LSP2

Author: x90c
Designed the syswatch LKM that host-based intrusion protection
system that LKM in 2004-2005. It's a linux kernel protection to
support userland security from kernelland. The LKM protects race
condtion bug ptrace, gain root shell, chroot break, socketcall
listen ACL

the LKM support to protect general hacking attacks on userland, for
instance buffer overflow, heap overflow, and other local privilege
escalation exploits to gain root shell

I also tested isec's linux kernel exploits within do_brk exploit to be
protected by the LKM. It protected as well. In the meantime, the kernel
exploits are favorite to the script kiddies in the underground

The design goal is -to reduce the linux boxes security risk
via protect all general hacking attacks, to make the linux boxes
similar with secure OS

STEP 1) MySQL Server Install..
STEP 2) Create Databases of "syswatch"
STEP 3) Editing Source
----------------------------------------------------------------
root@testbed:~/wrap_en# ls
CHANGELOG README bin inst syswatch.c
root@testbed:~/wrap_en# cd bin
root@testbed:~/wrap_en/bin# ls
build_ldev drop_db.c logmon.c lshack.c make_db.c start

root@testbed:~/wrap_en/bin# head -n 4 drop_db.c
#define DB_HOST "127.0.0.1"
#define DB_USER "root"
#define DB_PASS "1234"
#define DB_NAME "syswatch"
root@testbed:~/wrap_en/bin#

root@testbed:~/wrap_en/bin# head -n 4 lshack.c
#define DB_HOST "127.0.0.1"
#define DB_USER "root"
#define DB_PASS "1234"
#define DB_NAME "syswatch"

root@testbed:~/wrap_en/bin# head -n 4 make_db.c
#define DB_HOST "127.0.0.1"
#define DB_USER "root"
#define DB_PASS "1234"
#define DB_NAME "syswatch"
root@testbed:~/wrap_en/bin#

Editing DB information..

----------------------------------------------------------------
STEP 4) Mysqld start..

root@testbed:~/wrap_en# mysqld &
[1] 509
root@testbed:~/wrap_en# Starting mysqld daemon with databases from /usr/local/mysql/data

root@testbed:~/wrap_en# ps
PID TTY TIME CMD
289 pts/0 00:00:01 bash
509 pts/0 00:00:00 mysqld
533 pts/0 00:00:00 ps
root@testbed:~/wrap_en#

----------------------------------------------------------------
STEP 4) Main Program Compile & Execute..

root@testbed:~/wrap_en# ./inst
Clean State..

logmon: no process killed
syswatch.c:399: warning: initialization from incompatible pointer type
syswatch.c:400: warning: initialization from incompatible pointer type
syswatch.c:404: warning: initialization from incompatible pointer type
Log Character Device (/dev/logwatch) Special Object Created.

Compiling..

bin/logmon.c: In function `main':
bin/logmon.c:198: warning: passing arg 2 of `setup' makes integer from pointer without a cast
bin/logmon.c:199: warning: passing arg 2 of `setup' makes integer from pointer without a cast
bin/logmon.c: In function `my_thread':
bin/logmon.c:232: warning: return makes pointer from integer without a cast
Enable Module..

Enable Logmon.. ^^a

root@testbed:~/wrap_en#
-------------------------------------
| SYS-WATCH SECURITY MODULE ||
-------------------------------------
Mod.RaceConditon = 1
Mod.Ptrace = 1
Mod.Rootshell = 1
Mod.Chrootbreak = 1
Mod.SocketListen = 1
-------------------------------------
Module Use Count = 0
Non-SERVER-GROUP = 3333
-------------------------------------
Log Daemon ( 1 ) Started.

root@testbed:~/wrap_en# cat /etc/group | grep 3333
NSG:x:3333:pt
root@testbed:~/wrap_en# ps
PID TTY TIME CMD
289 pts/0 00:00:01 bash
509 pts/0 00:00:00 mysqld
565 pts/0 00:00:00 logmon
567 pts/0 00:00:00 logmon
568 pts/0 00:01:21 logmon
576 pts/0 00:00:00 ps
root@testbed:~/wrap_en#

----------------------------------------------------------------
STEP 4) Testing Module

root@testbed:~/wrap_en# lsmod
Module Size Used by Not tainted
syswatch 5164 0 (unused) <- it's me..
ip_tables 14496 0 (unused)
pcnet32 14848 1
root@testbed:~/wrap_en#

root@testbed:~/wrap_en# cd /home
root@testbed:/home# ls -al bash
-rwsr-sr-x 1 root root 628684 2004-02-14 09:41 bash
root@testbed:/home# su pt
pt@testbed:/home$ id
uid=1001(pt) gid=1001(pt) groups=1001(pt),3333(NSG),101(wheel)
pt@testbed:/home$ ./bash -p
pt@testbed:/home# ls
Segmentation fault
pt@testbed:/home# id
Segmentation fault
pt@testbed:/home# w
Segmentation fault
pt@testbed:/home#

pt@testbed:/home$ id
uid=1001(pt) gid=1001(pt) groups=1001(pt),3333(NSG),101(wheel)
pt@testbed:/home$ gdb /bin/bash -q
gdb: Symbol `emacs_ctlx_keymap' has different size in shared object, consider re-linking
(no debugging symbols found)...(gdb) r
Starting program: /bin/bash

Program terminated with signal SIGKILL, Killed.
The program no longer exists.
You can't do that without a process to debug.
(gdb) r
Starting program: /bin/bash

Program terminated with signal SIGKILL, Killed.
The program no longer exists.
You can't do that without a process to debug.
(gdb) q
pt@testbed:/home$

root@testbed:/tmp# ln -s /bin/bash ./
~~~Delay 3 Seconds..
root@testbed:/tmp# rm -rf bash

root@testbed:/tmp# cd /
root@testbed:/# ls -al /chroot
Total 44
drwxr-xr-x 5 root root 4096 2004-02-16 21:52 .
drwxr-xr-x 23 root root 4096 2004-02-17 07:57 ..
drwxr-xr-x 3 root root 4096 2004-02-16 22:00 bin
-rwxr-xr-x 1 root root 12264 2004-02-16 21:51 brk
-rwxr-xr-x 1 root root 11416 2004-02-16 21:49 chroot
drwxr-xr-x 2 root root 4096 2004-02-16 07:29 lib
drwxr-xr-x 2 root root 4096 2004-02-16 21:52 waterbuffalo
root@testbed:/# chroot /chroot bash
I have no name!@testbed:/# ls
bin brk chroot lib waterbuffalo
I have no name!@testbed:/# ls -al brk
-rwxr-xr-x 1 0 0 12264 Feb 16 12:51 brk
I have no name!@testbed:/# ./brk
Killed
I have no name!@testbed:/# ./brk
Killed
I have no name!@testbed:/# cd lib
I have no name!@testbed:/lib# ../brk
Killed
I have no name!@testbed:/lib# cd ..
I have no name!@testbed:/# cd bin
I have no name!@testbed:/bin# ../brk
Killed
I have no name!@testbed:/bin# cd ..
I have no name!@testbed:/# exit
exit
root@testbed:/#

pt@testbed:/$ nc -l -p 7777
local listen fuxored : Operation not permitted
pt@testbed:/$ nc -l -p 2352
local listen fuxored : Operation not permitted
pt@testbed:/$ nc -l -p 6421
local listen fuxored : Operation not permitted
pt@testbed:/$

~~ Edit /etc/group ..

root@testbed:/# cat /etc/group | grep 3333
NSG:x:3333:
root@testbed:/#
pt@testbed:/$ nc -l -p 8231 -v
listening on [any] 8231 ...

Listen Ok... ^^a

----------------------------------------------------------------
STEP 5) VIEW LOG OF ATTEMPT TO HACK

root@testbed:~# cd /root/wrap_en
root@testbed:~/wrap_en# ls
CHANGELOG README bin inst syswatch.c syswatch.o
root@testbed:~/wrap_en# cd bin
root@testbed:~/wrap_en/bin# ./lshack
SYSWATCH-Log View

-----------------------------------------------------------------------------------------------------
ID | Type | Event Timeline | User | UID | GID | EUID | EGID | PID | ACT
-----------------------------------------------------------------------------------------------------
1 | symlink() | Wed Feb 18 09:35:30 2004 | root | 0 | 0 | 0 | 0 | 380 | NULL
2 | execve() | Wed Feb 18 23:06:50 2004 | pt | 1001 | 1001 | 0 | 0 | 584 | SEGV
3 | execve() | Wed Feb 18 23:06:51 2004 | pt | 1001 | 1001 | 0 | 0 | 585 | SEGV
4 | execve() | Wed Feb 18 23:06:52 2004 | pt | 1001 | 1001 | 0 | 0 | 586 | SEGV
5 | ptrace() | Wed Feb 18 23:07:52 2004 | pt | 1001 | 1001 | 1001 | 1001 | 594 | KILL
6 | ptrace() | Wed Feb 18 23:07:53 2004 | pt | 1001 | 1001 | 1001 | 1001 | 595 | KILL
7 | symlink() | Wed Feb 18 23:08:24 2004 | root | 0 | 0 | 0 | 0 | 598 | NULL
8 | chroot() | Wed Feb 18 23:09:35 2004 | root | 0 | 0 | 0 | 0 | 604 | KILL
9 | chroot() | Wed Feb 18 23:09:37 2004 | root | 0 | 0 | 0 | 0 | 605 | KILL
10 | chroot() | Wed Feb 18 23:09:42 2004 | root | 0 | 0 | 0 | 0 | 606 | KILL
11 | chroot() | Wed Feb 18 23:09:47 2004 | root | 0 | 0 | 0 | 0 | 607 | KILL
12 | listen() | Wed Feb 18 23:10:19 2004 | pt | 1001 | 1001 | 1001 | 1001 | 615 | NSG
13 | listen() | Wed Feb 18 23:10:22 2004 | pt | 1001 | 1001 | 1001 | 1001 | 616 | NSG
14 | listen() | Wed Feb 18 23:10:25 2004 | pt | 1001 | 1001 | 1001 | 1001 | 617 | NSG
-----------------------------------------------------------------------------------------------------
SYSWATCH-Log Viewing Finish.
root@testbed:~/wrap_en/bin#

Oh Good :=)~

----------------------------------------------------------------
STEP 5) CLEAN LOG TABLE

root@testbed:~/wrap_en/bin# ./drop_db
SYSWATCH-Clear Log Table..
SYSWATCH-Log Clear Finish!
SYSWATCH-Log Table re-build!!
SYSWATCH-Log Table Creating
SYSWATCH-Log Table Created.
SYSWATCH-Restart Logmon!!
root@testbed:~/wrap_en/bin#
-------------------------------------
| SYS-WATCH SECURITY MODULE ||
-------------------------------------
Mod.RaceConditon = 1
Mod.Ptrace = 1
Mod.Rootshell = 1
Mod.Chrootbreak = 1
Mod.SocketListen = 1
-------------------------------------
Module Use Count = 0
Non-SERVER-GROUP = 3333
-------------------------------------
Log Daemon ( 1 ) Started.

root@testbed:~/wrap_en/bin# ./lshack
SYSWATCH-Log View

-----------------------------------------------------------------------------------------------------
ID | Type | Event Timeline | User | UID | GID | EUID | EGID | PID | ACT
-----------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------
SYSWATCH-Log Viewing Finish.
root@testbed:~/wrap_en/bin#