The Truth about Windows Malware Wine and Ubuntu Part 2 (All you do is hurt me)

Posted: October 20, 2011 in Random pontifications

If you haven’t read the article The Truth about Wine, Windows Malware and Ubuntu, I highly suggest you do so now, as this is a follow-up to most of the things discussed there.

A few weeks ago, I talked about how far you could get with a backdoored Windows executable under Wine in Ubuntu. While I’m sure that shocked the “Linux is perfect” crowd it’s not anything anyone didn’t know already. I’ve seen a few more debates talking about it and quite a few people have quoted my little exercise since that time. So I figured it was about time to expound on the original topic. So we can get a Windows meterpreter session? So what, we’re stuck in the home directory with little room for escalation with our gimped Windows meterpreter shell.

Au Contraire!

Now I’m going to show you how it’s possible to start out in Wine and end up in Ubuntu with a fully functional meterpreter shell, and begin the process of escalation (if needed). Oh yeah, did I mention we’re going to bypass AV and survive a reboot?

So if you were skeptical about this whole Wine being able to affect Ubuntu thing, hold on to your hats because here we go 🙂

Everything starts simple

The whole process starts simple, again with our Windows meterpreter shell and our malicious Putty.exe application.

This putty is one real bad motorscooter

Windows meterpreter again.

Now we need to get out of this silly Windows meterpreter and get an actual Linux shell. We know that our typical run-of-the-mill “execute -f /bin/bash -i” is going to fail miserably here, since we’re once again using Windows meterpreter and stuck in Wine…Or are we?

Cool Meterpreter Trick

This is where all the magic is going to happen. We’re going to utilize our Windows Meterpreter’s upload function to upload two files. The first will be a Linux Meterpreter shell, which we’re calling .bash_bd for the sake of this exercise; the second will be a .profile that contains the following:

/home/dangertux/.bash_bd &

Note: the & is very important. Without it, the user will see their desktop environment hang until meterpreter is closed, which will most certainly make them suspicious; the & sends the process to the background so that execution of the rest of the script continues normally.

Now if the user in question already has something in their .profile, you need to append this to the end: simply cat their existing .profile and upload an amended version.
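From the defender’s side, the tell-tale sign of this trick is a shell startup file that backgrounds the execution of a hidden file under a home directory. The following Python check is an added example, not part of the original post: it scans startup-file text for exactly that pattern, ignoring the normal sourcing of dotfiles. The sample .profile is constructed for this example (the stock Ubuntu header plus the line from the post).

```python
import re

# Constructed sample ~/.profile for this example: the stock Ubuntu header
# followed by the planted line from the post (hidden binary, backgrounded).
SAMPLE_PROFILE = """\
# ~/.profile: executed by the command interpreter for login shells.
if [ -n "$BASH_VERSION" ]; then
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi
PATH="$HOME/bin:$PATH"
/home/dangertux/.bash_bd &
"""

# A hidden (dot-prefixed) path directly under a home directory, written as
# /home/<user>/.name, ~/.name, $HOME/.name or ${HOME}/.name.
HIDDEN_HOME_PATH = re.compile(r'(?:/home/[^/\s]+|~|\$HOME|\$\{HOME\})/\.[^/\s"\']+')


def is_backgrounded(line):
    """True if the command is sent to the background with a trailing '&'.
    A trailing '&&' is the ordinary and-operator and must not match."""
    return line.endswith('&') and not line.endswith('&&')


def scan_startup_file(text):
    """Return (line_no, line, reason) for each suspicious startup line.
    Sourcing a hidden file (". $HOME/.bashrc") is normal and is ignored;
    executing a hidden file in the background is flagged, and any other
    backgrounded command is reported at lower priority."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#') or not is_backgrounded(line):
            continue
        hidden = HIDDEN_HOME_PATH.search(line)
        if hidden:
            reason = 'backgrounded execution of hidden file ' + hidden.group(0)
        else:
            reason = 'backgrounded command in startup file'
        findings.append((no, line, reason))
    return findings


if __name__ == '__main__':
    for no, line, reason in scan_startup_file(SAMPLE_PROFILE):
        print('sample:%d: %s: %s' % (no, reason, line))
```

Run the same function over each user’s .profile, .bashrc and .bash_profile, and review the lower-priority hits by hand, since legitimate desktop setups do occasionally background a command there.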

uploading .profile.

Survive the reboot

Now when our victim reboots, we will be presented with a new meterpreter shell, a Linux payload this time 🙂

Here’s the reboot…

reboot...


And… Look it’s Linux Meterpreter

and…shelled…


As promised, this method will bypass most if not all anti-malware solutions for Linux/Ubuntu (shikata_ga_nai encoding for both binaries). Just be careful if you start key-logging with your Linux meterpreter shell, as there is a good chance AV will pick that up.

Conclusion

Yes you can fully break out of Wine into Ubuntu from a Windows application. I hope it puts to rest the debate about whether or not it is possible 🙂

AppArmor confinement won’t really help with this one either, because there won’t be an AppArmor profile for the second application. You may be able to confine Wine tightly enough to prevent this (I wasn’t able to keep Wine Server functional with a profile that would prevent it), so if anyone has any luck with that please post and let me know.

Almost the weekend 🙂
