LO/LS/OT_SC+STDEINSU_GV is a tool designed to exchange and escalate privileges in
GNU/Linux by infecting ELF files. The infection method and the concept it is based on come from infR3s.s
by sha0 (badchedksum.net), but its focus and functionality are different.

(There are more screenshots at the end of the article)
It is capable of infecting according to infection filters; examples:
1) Infect all the ELFs starting from the root directory where we have write permission.
2) Infect all the ELFs with GID 303 where we have write permission and that are in the
/home/dreg directory. To list the directories, the tool uses locate and ls recursively (thanks
to Daniel Moll). On servers that use locate (not slocate) it can be used to list ELFs that
cannot be listed because of directory permissions, increasing our probability of infecting more ELFs on a
system.
When an ELF infected with _startInfector is executed, we copy the file previously selected for
the infection to a previously selected directory with the suid bit set, so that if we
chose a shushi or a chmod, we will have the privileges of the user that executed the ELF;
then the ELF is executed normally.
The tool is designed to be used on shell and hosting servers with enough activity. Only
ELFs that are writable by the user can be infected; that only happens when the creator of
the file was careless/inexperienced.
The technique used with this tool on servers is as follows:
1) Obtain a user with few privileges, for example: nobody.
2) The script locate.sh is run over the whole directory tree to infect all the system ELFs that
can be written.
3) Once any user executes any of those ELFs, we obtain their credentials with a suid shushi, and all
possible files are infected from the new user (and so on).
4) At some point we will have plenty of credentials to escalate privileges much
faster, even to root.
5) Once root credentials are obtained, all the ELFs are disinfected and we try a more
elegant way to preserve the access.
Personally I have used it and it works: some administrators have o+x on /root and,
because nobody can list what is there, they do not care about ELF permissions and they can
be written; then they index them in the LOCATE database, then you infect them and you gain
root access.
nobody -> normal user -> other users' credentials -> root
There are (inexperienced) administrators that execute ELFs (psybnc, emech) from other users
when they are not working properly, and if one of them is infected, we have root privileges.
LO/LS/OT_SC+STDEINSU_GV includes all the necessary tools to do what was mentioned above,
plus other things.
The tool creates the suid ELF file with the name that we want or request, ending with
the user's UID, so that we can disguise the suid file names as similar ones
in another directory (for example in /tmp when it has execute permission).
_startInfector
------
Tool programmed in C; infects the ELF that we indicate.
Usage: ./_startInfector file_to_be_infected file_path saved_files_path
Example: ./_startInfector ./example /bin/chmod /tmp/un
If the user Dreg, with UID 283, executes example, a copy of
/bin/chmod will be created in /tmp/ with the name unUID, in this case: /tmp/un283
_startDesInfector
------
Tool programmed in C; disinfects an ELF infected with _startInfector.
Usage: ./_startDesInfector file_to_be_disinfected
Example: ./_startDesInfector ./example
./example will be left as it was before it was infected.
locate.sh
------
Tool written in bash by Daniel Moll for the project. It uses the LOCATE tool and LS recursively
to obtain as many files of a system as possible. Ideal for showing files in directories where we do
not have permission to list them, but which are indexed in locate's database.
WARNING: Using this script with slocate is pointless.
infector.sh & other scripts
------
The infector.sh script is a wrapper around the others; its function is to use locate.sh to infect
all the possible ELFs of a directory using the filter indicated
by filter.sh. All the files that we try to infect are recorded in
log_infector.lg, so that later they can be disinfected with
_startDesInfector. loader.sh holds the name of the infector and the
right call to it. log.sh is responsible for dumping the result of the
infection to log_infector.lg.
I N T E R N A L S
------
Some details of the internal operation of the tool:
The ELF's _start is infected, and the code it overwrites is saved at the end of the file. Once the file is
executed, the viral code runs, opens the file, restores the overwritten part with a routine
copied just before the stack, and jumps to the beginning of the
original program.
Overlapping segments are used to insert the virus, so as to increase the
chances of infecting the ELF: if the contiguous segment(s) satisfy
elf32_phdr[i].p_filesz == elf32_phdr[i].p_memsz, they can also be used to insert the virus
(in case it does not fit in the previous one).
The p_offset field of the ELF is not used: some packers (like UPX) leave it at 0 without disrupting
operation, so the best option is to obtain the real p_offset taking the
e_phoff field as reference, which is essential for correct functioning.
To obtain the segment that contains _start, a technique similar to the one used for PE32 is applied,
checking segment ranges.
Viral API: the infection (asm) has been completely separated from the infector (C), so
that the infection object (.o) links with the infector and obtains the information it needs to
insert into the ELF through calls to the functions of the .o.
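Added example from the defending side, not part of this project: a Python audit of two conditions the technique above relies on (an ELF writable by other users, and data appended at the end of the file past everything the headers map), plus a sanity check that e_entry lands in an executable segment. It assumes little-endian ELF32 input and builds its own constructed sample image; the function names and the sample are mine, and it will not see a payload hidden inside a segment's existing file space.

```python
import struct
import stat

PT_LOAD, PF_X = 1, 0x1

def parse_elf32(data):
    """Parse a little-endian ELF32 header and its program headers (assumption: 32-bit input only)."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:  # ELFCLASS32, ELFDATA2LSB
        raise ValueError("not a little-endian ELF32 file")
    e_entry, e_phoff, e_shoff = struct.unpack_from("<III", data, 24)
    e_phentsize, e_phnum, e_shentsize, e_shnum = struct.unpack_from("<HHHH", data, 42)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _, p_filesz, p_memsz, p_flags, _ = \
            struct.unpack_from("<8I", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_offset, p_vaddr, p_filesz, p_memsz, p_flags))
    return e_entry, e_shoff + e_shentsize * e_shnum, phdrs  # 2nd value: end of section table (0 if none)

def entry_in_exec_segment(data):
    """True when e_entry lies in the file-backed part of an executable PT_LOAD."""
    e_entry, _, phdrs = parse_elf32(data)
    return any(t == PT_LOAD and fl & PF_X and va <= e_entry < va + fsz
               for t, _off, va, fsz, _msz, fl in phdrs)

def overlay_size(data):
    """Bytes past everything the headers account for: where a 'save the overwritten code at the end' scheme lands."""
    _, sh_end, phdrs = parse_elf32(data)
    mapped_end = max([sh_end] + [off + fsz for _t, off, _va, fsz, _msz, _fl in phdrs])
    return max(0, len(data) - mapped_end)

def audit(data, st_mode):
    """Findings for one file (contents + st_mode); an empty list means nothing was flagged."""
    findings = []
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group/others: any such user can modify it")
    if not entry_in_exec_segment(data):
        findings.append("entry point outside any executable segment")
    if overlay_size(data):
        findings.append(f"{overlay_size(data)} trailing bytes not covered by any header")
    return findings

def build_sample(code=b"\x90" * 8, entry_delta=0, overlay=b""):
    """Constructed test image: one R+X PT_LOAD covering the whole file (not a real program)."""
    base, hdr_len = 0x08048000, 52 + 32
    filesz = hdr_len + len(code)
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 2, 3, 1, base + hdr_len + entry_delta, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack("<8I", PT_LOAD, 0, base, base, filesz, filesz, 5, 0x1000)
    return ehdr + phdr + code + overlay
```

Run audit() on a real file with `audit(open(path, "rb").read(), os.stat(path).st_mode)`; an infected binary that only reuses slack inside an existing segment will pass the overlay check, so treat a clean result as necessary, not sufficient.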
I N S T A L L A T I O N / U N I N S T A L L A T I O N
------
The project includes a Makefile, so the infector and the disinfector are built
with:
make all
The infector _startInfector will be created,
along with the disinfector _startDesInfector.
To uninstall:
make clean
To run a test that checks the functioning of the infector and disinfector:
make test
This option:
- Compiles example.c
- Infects example
- Creates the directory ./chmods/
- Executes ./example and lists ./chmods/, where a setuid file will be found,
named with the user's UID, which is a copy of /bin/chmod.
- Disinfects ./example
- Deletes the suid file
- Executes ./example
- Lists ./chmods/ (and nothing should come up)
- Deletes ./chmods/ and its contents
If all these steps complete successfully, the tool is 100% ready
to be used.
P.S.: The order may not be exactly the same.
T O D O
------
- Improve the scripts
- Create a virus that does the same but does not require interaction,
so it can spread with the credentials of the user that
executes the host (at4r's idea).
- Create a virus like the one above, but that carries a shushi inside and does not
copy anything from any file (at4r's idea).
- Improve the infection system.
T H A N K S
------
- Virii-scene: pluf, griyo, zert, xezaw ...
- and especially to: sha0 & at4r.
S C R E E N S H O T S
------
Disinfecting a file
strace of an infected file
strace of the same file not infected
chmod suid created after executing the infected ELF
LS vs LOCATE.sh over /root
Massive infection over a directory using INFECTOR.SH