From ea80d99bfef4598e616895534a00f58a6892bf6b Mon Sep 17 00:00:00 2001
From: mak
Date: Thu, 12 Nov 2015 04:24:30 +0100
Subject: [PATCH 1/3] basic support for busybox

---
 cowrie/commands/__init__.py | 3 ++-
 cowrie/commands/busybox.py | 49 +++++++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 cowrie/commands/busybox.py

diff --git a/cowrie/commands/__init__.py b/cowrie/commands/__init__.py
index f971ac4..e5ffa5c 100644
--- a/cowrie/commands/__init__.py
+++ b/cowrie/commands/__init__.py
@@ -24,5 +24,6 @@ __all__ = [
     'iptables',
     'ethtool',
     'ifconfig',
-    'nohup'
+    'nohup',
+    'busybox'
 ]
diff --git a/cowrie/commands/busybox.py b/cowrie/commands/busybox.py
new file mode 100644
index 0000000..460a437
--- /dev/null
+++ b/cowrie/commands/busybox.py
@@ -0,0 +1,49 @@
+from kippo.core.honeypot import HoneyPotCommand
+from twisted.python import log
+commands = {}
+
+busybox_help=('''
+BusyBox v1.20.2 (Debian 1:1.20.0-7) multi-call binary.
+Copyright (C) 1998-2011 Erik Andersen, Rob Landley, Denys Vlasenko
+and others. Licensed under GPLv2.
+See source distribution for full notice.
+
+Usage: busybox [function] [arguments]...
+ or: busybox --list[-full]
+ or: busybox --install [-s] [DIR]
+ or: function [arguments]...
+
+ BusyBox is a multi-call binary that combines many common Unix
+ utilities into a single executable. Most people will create a
+ link to busybox for each function they wish to use and BusyBox
+ will act like whatever it was invoked as.
+
+Currently defined functions:
+ [, [[, adjtimex, ar, arp, arping, ash, awk, basename, blockdev, brctl, bunzip2, bzcat, bzip2, cal, cat, chgrp, chmod, chown, chroot, chvt, clear, cmp, cp, cpio, cttyhack, cut, date, dc, dd, deallocvt, depmod, df,
+ diff, dirname, dmesg, dnsdomainname, dos2unix, du, dumpkmap, dumpleases, echo, egrep, env, expand, expr, false, fgrep, find, fold, free, freeramdisk, ftpget, ftpput, getopt, getty, grep, groups, gunzip, gzip, halt,
+ head, hexdump, hostid, hostname, httpd, hwclock, id, ifconfig, init, insmod, ionice, ip, ipcalc, kill, killall, klogd, last, less, ln, loadfont, loadkmap, logger, login, logname, logread, losetup, ls, lsmod, lzcat,
+ lzma, md5sum, mdev, microcom, mkdir, mkfifo, mknod, mkswap, mktemp, modinfo, modprobe, more, mount, mt, mv, nameif, nc, netstat, nslookup, od, openvt, patch, pidof, ping, ping6, pivot_root, poweroff, printf, ps, pwd,
+ rdate, readlink, realpath, reboot, renice, reset, rev, rm, rmdir, rmmod, route, rpm, rpm2cpio, run-parts, sed, seq, setkeycodes, setsid, sh, sha1sum, sha256sum, sha512sum, sleep, sort, start-stop-daemon, stat,
+ strings, stty, swapoff, swapon, switch_root, sync, sysctl, syslogd, tac, tail, tar, taskset, tee, telnet, test, tftp, time, timeout, top, touch, tr, traceroute, traceroute6, true, tty, udhcpc, udhcpd, umount, uname,
+ uncompress, unexpand, uniq, unix2dos, unlzma, unxz, unzip, uptime, usleep, uudecode, uuencode, vconfig, vi, watch, watchdog, wc, wget, which, who, whoami, xargs, xz, xzcat, yes, zcat
+''').strip().split('\n')
+
+class command_busybox(HoneyPotCommand):
+
+    def help(self):
+        for ln in bosybox_help:
+            self.writeln(ln)
+
+    def call(self):
+        args =list(self.args)
+        line = ' '.join(args)
+        cmd = args[0]
+        args = args[1:]
+        cmdclass = self.protocol.getCommand(cmd, self.env['PATH'].split(':'))
+        if cmdclass:
+            log.msg(eventid='KIPP0005', input=line, format='Command found: %(input)s')
+            #self.protocol.logDispatch('Command found: %s' % (line,))
+            self.protocol.call_command(cmdclass, *args)
+        else:
+            self.help()
+commands['busybox'] = command_busybox

From 513934755efcb498ab8837ee5681c953387bd91e Mon Sep 17 00:00:00 2001
From: lelonek1
Date: Fri, 13 Nov 2015 16:42:00 -0500
Subject: [PATCH 2/3] Corrected package name and mixed tab/spaces indentation

---
 cowrie/commands/busybox.py | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/cowrie/commands/busybox.py b/cowrie/commands/busybox.py
index 460a437..b60b1a4 100644
--- a/cowrie/commands/busybox.py
+++ b/cowrie/commands/busybox.py
@@ -1,4 +1,4 @@
-from kippo.core.honeypot import HoneyPotCommand
+from cowrie.core.honeypot import HoneyPotCommand
 from twisted.python import log
 commands = {}
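Review bot: The commented-out `#self.protocol.logDispatch('Command found: %s' % (line,))` line under `log.msg(...)` in `call()` is dead code and should be deleted rather than carried as a comment; the `log.msg` call beside it already records the event. The new module and `command_busybox` also carry no docstring, so a reader cannot tell that the class is the `busybox` multi-call front end that looks up its first argument as a command and re-dispatches the remaining arguments; a class docstring such as `"""Emulate the busybox multi-call binary: dispatch ``busybox CMD ARGS`` to the emulated CMD, or print the usage banner."""` would cover it. Whether `self.env` always carries a `PATH` key is not visible in the hunk; if it can be absent, `self.env.get('PATH', '')` would keep a KeyError from escaping into the session handler.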
@@ -31,19 +31,19 @@ Currently defined functions:
 class command_busybox(HoneyPotCommand):
 
     def help(self):
-        for ln in bosybox_help:
-            self.writeln(ln)
+        for ln in bosybox_help:
+            self.writeln(ln)
 
     def call(self):
-        args =list(self.args)
-        line = ' '.join(args)
-        cmd = args[0]
-        args = args[1:]
-        cmdclass = self.protocol.getCommand(cmd, self.env['PATH'].split(':'))
-        if cmdclass:
+        args =list(self.args)
+        line = ' '.join(args)
+        cmd = args[0]
+        args = args[1:]
+        cmdclass = self.protocol.getCommand(cmd, self.env['PATH'].split(':'))
+        if cmdclass:
             log.msg(eventid='KIPP0005', input=line, format='Command found: %(input)s')
             #self.protocol.logDispatch('Command found: %s' % (line,))
             self.protocol.call_command(cmdclass, *args)
-        else:
-            self.help()
+        else:
+            self.help()
 commands['busybox'] = command_busybox

From 500b6143293a4015a979383cb87b098b0c4a57f6 Mon Sep 17 00:00:00 2001
From: lelonek1
Date: Fri, 13 Nov 2015 17:01:35 -0500
Subject: [PATCH 3/3] Corrected typo in help command and adjusted the maximum line length of the command list so it looks correct in a standard 80 character wide terminal

---
 cowrie/commands/busybox.py | 52 +++++++++++++++++++++++++------------
 1 file changed, 35 insertions(+), 17 deletions(-)

diff --git a/cowrie/commands/busybox.py b/cowrie/commands/busybox.py
index b60b1a4..39a3fea 100644
--- a/cowrie/commands/busybox.py
+++ b/cowrie/commands/busybox.py
@@ -19,31 +19,49 @@ Usage: busybox [function] [arguments]...
  will act like whatever it was invoked as.
 
 Currently defined functions:
- [, [[, adjtimex, ar, arp, arping, ash, awk, basename, blockdev, brctl, bunzip2, bzcat, bzip2, cal, cat, chgrp, chmod, chown, chroot, chvt, clear, cmp, cp, cpio, cttyhack, cut, date, dc, dd, deallocvt, depmod, df,
- diff, dirname, dmesg, dnsdomainname, dos2unix, du, dumpkmap, dumpleases, echo, egrep, env, expand, expr, false, fgrep, find, fold, free, freeramdisk, ftpget, ftpput, getopt, getty, grep, groups, gunzip, gzip, halt,
- head, hexdump, hostid, hostname, httpd, hwclock, id, ifconfig, init, insmod, ionice, ip, ipcalc, kill, killall, klogd, last, less, ln, loadfont, loadkmap, logger, login, logname, logread, losetup, ls, lsmod, lzcat,
- lzma, md5sum, mdev, microcom, mkdir, mkfifo, mknod, mkswap, mktemp, modinfo, modprobe, more, mount, mt, mv, nameif, nc, netstat, nslookup, od, openvt, patch, pidof, ping, ping6, pivot_root, poweroff, printf, ps, pwd,
- rdate, readlink, realpath, reboot, renice, reset, rev, rm, rmdir, rmmod, route, rpm, rpm2cpio, run-parts, sed, seq, setkeycodes, setsid, sh, sha1sum, sha256sum, sha512sum, sleep, sort, start-stop-daemon, stat,
- strings, stty, swapoff, swapon, switch_root, sync, sysctl, syslogd, tac, tail, tar, taskset, tee, telnet, test, tftp, time, timeout, top, touch, tr, traceroute, traceroute6, true, tty, udhcpc, udhcpd, umount, uname,
- uncompress, unexpand, uniq, unix2dos, unlzma, unxz, unzip, uptime, usleep, uudecode, uuencode, vconfig, vi, watch, watchdog, wc, wget, which, who, whoami, xargs, xz, xzcat, yes, zcat
+ [, [[, adjtimex, ar, arp, arping, ash, awk, basename, blockdev, brctl,
+ bunzip2, bzcat, bzip2, cal, cat, chgrp, chmod, chown, chroot, chvt,
+ clear, cmp, cp, cpio, cttyhack, cut, date, dc, dd, deallocvt, depmod,
+ df, diff, dirname, dmesg, dnsdomainname, dos2unix, du, dumpkmap,
+ dumpleases, echo, egrep, env, expand, expr, false, fgrep, find, fold,
+ free, freeramdisk, ftpget, ftpput, getopt, getty, grep, groups, gunzip,
+ gzip, halt, head, hexdump, hostid, hostname, httpd, hwclock, id,
+ ifconfig, init, insmod, ionice, ip, ipcalc, kill, killall, klogd, last,
+ less, ln, loadfont, loadkmap, logger, login, logname, logread, losetup,
+ ls, lsmod, lzcat, lzma, md5sum, mdev, microcom, mkdir, mkfifo, mknod,
+ mkswap, mktemp, modinfo, modprobe, more, mount, mt, mv, nameif, nc,
+ netstat, nslookup, od, openvt, patch, pidof, ping, ping6, pivot_root,
+ poweroff, printf, ps, pwd, rdate, readlink, realpath, reboot, renice,
+ reset, rev, rm, rmdir, rmmod, route, rpm, rpm2cpio, run-parts, sed, seq,
+ setkeycodes, setsid, sh, sha1sum, sha256sum, sha512sum, sleep, sort,
+ start-stop-daemon, stat, strings, stty, swapoff, swapon, switch_root,
+ sync, sysctl, syslogd, tac, tail, tar, taskset, tee, telnet, test, tftp,
+ time, timeout, top, touch, tr, traceroute, traceroute6, true, tty,
+ udhcpc, udhcpd, umount, uname, uncompress, unexpand, uniq, unix2dos,
+ unlzma, unxz, unzip, uptime, usleep, uudecode, uuencode, vconfig, vi,
+ watch, watchdog, wc, wget, which, who, whoami, xargs, xz, xzcat, yes,
+ zcat
 ''').strip().split('\n')
 
 class command_busybox(HoneyPotCommand):
 
     def help(self):
-        for ln in bosybox_help:
+        for ln in busybox_help:
             self.writeln(ln)
 
     def call(self):
-        args =list(self.args)
-        line = ' '.join(args)
-        cmd = args[0]
-        args = args[1:]
-        cmdclass = self.protocol.getCommand(cmd, self.env['PATH'].split(':'))
-        if cmdclass:
-            log.msg(eventid='KIPP0005', input=line, format='Command found: %(input)s')
-            #self.protocol.logDispatch('Command found: %s' % (line,))
-            self.protocol.call_command(cmdclass, *args)
+        args = list(self.args)
+        if len(args) > 0:
+            line = ' '.join(args)
+            cmd = args[0]
+            args = args[1:]
+            cmdclass = self.protocol.getCommand(cmd, self.env['PATH'].split(':'))
+            if cmdclass:
+                log.msg(eventid='KIPP0005', input=line, format='Command found: %(input)s')
+                #self.protocol.logDispatch('Command found: %s' % (line,))
+                self.protocol.call_command(cmdclass, *args)
+            else:
+                self.help()
         else:
             self.help()
 commands['busybox'] = command_busybox
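Review bot: An unknown applet still gets the full usage banner (the inner `else: self.help()` added to `call()`), whereas a real BusyBox prints `<name>: applet not found` and shows the banner only for no arguments or `--help`; a scanner that runs `busybox foo` therefore gets an easy honeypot tell. The added `len(args) > 0` guard also leaves `self.help()` duplicated in two nested branches; a guard clause for the empty/`--help` case plus an explicit not-found message flattens the method, as sketched below. The `KIPP0005` log call and the `call_command` dispatch are kept as they are; whether the base class exposes an stderr-style write for the error line is not visible here, so the sketch uses `writeln`.
```python
    def call(self):
        args = list(self.args)
        # real busybox prints the banner only for no arguments or --help
        if not args or args[0] == '--help':
            self.help()
            return
        cmd, rest = args[0], args[1:]
        cmdclass = self.protocol.getCommand(cmd, self.env['PATH'].split(':'))
        if not cmdclass:
            # real busybox answers "<applet>: applet not found", not the usage text
            self.writeln('%s: applet not found' % cmd)
            return
        log.msg(eventid='KIPP0005', input=' '.join(args), format='Command found: %(input)s')
        self.protocol.call_command(cmdclass, *rest)
```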