Jump to content

Phishing for Root: Using Shell Functions Against Mac and Linux


Recommended Posts

I would just like to preface by saying that I won't be here to read or respond to comments.  I apologize for that, but I am spending as much time as I can focusing on research and learning everything I can.  This is a time I would consider to be my intellectual prime and I really want to use this time as best I can in that regard, so I hope you can understand why I won't be actively engaging as a user in general.


This is a script that pretends to be sudo and /usr/bin/sudo, acts like the password prompt, steals the password and deletes traces of itself, including the shell history of running the script itself.  The specific ducky script in this post is for Ubuntu with Unity, but it could easily be tweaked to work with other desktops, distros, and even Mac OS X.

The idea for this came when I was in the early stages of the research project I'm currently working on involving U2F security tokens (I'll make a post here about that later after I get a POC and blog post up).  After testing out some commands for the project, the thought "Could I alias sudo?" came to mind and I decided to try it.  Sure enough, it worked flawlessly.  I then checked to see if I could alias sudo and call sudo at the end, essentially injecting commands into sudo.  That worked flawlessly as well.  Figuring these things out opened more questions and I ended up in a rabbit hole thinking about what I could do with it.  After getting some other work done, I decided to start working on the ideas about 2 or 3 days ago after figuring out the same can be said about shell functions as aliases and came up with this.

The ducky script is in the blog post, but also at https://gist.github.com/ViGrey/a988c76c87898a2156da7724c57f16b4#file-rootphisher-ducky.  Go ahead and tinker with it; make it better.  I know there are probably better ways to handle some edge cases that can arise, but I leave that as a exercise for you all and possibly myself in the future to look at.  I just had fun working on this.

Apologies for any confusing parts or spelling errors in the blog post.  I wrote that post in a bit of a rush so I could get back to my current research project.

Have fun with it!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...