reveng007 / reveng_rtkit

Linux Loadable Kernel Module (LKM) based rootkit (ring-0), capable of hiding itself, processes/implants, rmmod proof, has ability to bypass infamous rkhunter antirootkit.
https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html
MIT License

Adding a system()-like C function in Linux kernel programming, in order to open a new bash/sh prompt #1

Open reveng007 opened 2 years ago

reveng007 commented 2 years ago

This rootkit is capable of providing a rootshell to only the bash and sh shells, not others. Although it is possible for other shells as well, it takes some tricks. We can use a system()-like C function in Linux kernel programming, so that we first trigger a bash/sh shell and then offer the rootshell to the attacker. I haven't found that type of kernel function till now, but as soon as I find it, I will add it. If anybody viewing this knows about this, or is interested in contributing, they are most welcome to make a pull request.

loneicewolf commented 1 year ago

How will the operator (the person who controls the rootkit) "get" the root shell? For example, is the below what you expect, or?

Note, I just made this example up. There are loads of ways to "do this" and I just wanted to make sure I understood the goal you wanted to achieve. :)

If this is incorrect, maybe you could make a 1, 2, 3 list of what the function will do? Like:

  1. read input
  2. do (something with input)..
  3. get root

reveng007 commented 1 year ago

Okay... I tried that scenario, i.e. using a chardev to get root privileges. But I was unable to do so. I performed system call interception to achieve this in reveng_rtkit, to get a root shell.

You can refer to my blog: https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (Move down to part 6)

loneicewolf commented 1 year ago

@reveng007 Okay, thanks, I'll check that 🍵.