
			   ___    ___        
                          / _ \  / _ \     
                   __  __| (_) || | | |  ___ 
                   \ \/ / \__. || | | | / __| 
                    >  <    / / | |_| || (__ 
                   /_/\_\  /_/   \___/  \___|


I designed the syswatch LKM that host-based intrusion protection
system that LKM in 2004-2005. It's a linux kernel protection to 
support userland security from kernelland. The LKM protects race
condtion bug ptrace, gain root shell, chroot break, socketcall 
listen ACL

the LKM support to protect general hacking attacks on userland, for 
instance buffer overflow, heap overflow, and other local privilege 
escalation exploits to gain root shell

I also tested isec's linux kernel exploits within do_brk exploit to be 
protected by the LKM. It protected as well. In the meantime, the kernel 
exploits are favorite to the script kiddies in the underground

The design goal is -to reduce the linux boxes security risk 
via protect all general hacking attacks, to make the linux boxes
similar with secure OS-


x90c


STEP 1) MySQL Server Install..
STEP 2) Create Databases of "syswatch"
STEP 3) Editing Source
----------------------------------------------------------------
root@testbed:~/wrap_en# ls
CHANGELOG  README  bin  inst  syswatch.c
root@testbed:~/wrap_en# cd bin
root@testbed:~/wrap_en/bin# ls
build_ldev  drop_db.c  logmon.c  lshack.c  make_db.c  start

root@testbed:~/wrap_en/bin# head -n 4 drop_db.c  
#define DB_HOST "127.0.0.1"
#define DB_USER "root"
#define DB_PASS "1234"
#define DB_NAME "syswatch"
root@testbed:~/wrap_en/bin# 

root@testbed:~/wrap_en/bin# head -n 4 lshack.c
#define DB_HOST "127.0.0.1"
#define DB_USER "root"
#define DB_PASS "1234"
#define DB_NAME "syswatch"

root@testbed:~/wrap_en/bin# head -n 4 make_db.c
#define DB_HOST "127.0.0.1"
#define DB_USER "root"
#define DB_PASS "1234"
#define DB_NAME "syswatch"
root@testbed:~/wrap_en/bin# 


Editing DB information..

----------------------------------------------------------------
STEP 4) Mysqld start..

root@testbed:~/wrap_en# mysqld &
[1] 509
root@testbed:~/wrap_en# Starting mysqld daemon with databases from /usr/local/mysql/data

root@testbed:~/wrap_en# ps
  PID TTY          TIME CMD
  289 pts/0    00:00:01 bash
  509 pts/0    00:00:00 mysqld
  533 pts/0    00:00:00 ps
root@testbed:~/wrap_en# 


----------------------------------------------------------------
STEP 4) Main Program Compile & Execute..

root@testbed:~/wrap_en# ./inst
Clean State..

logmon: no process killed
syswatch.c:399: warning: initialization from incompatible pointer type
syswatch.c:400: warning: initialization from incompatible pointer type
syswatch.c:404: warning: initialization from incompatible pointer type
Log Character Device (/dev/logwatch) Special Object Created.

Compiling..

bin/logmon.c: In function `main':
bin/logmon.c:198: warning: passing arg 2 of `setup' makes integer from pointer without a cast
bin/logmon.c:199: warning: passing arg 2 of `setup' makes integer from pointer without a cast
bin/logmon.c: In function `my_thread':
bin/logmon.c:232: warning: return makes pointer from integer without a cast
Enable Module..

Enable Logmon.. ^^a

root@testbed:~/wrap_en# 
-------------------------------------
|    SYS-WATCH SECURITY MODULE     ||
-------------------------------------
 Mod.RaceConditon = 1
 Mod.Ptrace = 1
 Mod.Rootshell = 1
 Mod.Chrootbreak = 1
 Mod.SocketListen = 1
-------------------------------------
 Module Use Count = 0
 Non-SERVER-GROUP = 3333
-------------------------------------
Log Daemon ( 1 ) Started.


root@testbed:~/wrap_en# cat /etc/group | grep 3333          
NSG:x:3333:pt
root@testbed:~/wrap_en# ps
  PID TTY          TIME CMD
  289 pts/0    00:00:01 bash
  509 pts/0    00:00:00 mysqld
  565 pts/0    00:00:00 logmon
  567 pts/0    00:00:00 logmon
  568 pts/0    00:01:21 logmon
  576 pts/0    00:00:00 ps
root@testbed:~/wrap_en# 


----------------------------------------------------------------
STEP 4) Testing Module

root@testbed:~/wrap_en# lsmod
Module                  Size  Used by    Not tainted
syswatch                5164   0  (unused)	<- it's me..
ip_tables              14496   0  (unused)
pcnet32                14848   1 
root@testbed:~/wrap_en# 





root@testbed:~/wrap_en# cd /home
root@testbed:/home# ls -al bash
-rwsr-sr-x    1 root     root       628684 2004-02-14 09:41 bash
root@testbed:/home# su pt
pt@testbed:/home$ id
uid=1001(pt) gid=1001(pt) groups=1001(pt),3333(NSG),101(wheel)
pt@testbed:/home$ ./bash -p
pt@testbed:/home# ls
Segmentation fault
pt@testbed:/home# id
Segmentation fault
pt@testbed:/home# w
Segmentation fault
pt@testbed:/home# 




pt@testbed:/home$ id
uid=1001(pt) gid=1001(pt) groups=1001(pt),3333(NSG),101(wheel)
pt@testbed:/home$ gdb /bin/bash -q
gdb: Symbol `emacs_ctlx_keymap' has different size in shared object, consider re-linking
(no debugging symbols found)...(gdb) r
Starting program: /bin/bash 

Program terminated with signal SIGKILL, Killed.
The program no longer exists.
You can't do that without a process to debug.
(gdb) r
Starting program: /bin/bash 

Program terminated with signal SIGKILL, Killed.
The program no longer exists.
You can't do that without a process to debug.
(gdb) q
pt@testbed:/home$ 



root@testbed:/tmp# ln -s /bin/bash ./
~~~Delay 3 Seconds..
root@testbed:/tmp# rm -rf bash




root@testbed:/tmp# cd /
root@testbed:/# ls -al /chroot
Total 44
drwxr-xr-x    5 root     root         4096 2004-02-16 21:52 .
drwxr-xr-x   23 root     root         4096 2004-02-17 07:57 ..
drwxr-xr-x    3 root     root         4096 2004-02-16 22:00 bin
-rwxr-xr-x    1 root     root        12264 2004-02-16 21:51 brk
-rwxr-xr-x    1 root     root        11416 2004-02-16 21:49 chroot
drwxr-xr-x    2 root     root         4096 2004-02-16 07:29 lib
drwxr-xr-x    2 root     root         4096 2004-02-16 21:52 waterbuffalo
root@testbed:/# chroot /chroot bash
I have no name!@testbed:/# ls
bin  brk  chroot  lib  waterbuffalo
I have no name!@testbed:/# ls -al brk
-rwxr-xr-x    1 0        0           12264 Feb 16 12:51 brk
I have no name!@testbed:/# ./brk
Killed
I have no name!@testbed:/# ./brk
Killed
I have no name!@testbed:/# cd lib
I have no name!@testbed:/lib# ../brk
Killed
I have no name!@testbed:/lib# cd ..
I have no name!@testbed:/# cd bin
I have no name!@testbed:/bin# ../brk
Killed
I have no name!@testbed:/bin# cd ..
I have no name!@testbed:/# exit
exit
root@testbed:/# 



pt@testbed:/$ nc -l -p 7777
local listen fuxored : Operation not permitted
pt@testbed:/$ nc -l -p 2352
local listen fuxored : Operation not permitted
pt@testbed:/$ nc -l -p 6421
local listen fuxored : Operation not permitted
pt@testbed:/$ 

~~ Edit /etc/group ..

root@testbed:/# cat /etc/group | grep 3333
NSG:x:3333:
root@testbed:/# 
pt@testbed:/$ nc -l -p 8231 -v
listening on [any] 8231 ...

Listen Ok... ^^a




----------------------------------------------------------------
STEP 5) VIEW LOG OF ATTEMPT TO HACK

root@testbed:~# cd /root/wrap_en
root@testbed:~/wrap_en# ls
CHANGELOG  README  bin  inst  syswatch.c  syswatch.o
root@testbed:~/wrap_en# cd bin
root@testbed:~/wrap_en/bin# ./lshack
SYSWATCH-Log View

-----------------------------------------------------------------------------------------------------
   ID |    Type    |      Event Timeline      |  User |  UID  |  GID  |  EUID |  EGID |  PID  |  ACT 
-----------------------------------------------------------------------------------------------------
    1 |  symlink() | Wed Feb 18 09:35:30 2004 |  root |     0 |     0 |     0 |     0 |   380 |  NULL
    2 |   execve() | Wed Feb 18 23:06:50 2004 |    pt |  1001 |  1001 |     0 |     0 |   584 |  SEGV
    3 |   execve() | Wed Feb 18 23:06:51 2004 |    pt |  1001 |  1001 |     0 |     0 |   585 |  SEGV
    4 |   execve() | Wed Feb 18 23:06:52 2004 |    pt |  1001 |  1001 |     0 |     0 |   586 |  SEGV
    5 |   ptrace() | Wed Feb 18 23:07:52 2004 |    pt |  1001 |  1001 |  1001 |  1001 |   594 |  KILL
    6 |   ptrace() | Wed Feb 18 23:07:53 2004 |    pt |  1001 |  1001 |  1001 |  1001 |   595 |  KILL
    7 |  symlink() | Wed Feb 18 23:08:24 2004 |  root |     0 |     0 |     0 |     0 |   598 |  NULL
    8 |   chroot() | Wed Feb 18 23:09:35 2004 |  root |     0 |     0 |     0 |     0 |   604 |  KILL
    9 |   chroot() | Wed Feb 18 23:09:37 2004 |  root |     0 |     0 |     0 |     0 |   605 |  KILL
   10 |   chroot() | Wed Feb 18 23:09:42 2004 |  root |     0 |     0 |     0 |     0 |   606 |  KILL
   11 |   chroot() | Wed Feb 18 23:09:47 2004 |  root |     0 |     0 |     0 |     0 |   607 |  KILL
   12 |   listen() | Wed Feb 18 23:10:19 2004 |    pt |  1001 |  1001 |  1001 |  1001 |   615 |   NSG
   13 |   listen() | Wed Feb 18 23:10:22 2004 |    pt |  1001 |  1001 |  1001 |  1001 |   616 |   NSG
   14 |   listen() | Wed Feb 18 23:10:25 2004 |    pt |  1001 |  1001 |  1001 |  1001 |   617 |   NSG
-----------------------------------------------------------------------------------------------------
SYSWATCH-Log Viewing Finish.
root@testbed:~/wrap_en/bin# 

Oh Good :=)~




----------------------------------------------------------------
STEP 5) CLEAN LOG TABLE

root@testbed:~/wrap_en/bin# ./drop_db
SYSWATCH-Clear Log Table..
SYSWATCH-Log Clear Finish!
SYSWATCH-Log Table re-build!!
SYSWATCH-Log Table Creating
SYSWATCH-Log Table Created.
SYSWATCH-Restart Logmon!!
root@testbed:~/wrap_en/bin# 
-------------------------------------
|    SYS-WATCH SECURITY MODULE     ||
-------------------------------------
 Mod.RaceConditon = 1
 Mod.Ptrace = 1
 Mod.Rootshell = 1
 Mod.Chrootbreak = 1
 Mod.SocketListen = 1
-------------------------------------
 Module Use Count = 0
 Non-SERVER-GROUP = 3333
-------------------------------------
Log Daemon ( 1 ) Started.

root@testbed:~/wrap_en/bin# ./lshack
SYSWATCH-Log View

-----------------------------------------------------------------------------------------------------
   ID |    Type    |      Event Timeline      |  User |  UID  |  GID  |  EUID |  EGID |  PID  |  ACT 
-----------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------
SYSWATCH-Log Viewing Finish.
root@testbed:~/wrap_en/bin# 





Thx for your interesting..


