father
The Father LD_PRELOAD rootkit requires its config settings to be compiled into the binary.
This command compiles the binary and stores the resulting path in the variable LAST_FATHER_PATH.
If local_path is not defined, the command creates a temporary directory and copies
the sources into it before compiling the rootkit.
Father can be found at this GitHub page.
commands:
  - type: father
    cmd: generate
    hiddenport: 2222
    shell_pass: "superpass"
    env_var: "norkt"
  - type: debug
    cmd: ""
    varstore: True
    # {'LAST_FATHER_PATH': '/tmp/tmpuou9rb0a/Father/rk.so', 'RESULT_STDOUT': 'Saved to /tmp/tmpuou9rb0a/Father/rk.so', 'RESULT_RETURNCODE': '0'}
- gid
  The group id under which the rootkit operates. All processes of this gid are hidden.
  - Type: int
  - Default: 1337
  - Required: False
- srcport
  The magic source port that allows connecting to Father's accept() backdoor.
  - Type: int
  - Default: 54321
  - Required: False
- epochtime
  Time for timebomb() to go off, in seconds since 1970-01-01.
  - Type: int
  - Default: 0000000000
  - Required: False
- env_var
  Magic environment variable for Local Privilege Escalation (LPE). If this environment variable is set, it is possible to escalate privileges using sudo or gpasswd.
  - Type: str
  - Default: lobster
  - Required: False
- file_prefix
  Magic prefix for hidden files.
  - Type: str
  - Default: lobster
  - Required: False
- preload_file
  Hide this preload file (hides the rootkit itself).
  - Type: str
  - Default: ld.so.preload
  - Required: False
- hiddenport
  Port to remove from netstat output, etc.
  - Type: str (hex)
  - Default: D431
  - Required: False
- shell_pass
  Password for the accept() backdoor shell.
  - Type: str
  - Default: lobster
  - Required: False
- install_path
  Location of the rootkit on disk.
  - Type: str
  - Default: /lib/selinux.so.3
  - Required: False
- local_path
  Copy the rootkit to this local path before compiling it. If not set, the builder generates a temporary path.
  - Type: str
  - Required: False
- arch
  Target architecture to compile the rootkit for. Currently only amd64 is supported.
  - Type: str
  - Default: amd64
  - Required: False
- build_command
  Use this command to build the rootkit. This setting can be useful for compiling the rootkit in a chroot environment.
  - Type: str
  - Default: make
  - Required: False
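A defender-side check for the on-disk artifacts these settings produce (install_path and preload_file above), added here as an example and not code from Father or the framework documented on this page: it parses ld.so.preload content (a constructed sample is embedded) and reports every preloaded library, singling out the default install path. TRUSTED_DIRS and the injectable exists callback are assumptions for this example.

```python
"""Audit ld.so.preload content for LD_PRELOAD rootkit indicators.

Added example for this page; not code from Father or the framework documented
here. The sample preload content in main is constructed.
"""
import os
import re
from dataclasses import dataclass

# Defaults taken from the parameter list on this page.
FATHER_DEFAULT_INSTALL_PATH = "/lib/selinux.so.3"
PRELOAD_FILE = "/etc/ld.so.preload"

# Where packaged shared objects normally live (assumption; adjust per distro).
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


@dataclass
class Finding:
    path: str
    reason: str


def parse_preload(text: str) -> list[str]:
    """Split ld.so.preload text into library paths (whitespace or ':' separated)."""
    return [p for p in re.split(r"[\s:]+", text) if p]


def audit_preload(text: str, exists=os.path.exists) -> list[Finding]:
    """Return one finding per preloaded library; an empty list means nothing is preloaded.

    `exists` is injectable so the logic can be tested without touching the host.
    A hooked libc can lie to stat() too, so run this from a static binary or
    against an offline image when a rootkit is suspected.
    """
    findings = []
    for path in parse_preload(text):
        if path == FATHER_DEFAULT_INSTALL_PATH:
            reason = "matches Father's default install_path"
        elif not path.startswith(TRUSTED_DIRS):
            reason = "preloaded from outside the system library directories"
        elif not exists(path):
            reason = "listed but not present on disk (possibly hidden by hooks)"
        else:
            reason = "preloaded library; verify ownership with the package manager"
        findings.append(Finding(path, reason))
    return findings


if __name__ == "__main__":
    sample = "/lib/selinux.so.3\n/usr/lib/libsample.so\n"  # constructed content
    for f in audit_preload(sample):
        print(f"{f.path}: {f.reason}")
```

On a live host, read PRELOAD_FILE and pass its contents to audit_preload; an empty file or an absent file is the expected clean state.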