On Debian systems, older kernels still carry the ptrace bug; the module below can serve as a temporary guard against the problem.
-------- Original Message --------
Subject: anti-ptrace
Resent-Date: Tue, 1 Apr 2003 15:10:58 -0600 (CST)
Resent-From: [email protected]
Date: Tue, 01 Apr 2003 14:53:39 -0600
From: Steve Meyer <[EMAIL PROTECTED]>
To: [email protected]

Has anyone else besides me tried this anti-ptrace script? I downloaded it from packetstormsecurity.com and ran and loaded the module and it works like a charm. If anyone tries to use ptrace besides root it echoes that event to the root terminal, and denies it. Well here is a copy of the script:

#!/bin/sh
# MAKE ME EXECUTABLE !!!
#
# [EMAIL PROTECTED]:/home/sacrine/TEST# chmod +x anti-ptrace
# [EMAIL PROTECTED]:/home/sacrine/TEST# ./anti-ptrace
# [+] making anti-ptrace.c: OK
# [+] compiling the script: OK
# [+] loading the module : OK
#
echo -n " [+] making anti-ptrace.c: "
# Quoted delimiter: nothing inside the C source is subject to shell expansion.
cat > anti-ptrace.c <<'NETRIC'
/*
 * Emergency fix for the ptrace race vuln
 * anti-ptrace.c by sacrine
 * netric.org
 */
#define __KERNEL__
#define MODULE
#define LINUX
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/types.h>
#include <linux/version.h>
#include <linux/slab.h>
#include <linux/sched.h>
#include <linux/fs.h>
#include <linux/ctype.h>
#include <linux/tty.h>
#include <linux/errno.h>
#include <linux/ptrace.h>
#include <asm/unistd.h>     /* __NR_ptrace; <sys/syscall.h> is a userspace header */

/*
 * The real sys_ptrace() of the 2.4 kernels is
 *   asmlinkage int sys_ptrace(long request, long pid, long addr, long data);
 * The hook must keep exactly that signature, otherwise root's calls are
 * forwarded with shifted arguments.
 */
int (*o_ptrace)(long request, long pid, long addr, long data);
extern void *sys_call_table[];

asmlinkage int anti_ptrace(long request, long pid, long addr, long data)
{
    /* root keeps full ptrace access */
    if (current->uid == 0)
        return o_ptrace(request, pid, addr, data);

    /* log the caller (the would-be tracer), then deny */
    printk(KERN_WARNING "warning: ptrace(); violation\n"
           "pid=[%i] uid=[%i]\n", current->pid, current->uid);
    console_print("warning: non-root users are not allowed to use ptrace();\n");
    return -EPERM;          /* syscalls return a negative errno, not EPERM itself */
}

int init_module(void)
{
    o_ptrace = sys_call_table[__NR_ptrace];
    sys_call_table[__NR_ptrace] = anti_ptrace;
    printk(KERN_INFO "anti-ptrace kernel module loaded with pid=[%i]\n", current->pid);
    return 0;
}

void cleanup_module(void)
{
    sys_call_table[__NR_ptrace] = o_ptrace;
    printk(KERN_INFO "anti-ptrace kernel module ended with pid=[%i]\n", current->pid);
}
NETRIC
echo "OK"

echo -n " [+] compiling the script: "
# -O2 is needed: the 2.4 headers rely on inline functions that only resolve with optimisation.
gcc -O2 -Wall -c anti-ptrace.c -I/lib/modules/$(uname -r)/build/include || { echo "FAILED"; exit 1; }
echo "OK"

echo -n " [+] loading the module : "
/sbin/insmod anti-ptrace.o >/dev/null || { echo "FAILED"; exit 1; }
echo "OK"
# sacrine [Netric Security]

--
-Rex, geek by nature linux by choice
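A detection-side companion, added here as an example and not part of the message or the module: it parses kernel-log lines in the exact format the module's printk() produces, pairing the two-line warning and counting denials per uid. The dmesg sample inside it is constructed.

```python
import re
from collections import Counter

_TS = re.compile(r"^\s*\[\s*\d+\.\d+\]\s*")  # dmesg-style timestamp, if any
_HDR = "warning: ptrace(); violation"
_IDS = re.compile(r"pid=\[(\d+)\] uid=\[(\d+)\]")

def parse_violations(lines):
    """(pid, uid) per denied ptrace() call. The module prints the warning as
    two lines, header then ids, so ids are accepted only right after a header.
    pid is the caller (the would-be tracer); the target pid is not logged."""
    events, expect_ids = [], False
    for raw in lines:
        line = _TS.sub("", raw).rstrip()
        if line.startswith(_HDR):
            expect_ids = True
            continue
        if expect_ids:
            m = _IDS.search(line)
            if m:
                events.append((int(m.group(1)), int(m.group(2))))
            expect_ids = False  # the pair is over, matched or not
    return events

def noisy_uids(events, threshold=3):
    """uids with at least `threshold` denials, most frequent first."""
    counts = Counter(uid for _, uid in events)
    return [(uid, n) for uid, n in counts.most_common() if n >= threshold]

# Constructed sample of what dmesg would show with the module loaded.
SAMPLE_LOG = """\
[  101.223344] anti-ptrace kernel module loaded with pid=[1432]
[  133.000100] warning: ptrace(); violation
[  133.000101] pid=[1501] uid=[1000]
[  133.002000] warning: non-root users are not allowed to use ptrace();
[  140.500000] warning: ptrace(); violation
[  140.500001] pid=[1502] uid=[1000]
[  141.000000] warning: ptrace(); violation
[  141.000001] pid=[1503] uid=[1000]
[  150.000000] warning: ptrace(); violation
[  150.000001] pid=[1600] uid=[1001]
[  160.000000] warning: ptrace(); violation
[  160.000001] eth0: link up
""".splitlines()

if __name__ == "__main__":
    ev = parse_violations(SAMPLE_LOG)   # [(1501, 1000), (1502, 1000), (1503, 1000), (1600, 1001)]
    print(ev, noisy_uids(ev))           # noisy_uids -> [(1000, 3)]
```

The last header in the sample is followed by an unrelated line, so it is dropped rather than mis-paired; the console_print() line is ignored because it never follows a header directly.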

