Fork: 1
miura250 / linux_kernel_hacking
Download ZIP 55 commits
Transfer to URL with SHA
linux_kernel_hacking / 3_RootkitTechniques / 3.3_set_root /
latest commit 3b5e18a158
@Harvey Phillips Harvey Phillips authored on 25 Aug 2020
..
Makefile make a process root 5 years ago
README.md rewrite module using ftrace 5 years ago
ftrace_helper.h add check for x64 to correct syscall name 5 years ago
rootkit.c update version number 5 years ago
README.md

Linux Kernel Hacking

3.3: Custom Signals To Give Root Privileges To A Process

Updated to use ftrace instead of directly modifying kernel memory

Similar to Section 3.2, we can abuse hooking sys_kill to trigger a function that gives root to any process that sends a 64 signal to a process (as before, signal 64 is normally unused).

According to credentials.rst, we can only modify the cred struct of our own process, and not that of any other process. This means that we can't give an already running process root privileges unless we send the 64 signal from that process! Quite a clever security feature!

All we have to do is send signal 64 to any process (as before, the signal isn't actually sent anywhere!) and we end up being root!

To use:

  • Build with make
  • Load with insmod rootkit.ko
  • Confirm that you currently are not root with whoami
  • Send signal 64 to any pid, e.g. kill -64 1
    • Note that the signal won't actually be sent to the pid you specify, so any number will do!
  • Check whoami again, and observe that you are now root!
  • Unload with rmmod rootkit