RCS phones home!

My last post ended with a bit of a scare when the build script (written in Ruby) attempted to connect to a server called rcs-castore on port 433.

Luckily, I didn't have rcs-castore in my hosts file (because really, why would I?), but it did give me a chance to stop and think about how far I've actually got in the build process.

Looking at the main Makefile, it seems like it's building a subproject called dropper, then another called core, then sleeping for 5 seconds and making build with the argument upload. My build output earlier showed a 5-second timeout, so I'd guess that dropper and core built correctly.

Looking at the Makefile for build, it looks like upload is a "phony" target to run ./script/rcs-core.rb with a couple of arguments. (Phony arguments indicate that upload is a command make should run, as opposed to a file it should compile).

The filename rcs-core.rb sounds promising: RCS, or Remote Control System, is the main service provided by Hacking Team to governments. According to their informational materials, it allows recording from microphones, cameras, keylogging and a whole lot more.

After looking through rcs-core.rb, although I'm not familiar with Ruby, I think I can safely say it relies on a web server that I don't have available to me, to do some or all of the following:

  • Authorise a login over HTTPS
  • Log back out again
  • Retrieve a list of "cores"
  • Retrieve a specific "core", and write it to a binary file
  • Retrieve a core's "content", whatever that may be
  • Replace a core on the web server with one stored locally
  • Add a file to a given core
  • Remove a file from a given core
  • Delete a core by name
  • Retrieve and save a "factory" - looks like this is verified by the MD5 signature of the server's response to a GET request for "/signature/agent".
  • Configure an "agent" by POST-ing the contents of param_file to "/agent/add_config"
  • Upload parameters to "/upload"
  • Build an "agent" by taking a param_file as input, then POST-ing it (formatted as JSON) to "/build"

The main body of the program parses options from the command-line by using Ruby's OptionParser. Running the script with argument -h displays a full list of the options available:

(Click here for the raw file.)

There's a lot of references to a JSON-formatted param_file in the code, so it couldn't hurt to have a look at the default params.json in the build directory:

{"platform": "linux",
 "binary": {"demo": false},
 "melt": {"admin": false}}

Not much there to comment on, but one at least hopes the "demo" field wasn't the only thing separating trial verions of the software from full releases... although, from what people have been finding in the 400GB torrent (passwords like "p4ssword", etc.), it wouldn't surprise me.

Anyway: my plan now is to set up my own rcs-castore mirror and provide it as an argument to rcs-core.rb; hopefully the source to their webapp is in this mass of repositories somewhere.