
megas.c

megas.c
Posted Oct 7, 1999
Authored by Pmsac

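Linux kernel module that takes privileges away from processes: it hooks execve() so that listed programs can only run the binaries they are allowed to.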

systems | linux
SHA-256 | 3c1a53d2029af8aaf19ab04983497d4575d25c39406d48c1321172829309cb20

megas.c

/*
* megas.c, by pmsac@toxyn.org, 1998
*
* Just another ripp off from:
* - cocain.c, by pmsac@toxyn.org, 1998, which is a rip off:
* - heroin.c, by Runar Jensen, zarq@opaque.org, 1998(?), from BugTraq
* - itf.c v0.8, by plaguez, dube0866@eurobretagne.fr, 1997, from Phrack52
*
* gcc -Wall -O3 -fomit-frame-pointer -c megas.c
*
*/

/* Set before the #include lines below so the kernel headers see them. */
#define MODULE
#define __KERNEL__
/*
 * Every later use of the name VERSION_COUNT is replaced by the identifier
 * sn199807290335, so the counter defined further down is emitted under that
 * symbol name rather than as "VERSION_COUNT".
 */
#define VERSION_COUNT sn199807290335

#include <linux/proc_fs.h>
#include <linux/module.h>
#include <linux/limits.h>
#include <sys/syscall.h>

/*
 * Policy table consulted by newExecve(). Each row pairs two strings:
 *   [EXAMINE] is searched for in the calling task's command name,
 *   [ALLOW]   is searched for in the path passed to execve().
 * A row with a NULL EXAMINE entry terminates the table.
 *
 * NOTE(review): newExecve() stops scanning at the first row whose ALLOW
 * entry is NULL, and it does so before comparing the task name. With the
 * rows below, the scan therefore ends on row 0 and every execve() is refused
 * with -EPERM, whatever the caller is. Confirm the intended row order before
 * loading this module.
 */
enum {
    EXAMINE = 0,    /* column: command name to look for */
    ALLOW = 1       /* column: binary that command may execute */
};

char *TASKSTR[][2] = {
    { "pine", NULL },
    { "pine", "joe" },
    { "bash", "ls" },
    { "bash", "rmmod" },
    { NULL, NULL }  /* end-of-table sentinel */
};

/*
 * Control channel handled by newKill(): a kill() call whose pid equals PID
 * and whose signal number is one of the three values below is consumed by
 * the module instead of being passed to the original handler.
 */
#define PID 0
#define SIGDEBUG 31 /* toggles the debug flag */
#define SIGSANE 10 /* drops the use count to zero and calls cleanup_module() */
#define SIGCOUNT 0 /* toggles the module use count */

/* Defined outside this file; indexed by system-call number in
 * init_module() and cleanup_module(). */
extern void *sys_call_table[];

/* Module-level errno. Nothing in this file assigns it, so it keeps its
 * initial value of zero. */
int errno;
/* Toggled by SIGCOUNT; mirrors whether newKill() has raised the use count.
 * The name is rewritten by the VERSION_COUNT macro defined at the top. */
int VERSION_COUNT = 0;
/* Non-zero enables the DEBUG* printk() traces. */
int debug = 0;
/* Slot number in sys_call_table[] that init_module() points at the original
 * execve handler; 0 means no slot was found. */
int __NR_myexecve;
/* Size of the kernel buffer newExecve() copies the requested path into. */
#define TMPBINMAXLEN (PATH_MAX + 1)


/* Original handlers saved by init_module() and restored by cleanup_module(). */
int (*oldKill)(pid_t, int);
int (*oldExecve)(const char *, const char *[], const char *[]);
/* Forward declaration: newKill() calls it on SIGSANE. */
void cleanup_module(void);

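/*
 * Debug tracing helpers: each forwards its arguments to printk() only while
 * the module-level `debug` flag is non-zero.
 *
 * Every macro expands to a single do { ... } while (0) statement, so
 * `DEBUG("...");` behaves like one statement even as the body of an unbraced
 * if/else. The earlier form expanded to a bare `if` preceded and followed by
 * empty statements, which breaks or silently re-binds a following `else`.
 *
 * X is used as the printk() format string: pass string literals only.
 */
#define DEBUG(X) do { if (debug) printk(X); } while (0)
#define DEBUG2(X,Y) do { if (debug) printk(X,Y); } while (0)
#define DEBUG3(X,Y,Z) do { if (debug) printk(X,Y,Z); } while (0)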



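/*
 * Replacement kill() handler installed by init_module().
 *
 * Calls with pid == PID and sig in {SIGCOUNT, SIGDEBUG, SIGSANE} are treated
 * as commands to the module and return 0:
 *   SIGCOUNT  toggles VERSION_COUNT and raises/drops the module use count,
 *   SIGSANE   drops the use count back to zero and calls cleanup_module(),
 *   SIGDEBUG  toggles the debug flag.
 * Every other call is forwarded to the original handler and its result is
 * returned unchanged.
 *
 * NOTE(review): no check of the caller's credentials is visible here, so any
 * process able to issue kill(PID, SIGSANE) makes the module restore the
 * original handlers. If the execve() policy is meant to be enforced against
 * unprivileged users, restrict these commands to a privileged caller.
 * NOTE(review): SIGCOUNT is 0, so an ordinary kill(0, 0) existence probe is
 * consumed here as well and flips the use count - confirm this is intended.
 */
int newKill(pid_t pid, int sig) {
    DEBUG("newKill()\n");

    if ((pid != PID) ||
        ((sig != SIGCOUNT) &&
         (sig != SIGDEBUG) &&
         (sig != SIGSANE))) {
        DEBUG("-> oldKill()...\n");
        /*
         * Pass the original result through as-is. Mapping a result of -1 to
         * -errno turned -EPERM (numerically -1) into 0, because the errno
         * defined in this file is never assigned; a refused kill() was then
         * reported to the caller as success.
         */
        return((*oldKill)(pid, sig));
    }
    if (sig == SIGCOUNT) {
        DEBUG("-> Toggling usage count...\n");
        VERSION_COUNT ^= 1;
        if (VERSION_COUNT) {
            MOD_INC_USE_COUNT;
        } else {
            MOD_DEC_USE_COUNT;
        }
    }
    if (sig == SIGSANE) {
        DEBUG("-> Sanitizing module, pls remove by hand...\n");
        /* Release every reference taken through SIGCOUNT before unhooking. */
        while (VERSION_COUNT != 0) {
            MOD_DEC_USE_COUNT;
            VERSION_COUNT--;
        }
        cleanup_module();
    }
    if (sig == SIGDEBUG) {
        DEBUG("-> Toggling debugging...\n");
        debug ^= 1;
    }

    DEBUG("-> Returning...\n");
    return(0);
}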

/*
 * Invokes the original execve handler through the system-call gate.
 *
 * init_module() stores the original handler in sys_call_table[__NR_myexecve];
 * this function raises `int $0x80` with that slot number in eax ("0" ties the
 * input to the "=a" output register) and filename, argv and envp in ebx, ecx
 * and edx. The value left in eax is returned as an int.
 *
 * NOTE(review): the asm statement declares no clobbers (no "memory" clobber
 * in particular) - confirm that is acceptable for the compiler in use.
 */
int cryptic_execve(const char *filename, const char *argv[], const char *envp[])
{
long __res;
__asm__ volatile ("int $0x80":"=a" (__res):"0"(__NR_myexecve), "b"((long) (filename)), "c"((long) (argv)), "d"((long) (envp)));
return (int) __res;
}

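/*
 * Replacement execve() handler installed by init_module().
 *
 * Copies the requested path into a kernel buffer and walks TASKSTR:
 *   - a row whose ALLOW entry is NULL ends the scan immediately;
 *   - a row whose EXAMINE string occurs in current->comm marks the caller as
 *     spotted, and if its ALLOW string occurs in the copied path the call is
 *     allowed and the scan ends.
 * A caller that reached the end of the table without being spotted is
 * allowed as well. Allowed calls are forwarded through cryptic_execve().
 *
 * Returns the result of cryptic_execve() when allowed, -EPERM when refused,
 * or -ENOMEM when the path buffer cannot be allocated.
 *
 * NOTE(review): both comparisons use strstr(), i.e. substring matching, so a
 * table entry covers every task name or path that merely contains it. If the
 * table is meant as an exact allow-list, compare whole names/paths instead.
 * NOTE(review): the NULL-ALLOW test runs before the task name is compared,
 * so such a row stops the scan for every caller, not only for the task it
 * names - confirm against the intended meaning of TASKSTR.
 * NOTE(review): a fixed TMPBINMAXLEN bytes are copied from the user pointer
 * whatever the real string length, and no access check on `bin` is visible.
 * A bounded string copy that stops at the terminator and reports faults
 * would be the safer primitive - confirm what this kernel version offers.
 */
int newExecve(const char *bin, const char *argv[], const char *envp[]) {
    int ret;
    int allow = 0;
    int spotted = 0;
    char *tmpBinName;

    DEBUG("newExecve()\n");

    DEBUG("-> Allocating kernel space...\n");
    tmpBinName = (char *) kmalloc(TMPBINMAXLEN, GFP_KERNEL);
    if (tmpBinName == NULL) {
        /* Previously the NULL pointer went straight into the copy below. */
        DEBUG("-> kmalloc() failed, -ENOMEM...\n");
        return(-ENOMEM);
    }
    DEBUG("-> Copying to kernel space...\n");
    memcpy_fromfs(tmpBinName, bin, TMPBINMAXLEN);
    /* The copy is length-based, so terminate explicitly before the buffer
     * is handed to printk("%s") and strstr(). */
    tmpBinName[TMPBINMAXLEN - 1] = '\0';
    DEBUG2("-> bin == %s\n", tmpBinName);

    DEBUG("-> Examining list...\n");
    for (ret = 0; TASKSTR[ret][EXAMINE] != NULL; ret++) {
        if (TASKSTR[ret][ALLOW] == NULL) {
            DEBUG("-> Deny all (further ?)...\n");
            break;
        }
        if (strstr(current->comm, TASKSTR[ret][EXAMINE]) != NULL) {
            DEBUG3("-> Spotted... %s/%s\n", TASKSTR[ret][EXAMINE], TASKSTR[ret][ALLOW]);
            spotted = 1;
            if (strstr(tmpBinName, TASKSTR[ret][ALLOW]) != NULL) {
                DEBUG("-> List allowed...\n");
                allow = 1;
                break;
            }
        }
    }

    DEBUG("-> Deallocating kernel space...\n");
    /* The buffer is not needed past the scan; without this every execve()
     * leaked TMPBINMAXLEN bytes of kernel memory. */
    kfree(tmpBinName);

    /* ret still indexes the row the scan stopped on: the sentinel row means
     * the whole table was walked. */
    if ((TASKSTR[ret][EXAMINE] == NULL) && !spotted) {
        DEBUG("-> Unlisted, allowing...\n");
        allow = 1;
    }

    if (allow) {
        DEBUG("-> Allowed, oldExecve()...\n");
        ret = (*cryptic_execve)(bin, argv, envp);
        return (ret);
    }

    DEBUG("-> Not allowed, -EPERM...\n");
    return(-EPERM);
}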

/*
 * Module entry point: installs the kill() and execve() replacements.
 *
 * kill() is always redirected to newKill(). For execve(), the table is
 * searched downwards from slot 164 for an entry that is zero; the original
 * execve handler is parked in that slot (reached later by cryptic_execve())
 * and only then is the execve entry pointed at newExecve().
 *
 * Always returns 0.
 *
 * NOTE(review): when no zero slot is found, execve() is left untouched but
 * the module still loads with kill() redirected and reports success, so the
 * execve() policy is silently not in force.
 */
int init_module(void) {
    DEBUG("init_module()\n");

    DEBUG("-> Replacing kill()...\n");
    oldKill = sys_call_table[SYS_kill];
    sys_call_table[SYS_kill] = newKill;

    DEBUG("-> Replacing execve()...\n");
    /* Walk down from 164 until a zero entry turns up or slot 0 is reached. */
    for (__NR_myexecve = 164; __NR_myexecve != 0; __NR_myexecve--) {
        if (sys_call_table[__NR_myexecve] == 0) {
            break;
        }
    }

    oldExecve = sys_call_table[SYS_execve];
    if (__NR_myexecve != 0) {
        /* Park the original first so newExecve() can reach it at once. */
        sys_call_table[__NR_myexecve] = oldExecve;
        sys_call_table[SYS_execve] = newExecve;
    }

    DEBUG("-> Returning...\n");
    return 0;
}

/*
 * Module exit point, also called from newKill() on SIGSANE: puts the saved
 * kill() and execve() handlers back and, if init_module() had claimed a
 * spare slot for the original execve handler, zeroes that slot again.
 */
void cleanup_module(void) {
    DEBUG("cleanup_module()\n");

    DEBUG("-> Restoring kill()...\n");
    sys_call_table[SYS_kill] = oldKill;

    DEBUG("-> Restoring execve()...\n");
    sys_call_table[SYS_execve] = oldExecve;

    DEBUG("-> Restoring __NR_myexecve");
    /* Slot 0 means init_module() never claimed a spare entry. */
    if (__NR_myexecve) {
        sys_call_table[__NR_myexecve] = 0;
    }

    DEBUG("-> Returning\n");
}