Closed. corefx closed this issue 6 years ago.
Hi, There are also some (old) comments:
crashes kernel due to thread safety issues. doesn't check that all kernel buffers are successfully allocated before use, leading to a crash under certain conditions.
Link: https://www.reddit.com/r/netsec/comments/7a4ehh/reptile_a_lkm_rootkit_for_evil_purposes/
Hi @corefx,
thank you for your report. I didn't do many tests before publishing, so I would appreciate any help testing this. I will take a look at this bug, and I will look at all the points mentioned in those (old) comments.
About detection, I thought about writing some obfuscations, but since this rootkit is public, it will always be detected. So I prefer to keep the better techniques priv8 to avoid detection.
do you know this guy that mentioned he is working on a pull request to do some fixings?
Hi,
I don't know him.
I am trying to get this crash, to see what is going on, but I haven't gotten it.
Under what conditions do you get it? Can you help me understand that?
Hi,
sometimes the remote backdoor works just fine, but sometimes I get this crash. I have only tested Reptile on VirtualBox, not on real hardware. I noticed that the reboot command always triggers the crash, at least on the Ubuntu 18.04 server.
hey guys,
got the same error on a Kali Linux VMware VM. But it also crashes in the real world :(
Hey man,
it happens on connecting through the shell; otherwise the module runs stable...
Sent from my iPhone
On 16.05.2018 at 01:06, Ighor Augusto <notifications@github.com> wrote:
can you tell me what exactly are you doing to take this crash?
thanks
(Issue: https://github.com/f0rb1dd3n/Reptile/issues/17)
But I think that the problem that I've described below is serious too.
To reproduce the error, rename your /module/module_shell to something else.
In decode_n_spawn(), strsep(buf) modifies buf, so you can't kfree(buf). I've tried to make a copy of buf before using it in strsep, but then my IP in shell_execer() is messed up; it looks like \xffffffff0\xffffffffff8\168.1.13 (just an example). I am not a C coder, so I can't figure it out.
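The comment above describes a generic C pitfall rather than anything specific to this project: strsep() advances the pointer it is handed, so the variable no longer points at the start of the allocation and must not be passed to the allocator's free function. The following is an added userland illustration (not code from the Reptile project; the field names, the colon-separated sample string and the helper names are constructed for this example) that keeps the original allocation pointer in a separate variable, walks a copy with strsep(), and frees the original. The same discipline applies to kmalloc()/kfree() in kernel code.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>

/* Explicit prototypes as a fallback in case the feature macro above is
 * processed too late for <string.h> to expose these declarations. */
char *strsep(char **stringp, const char *delim);

#define MAX_TOKENS 8
#define TOKEN_LEN 64

/* Split a colon-separated string into tokens[], returning the token count.
 * 'buf' is the allocation and is the only pointer ever passed to free();
 * 'cursor' is what strsep() advances and becomes NULL at the end. */
int split_fields(const char *input, char tokens[][TOKEN_LEN], int max_tokens) {
    size_t len = strlen(input) + 1;
    char *buf = malloc(len);                 /* the allocation we must free */
    if (!buf)
        return -1;
    memcpy(buf, input, len);

    char *cursor = buf;                      /* strsep moves this, not buf */
    char *tok;
    int n = 0;
    while (n < max_tokens && (tok = strsep(&cursor, ":")) != NULL) {
        strncpy(tokens[n], tok, TOKEN_LEN - 1);
        tokens[n][TOKEN_LEN - 1] = '\0';
        n++;
    }
    free(buf);                               /* original pointer, never cursor */
    return n;
}

/* How far strsep() moved the cursor after a single call. A non-zero result
 * shows the cursor is no longer a valid argument for free(). */
long cursor_offset_after_one_strsep(const char *input) {
    size_t len = strlen(input) + 1;
    char *buf = malloc(len);
    if (!buf)
        return -1;
    memcpy(buf, input, len);
    char *cursor = buf;
    strsep(&cursor, ":");
    long off = cursor ? (long)(cursor - buf) : -1;
    free(buf);
    return off;
}

/* Small wrappers so results can be checked as scalars. */
int field_count(const char *input) {
    char tokens[MAX_TOKENS][TOKEN_LEN];
    return split_fields(input, tokens, MAX_TOKENS);
}

int field_matches(const char *input, int idx, const char *expected) {
    char tokens[MAX_TOKENS][TOKEN_LEN];
    int n = split_fields(input, tokens, MAX_TOKENS);
    if (idx < 0 || idx >= n)
        return 0;
    return strcmp(tokens[idx], expected) == 0;
}
```

Running this under a tool such as AddressSanitizer or valgrind with free(cursor) substituted for free(buf) reports an invalid free, which is the userland equivalent of the kernel crash being discussed.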
Hello guys, sorry my delay, I am very busy lately.
So I have written a standalone module to just run the backdoor, and it works fine without crashing. I did a quick verification, and the backdoor was somehow conflicting with the l33t_getdents function and crashing there.
I got another crash too, with the l33t_read function. So I have to do more tests.
@pbr3s, about the decode_n_spawn error, you got the point at kfree(buf), but I did a lot of tests with the buffer, and the IP is being decoded right. If you are having problems, I need to know more about it.
About reptile_shell exists, I saw your pull request, and I will comment on it there.
Thanks
Guys, I just committed some things, and I didn't get the l33t_getdents crash anymore. I updated if(kdir) kfree(kdir); at the end of this function.
But I am still having the l33t_read crash, and vfs_read is unexported in kernel 4.14+, so I will think of another way to do that feature.
Thanks
Don't worry about the buffer thing. It only occurred when I tried to copy the buffer and use the copy in the strsep; with your code it decodes fine. I only tried to modify that because I wanted to properly free the buffer.
Hello guys,
can someone test if Reptile is crashing now? After my last commits I haven't gotten any crash yet.
thanks
No crashes here. Fedora Server 26 4.11.8-300.fc26.x86_64
No crashes. Tested on: Ubuntu 18.04 (4.15.0-20-generic) Ubuntu 16.04.4 (4.4.0-125-generic) Ubuntu 13.04 (3.8.0-35-generic) (all 64 bit)
That's nice guys.
I am glad these crashes were solved!
Thank you for helping with this!
@corefx, can you close this issue if it has really been solved?
Thanks for fixing this!
Hello, I was testing the new remote backdoor (it's very nice) when I encountered this kernel crash (it happens quite quickly after using the remote backdoor). I was using Ubuntu 16.04.4 server (on VirtualBox) for testing. A similar crash also happened on Ubuntu 18.04 server. Details: crash.txt