    if options[:generate] then
+      trace :info, "Creating #{options[:gen_num]} fake evidences..."
+      b.create_evidences(options[:gen_num], options[:gen_type])
+    end
+    
+    while true
+      if options[:sync] then
+        b.sync options[:sync_host], !(options[:randomize] or options[:loop]) # delete evidences if not randomizing
+      end
+      
+      break unless options[:loop]
+      
+      options[:loop_delay].times do |n|
+        sleep 1
+        trace :info, "#{options[:loop_delay] - n} seconds to next synchronization." if n % 5 == 0
+      end 
+    end
+  rescue Interrupt
+    trace :info, "User asked to exit. Bye bye!"
+    return 0
+  rescue Exception => e
+    trace :fatal, "FAILURE: " << e.to_s
+    trace :fatal, "EXCEPTION: " + e.backtrace.join("\n")
+    return 1
+  end
+  
+  def run(options)
+
+    # if we can't find the trace config file, default to the system one
+    if File.exist?('trace.yaml') then
+      load_path = Dir.pwd
+      trace_yaml = 'trace.yaml'
+    else
+      load_path = File.dirname(File.dirname(File.dirname(__FILE__))) + "/bin"
+      trace_yaml = load_path + "/trace.yaml"
+      puts "Cannot find 'trace.yaml' using the default one (#{trace_yaml})"
+    end
+    
+    # initialize the tracing facility
+    begin
+      trace_init load_path, trace_yaml
+    rescue Exception => e
+      puts e
+      exit
+    end
+
+    unless options[:randomize].nil?
+      binary = begin
+        File.open(load_path + '/ident.yaml', "r") do |f|
+          binary = YAML.load(f.read)
+        end
+      rescue
+        trace :fatal, "Cannot open binary patched file"
+        exit
+      end
+
+      threads = []
+      options[:randomize].times do |n|
+        binary["INSTANCE_ID"] = Digest::SHA1.hexdigest(n.to_s).upcase
+        path_to_yaml = load_path + "/ident#{n}.yaml"
+        File.open(path_to_yaml, "w") {|f| f.write(binary.to_yaml)}
+        trace :info, "Spawned backdoor #{path_to_yaml}"
+        threads << Thread.new { run_backdoor(load_path + '/binary.yaml', path_to_yaml, options)}
+      end
+
+      begin
+        threads.each do |th|
+          th.join
+        end
+      rescue Interrupt
+        trace :info, "User asked to exit. Bye bye!"
+        return 0
+      end
+
+    else
+      run_backdoor(load_path + '/binary.yaml', load_path + '/ident.yaml', options)
+    end
+
+    # concluded successfully
+    return 0
+  end
+
+  # since we cannot use trace from a class method
+  # we instantiate here an object and run it
+  def self.run!(*argv)
+    # This hash will hold all of the options parsed from the command-line by OptionParser.
+    options = {}
+
+    srand(Time.now.to_i)
+    
+    types = [:RANDOM] + RCS::EVIDENCE_TYPES.values
+    
+    optparse = OptionParser.new do |opts|
+      # Set a banner, displayed at the top of the help screen.
+      opts.banner = "Usage: rcs-backdoor [options] arg1 arg2 ..."
+
+      # Define the options, and what they do
+      opts.on( '-r', '--randomize NUM', Integer, 'Randomize NUM instances') do |num|
+        options[:randomize] = num
+      end
+      opts.on( '-g', '--generate NUM', Integer, 'Generate NUM evidences' ) do |num|
+        options[:generate] = true
+        options[:gen_num] = num
+      end
+      opts.on( '-t', '--type TYPE', types, 'Generate evidences of type TYPE' ) do |type|
+        options[:gen_type] = type
+      end
+      opts.on( '-s', '--sync HOST', 'Synchronize with remote HOST' ) do |host|
+        options[:sync] = true
+        options[:sync_host] = host
+      end
+      opts.on('--tag STRING', 'Append to instance string' ) do |tag|
+        options[:tag] = tag
+      end
+      opts.on( '-l', '--loop DELAY', Integer, 'Loop synchronization every DELAY seconds') do |seconds|
+        options[:loop] = true
+        options[:loop_delay] = seconds
+      end
+      opts.on( '-c', '--config CONFIGURATION', String, 'Configuration/environment name') do |value|
+        options[:config_name] = value
+      end
+      opts.on( '--scout', 'Auth like a scout' ) do
+        options[:scout] = true
+      end
+      opts.on( '--soldier', 'Auth like a soldier' ) do
+        options[:soldiers] = true
+      end
+
+      # This displays the help screen, all programs are assumed to have this option.
+      opts.on( '-h', '--help', 'Display this screen' ) do
+        puts opts
+        exit
+      end
+    end
+
+    optparse.parse(argv)
+
+    return Application.new.run(options)
+  end
+
+end # Application::
+
+end # Backdoor::
+end # RCS::
+
+if __FILE__ == $0
+  RCS::Backdoor::Application.run!(*ARGV)
+end