author | commit | date

h3xduck | ff0f34c6a4 | 2022-05-09 18:57:23 -04:00
    Included new library version with support for tcp src port payload injection

h3xduck | ff2868846f | 2022-05-09 17:48:02 -04:00
    Fixed a big bug in previous client terminals, also made the new multi-triggered backdoor work completely and connect to encrypted session

h3xduck | 073e1d3129 | 2022-05-09 16:36:39 -04:00
    Completed new backdoor packet stream parsing for V3 backdoor using hidden payloads in TCP and IP header positions

h3xduck | ba19537ec1 | 2022-05-07 20:45:02 -04:00
    Added new packet stream payload mode in client for V3 backdoor

h3xduck | 5746ac5efb | 2022-05-07 19:16:33 -04:00
    Added new hidden packets, commands and rest of structure to activate and deactivate hooks from the backdoor

h3xduck | ce7d36371d | 2022-05-07 17:55:27 -04:00
    Finished encrypted interactive shell and encrypted protocol implementation, V2 rootkit now fully functional

h3xduck | f6a4c1daa0 | 2022-05-07 10:36:46 -04:00
    Finished execve hijacking, added new last checks and discovered why sometimes it fails. New detached process at the userspace. Other fixes

h3xduck | cceca23478 | 2022-05-05 22:14:28 -04:00
    Completed message sharing, starting with protocol now

h3xduck | 213e30ba3b | 2022-05-05 17:52:58 -04:00
    Fixed keys of trigger packet V1, added sample servers, fixed client bug

h3xduck | 0553ad777f | 2022-05-05 13:22:47 -04:00
    Completed message passing of commands to userspace via ebpf ringbuffer

h3xduck | 2deebf1b9e | 2022-05-05 12:59:02 -04:00
    Added V1 command sending via secret trigger on backdoor

h3xduck | ead4a4ca68 | 2022-05-04 08:54:21 -04:00
    Completed checks for V1 trigger

h3xduck | 073a911f74 | 2022-05-04 04:40:25 -04:00
    Included new version of custom lib. Added checks for backdoor triggering

h3xduck | 25ef3acc5a | 2022-04-27 21:56:37 -04:00
    Updating doc, adding makefile and preparing document

h3xduck | 8be536fb6f | 2022-04-14 13:24:43 -04:00
    Added locking mechanism for execve_hijack. Incorporated new library rawtcp with latest version without bug.

h3xduck | a9f0ae17f7 | 2022-04-14 09:49:08 -04:00
    Completed client payload generation

h3xduck | e8abc7415a | 2022-04-14 07:54:21 -04:00
    Advancements on payload recognition. Now proceeding to build protocol

h3xduck | 43ccb6cd3d | 2022-04-13 20:46:06 -04:00
    Added packet parsing and bound checking

h3xduck | c3bffb6f84 | 2022-04-13 16:56:17 -04:00
    Completed packet parsing at tc hook

h3xduck | 7157729334 | 2022-04-13 08:57:33 -04:00
    Added forked routine to execve_hijack. Improved argv modification and made it work. Working now.

h3xduck | 805fa760cf | 2022-02-24 19:53:11 -05:00
    Corrected issues of opening directories without permission in execve helper

h3xduck | b182ac1eeb | 2022-02-20 16:50:15 -05:00
    Added new TC module, updates to the exec hooking system and the userland module

h3xduck | 1ec4ed8486 | 2022-02-19 11:57:32 -05:00
    Now the execve hijacker works without needing a canalizer. Removed it. Also some additional tweaks to the c&c launching of the helper

h3xduck | 8e97624326 | 2022-02-19 11:08:56 -05:00
    Improved the privesc module which used sudo, now correctly working when the user already has sudo with password capabilities. Now the rootkit userspace helper is correctly launching with root permissions

h3xduck | 130364e6ab | 2022-02-18 09:08:54 -05:00
    Added support for integrating the execution hijacker via the rootkit. Still some work to do, also changed some config from fs which needs to be reverted

h3xduck | 0e022a8385 | 2022-02-18 04:06:18 -05:00
    Completed execution of arbitrary commands sent from the backdoor client

h3xduck | b68e01c057 | 2022-02-18 03:32:07 -05:00
    Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version.

h3xduck | 9a47a2b15a | 2022-02-17 06:21:09 -05:00
    Completed client integration with new c&c module.

h3xduck | 431a019931 | 2022-02-16 19:38:39 -05:00
    Updated my RawTCPLib library with newest version supporting sniffing for payloads. Also new data in preparation for complete RCE module

h3xduck | 2ae705f037 | 2022-02-14 20:08:30 -05:00
    Added new map structure, in preparation for new internal maps storing requested commands via the network backdoor

h3xduck | edbaf09c06 | 2022-02-14 17:45:07 -05:00
    Completed execve hijacking, as with special error cases that arise and that are documented in the code.

h3xduck | 044c85f3ff | 2022-02-06 14:15:57 -05:00
    Initial version of the RCE scheme. Added complete execve hook, helper and modifying capabilities for the filename called. Work still needs to be done

h3xduck | 05baa8fb8a | 2022-02-05 19:00:25 -05:00
    Added new helper program to be used with the execve hijacking module

h3xduck | 41ef733520 | 2022-02-05 14:10:12 -05:00
    Completed faking that a user is in the sudoers file. Now user 'test' can use sudo without being there

h3xduck | 643783004a | 2022-02-05 13:49:20 -05:00
    Added new hooks and updated map fields to support new sudo module.

h3xduck | 2b50d376a6 | 2022-01-26 13:04:23 -05:00
    Updated function and configurator manager names to the used hook.

Marcos S. Bajo | 9b366810b5 | 2022-01-16 13:36:12 +01:00
    Merge pull request #18 from h3xduck/output_modifier
    Basic user memory manipulation + Control over rootkit modules and probes + Basic communication system

h3xduck | e10f5183b3 | 2022-01-16 07:03:07 -05:00
    Updated readme with new PoC

h3xduck | 3832d99af1 | 2022-01-16 06:56:54 -05:00
    Updated file names and directory structure to the new multi-modules rootkit

h3xduck | fc0d30f06f | 2022-01-16 06:45:45 -05:00
    Completed output modification of sys_read. Created a simple PoC

h3xduck | 99e9fd4277 | 2022-01-15 16:16:30 -05:00
    FS module now can overwrite the buffer of read syscalls, effectively modifying what is returned as a result. Small PoC included now which modifies any first char in a string to 'O'. Use under discretion, may crash some programs, not enough checks implemented yet.

h3xduck | 945e2f2def | 2022-01-14 22:05:08 -05:00
    Added new probe to read the previously extracted params and overwrite user memory. Still not fully working, just a backup

h3xduck | 106f141c7e | 2022-01-14 21:18:51 -05:00
    Added new kprobe to the filesystem ebpf section. Now receiving read events, and storing them in a map for later use, along with a reference to the user-space memory buffer

h3xduck | 193d9ec28f | 2022-01-06 13:31:52 -05:00
    Fixed the whole header setup, now correctly using the kernel headers instead of normal development ones. Ready to go on with original plan of file system hooking

h3xduck | 4882ce790c | 2022-01-05 20:34:53 -05:00
    [BUILD FAILING] Checkpoint for backup, added new hook for file system, tweaked makefile for real kernel header files inclusion, still not working. Committing for periodic backup

h3xduck | f8774ac9cf | 2022-01-04 20:09:59 -05:00
    [BUILD IS FAILING] Added file system hooks and other improvements. Uploading because of needing to backup

h3xduck | 74873dbca5 | 2022-01-04 13:26:13 -05:00
    Completed configuration module which enables to change the running ebpf modules in the rootkit at runtime. Minor changes and updated code structure

h3xduck | 40da6b300b | 2022-01-02 16:02:23 -05:00
    Capability of attaching/detaching as many times as we want is finished. Now rootkit is fully customizable from the userland (and thus remotely through the backdoor)

h3xduck | adaf909781 | 2022-01-02 06:28:45 -05:00
    Completed detachment of probes, enabling to attach and detach at will. Work needs to be done with xdp tho

h3xduck | d18b0aa23c | 2021-12-31 12:02:35 -05:00
    Further improvements in the rootkit configuration by the user