Thanks for fixing this!

from reptile.

Hi,
There are also some (old) comments:

crashes kernel due to thread safety issues.
doesn't check that all kernel buffers are successfully allocated before use, leading to a crash under certain conditions.

Link: https://www.reddit.com/r/netsec/comments/7a4ehh/reptile_a_lkm_rootkit_for_evil_purposes/

from reptile.

Hi @corefx,

thank you for your reporting. I didnt do many tests before publishing, so I would appreciate any help to testing this. I will take a look at this bug, and I will look all this points mentioned at this (old) comments.

About detection, I thought in writing some obfuscations, but since this rootkit is public, this always will be detected. So I prefer keep the better techniques in priv8 to avoid detections.

do you know this guy that mentioned he is working on a pull request to do some fixings?

from reptile.

Hi,

do you know this guy that mentioned he is working on a pull request to do some fixings?

I don't know him.

from reptile.

I am trying to get this crash, to see what is going on, but I havent got this crash.

What conditions do you having this? Can you help me to understand that?

from reptile.

Hi,
sometimes the remote backdoor works just fine but sometimes I get this crash. I have only tested Reptile on the Virtualbox not on the real hardware. I noticed that the reboot command always triggers the crash at least on the Ubuntu 18.04 server.

from reptile.

hey guys,

got the same error on a kali linux vmware.
But it also crashes in real world :(

https://pastebin.com/4ZkvkWuQ

from reptile.

from reptile.

if you are facing this error you can check if /reptile/reptile_shell exists.

but i think that the problem that i've described below is serious too.

to reproduce the error rename your /module/module_shell to something else.

in the decode_n_spawn()
strsep(buf) modifies buf..
so, you can't kfree(buf)
i've tried to make a copy of buf before using it in strsep but then my ip in the shell_execer() is messed up.. it looks like \xffffffff0\xffffffffff8\168.1.13(just an exemple).
i am not a C coder so i can't figure it out.

from reptile.

Hello guys, sorry my delay, I am very busy lately.

So I have written a standalone module to just run the backdoor, and It works fine without crashing. I did a fast verification, and the backdoor in some way was conflicting with l33t_getdents function, and crashing there.

I got another crash too, with l33t_read function. So, I have to do more tests.

@pbr3s, about decode_n_spawn error, you got the point at kfree(buf), but I did a lot of tests with buffer, and the IP is being decoded right. If you are having problems, I need to know more about.

About reptile_shell exists, I saw your pull request, and I will comment it there.

Thanks

from reptile.

Guys, I just commit some things, and I didnt get l33t_getdents crash anymore. I update if(kdir) kfree(kdir); at the end of this function.

But I am still having l33t_read crash, and vfs_read is unexported in kernel 4.14+, then I will think another way to do that feature.

Thanks

from reptile.

Don't worry about the buffer thing.. it only ocorred when i tried to copy the buffer and use the copy in the strsed.. with your code it decodes fine.
I only tried to modify that because i wanted to properly free the buffer.

from reptile.

Hello guys,

can someone test if Reptile is crashing now? After my last commits I didnt get any crash yet.

thanks

from reptile.

No crashes here. Fedora Server 26 4.11.8-300.fc26.x86_64

from reptile.

No crashes. Tested on:
Ubuntu 18.04 (4.15.0-20-generic)
Ubuntu 16.04.4 (4.4.0-125-generic)
Ubuntu 13.04 (3.8.0-35-generic)
(all 64 bit)

from reptile.

That's nice guys.

I am glad this crashes was solved!

Thank you helping this!

from reptile.

@corefx, can you close this issue if it is really have solved?

from reptile.