Updated to use ftrace instead of directly modifying kernel memory
There is now a blog post explaining this module in more detail! Check it out here!
Similar to Section 3.2, we can abuse hooking `sys_kill` to trigger a function that gives root to any process that sends signal `64` to a process (as before, signal `64` is normally unused).

According to `credentials.rst`, we can only modify the `cred` struct of our own process, and not that of any other process. This means that we can't give an already running process root privileges unless we send signal `64` from that process! Quite a clever security feature!

All we have to do is send signal `64` to any process (as before, the signal isn't actually sent anywhere!) and we end up being root!
To use:

1. `make`
2. `insmod rootkit.ko`
3. `whoami`
4. Send signal `64` to any pid, e.g. `kill -64 1`
5. `whoami` again, and observe that you are now root!
6. `rmmod rootkit`
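A module like this leaves a visible trace on the host: ftrace records every kernel function that currently has a callback attached, and tracefs exposes that list in the `enabled_functions` file. The shell script below is an added defender-side example, not code from this repository or from Diamorphine. It assumes tracefs is mounted at `/sys/kernel/tracing` (older kernels use `/sys/kernel/debug/tracing`; override with `TRACEFS_ENABLED`), that reading it requires root, and that the listing has the `name (count)` shape shown in the constructed sample, which is used whenever the real file is not readable.

```shell
#!/bin/sh
# Added detection example (not part of the rootkit repo): list kernel
# functions that currently have ftrace callbacks attached and flag any
# syscall entry points among them. The tracefs path is an assumption
# about where it is mounted on this host; reading it needs root.
TRACEFS_ENABLED="${TRACEFS_ENABLED:-/sys/kernel/tracing/enabled_functions}"

# Print the names of functions in an enabled_functions listing that look
# like syscall entry points (sys_*, __x64_sys_*, __ia32_sys_*, ksys_*),
# one per line. Lines are "name (callback-count)"; the indented
# "tramp:" / "ops:" detail lines newer kernels print are skipped because
# they do not start at column 0.
flag_syscall_hooks() {
    # $1: file holding enabled_functions output
    grep -E '^[[:alnum:]_]*sys_[[:alnum:]_]+ \([0-9]+\)' "$1" \
        | awk '{ print $1 }'
}

# Exit status 0 if sys_kill (with any arch prefix) has a hook attached.
kill_is_hooked() {
    flag_syscall_hooks "$1" | grep -qE '(^|_)sys_kill$'
}

# Constructed sample mimicking enabled_functions output: the hooked kill
# entry point (with a trampoline detail line) plus one unrelated hooked
# function. Used when tracefs is not readable, e.g. when run unprivileged.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
__x64_sys_kill (1)
	tramp: 0xffffffffc0a7d000 (ftrace_caller+0x0/0x68) ->ftrace_ops_list_func+0x0/0x1e0
vfs_read (1)
EOF

main() {
    src="$TRACEFS_ENABLED"
    [ -r "$src" ] || src="$SAMPLE"
    echo "Syscall entry points with ftrace callbacks (from $src):"
    flag_syscall_hooks "$src"
    if kill_is_hooked "$src"; then
        echo "WARNING: sys_kill has an ftrace hook attached;" \
             "compare against lsmod and the active tracing configuration"
    fi
}

main
```

A hit only means some `ftrace_ops` is registered on that function: the function tracer, kprobes placed on ftrace sites and livepatch all show up here too, so the result is a lead to correlate with the loaded-module list and the system's tracing configuration, not proof of compromise on its own.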
Inspired, in part, by the Diamorphine repo.