otreva Posted November 29, 2012

Date:
=====
2012-11-21

Introduction:
=============
Unix/Darbe-A is a new kernel rootkit based on the /proc file system; modifications were made in order to support kernel 2.6.x.

Detected
========

Analysis
========
analiz@server:/tmp$ uname -a
Linux server 3.2.0-32-generic #51-Ubuntu SMP Wed Sep 26 21:32:50 UTC 2012 i686 i686 i386 GNU/Linux

analiz@server:/tmp$ lsmod
Module     Size   Used by
security   13046  0        <--- Linux Kernel Module ??? What is the task?
vsock      47098  0
rfcomm     37291  4
bnep       17711  2

analiz@server:/tmp$ ./kontrol
Sistem yetki unitesi
Kullanim: ./kontrol <sifre>

What is the meaning of the word "sifre"? It is not an English word. It comes from Turkish; in English it means "password".

analiz@server:/tmp$ gdb ./kontrol
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2) 7.4-2012.04
(gdb) r sifre                                   <--- run
Starting program: /tmp/kontrol sifre
Bir Bulutla KI$ Gelmez!                         <--- Turkish sentence
[Inferior 1 (process 3314) exited with code 01] <--- Anti-debug ???

analiz@server:/tmp$ ./kontrol password
Sifre yanlis!                                   <--- Wrong password.

analiz@server:/tmp$ objdump -s ./kontrol | grep sifre
 80c5b30 3c736966 72653e20 0a0a2000 66616272  <sifre> .. .fabr   <--- fabr??

analiz@server:/tmp$ objdump --start-address=0x80c5b30 --stop-address=0x80c5b50 -s ./kontrol

./kontrol:     file format elf32-i386

Contents of section .rodata:
 80c5b30 3c736966 72653e20 0a0a2000 66616272  <sifre> .. .fabr   <--- fabrika ??
 80c5b40 696b6100 0a536966 72652079 616e6c69  ika..Sifre yanli

analiz@server:/tmp:/tmp$ ./kontrol fabrika     <--- pass is fabrika
# id                                            <--- ?? upss.. #root#
uid=0(root) gid=0(root) groups=0(root)

The Linux kernel module (security.ko) has been injected into the system; the control program (./kontrol fabrika) makes a normal user root.
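The objdump steps above recover the hardcoded password by reading the null-terminated strings that follow the "<sifre>" usage text in .rodata. The following script, added here as an illustration and not part of the original post or the rootkit, does the same thing programmatically: it parses the ELF32 section headers, locates .rodata, splits it into printable null-terminated strings with their virtual addresses, and applies the analyst's heuristic of taking the string that immediately follows the prompt token. The ELF image it analyses is a constructed minimal file whose .rodata bytes mirror the hex dump in the post; no real rootkit binary is needed to run it. Function names and the sample image are assumptions of this example.

```python
import struct

# Constructed .rodata content modelled on the objdump output in the post:
# "<sifre> \n\n \0" at 0x80c5b30, "fabrika\0" at 0x80c5b3c, then the error text.
RODATA = b"<sifre> \n\n \x00fabrika\x00\nSifre yanlis!\x00"
RODATA_ADDR = 0x80C5B30
SHSTRTAB = b"\x00.rodata\x00.shstrtab\x00"   # name 1 = .rodata, name 9 = .shstrtab


def build_sample_elf():
    """Build a minimal ELF32 (i386) image: header, .rodata, .shstrtab, section table."""
    ehdr_size = 52
    rodata_off = ehdr_size
    shstrtab_off = rodata_off + len(RODATA)
    shoff = shstrtab_off + len(SHSTRTAB)
    # e_ident: magic, ELFCLASS32, ELFDATA2LSB, EV_CURRENT, padding
    e_ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9
    # e_type=EXEC, e_machine=EM_386, three section headers, shstrtab is index 2
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 0, shoff, 0,
                                 ehdr_size, 0, 0, 40, 3, 2)

    def shdr(name, sh_type, flags, addr, off, size):
        return struct.pack("<IIIIIIIIII", name, sh_type, flags, addr, off, size, 0, 0, 1, 0)

    shdrs = (shdr(0, 0, 0, 0, 0, 0)                                   # SHT_NULL
             + shdr(1, 1, 2, RODATA_ADDR, rodata_off, len(RODATA))    # SHT_PROGBITS, SHF_ALLOC
             + shdr(9, 3, 0, 0, shstrtab_off, len(SHSTRTAB)))         # SHT_STRTAB
    return ehdr + RODATA + SHSTRTAB + shdrs


def elf32_sections(data):
    """Return {section name: (sh_addr, sh_offset, sh_size)} for a little-endian ELF32 image."""
    if data[:4] != b"\x7fELF" or data[4] != 1:
        raise ValueError("not an ELF32 image")
    e_shoff = struct.unpack_from("<I", data, 32)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 46)
    raw = [struct.unpack_from("<IIIIIIIIII", data, e_shoff + i * e_shentsize)
           for i in range(e_shnum)]
    names_off = raw[e_shstrndx][4]           # file offset of the section-name string table
    sections = {}
    for sh in raw:
        start = names_off + sh[0]
        end = data.index(b"\x00", start)
        name = data[start:end].decode("ascii", "replace")
        sections[name] = (sh[3], sh[4], sh[5])
    return sections


def printable_strings(blob, base_addr, min_len=4):
    """Split a section into null-terminated printable strings, keeping their addresses."""
    out = []
    pos = 0
    for chunk in blob.split(b"\x00"):
        if len(chunk) >= min_len and all(32 <= b < 127 or b in (9, 10, 13) for b in chunk):
            out.append((base_addr + pos, chunk.decode("ascii")))
        pos += len(chunk) + 1
    return out


def rodata_strings(elf_bytes):
    addr, off, size = elf32_sections(elf_bytes)[".rodata"]
    return printable_strings(elf_bytes[off:off + size], addr)


def value_after_marker(strings, marker):
    """Analyst heuristic from the post: the constant stored right after the usage token."""
    for i, (_, s) in enumerate(strings):
        if s.startswith(marker) and i + 1 < len(strings):
            return strings[i + 1][1]
    return None


if __name__ == "__main__":
    image = build_sample_elf()
    for addr, s in rodata_strings(image):
        print(f"{addr:08x} {s!r}")
    print("candidate after <sifre>:", value_after_marker(rodata_strings(image), "<sifre>"))
```

The heuristic is only a starting point: a binary that stores its secret elsewhere, or hashes it before comparing, will not yield to adjacency in .rodata, and the real check is to confirm the candidate against the comparison code in a debugger, as the post does with gdb and a test run.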