Infecting loadable kernel modules: kernel versions 2.6.x/3.0.x

Hi.
“Infecting loadable kernel modules: kernel versions 2.6.x/3.0.x” is the title of my last paper that has been published on phrack #68. You can read the paper here.

Many thanks to:
– blackb1rd (a phrack reviewer) who helped me in writing the paper.
– All the phrack staff for publishing the paper.
– emdel for … mmmh … Hi, emdel!

Any comments or suggestions would be (obviously) appreciated.
Bye.

How to install NetBSD on Linux Virtualbox

Hi. In this post I show you a workaround that allows you to install (and run) NetBSD on Linux Virtualbox.
If you have tried to install NetBSD on Virtualbox probably the installation failed with an error like this:

...
acpiacad0: AC adapter online.
uvm_fault(0xc09e6a40, 0, 2) -> 0xe
fatal page fault in supervisor mode
trap type 6 code 2 eip c0100d69 cs 8 eflags 10246 cr2 0 ilevel 0
kernel: supervisor trap page fault, code=0
Stopped in pid 0.15 (system) at netbsd:spllower+0x29:  addl %eax,0(%eax)
db{0}>

The following workaround allows you to install and run NetBSD on Virtualbox. If the name of the NetBSD machine is “NetBSD”, you have to run this command in your shell:

$ vboxsdl --norawr0 --startvm NetBSD

That’s all!
Bye bye.

Syscall Hijacking: Dynamically obtain syscall table address (kernel 2.6.x) #2

Hi. In this brief post I’ll show you another way to get the syscall table address dinamically.
This post is only an expansion of this one. Read more…

Syscall Hijacking: Anti Fork-Bomb LKM (kernel 2.6.x)

Hi. In this post I’ll show you how to implement a simple anti fork-bomb LKM.
There is already a kernel method to prevent the fork bomb: you can search online about this stuff.
Instead I’ll show you how prevent a fork bomb attack through a simple loadable kernel module, in order to better understand how a new process is created and how we can prevent its creation. Read more…

Syscall Hijacking: Dynamically obtain syscall table address (kernel 2.6.x)

Hi. In this post I’ll show you how to obtain dynamically the syscall table address. In the last posts (this and this) I wrote codes in which the syscall table address was hardcoded (as suggested by sj).
Now I’ll show you how to dinamically obtain it. Read more…

Syscall Hijacking: Simple Rootkit (kernel 2.6.x)

Hi. In this post I’ll show you how to change the process credentials through kernel modules. In a such way you can make your own rootkit(s): i.e. when you performs a pre-established action, the module will give you a root access.
First of all we need to know where these credentials are kept: in the kernel versions < 2.6.29 we find all this informations in the “task_struct” structure. This structure is defined in “linux/sched.h”: Read more…

Syscall Hijacking: Kernel 2.6.* systems

In this guide I will explain how to hijack the syscall in kernel 2.6.*: in particular how to bypass the kernel write protection and the “protected mode” bit of the CR0 CPUs register.
I don’t explain what is a syscall or syscall table: I assume you know what it is.
Read more…

GNU C: Extensions to the C Language Family

Hi. Today I’ll talk about the extensions to the C language family introduced by the GNU C.
The GNU C provides several language features not found in ANSI standard C. These extensions are available both in C and C++. The `-pedantic’ option directs GNU CC to print a warning message if any of these features is used.
The list of these features is very long: often we use them implicitly. I will show to you only those I consider most useful and “strange”: Read more…

Port-knocking Backdoor

Hi.
In this post I’ll explain to you how to make a *unix backdoor using a “port knocking” scheme. That is, if we’ll “knock” to some TCP ports that we have initially decided, our program will open a backdoor for us (but only for us :) ).
How does the “port knocking” scheme work? The attacker decides a particular sequence of packets that will be sent to a compromised server where the backdoor is running. When the backdoor program will receive this particular sequence then it will give to the attacker the server’s shell.
Read more…

Bash http_proxy: from a user environment to sudo one

Hi. Sometimes you can’t connect directly to internet, because you have to go through a proxy (i.e. working environment).
Did you ever have to set up an http proxy on linux shell in order to (i.e) download a new package or manually update your distribution with a packet manager?
If so, you need to be a superuser. If you use the “sudo” command, you will probably stumbled across the inability to export variables from the user environment to the “sudo” one.
Read more…