h3xduck
|
757a480de9
|
Completed work on deployer, previous to cron persistence
|
2022-05-16 12:52:25 -04:00 |
|
h3xduck
|
82fa056955
|
Added hide directory capabilities for the rootkit
|
2022-05-16 11:24:59 -04:00 |
|
h3xduck
|
4044d7994c
|
Added sys_openat for the injection module, fully working!
|
2022-05-16 08:02:38 -04:00 |
|
h3xduck
|
78b3132687
|
Updated some files for eveything to work now that it is all together. Execve hijacker and clients in particular
|
2022-05-15 20:47:58 -04:00 |
|
h3xduck
|
4a292f0f7a
|
Merged master and develop, now all changes together. Fully tested and working.
|
2022-05-15 20:46:35 -04:00 |
|
h3xduck
|
ce3b267d01
|
Fixed phantom shell, added ips for all types of backdoor triggers so that we can use different interfaces
|
2022-05-15 16:45:47 -04:00 |
|
h3xduck
|
d509f20974
|
Completed command passing for phantom shell
|
2022-05-15 14:44:16 -04:00 |
|
h3xduck
|
ad4f9b2504
|
Completed phantom shell protocol, added new checksum correctors
|
2022-05-11 20:27:52 -04:00 |
|
h3xduck
|
28ed530aea
|
Completed the TC Hook and payload enlargment and substitution mechanisms. Only the packet recognition on the client side remains to work
|
2022-05-11 17:31:38 -04:00 |
|
h3xduck
|
567d8d706c
|
Further completed the phantom shell routine and added more checks in TC, still not finished, payload rewriting remains, but the rest is fully ready
|
2022-05-10 23:04:19 -04:00 |
|
h3xduck
|
f2c3624e8b
|
Added test on tc clasiffier, added pinned maps, and obtaining the fd from other maps in order to synchronize between programs
|
2022-05-10 19:09:52 -04:00 |
|
h3xduck
|
4211d0b5d5
|
Updated all components with phantom shell
|
2022-05-09 22:06:29 -04:00 |
|
h3xduck
|
5320f35d01
|
Added new hidden payload stream mode, now triggered using the source port. Fully integrated already, can select between that and seqnum in client. Both launch live encrypted shell via v3 backdoor
|
2022-05-09 20:16:13 -04:00 |
|
h3xduck
|
ff2868846f
|
Fixed a big bug in previous client terminals, also made the new multi-triggered backdoor to work completely and connect to encrypted session
|
2022-05-09 17:48:02 -04:00 |
|
h3xduck
|
073e1d3129
|
Completed new backdoor packet stream parsing for V3 backdoor using hidden payloads in TCP and IP header positions
|
2022-05-09 16:36:39 -04:00 |
|
h3xduck
|
5746ac5efb
|
Added new hidden packets, commands and rest of structure to activate and deactivate hooks from the backdoor
|
2022-05-07 19:16:33 -04:00 |
|
h3xduck
|
ce7d36371d
|
Finished encrypted interactive shell and encrypted protocol implementation, V2 rootkit now fully functional
|
2022-05-07 17:55:27 -04:00 |
|
h3xduck
|
f6a4c1daa0
|
Finished execve hijacking, added new last checks and discovered why sometimes it fails. New detached process at the userspace. Other fixes
|
2022-05-07 10:36:46 -04:00 |
|
h3xduck
|
213e30ba3b
|
Fixed keys of trigger packet V1, added sample servers, fixed client bug
|
2022-05-05 17:52:58 -04:00 |
|
h3xduck
|
0553ad777f
|
Completed message passing of commands to userspace via ebpf ringbuffer
|
2022-05-05 13:22:47 -04:00 |
|
h3xduck
|
2deebf1b9e
|
Added V1 command sending via secret trigger on backdoor
|
2022-05-05 12:59:02 -04:00 |
|
h3xduck
|
ead4a4ca68
|
Completed checks for V1 trigger
|
2022-05-04 08:54:21 -04:00 |
|
h3xduck
|
073a911f74
|
Included new version of custom lib. Added checks for backdoor triggering
|
2022-05-04 04:40:25 -04:00 |
|
h3xduck
|
8be536fb6f
|
Added locking mechanism for execve_hijack. Incorporated new library rawtcp with latest version without bug.
|
2022-04-14 13:24:43 -04:00 |
|
h3xduck
|
7157729334
|
Added forked routine to execve_hijack. Improved argv modification and made it work. Working now.
|
2022-04-13 08:57:33 -04:00 |
|
h3xduck
|
e881502ffa
|
Now control flow is redirected back to the syscall after running the shared library constructor instead of skipping it
|
2022-04-09 14:17:09 -04:00 |
|
h3xduck
|
621e42e2e8
|
Changed shellcode to include backup of registers and stuck. Now prevents stack smashing detection via the stack canaries
|
2022-04-07 19:47:53 -04:00 |
|
h3xduck
|
be5605db5f
|
Introduced shellcode and finished code cave writing and injection. RELRO working
|
2022-04-07 11:54:24 -04:00 |
|
h3xduck
|
3438f5846f
|
Finished injection module at userspace using /proc/<pid>/maps, enables to overwrite the GOT section with RELRO activated
|
2022-04-07 07:11:28 -04:00 |
|
h3xduck
|
96cfda8c1f
|
Finished RELRO adaptation.
|
2022-04-04 18:04:34 -04:00 |
|
h3xduck
|
748062f464
|
Adapted memory analysis to larger memory addresses inside the virtual address space. Solved bugs and others, adapting code for RELRO.
|
2022-04-04 17:07:45 -04:00 |
|
h3xduck
|
8f28c3a883
|
Updated helpers and added resources to help with lib injection
|
2022-03-24 15:40:05 -04:00 |
|
h3xduck
|
9dff5e71dc
|
Included offset and extraction of interesting functions
|
2022-03-17 21:41:40 -04:00 |
|
h3xduck
|
0fbcb8bdf7
|
Fixed probe not probing correct syscall entry
|
2022-03-17 19:36:25 -04:00 |
|
h3xduck
|
fcf43ff180
|
Finished extraction of return address from the stack, and libc syscall adress
|
2022-03-17 19:32:32 -04:00 |
|
h3xduck
|
9647972531
|
Finished extraction of stack return address
|
2022-03-17 13:18:19 -04:00 |
|
h3xduck
|
671e2d671d
|
Added extraction of original jump instruction and opcodes
|
2022-03-15 18:36:59 -04:00 |
|
h3xduck
|
0c88d5baa9
|
Successfully added uprobes calculation and hooking at arbitrary function of execve_hijack.
|
2022-03-03 05:53:51 -05:00 |
|
h3xduck
|
e64839f080
|
Added new libc symbols extraction
|
2022-03-02 19:00:50 -05:00 |
|
h3xduck
|
805fa760cf
|
Corrected issues of opening directories without permission in execve helper
|
2022-02-24 19:53:11 -05:00 |
|
h3xduck
|
b182ac1eeb
|
Added new TC module, updates to the exec hooking system and the userland module
|
2022-02-20 16:50:15 -05:00 |
|
h3xduck
|
1ec4ed8486
|
Now the execve hijacker works without needing a canalizer. Removed it. Also some additional tweaks to the c&c launching of the helper
|
2022-02-19 11:57:32 -05:00 |
|
h3xduck
|
8e97624326
|
Improved the pricvesc module which used sudo, now correctly working when the user already has sudo with password capabilities. Now the rootkit userspace helper is correctly launching with root permissions
|
2022-02-19 11:08:56 -05:00 |
|
h3xduck
|
130364e6ab
|
Added support for integrating the execution hijacker via the rootkit. Still some work to do, also changed some config from fs which needs to be reverted
|
2022-02-18 09:08:54 -05:00 |
|
h3xduck
|
2ae705f037
|
Added new map structure, in preparation for new internal maps storing requested commands via the network backdoor
|
2022-02-14 20:08:30 -05:00 |
|
h3xduck
|
edbaf09c06
|
Completed execve hijacking, as with special error cases that arise and that are documented in the code.
|
2022-02-14 17:45:07 -05:00 |
|
h3xduck
|
044c85f3ff
|
Initial version of the RCE scheme- Added complete execve hook, helper and modifying capabilities for the filename called. Works still needs to be done
|
2022-02-06 14:15:57 -05:00 |
|
h3xduck
|
41ef733520
|
Completed faking that an user is in the sudoers file. Now user 'test' can use sudo without being there
|
2022-02-05 14:10:12 -05:00 |
|
h3xduck
|
643783004a
|
Added new hooks and updated map fields to support new sudo module.
|
2022-02-05 13:49:20 -05:00 |
|
h3xduck
|
2b50d376a6
|
Updated function and configurator manager names to the used hook.
|
2022-01-26 13:04:23 -05:00 |
|