-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathcheckdoor.py
executable file
·162 lines (137 loc) · 4.1 KB
/
checkdoor.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
_____, ___
'+ .;
, ;
.
.
.;.
.;
:
,
┌─[checkdoor]
└──╼ VainlyStrain
"""
import sys
import os
import re
import subprocess
# some colors
RB = '\033[48;2;58;49;58m'
RC = '\033[0m\033[38;2;58;49;58m\033[3m'
RD = '\033[0m\033[38;2;58;49;58m'
R = '\033[0m\033[38;2;58;49;58m\033[1m'
WB = '\033[48;2;255;255;255m\033[38;2;58;49;58m\033[1m'
G = '\033[0m\033[48;2;85;72;85m\033[38;2;225;214;225m'
version = "1.5.1"
class color:
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
CURSIVE = '\033[3m'
END = '\033[0m'
C = color.END + color.BOLD
# helper script executed by subprocess
helper = os.path.dirname(os.path.realpath(__file__)) + "/phase1.sh"
# has anything suspicious been detected?
globalfail = False
# display stuff
subprocess.run(["clear"])
vaile = '''{0} |
:
|
.
.
.
____, __ .|
+ ; .|
.{1}:,
’
. /
+ ; :,
;. /,
{0} ; /;' ;
; /;{2}|{0} : ^
’ / {2}:{0} ;.’ °
'/; \\
./ '. \\ {2}|{0}
'. ’· __\\,_
{1} '. {0}\\{1}`{2};{0}{1}
\\ {0}\\ {1}
.\\. {0}V{1}
\\.
.,.
.'.
''.;:
.|.
| .
.
'''.format(color.END, color.BOLD, color.CURSIVE)
print(vaile)
verbose = False
'''
Phase 1: searches for aliases and functions in local bash files using regex
if you are not using bash, modify the phase1.sh script to your respective config files
'''
if verbose:
print("{}Phase 1: {}maliciovs aliases{}".format(RC, color.END + RB, color.END))
response = subprocess.check_output(["bash", helper])
response = response.decode("utf-8")
parsed = response.replace(" ", "").lower()
fail = False
if "sudo()" in parsed:
print("{}[!]{} Potentially maliciovs alias detected\n".format(RD, color.END))
alias = re.split("sudo\s*\(\)", response)[1].split("}")[0]
lines = alias.split("\n")
print(" {}sudo(){}".format(WB, color.END) + lines[0])
for line in lines[1::]:
if line != "":
line = line.replace("\'", "'")
print(" " + line)
print(" }\n")
fail = True
if "aliassudo" in parsed:
print("{}[!]{} Potentially maliciovs alias detected\n".format(RD, color.END))
for i in response.split("\n"):
if "aliassudo" in i.replace(" ", ""):
print(i)
print()
fail = True
if fail:
globalfail = True
elif verbose:
print(RD + "[+]" + C + " Clean." + color.END)
'''
Phase 2: checks if a malicious binary has been appended at the beginning of $PATH,
thus being executed instead of the real sudo
uses the which command
'''
if verbose:
print("{}Phase 2: {}$PATH hijacking{}".format(RC, color.END + RB, color.END))
response = subprocess.check_output(["which", "sudo"])
path = response.decode("utf-8").strip()
if path != "/usr/bin/sudo":
print("{}[!]{} Potentially maliciovs path detected!\n{}".format(RD, color.END, path))
globalfail = True
elif verbose:
print(RD + "[+]" + C + " Clean." + color.END)
'''
Phase 3: checks if the binary's owner & group is root and if the permissions are
correct
'''
if verbose:
print("{}Phase 3: {}Owner&permissions{}".format(RC, color.END + RB, color.END))
response = subprocess.check_output(["ls", "-l", path])
response = response.decode("utf-8")
parsed = re.split("\s+", response)
if parsed[0] != "---s--x--x." and parsed[2] != "root" and parsed[3] != "root":
print("{}[!]{} File permissions and ownership do not match expectations.\n{}".format(RD, color.END, response))
globalfail = True
elif verbose:
print(RD + "[+]" + C + " Clean." + color.END)
if not verbose:
print("{}checkdoor: {}CLEAN{}".format(RC, color.END + RB, color.END))
print(" Done.")
# exit with failure when backdoor found. useful for && concatenation
if globalfail:
sys.exit(1)