Unix post-exploitation evasion tool. Uses syscall_intercept to build an LD_PRELOAD library that makes any program prompt you before it performs actions you may want to avoid.
#include <dlfcn.h> | |
#include <errno.h> | |
#include <execinfo.h> | |
#include <fcntl.h> | |
#include <libsyscall_intercept_hook_point.h> | |
#include <signal.h> | |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <string.h> | |
#include <syscall.h> | |
#include <unistd.h> | |
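#define RED "\033[1;31m"
#define YELLOW "\033[1;33m"
#define RESET "\033[0m"
/* Hook enabled on startup by default. The flag is flipped from a signal
 * handler and read on the syscall path, so it is declared volatile
 * sig_atomic_t: that is the only object type the C standard guarantees can
 * be accessed from a handler without undefined behaviour (a plain int is not). */
volatile sig_atomic_t enabled = 1;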
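/* Write a NUL-terminated string to stdout without re-entering the hook.
 *
 * syscall_no_intercept() returns the raw syscall result (negative errno on
 * failure); the original code ignored it and passed the address of an unused
 * local as a trailing argument. Short writes are resumed, EINTR is retried,
 * any other error silently stops output (there is nowhere safe to report it). */
void write_stdout(const char *str) {
    size_t len = strlen(str);
    size_t off = 0;
    while (off < len) {
        long n = syscall_no_intercept(SYS_write, STDOUT_FILENO, str + off,
                                      len - off);
        if (n == -EINTR) {
            continue;
        }
        if (n < 0) {
            return;
        }
        off += (size_t)n;
    }
}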
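/* Signal handler for the toggle signal: flips `enabled` on/off.
 *
 * Only a single signal is registered, so the number is not needed; the cast
 * silences -Wunused-parameter. The handler touches one sig_atomic_t and emits
 * one status line; whether write_stdout's raw-syscall path is async-signal-
 * safe is not established here, so do not add more work to this function. */
void handler(int sig) {
    (void)sig;
    write_stdout("Toggling hook\n");
    enabled = !enabled;
}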
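/* Read one answer byte from stdin into *str, skipping newline characters
 * left over from the previous answer.
 *
 * Replaces the recursive "retry on '\n'" hack with a loop, retries EINTR,
 * and on EOF or read error stores '\0' so the caller sees "not confirmed"
 * instead of reading whatever was in *str before (the original left it
 * untouched, which for an uninitialised caller variable was undefined). */
void get(char *str) {
    for (;;) {
        long n = syscall_no_intercept(SYS_read, STDIN_FILENO, str, 1);
        if (n == -EINTR) {
            continue;
        }
        if (n <= 0) {
            /* EOF or error: fail closed, i.e. deny the action. */
            *str = '\0';
            return;
        }
        if (*str != '\n') {
            return;
        }
    }
}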
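/* Print `prompt` followed by `arg` and wait for a single-character answer.
 *
 * Returns 1 only on an explicit 'y'; any other byte, EOF or a read error
 * denies. `c` is initialised so that a failed read cannot leave the
 * comparison reading an indeterminate value. `arg` may be NULL (some
 * syscalls carry a NULL path), in which case a placeholder is printed
 * instead of calling strlen(NULL). */
int confirmed(const char *prompt, const char *arg) {
    write_stdout(prompt);
    write_stdout(arg != NULL ? arg : "(null)");
    write_stdout("\n" RESET);
    char c = '\0';
    get(&c);
    return c == 'y';
}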
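/* syscall_intercept hook point.
 *
 * Returns 1 to let the kernel execute the syscall unchanged, or 0 with
 * *result = -EACCES to fail it without executing it. The set of intercepted
 * syscalls is unchanged from the original; what is fixed is which argument is
 * shown to the user. Argument positions follow the Linux syscall signatures:
 * the path is arg0 for open/mkdir/chmod/chown/rename/utime(s) but arg1 for
 * the dirfd-relative *at variants, and write(2)'s buffer is not a C string.
 * syslog(2)'s first argument is an integer type code, not a pointer, so it is
 * formatted rather than dereferenced (the original crashed there).
 *
 * If stdin is closed or not readable, get() yields '\0' and the action is
 * denied, so the hook fails closed rather than open. */
static int hook(long syscall_number, long arg0, long arg1, long arg2, long arg3,
                long arg4, long arg5, long *result) {
    (void)arg3;
    (void)arg4;
    (void)arg5;
    if (!enabled) {
        return 1;
    }
    const char *const create_prompt =
        RED "Are you sure you want to create a file? (y/n)\n" YELLOW
            "We are creating the file: ";
    const char *const time_prompt =
        RED "Are you sure you want to change the access time of a "
            "file? (y/n)\n" YELLOW
            "We are changing the access time of the file: ";
    const char *const perm_prompt =
        RED "Are you sure you want to change the permissions of a "
            "file? (y/n)\n" YELLOW
            "We are changing the permissions of the file: ";
    const char *const owner_prompt =
        RED "Are you sure you want to change the owner of a file? "
            "(y/n)\n" YELLOW "We are changing the owner of the file: ";
    const char *const rename_prompt =
        RED "Are you sure you want to rename a file? (y/n)\n" YELLOW
            "We are renaming the file: ";
    const char *prompt = NULL;
    const char *arg = NULL;
    /* Scratch for arguments that are not NUL-terminated strings. */
    char scratch[256];

    switch (syscall_number) {
    case SYS_write: {
        /* write(fd, buf, count): stdout is left alone, everything else asks. */
        if (arg0 == STDOUT_FILENO) {
            return 1;
        }
        prompt = RED "Are you sure you want to write to a file? (y/n)\n" YELLOW
                     "We are writing the following to the file: ";
        /* The buffer is only `count` bytes long and not NUL-terminated:
         * copy at most that many (capped to the scratch size) instead of
         * calling strlen() on it, which read past the caller's buffer. */
        size_t len = arg2 > 0 ? (size_t)arg2 : 0;
        if (len > sizeof scratch - 1) {
            len = sizeof scratch - 1;
        }
        if (arg1 == 0) {
            len = 0; /* NULL buffer: the kernel will report EFAULT itself */
        } else {
            memcpy(scratch, (const void *)arg1, len);
        }
        scratch[len] = '\0';
        arg = scratch;
        break;
    }
    case SYS_open:
        /* open(path, flags, mode) */
        if (!(arg1 & O_CREAT)) {
            return 1;
        }
        prompt = create_prompt;
        arg = (const char *)arg0;
        break;
    case SYS_openat:
        /* openat(dirfd, path, flags, mode) */
        if (!(arg2 & O_CREAT)) {
            return 1;
        }
        prompt = create_prompt;
        arg = (const char *)arg1;
        break;
    case SYS_creat:
        prompt = create_prompt;
        arg = (const char *)arg0;
        break;
    case SYS_mkdir:
        /* mkdir(path, mode) */
        prompt = RED "Are you sure you want to create a directory? (y/n)\n" YELLOW
                     "We are creating the directory: ";
        arg = (const char *)arg0;
        break;
    case SYS_unlink:
    case SYS_rmdir:
        prompt = RED "Are you sure you want to delete a file or directory? "
                     "(y/n)\n" YELLOW "We are deleting the file or directory: ";
        arg = (const char *)arg0;
        break;
    case SYS_syslog:
        /* syslog(type, buf, len): `type` is an integer action code. */
        prompt = RED "Are you sure you want to interact with the system log? "
                     "(y/n)\n" YELLOW "We are performing action number: ";
        snprintf(scratch, sizeof scratch, "%ld", arg0);
        arg = scratch;
        break;
    case SYS_utime:
    case SYS_utimes:
        prompt = time_prompt;
        arg = (const char *)arg0;
        break;
    case SYS_utimensat:
    case SYS_futimesat:
        /* (dirfd, path, ...) — path may legitimately be NULL. */
        prompt = time_prompt;
        arg = (const char *)arg1;
        break;
    case SYS_chmod:
        prompt = perm_prompt;
        arg = (const char *)arg0;
        break;
    case SYS_fchmodat:
        /* fchmodat(dirfd, path, mode, flags) */
        prompt = perm_prompt;
        arg = (const char *)arg1;
        break;
    case SYS_chown:
    case SYS_lchown:
        prompt = owner_prompt;
        arg = (const char *)arg0;
        break;
    case SYS_fchownat:
        /* fchownat(dirfd, path, owner, group, flags) */
        prompt = owner_prompt;
        arg = (const char *)arg1;
        break;
    case SYS_link:
    case SYS_symlink:
    case SYS_symlinkat:
        /* arg0 is the existing path / link target in all three. */
        prompt = RED "Are you sure you want to create a link? (y/n)\n" YELLOW
                     "We are creating a link to the file: ";
        arg = (const char *)arg0;
        break;
    case SYS_rename:
        prompt = rename_prompt;
        arg = (const char *)arg0;
        break;
    case SYS_renameat:
        /* renameat(olddirfd, oldpath, newdirfd, newpath) */
        prompt = rename_prompt;
        arg = (const char *)arg1;
        break;
    default:
        return 1;
    }

    if (arg == NULL) {
        /* Nothing printable (e.g. a NULL path on an *at call); never pass
         * NULL down to strlen(). */
        arg = "(null)";
    }
    if (!confirmed(prompt, arg)) {
        *result = -EACCES;
        return 0;
    }
    return 1;
}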
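/* Library constructor: installs the syscall hook and the toggle signal.
 *
 * The signal number is kept as the literal 34 (documented as `kill -34 PID`
 * to toggle the hook) rather than SIGRTMIN, so the documented number does not
 * drift between C libraries. signal() can fail; the original ignored that,
 * which left the hook permanently on with no indication why the toggle did
 * nothing. */
static __attribute__((constructor)) void init(void) {
    enum { TOGGLE_SIGNAL = 34 };
    intercept_hook_point = hook;
    // kill -34 PID to toggle hook
    if (signal(TOGGLE_SIGNAL, handler) == SIG_ERR) {
        write_stdout("could not install toggle signal handler\n");
    }
}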
USAGE:
$ LD_LIBRARY_PATH=. LD_PRELOAD=SafeSecs.so whatever