Merge pull request #29 from Aegrah/several-fixes-and-improvements
[Improvements] Several improvements and fixes for PANIX v2.0.1 release
Aegrah authored Dec 19, 2024
2 parents ae404d5 + ca88d6a commit 2d2c118
Showing 9 changed files with 554 additions and 508 deletions.
88 changes: 44 additions & 44 deletions README.md
@@ -14,52 +14,52 @@ PANIX provides a versatile suite of features for simulating and researching Linu

| **Feature** | **Description** |**Root**|**User**|
|----------------------------------|-----------------------------------------------------------------------------------------|--------|--------|
| **At Job Persistence** | Implements persistence by adding entries to system jobs. | ✔️ | ✔️ |
| **Authorized Keys** | Adds a public key to the authorized_keys file for SSH access. | ✔️ | ✔️ |
| **Backdoor User** | Creates a backdoor user with `UID=0` (root privileges). | ✔️ ||
| **Backdoored /etc/passwd** | Directly adds a malicious user entry to `/etc/passwd`. | ✔️ ||
| **Backdoored /etc/init.d** | Establishes persistence via SysVinit (`/etc/init.d`). | ✔️ ||
| **Backdoored /etc/rc.local** | Establishes persistence via run control (`/etc/rc.local`). | ✔️ ||
| **Bind Shell** | Runs a pre-compiled/LOLBin bind shell for remote access. | ✔️ | ✔️ |
| **Capabilities Backdoor** | Adds specific capabilities to binaries to maintain persistence. | ✔️ ||
| **Cron Job Persistence** | Sets up cron jobs to ensure persistence across reboots. | ✔️ | ✔️ |
| **Create User** | Creates a new user account on the system. | ✔️ ||
| **Diamorphine Rootkit** | Installs the Diamorphine Loadable Kernel Module Rootkit. | ✔️ ||
| **Git Persistence** | Utilizes Git hooks or pagers to persist within Git repositories. | ✔️ | ✔️ |
| **Generator Persistence** | Leverages systemd generators to create persistent services. | ✔️ ||
| **Malicious Container** | Deploys a Docker container designed to host escape. | ✔️ | ✔️ |
| **Malicious Package** | Installs a `DPKG/RPM` package to achieve persistence. | ✔️ ||
| **LD_PRELOAD Backdoor** | Uses `LD_PRELOAD` to inject malicious libraries for persistence. | ✔️ ||
| **LKM Backdoor** | Loads a Loadable Kernel Module to maintain persistence. | ✔️ ||
| **MOTD Backdoor** | Alters Message of the Day (MOTD) to establish persistence. | ✔️ ||
| **Package Manager** | Manipulates `APT/YUM/DNF` to establish persistence on usage. | ✔️ ||
| **PAM Persistence** | Installs a PAM backdoor using a rogue module or pam_exec. | ✔️ ||
| **Password Change** | Changes user passwords to secure backdoor accounts. | ✔️ ||
| **Reverse Shell** | Establishes a reverse shell (supporting multiple LOLBins). | ✔️ | ✔️ |
| **Shell Profile Persistence** | Modifies shell profiles to execute scripts upon user login. | ✔️ | ✔️ |
| **SSH Key Persistence** | Manipulates SSH keys to maintain persistent access via SSH. | ✔️ | ✔️ |
| **Sudoers Backdoor** | Alters the `/etc/sudoers` file to grant elevated privileges. | ✔️ ||
| **SUID Backdoor** | Backdoors binaries by setting the SUID bit. | ✔️ ||
| **System Binary Backdoor** | Wraps system binaries to include backdoor functionality. | ✔️ ||
| **Systemd Service** | Creates systemd services that ensure persistence on reboot. | ✔️ | ✔️ |
| **Udev Persistence** | Utilizes drivers to persist at the hardware interaction level. | ✔️ ||
| **Web Shell Persistence** | Deploys web servers for remote access via web interfaces. | ✔️ | ✔️ |
| **XDG Autostart Persistence** | Employs XDG autostart directories to persist upon user login. | ✔️ | ✔️ |
| **At Job Persistence** | Implements persistence by adding entries to system jobs. | | |
| **Authorized Keys** | Adds a public key to the authorized_keys file for SSH access. | | |
| **Backdoor User** | Creates a backdoor user with `UID=0` (root privileges). | ||
| **Backdoored /etc/passwd** | Directly adds a malicious user entry to `/etc/passwd`. | ||
| **Backdoored /etc/init.d** | Establishes persistence via SysVinit (`/etc/init.d`). | ||
| **Backdoored /etc/rc.local** | Establishes persistence via run control (`/etc/rc.local`). | ||
| **Bind Shell** | Runs a pre-compiled/LOLBin bind shell for remote access. | | |
| **Capabilities Backdoor** | Adds specific capabilities to binaries to maintain persistence. | ||
| **Cron Job Persistence** | Sets up cron jobs to ensure persistence across reboots. | | |
| **Create User** | Creates a new user account on the system. | ||
| **Diamorphine Rootkit** | Installs the Diamorphine Loadable Kernel Module Rootkit. | ||
| **Git Persistence** | Utilizes Git hooks or pagers to persist within Git repositories. | | |
| **Generator Persistence** | Leverages systemd generators to create persistent services. | ||
| **Malicious Container** | Deploys a Docker container designed to host escape. | | |
| **Malicious Package** | Installs a `DPKG/RPM` package to achieve persistence. | ||
| **LD_PRELOAD Backdoor** | Uses `LD_PRELOAD` to inject malicious libraries for persistence. | ||
| **LKM Backdoor** | Loads a Loadable Kernel Module to maintain persistence. | ||
| **MOTD Backdoor** | Alters Message of the Day (MOTD) to establish persistence. | ||
| **Package Manager** | Manipulates `APT/YUM/DNF` to establish persistence on usage. | ||
| **PAM Persistence** | Installs a PAM backdoor using a rogue module or pam_exec. | ||
| **Password Change** | Changes user passwords to secure backdoor accounts. | ||
| **Reverse Shell** | Establishes a reverse shell (supporting multiple LOLBins). | | |
| **Shell Profile Persistence** | Modifies shell profiles to execute scripts upon user login. | | |
| **SSH Key Persistence** | Manipulates SSH keys to maintain persistent access via SSH. | | |
| **Sudoers Backdoor** | Alters the `/etc/sudoers` file to grant elevated privileges. | ||
| **SUID Backdoor** | Backdoors binaries by setting the SUID bit. | ||
| **System Binary Backdoor** | Wraps system binaries to include backdoor functionality. | ||
| **Systemd Service** | Creates systemd services that ensure persistence on reboot. | | |
| **Udev Persistence** | Utilizes drivers to persist at the hardware interaction level. | ||
| **Web Shell Persistence** | Deploys web servers for remote access via web interfaces. | | |
| **XDG Autostart Persistence** | Employs XDG autostart directories to persist upon user login. | | |

![](https://i.imgur.com/waxVImv.png)

# Support
PANIX offers comprehensive support across various Linux distributions.

| **Distribution** | **Support** | **Tested Version** |
|------------------|---------|-------------------------------------------|
| **Debian** | ✔️ | Debian 11 & 12 |
| **Ubuntu** | ✔️ | Ubuntu 22.04 (Diamorphine unavailable) |
| **RHEL** | ✔️ | RHEL 9 (MOTD unavailable) |
| **CentOS** | ✔️ | CentOS Stream 9 & 7 (MOTD unavailable) |
| **Fedora** | ✔️ | Not fully tested |
| **Arch Linux** | ✔️ | Not fully tested |
| **OpenSUSE** | ✔️ | Not fully tested |
| **Distribution** | **Support** | **Tested Version** |
|------------------|-----------|----------------------------------------|
| **Debian** | | Debian 11 & 12 |
| **Ubuntu** | | Ubuntu 22.04 (Diamorphine unavailable) |
| **RHEL** | | RHEL 9 (MOTD unavailable) |
| **CentOS** | | CentOS Stream 9 & 7 (MOTD unavailable) |
| **Fedora** | | Not fully tested |
| **Arch Linux** | | Not fully tested |
| **OpenSUSE** | | Not fully tested |

Custom or outdated Linux distributions may have different configurations or lack specific features, causing mechanisms to fail on untested versions. If a default command fails, use the `--custom` flag available in most features to adjust paths and commands for your environment. If that doesn't resolve the issue, review and modify the script to suit your needs.
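Review bot: In the replacement rows of the feature table (the second set of `At Job Persistence` through `XDG Autostart Persistence`) and in the replacement support table, the Root, User and Support cells come through empty in this view while the removed rows carried ✔️, so please confirm on the rendered README that the new marker is actually visible; if it relies on an emoji glyph, a plain ASCII value such as `Yes` keeps the root-versus-user distinction readable in terminals and plain-text mirrors, which matters because that column is what tells a defender which techniques an unprivileged account can set up. While these rows are being touched, the `Malicious Container` description `Deploys a Docker container designed to host escape.` reads as if a word is missing (for example `designed for host escape`).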

@@ -97,15 +97,15 @@ This streamlined structure promotes efficient development, testing, and deployme
![](https://i.imgur.com/waxVImv.png)

# Getting Started
Getting PANIX up-and-running is as simple as downloading the script from the [release page](https://github.com/Aegrah/PANIX/releases/tag/panix-v2.0.0) and executing it:
Getting PANIX up-and-running is as simple as downloading the script from the [release page](https://github.com/Aegrah/PANIX/releases/tag/panix-v2.0.1) and executing it:
```
curl -sL https://github.com/Aegrah/PANIX/releases/download/panix-v2.0.0/panix.sh | bash
curl -sL https://github.com/Aegrah/PANIX/releases/download/panix-v2.0.1/panix.sh | bash
```
Or download it and execute it manually:
```
# Download through curl or wget
curl -sL https://github.com/Aegrah/PANIX/releases/download/panix-v2.0.0/panix.sh -o panix.sh
wget https://github.com/Aegrah/PANIX/releases/download/panix-v2.0.0/panix.sh -O panix.sh
curl -sL https://github.com/Aegrah/PANIX/releases/download/panix-v2.0.1/panix.sh -o panix.sh
wget https://github.com/Aegrah/PANIX/releases/download/panix-v2.0.1/panix.sh -O panix.sh
# Grant execution permissions and execute the script.
chmod +x panix.sh
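Review bot: The one-liner `curl -sL https://github.com/Aegrah/PANIX/releases/download/panix-v2.0.1/panix.sh | bash` still executes whatever the release URL returns with no integrity check, and `-s` without `-f` means an HTTP error page or a redirect to the wrong asset is piped into bash silently; suggest `curl -fsSL` so a non-2xx response fails the pipeline, and publishing a checksum for `panix.sh` alongside the release so the manual path shown below it (`curl ... -o panix.sh`, then `chmod +x panix.sh`) can be verified before execution. Both download snippets and the release-page link were consistently moved from `panix-v2.0.0` to `panix-v2.0.1`.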
6 changes: 6 additions & 0 deletions modules/revert/revert_lkm.sh
@@ -53,6 +53,12 @@ revert_lkm() {
echo "[-] Temporary directory '${lkm_compile_dir}' not found."
fi

# Remove panix from /etc/modules, /etc/modules-load.d/panix.conf and /usr/lib/modules-load.d/panix.conf
echo "[+] Removing panix from /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/..."
sed -i '/panix/d' /etc/modules
rm -f /etc/modules-load.d/panix.conf
rm -f /usr/lib/modules-load.d/panix.conf

# Update module dependencies
echo "[+] Updating module dependencies..."
depmod -a
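Review bot: `sed -i '/panix/d' /etc/modules` exits non-zero with an error on systems where `/etc/modules` is absent (the README's support table lists RHEL, CentOS and Fedora, which rely on `modules-load.d` rather than `/etc/modules`), and the unanchored pattern deletes every line containing the substring `panix` instead of only the module entry. Suggest guarding it the way the surrounding code guards `${lkm_compile_dir}`, e.g. `[[ -f /etc/modules ]] && sed -i '/^panix$/d' /etc/modules`; the two `rm -f` lines are fine as written since `-f` already tolerates a missing file.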
165 changes: 86 additions & 79 deletions modules/revert/revert_malicious_package.sh
@@ -1,93 +1,100 @@
revert_malicious_package() {
usage_revert_malicious_package() {
echo "Usage: ./panix.sh --revert malicious-package"
echo "Reverts any changes made by the setup_malicious_package module."
}
usage_revert_malicious_package() {
echo "Usage: ./panix.sh --revert malicious-package"
echo "Reverts any changes made by the setup_malicious_package module."
}

echo "[+] Reverting malicious package..."
echo "[+] Reverting malicious package..."

if ! check_root; then
echo "Error: This function can only be run as root."
return 1
fi
if ! check_root; then
echo "Error: This function can only be run as root."
return 1
fi

local mechanism=""
local PACKAGE_NAME="panix"
local mechanism=""
local PACKAGE_NAME="panix"

# Detect if RPM or DPKG was used
if command -v rpm &> /dev/null && rpm -qa | grep -q "^${PACKAGE_NAME}"; then
mechanism="rpm"
elif command -v dpkg &> /dev/null && dpkg -l | grep -q "^ii ${PACKAGE_NAME} "; then
mechanism="dpkg"
else
echo "[-] Malicious package '${PACKAGE_NAME}' not found via RPM or DPKG. No action needed."
fi
# Detect if RPM or DPKG was used
if command -v rpm &> /dev/null && rpm -qa | grep -q "^${PACKAGE_NAME}"; then
mechanism="rpm"
elif command -v dpkg &> /dev/null && dpkg -l | grep -q "^ii ${PACKAGE_NAME} "; then
mechanism="dpkg"
else
echo "[-] Malicious package '${PACKAGE_NAME}' not found via RPM or DPKG. No action needed."
fi

if [[ "$mechanism" == "rpm" ]]; then
echo "[+] Removing RPM package '${PACKAGE_NAME}'..."
rpm -e --noscripts "${PACKAGE_NAME}"
if [[ $? -eq 0 ]]; then
echo "[+] RPM package '${PACKAGE_NAME}' removed successfully."
else
echo "[-] Failed to remove RPM package '${PACKAGE_NAME}'."
fi
if [[ "$mechanism" == "rpm" ]]; then
echo "[+] Removing RPM package '${PACKAGE_NAME}'..."
rpm -e --noscripts "${PACKAGE_NAME}"
if [[ $? -eq 0 ]]; then
echo "[+] RPM package '${PACKAGE_NAME}' removed successfully."
else
echo "[-] Failed to remove RPM package '${PACKAGE_NAME}'."
fi

# Remove the RPM file from /var/lib/rpm
if [[ -f "/var/lib/rpm/${PACKAGE_NAME}.rpm" ]]; then
echo "[+] Removing RPM file '/var/lib/rpm/${PACKAGE_NAME}.rpm'..."
rm -f "/var/lib/rpm/${PACKAGE_NAME}.rpm"
echo "[+] RPM file removed."
else
echo "[-] RPM file '/var/lib/rpm/${PACKAGE_NAME}.rpm' not found."
fi
# Remove the RPM file from /var/lib/rpm
if [[ -f "/var/lib/rpm/${PACKAGE_NAME}.rpm" ]]; then
echo "[+] Removing RPM file '/var/lib/rpm/${PACKAGE_NAME}.rpm'..."
rm -f "/var/lib/rpm/${PACKAGE_NAME}.rpm"
echo "[+] RPM file removed."
else
echo "[-] RPM file '/var/lib/rpm/${PACKAGE_NAME}.rpm' not found."
fi

elif [[ "$mechanism" == "dpkg" ]]; then
echo "[+] Removing DPKG package '${PACKAGE_NAME}'..."
dpkg --purge "${PACKAGE_NAME}"
if [[ $? -eq 0 ]]; then
echo "[+] DPKG package '${PACKAGE_NAME}' removed successfully."
else
echo "[-] Failed to remove DPKG package '${PACKAGE_NAME}'."
fi
fi
elif [[ "$mechanism" == "dpkg" ]]; then
echo "[+] Removing DPKG package '${PACKAGE_NAME}'..."
dpkg --purge "${PACKAGE_NAME}"
if [[ $? -eq 0 ]]; then
echo "[+] DPKG package '${PACKAGE_NAME}' removed successfully."
else
echo "[-] Failed to remove DPKG package '${PACKAGE_NAME}'."
fi
fi

# Remove the cron job added by the setup function
echo "[+] Removing cron job associated with '${PACKAGE_NAME}'..."
# Create a temporary file to store the current crontab
crontab -l > /tmp/current_cron$$ 2>/dev/null
if [[ $? -ne 0 ]]; then
echo "[-] No crontab for user $(whoami). No action needed."
rm -f /tmp/current_cron$$
else
# Remove lines containing the malicious package commands
grep -v ".*${PACKAGE_NAME}.*" /tmp/current_cron$$ > /tmp/new_cron$$
# Install the new crontab
crontab /tmp/new_cron$$
echo "[+] Cron job removed."
# Clean up temporary files
rm -f /tmp/current_cron$$ /tmp/new_cron$$
fi
# Remove the cron job added by the setup function
echo "[+] Removing cron job associated with '${PACKAGE_NAME}'..."
# Create a temporary file to store the current crontab
crontab -l > /tmp/current_cron$$ 2>/dev/null
if [[ $? -ne 0 ]]; then
echo "[-] No crontab for user $(whoami). No action needed."
rm -f /tmp/current_cron$$
else
# Remove lines containing the malicious package commands
grep -v ".*${PACKAGE_NAME}.*" /tmp/current_cron$$ > /tmp/new_cron$$
# Install the new crontab
crontab /tmp/new_cron$$
echo "[+] Cron job removed."
# Clean up temporary files
rm -f /tmp/current_cron$$ /tmp/new_cron$$
fi

# Clean up any remaining build directories (RPM)
if [[ -d "~/rpmbuild" ]]; then
echo "[+] Removing RPM build directory '~/rpmbuild'..."
rm -rf ~/rpmbuild
echo "[+] RPM build directory removed."
fi
# Clean up any remaining build directories (RPM)
if [[ -d "~/rpmbuild" ]]; then
echo "[+] Removing RPM build directory '~/rpmbuild'..."
rm -rf ~/rpmbuild
echo "[+] RPM build directory removed."
fi

# Clean up any remaining package directories (DPKG)
if [[ -d "${PACKAGE_NAME}" ]]; then
echo "[+] Removing package directory '${PACKAGE_NAME}'..."
rm -rf "${PACKAGE_NAME}"
echo "[+] Package directory removed."
fi
# Clean up any remaining package directories (DPKG)
if [[ -d "${PACKAGE_NAME}" ]]; then
echo "[+] Removing package directory '${PACKAGE_NAME}'..."
rm -rf "${PACKAGE_NAME}"
echo "[+] Package directory removed."
fi

# Remove any lingering files in /var/lib/dpkg/info (DPKG)
if [[ -d "/var/lib/dpkg/info" ]]; then
echo "[+] Cleaning up '/var/lib/dpkg/info'..."
rm -f "/var/lib/dpkg/info/${PACKAGE_NAME}."*
echo "[+] Cleanup completed."
fi
# Remove any lingering files in /var/lib/dpkg/info (DPKG)
if [[ -d "/var/lib/dpkg/info" ]]; then
echo "[+] Cleaning up '/var/lib/dpkg/info'..."
rm -f "/var/lib/dpkg/info/${PACKAGE_NAME}."*
echo "[+] Cleanup completed."
fi

return 0
# Remove any package files left in the home directory
if [[ -f "~/${PACKAGE_NAME}.deb" || -f "~/${PACKAGE_NAME}.rpm" ]]; then
echo "[+] Removing package files '~/${PACKAGE_NAME}.deb' and/or '~/${PACKAGE_NAME}.rpm'..."
rm -f ~/${PACKAGE_NAME}.deb ~/${PACKAGE_NAME}.rpm
echo "[+] Package files removed."
fi

return 0
}
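Review bot: The tilde inside double quotes in `if [[ -d "~/rpmbuild" ]]; then` and in the newly added block `if [[ -f "~/${PACKAGE_NAME}.deb" || -f "~/${PACKAGE_NAME}.rpm" ]]; then` is not expanded by bash, so both tests look for a literal path beginning with `~/` and the cleanup inside them never runs; use `"$HOME/rpmbuild"` and `"$HOME/${PACKAGE_NAME}.deb"` instead. The unquoted `rm -rf ~/rpmbuild` and `rm -f ~/${PACKAGE_NAME}.deb ~/${PACKAGE_NAME}.rpm` lines do expand, which is why the mismatch is easy to miss and why a revert can report nothing while leaving the build artifacts in place. The remainder of the hunk is a re-indentation of the existing logic; as a style point, the `if [[ $? -eq 0 ]]` checks after `rpm -e --noscripts "${PACKAGE_NAME}"` and `dpkg --purge "${PACKAGE_NAME}"` can be written as `if rpm -e --noscripts "${PACKAGE_NAME}"; then` with the same effect.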