Added a bash shell artifact to support linux. (#292)

Velocidex · Mar 28, 2020 · e28411f · e28411f
1 parent 78bdb34
commit e28411f
Show file tree

Hide file tree

Showing 9 changed files with 104 additions and 10 deletions.
diff --git a/artifacts/assets/ab0x.go b/artifacts/assets/ab0x.go
diff --git a/artifacts/definitions/Linux/Sys/BashShell.yaml b/artifacts/definitions/Linux/Sys/BashShell.yaml
@@ -0,0 +1,24 @@
+name: Linux.Sys.BashShell
+description: |
+  This artifact allows running arbitrary commands through the system
+  shell.
+
+  Since Velociraptor typically runs as root, the commands will also
+  run as root.
+
+  This is a very powerful artifact since it allows for arbitrary
+  command execution on the endpoints. Therefore this artifact requires
+  elevated permissions (specifically the `EXECVE`
+  permission). Typically it is only available with the `administrator`
+  role.
+
+required_permissions:
+  - EXECVE
+
+parameters:
+  - name: Command
+    default: "ls -l /"
+
+sources:
+  - query: |
+      SELECT * FROM execve(argv=["/bin/bash", "-c", Command])
diff --git a/bin/shell.go b/bin/shell.go
@@ -41,8 +41,10 @@ var (
 	shell_client = shell.Arg("client_id", "The client id to run the shell for.").
 			Required().String()
 
-	shell_artifact = shell.Flag("type", "The type of shell to run").Default("cmd").
-			Enum("cmd", "powershell")
+	shell_artifact = shell.Flag("type", "The type of shell to run (cmd, powershell, bash)").
+			Default("cmd").Enum("cmd", "powershell", "bash")
+
+	shell_alt_artifact = shell.Flag("artifact", "An alternative artifact to run").String()
 )
 
 func shell_executor(config_obj *config_proto.Config,
@@ -56,12 +58,18 @@ func shell_executor(config_obj *config_proto.Config,
 
 	artifact_name := "Windows.System.CmdShell"
 	switch *shell_artifact {
+	case "bash":
+		artifact_name = "Linux.Sys.BashShell"
 	case "cmd":
 		artifact_name = "Windows.System.CmdShell"
 	case "powershell":
 		artifact_name = "Windows.System.PowerShell"
 	}
 
+	if *shell_alt_artifact != "" {
+		artifact_name = *shell_alt_artifact
+	}
+
 	fmt.Printf("Running %v on %v\n", t, client_id)
 	client, closer := grpc_client.Factory.GetAPIClient(ctx, config_obj)
 	defer closer()

diff --git a/config/config.go b/config/config.go
@@ -75,9 +75,9 @@ func GetDefaultConfig() *config_proto.Config {
 			LocalBuffer: &config_proto.RingBufferConfig{
 				MemorySize:      50 * 1024 * 1024,
 				DiskSize:        1024 * 1024 * 1024,
-				FilenameLinux:   "/tmp/Velociraptor_Buffer.bin",
+				FilenameLinux:   "/var/tmp/Velociraptor_Buffer.bin",
 				FilenameWindows: "$TEMP/Velociraptor_Buffer.bin",
-				FilenameDarwin:  "/tmp/Velociraptor_Buffer.bin",
+				FilenameDarwin:  "/var/tmp/Velociraptor_Buffer.bin",
 			},
 
 			// Specific instructions for the
@@ -131,15 +131,15 @@ func GetDefaultConfig() *config_proto.Config {
 				"Generic.Client.Stats",
 			},
 			ExpectedClients: 10000,
-			PublicPath:      "/tmp/public",
+			PublicPath:      "/var/tmp/velociraptor/public",
 		},
 		Datastore: &config_proto.DatastoreConfig{
 			Implementation: "FileBaseDataStore",
 
 			// Users would probably need to change
 			// this to something more permanent.
-			Location:           "/tmp/velociraptor",
-			FilestoreDirectory: "/tmp/velociraptor",
+			Location:           "/var/tmp/velociraptor",
+			FilestoreDirectory: "/var/tmp/velociraptor",
 		},
 		Writeback: &config_proto.Writeback{},
 		Mail:      &config_proto.MailConfig{},

diff --git a/datastore/filebased.go b/datastore/filebased.go
@@ -205,7 +205,7 @@ func listChildren(config_obj *config_proto.Config,
 		return nil, err
 	}
 	dirname := strings.TrimSuffix(filename, ".db")
-	children, err := ioutil.ReadDir(dirname)
+	children, err := utils.ReadDir(dirname)
 	if err != nil {
 		if os.IsNotExist(err) {
 			return []os.FileInfo{}, nil

diff --git a/file_store/file_store.go b/file_store/file_store.go
@@ -39,7 +39,6 @@ package file_store
 import (
 	"compress/gzip"
 	"io"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -116,7 +115,7 @@ func (self *DirectoryFileStore) ListDirectory(dirname string) (
 	listCounter.Inc()
 
 	file_path := self.FilenameToFileStorePath(dirname)
-	files, err := ioutil.ReadDir(file_path)
+	files, err := utils.ReadDir(file_path)
 	if err != nil {
 		return nil, err
 	}

diff --git a/utils/file_darwin.go b/utils/file_darwin.go
@@ -0,0 +1,12 @@
+// +build darwin
+
+package utils
+
+import (
+	"io/ioutil"
+	"os"
+)
+
+func ReadDir(dirname string) ([]os.FileInfo, error) {
+	return ioutil.ReadDir(dirname)
+}
diff --git a/utils/file_linux.go b/utils/file_linux.go
@@ -1,3 +1,5 @@
+// +build linux
+
 /*
    Velociraptor - Hunting Evil
    Copyright (C) 2019 Velocidex Innovations.

diff --git a/utils/file_windows.go b/utils/file_windows.go
@@ -0,0 +1,12 @@
+// +build windows
+
+package utils
+
+import (
+	"io/ioutil"
+	"os"
+)
+
+func ReadDir(dirname string) ([]os.FileInfo, error) {
+	return ioutil.ReadDir(dirname)
+}