f0rb1dd3n / Reptile

LKM Linux rootkit

kernel: general protection fault: 0000 [#1] SMP #17

Closed corefx closed 6 years ago

corefx commented 6 years ago

Hello, I was testing the new remote backdoor (it's very nice) when I encountered this kernel crash (it happens quite quickly after using the remote backdoor). I was using Ubuntu 16.04.4 server (on VirtualBox) for testing. A similar crash also happened on Ubuntu 18.04 server. Details: crash.txt

corefx commented 6 years ago

Hi, There are also some (old) comments:

Crashes the kernel due to thread safety issues. Doesn't check that all kernel buffers are successfully allocated before use, leading to a crash under certain conditions.

Link: https://www.reddit.com/r/netsec/comments/7a4ehh/reptile_a_lkm_rootkit_for_evil_purposes/

f0rb1dd3n commented 6 years ago

Hi @corefx,

thank you for your report. I didn't do many tests before publishing, so I would appreciate any help testing this. I will take a look at this bug, and I will look at all the points mentioned in those (old) comments.

About detection, I thought about writing some obfuscations, but since this rootkit is public, it will always be detected. So I prefer to keep the better techniques priv8 to avoid detection.

Do you know this guy who mentioned he is working on a pull request to do some fixes?

corefx commented 6 years ago

Hi,

Do you know this guy who mentioned he is working on a pull request to do some fixes?

I don't know him.

f0rb1dd3n commented 6 years ago

I am trying to reproduce this crash to see what is going on, but I haven't got this crash.

Under what conditions are you getting this? Can you help me understand that?

corefx commented 6 years ago

Hi, sometimes the remote backdoor works just fine, but sometimes I get this crash. I have only tested Reptile on VirtualBox, not on real hardware. I noticed that the reboot command always triggers the crash, at least on the Ubuntu 18.04 server.

S4NE commented 6 years ago

hey guys,

got the same error on a Kali Linux VMware VM. But it also crashes in the real world :(

https://pastebin.com/4ZkvkWuQ

S4NE commented 6 years ago

Hey man,

it happens on connect through the shell; otherwise the module runs stable...


On 16.05.2018 at 01:06, Ighor Augusto notifications@github.com wrote:

can you tell me what exactly you are doing to get this crash?

thanks


pbr3s commented 6 years ago

If you are facing this error, you can check whether /reptile/reptile_shell exists.

But I think the problem I've described below is serious too.

To reproduce the error, rename your /module/module_shell to something else.

In decode_n_spawn(), strsep(buf) modifies buf, so you can't kfree(buf). I've tried to make a copy of buf before using it in strsep, but then my IP in shell_execer() is messed up; it looks like \xffffffff0\xffffffffff8\168.1.13 (just an example). I am not a C coder, so I can't figure it out.
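
The memory-safety point behind pbr3s's comment, shown as an added example that is not Reptile's code: strsep() overwrites the delimiter with a NUL and advances the pointer it is handed, so freeing that advanced pointer (or NULL, when no delimiter was found) hands the allocator something it never returned, which in a kernel module is exactly the kind of defect that surfaces as a general protection fault. The example is userspace C (malloc/free standing in for kmalloc/kfree); parse_endpoint, endpoint_port, cursor_offset_after_strsep, dup_string and the "host:port" input format are assumptions made for the illustration.

```c
#define _GNU_SOURCE           /* expose strsep() in glibc's string.h */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Prototype repeated so the file also builds under a strict -std=c99/c11
 * flag, where string.h may hide this BSD/GNU extension. */
char *strsep(char **stringp, const char *delim);

struct endpoint {
    char host[64];
    long port;
};

/* Heap copy of a C string (stands in for the kernel buffer being parsed). */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Parse "host:port" into *out.  Returns 0 on success, -1 on malformed input.
 * The allocation is tracked through `orig`; a separate cursor `cur` is what
 * strsep() advances, so the free() at the end always sees the pointer the
 * allocator actually returned. */
int parse_endpoint(const char *input, struct endpoint *out)
{
    char *orig = dup_string(input);  /* the pointer we must eventually free */
    if (!orig)
        return -1;

    char *cur = orig;                /* cursor that strsep() will advance */
    char *host = strsep(&cur, ":");  /* cur: just past ':' or NULL if none */
    char *port = cur;

    int rc = -1;
    if (host && *host && port && *port) {
        char *end = NULL;
        long p = strtol(port, &end, 10);
        if (end != port && *end == '\0' && p > 0 && p <= 65535) {
            snprintf(out->host, sizeof out->host, "%s", host);
            out->port = p;
            rc = 0;
        }
    }

    free(orig);   /* correct: the allocator's pointer, not the advanced cursor */
    return rc;
}

/* Convenience wrapper: the parsed port, or -1 when parsing fails. */
long endpoint_port(const char *input)
{
    struct endpoint ep;
    return parse_endpoint(input, &ep) == 0 ? ep.port : -1;
}

/* How far strsep() moved the cursor for `input`: the distance between the
 * pointer that must be freed and the one buggy code would free.  Returns -1
 * when strsep() set the cursor to NULL (no delimiter present), -2 on OOM. */
long cursor_offset_after_strsep(const char *input, const char *delim)
{
    char *orig = dup_string(input);
    if (!orig)
        return -2;
    char *cur = orig;
    strsep(&cur, delim);
    long off = cur ? (long)(cur - orig) : -1;
    free(orig);
    return off;
}

int main(void)
{
    struct endpoint ep;
    const char *sample = "192.168.1.13:4444";   /* constructed sample input */
    if (parse_endpoint(sample, &ep) == 0)
        printf("host=%s port=%ld\n", ep.host, ep.port);
    printf("cursor moved %ld bytes past the allocation start\n",
           cursor_offset_after_strsep(sample, ":"));
    printf("no delimiter: cursor offset %ld (NULL)\n",
           cursor_offset_after_strsep("nocolon", ":"));
    return 0;
}
```

The same pattern applies unchanged with kmalloc/kfree: keep the original pointer in its own variable, hand strsep() a throwaway cursor, and free only the original. A NULL check on the allocation before use (the other defect the old comments mention) is the `if (!orig)` branch above.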

f0rb1dd3n commented 6 years ago

Hello guys, sorry for my delay, I have been very busy lately.

So I have written a standalone module that just runs the backdoor, and it works fine without crashing. I did a quick verification, and the backdoor was somehow conflicting with the l33t_getdents function and crashing there.

I got another crash too, with the l33t_read function. So I have to do more tests.

@pbr3s, about the decode_n_spawn error, you got the point about kfree(buf), but I did a lot of tests with the buffer, and the IP is being decoded right. If you are having problems, I need to know more about them.

About the reptile_shell existence check, I saw your pull request, and I will comment on it there.

Thanks

f0rb1dd3n commented 6 years ago

Guys, I just committed some things, and I don't get the l33t_getdents crash anymore. I updated it with if(kdir) kfree(kdir); at the end of this function.

But I am still getting the l33t_read crash, and vfs_read is unexported in kernel 4.14+, so I will think of another way to do that feature.

Thanks

pbr3s commented 6 years ago

Don't worry about the buffer thing. It only occurred when I tried to copy the buffer and use the copy in strsep; with your code it decodes fine. I only tried to modify that because I wanted to properly free the buffer.

f0rb1dd3n commented 6 years ago

Hello guys,

can someone test whether Reptile is still crashing now? After my last commits I haven't had any crash yet.

thanks

pbr3s commented 6 years ago

No crashes here. Fedora Server 26 4.11.8-300.fc26.x86_64

corefx commented 6 years ago

No crashes. Tested on: Ubuntu 18.04 (4.15.0-20-generic), Ubuntu 16.04.4 (4.4.0-125-generic), Ubuntu 13.04 (3.8.0-35-generic) (all 64-bit)

f0rb1dd3n commented 6 years ago

That's nice guys.

I am glad these crashes were solved!

Thank you for helping with this!

f0rb1dd3n commented 6 years ago

@corefx, can you close this issue if it really has been solved?

corefx commented 6 years ago

Thanks for fixing this!