I’ve made available a ‘bogus’ version (since it is intended for educational purposes only) of our LKM Linux rootkit, the one which was the subject of my talk at Sacicon 2013.
The source code can be found here.
Made my Git public: https://github.com/carloslack
VMCI hasn’t been enabled by default since VMware Workstation 6, but it happens that on my version 9 it is enabled.
With my kernel 3.8.0-29 it breaks during module compilation at driver.c, an open-vm-tools file: a few syntax errors like missing data type declarations and so on.
I could simply disable VMCI or fix the problem properly, but this is my own computer at my home, so I decided that wouldn’t be fun enough.
VMCI should get the file from:
But for some reason it is messing things up and using another file or regenerating some other shit.
The solution was to brute force it.
Here is a tip that may save a couple of hours: if you want to connect to a MySQL port other than the default 3306, do not use “localhost” as $host, because mysqli_connect and the deprecated mysql_connect will both ignore the port argument. The reason is that the MySQL client library treats the hostname “localhost” as “connect through the local Unix domain socket”, so no TCP port is ever used.
Use “127.0.0.1” instead, which forces a TCP connection. You can confirm which transport you got by reading $link->host_info (or mysqli_get_host_info()): it reports “Localhost via UNIX socket” in the first case and “127.0.0.1 via TCP/IP” in the second.
Lame but useful.
Our papers are available at: http://www.ccppbrasil.org/wiki/Grupo:Encontro_X.
Recently, while playing with ELF images inside the Linux kernel (> 2.6.35), I was, by accident, surprised by a message in syslog after my module got killed:
kernel tried to execute NX-protected page – exploit attempt? (uid: 1000)
Now I am wondering if it is possible to toggle off the NX (NX stands for Never eXecute) bit, just like we can do with the 16th bit of cr0 for read-only pages…
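As an added example (not code from the original post or from the rootkit it describes), here is the user-space counterpart of the check that produced that syslog line: a page mapped without PROT_EXEC faults as soon as control is transferred into it, and the very same bytes run once the page is remapped executable. The fault comes from the per-page NX/XD bit (bit 63 of the PTE, enabled globally through EFER.NXE), which is a different mechanism from the CR0.WP bit (bit 16) that gates supervisor writes to read-only pages, so it is not something a single control-register flip switches off. The example assumes a Linux host on x86-64 or aarch64; the `ret` encodings and the `nx_demo` function name are mine.

```c
/*
 * Added example (not from the original post): demonstrate NX enforcement
 * from user space. mmap a RW page, copy a `ret` instruction into it, and
 * call it. The CPU raises a page fault (SIGSEGV in user space, the
 * "NX-protected page" oops in kernel space); after mprotect(PROT_EXEC)
 * the same bytes execute normally.
 */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_count;

/* SIGSEGV handler: record the fault and unwind back to sigsetjmp(). */
static void on_sigsegv(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si; (void)ctx;
    fault_count++;
    siglongjmp(fault_env, 1);
}

/* Machine code for a bare `ret`, so calling the page returns immediately. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char ret_insn[] = { 0xC3 };
#elif defined(__aarch64__)
static const unsigned char ret_insn[] = { 0xC0, 0x03, 0x5F, 0xD6 };
#else
#error "unsupported architecture for this example"
#endif

/*
 * Returns 1 if executing the non-executable page faulted and the code then
 * ran after mprotect(PROT_EXEC); 0 if it did not fault at all (no NX on
 * this CPU/kernel); -1 on a system call error.
 */
int nx_demo(void)
{
    long psz = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, psz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memcpy(page, ret_insn, sizeof ret_insn);
    /* Needed on aarch64 so the I-cache sees the freshly written code. */
    __builtin___clear_cache((char *)page, (char *)page + sizeof ret_insn);

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigsegv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) < 0)
        return -1;

    /* Turn the data pointer into a function pointer without a cast warning. */
    void (*fn)(void);
    memcpy(&fn, &page, sizeof fn);

    int rc;
    fault_count = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        fn();      /* expected: SIGSEGV, the PTE has the XD bit set */
        rc = 0;    /* reached only if nothing enforces NX here */
    } else {
        if (mprotect(page, psz, PROT_READ | PROT_EXEC) < 0) {
            rc = -1;
            goto out;
        }
        fn();      /* page is executable now: returns normally */
        rc = 1;
    }
out:
    sigaction(SIGSEGV, &old, NULL);
    munmap(page, psz);
    return rc;
}

int main(void)
{
    int rc = nx_demo();
    printf("faulted on NX page, then ran after mprotect: %s (faults=%d)\n",
           rc == 1 ? "yes" : "no", (int)fault_count);
    return rc == 1 ? 0 : 1;
}
```

In the kernel the equivalent check is done by the page-fault handler on a supervisor-mode instruction fetch from a PTE with the XD bit set, which is why the message asks whether it was an exploit attempt: a module jumping into a data page looks exactly like a code-injection payload.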