/*
 * GID inconsistency bruteforcer
 * Detects LD_PRELOAD rootkits that hide fds, processes and files based on a "magic" GID
 * (Umbreon and other GID-based rootkits). The probe relies on the rootkit's hooked libc
 * wrappers being loaded into this process, so keep the binary dynamically linked: a static
 * build bypasses LD_PRELOAD entirely and will never see the hook.
 * Since a GID is an unsigned 32-bit int the space is finite and can be bruteforced, but it
 * takes a while: under 20 minutes on my system, which will vary with your setup.
 * Caveat: (gid_t)-1 (UINT_MAX) means "leave the group unchanged" to fchown(), so that one
 * value cannot be probed this way.
 * NOTE: a rootkit could notice it is being GID-bruteforced and switch GIDs, but that is not
 * easy to implement.
 * Have fun!
 * gcc -Wall fuckumbreon.c -o fuckumbreon
 */
#define _XOPEN_SOURCE 700 /* fchown(), mkstemp(), unlink(), geteuid() */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>
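/*
 * Entry point: probe every GID for a hooked/lying fchown().
 *
 * A probe file is created with mkstemp() (O_EXCL, mode 0600) and then
 * fchown()ed to each GID in turn while running as root. On a sane system an
 * fchown() on our own file cannot fail for any valid GID; an LD_PRELOAD
 * rootkit that hides objects by a "magic" GID makes its hooked wrapper fail
 * (typically with ENOENT) for that GID, and that failure is what we report.
 *
 * Exit status: 0 = no inconsistency found, 1 = a hidden GID was found,
 *              2 = not running as root or the probe file could not be made.
 */
int main(void)
{
    enum { PROGRESS_EVERY = 100000 }; /* print progress every N GIDs */
    int rc = 0;

    /* fchown() needs CAP_CHOWN, which follows the *effective* uid, so test
     * that rather than the real uid. */
    if (geteuid() != 0) {
        fprintf(stderr, "You must run this program as root.\n");
        return 2;
    }

    char tmp_template[] = "/dev/shm/tmp.XXXXXXXX";
    int fd = mkstemp(tmp_template);
    if (fd == -1) {
        fprintf(stderr, "mkstemp: %s\n", strerror(errno));
        return 2;
    }
    /* Unlink right away: the open fd keeps the inode alive for the whole
     * scan and nothing is left behind in /dev/shm if we are interrupted. */
    unlink(tmp_template);

    time_t start_time = time(NULL);
    time_t last_time = start_time;

    /*
     * gid_t is an unsigned 32-bit value on Linux, so walk 1..UINT_MAX and let
     * the increment wrap to 0 to end the loop. Two values are special:
     *  - (gid_t)-1 (== UINT_MAX) means "do not change the group" to fchown(),
     *    so that one value is never really exercised by this probe;
     *  - GID 0 is exercised by the restoring fchown() after the loop.
     */
    for (unsigned int gid = 1; gid != 0; gid++) {
        if (gid % PROGRESS_EVERY == 0) {
            time_t now = time(NULL);
            if (difftime(now, last_time) > 0) {
                double elapsed = difftime(now, start_time);
                double percent_done = (double)gid / (double)UINT_MAX * 100.0;
                printf("Elapsed seconds: %g, current gid %u, %f percent complete\n",
                       elapsed, gid, percent_done);
                fflush(stdout); /* keep progress visible when piped to a log */
                last_time = now;
            }
        }

        /* Only an actual failure counts. errno is stale after a successful
         * call, so testing it alongside the return value (the old
         * `|| errno == ENOENT`) would false-positive whenever something
         * earlier left ENOENT behind. */
        if (fchown(fd, geteuid(), gid) == -1) {
            int saved_errno = errno; /* printf may clobber errno */
            printf("GID-based fd hiding detected (GID: %u)\n", gid);
            printf("fchown failed with: %s\n", strerror(saved_errno));
            rc = 1;
            goto out;
        }
    }

    /* Put the group back to root; this doubles as the probe of GID 0, which
     * the loop above never visits. */
    if (fchown(fd, geteuid(), 0) == -1) {
        int saved_errno = errno;
        printf("GID-based fd hiding detected (probably GID %u)\n", 0u);
        printf("fchown failed with: %s\n", strerror(saved_errno));
        rc = 1;
        goto out;
    }
    printf("No inconsistencies detected\n");

out:
    close(fd);
    return rc;
}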