cowrie / cowrie

Cowrie SSH/Telnet Honeypot https://cowrie.readthedocs.io
https://www.cowrie.org/

Cowrie hangs on multi-command busybox #950

Closed JacobPimental closed 6 years ago

JacobPimental commented 6 years ago

Describe the bug

Hi all, I was analyzing logs from Cowrie and noticed that it wasn't downloading a lot of the Mirai botnet variants out there. They would run the command /bin/busybox wget; /bin/busybox tftp; /bin/busybox ECCHI and then Cowrie would freeze until the connection times out.

To Reproduce

Steps to reproduce the behavior:

  1. Connect to cowrie honeypot
  2. Run command /bin/busybox wget; /bin/busybox tftp; /bin/busybox ECCHI
  3. Cowrie hangs

Expected behavior

Running this in a normal Linux environment produces the results:

# /bin/busybox wget; /bin/busybox tftp; /bin/busybox ECCHI
BusyBox v1.22.1 (Debian 1:1.22.0-19+b3) multi-call binary.

Usage: wget [-c|--continue] [-s|--spider] [-q|--quiet] [-O|--output-document FILE]
        [--header 'header: value'] [-Y|--proxy on/off] [-P DIR]
        [-U|--user-agent AGENT] URL...

Retrieve files via HTTP or FTP

        -s      Spider mode - only check file existence
        -c      Continue retrieval of aborted transfer
        -q      Quiet
        -P DIR  Save to DIR (default .)
        -O FILE Save to FILE ('-' for stdout)
        -U STR  Use STR for User-Agent header
        -Y      Use proxy ('on' or 'off')

BusyBox v1.22.1 (Debian 1:1.22.0-19+b3) multi-call binary.

Usage: tftp [OPTIONS] HOST [PORT]

Transfer a file from/to tftp server

        -l FILE Local FILE
        -r FILE Remote FILE
        -g      Get file
        -p      Put file
        -b SIZE Transfer blocks of SIZE octets

ECCHI: applet not found

Server (please complete the following information):

JacobPimental commented 6 years ago

Breaking this down I found it's an issue with tftp. When run without an argument it crashes. Looking into it now to try to come up with a fix.
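
The failure described in this thread, as an added sketch that is not part of the issue and is not Cowrie's code: a toy multi-call dispatcher in which a bare `tftp` either raises and stops the rest of the line, or answers with usage text so the chain runs through to `ECCHI: applet not found`. All function names are hypothetical, the `IndexError` cause is an assumption, and the wget usage string is abbreviated.

```python
# Added illustration: all names here are hypothetical, not Cowrie's API.
TFTP_USAGE = (
    "BusyBox v1.22.1 (Debian 1:1.22.0-19+b3) multi-call binary.\n\n"
    "Usage: tftp [OPTIONS] HOST [PORT]\n"
)
WGET_USAGE = "Usage: wget [-c|--continue] [-s|--spider] [-q|--quiet] ... URL...\n"

def wget(args):
    return WGET_USAGE if not args else f"wget: fetching {args[-1]}\n"

def tftp_fragile(args):
    host = args[0]  # assumed failure mode: IndexError on a bare `tftp`
    return f"tftp: contacting {host}\n"

def tftp_hardened(args):
    if not args:  # bare `tftp`: answer with usage text, as BusyBox does
        return TFTP_USAGE
    return f"tftp: contacting {args[0]}\n"

def run_line(line, applets, isolate=True):
    """Run ';'-separated `/bin/busybox APPLET [ARGS]` commands.

    Returns (output, errors). With isolate=False an applet exception
    propagates and the rest of the line never runs."""
    out, errors = [], []
    for cmd in line.split(";"):
        words = cmd.split()
        if len(words) < 2 or words[0] != "/bin/busybox":
            continue  # other commands are out of scope for this sketch
        name, args = words[1], words[2:]
        handler = applets.get(name)
        if handler is None:
            out.append(f"{name}: applet not found\n")
            continue
        try:
            out.append(handler(args))
        except Exception as exc:
            if not isolate:
                raise
            errors.append((name, repr(exc)))  # for the operator log only
    return "".join(out), errors

LINE = "/bin/busybox wget; /bin/busybox tftp; /bin/busybox ECCHI"  # from the issue
FRAGILE = {"wget": wget, "tftp": tftp_fragile}
HARDENED = {"wget": wget, "tftp": tftp_hardened}

if __name__ == "__main__":
    output, errors = run_line(LINE, HARDENED)
    print(output, end="")
    print("errors:", errors)
```

Isolating each applet keeps the session responsive, but the fragile handler still produces no tftp usage text, which differs from the real BusyBox output shown in the report; the argument check is what restores fidelity.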