:: About Kon-Boot
Kon-Boot is a prototype piece of software which allows changing the contents of a Linux kernel on the fly (while booting). In its current compilation state it allows logging into a Linux system as the 'root' user without typing the correct password, or elevating privileges from the current user to root. It actually started as a silly project of mine, born from my never-ending memory problems :) It was mainly created for Ubuntu; later I made a few add-ons to cover some other Linux distributions. Finally, please consider that this is my first Linux project so far :) The entire Kon-Boot was written in pure x86 assembly, using the old grandpa-geezer TASM 4.0.

:: Tested Linux'es
The current Kon-Boot release was tested with the following Linux distributions:

Distribution / Kernel                 Grub
Gentoo 2.6.24-gentoo-r5               GRUB 0.97
Ubuntu 2.6.24.3-debug                 GRUB 0.97
Debian 2.6.18-6-686 [1]               GRUB 0.97
Fedora 2.6.25.9-76.fc9.i686 [2]       GRUB 0.97

Notes:
[1] - setreuid attack example not working
[2] - logging in without a password not working (maybe because of SELinux issues?)


:: Using Kon-Boot - Attack type 1 - Logging In Without A Pass (LIWaP)

LIWaP usage scenario:

 1. Boot with the Kon-Boot CD or floppy.
 2. When Linux is fully booted, go to the console mode.
 3. Type 'kon-usr' as the login; if it works you should now be in the system.
 4. !Remember! to restore the system when you are leaving; you can do this by typing 'kon-fix' as the login again.

Sample console output:

Ubuntu 8.04 torpeda tty1
torpeda login: kon-usr
# id
uid=0(root) gid=0(root)
# whoami
root

Login problem?

torpeda login: kon-usr
/bin/sh: Can't open kon-usr

FIX: type 'kon-fix' as the login


:: Using Kon-Boot - Attack type 2 - Setreuid privilege elevation

Use these instructions

:: Current Kon-Boot features

Feature                                                        Supported
Disk access filtering (IVT)                                    Yes
System Address Map fixing for buggy BIOSes ('SMAP' entries)    Yes - basic
Multiple kernel signatures + no hardcoded kernel address       Yes
Deprotecting memory regions                                    Yes - basic, through fixing cr0
Syscalls filtering                                             Yes
Finding kmalloc()                                              No - currently omitted

:: Little video sample

A little video showing Kon-Boot subverting the Debian kernel on the fly while booting (recorded under VMware):

:: Download

DISCLAIMER

The author takes no responsibility for any actions taken with the provided information or code. The copyright for any material created by the author is reserved. Any duplication of the code or texts provided here in electronic or printed publications is not permitted without the author's agreement.

!!! NOTE: THE ISO's ARE NOT BLANK !!!

Kon-Boot Orange Themed
 Floppy image: DOWNLOAD
 CD-ISO: DOWNLOAD

Kon-Boot Kickstart Themed
 Floppy image: DOWNLOAD
 CD-ISO: DOWNLOAD

Note:
All CD-ISOs work in so-called Floppy Emulation mode, which should be handled correctly by 100% of BIOSes that support the El Torito bootable CD format. The ISO images were created by a really basic utility written by me; however, you can convert the floppy images to ISOs yourself using programs like mkisofs etc.


:: Last words, greets and regarding source codes

Meanwhile, after a few discussions with Artur-the-techno-bmx and thorkill I've decided to keep the sources private (maybe just for now?); however, I may consider sharing them via e-mail request, so if you feel you really need them drop me a line and I will run my rnd-number-generator and we will see what you get. On the other hand, the presented software was not obfuscated, so at this point you probably know what to do :)

Actually I was planning to describe here all the hacking-voodoo I used, but again, after doing this stuff I found it a little boring - so I will simply leave it as it is. In the end I would like to greet some old DOS-time-gangstas I know (you may not realize it, but they did hella stuff years before you saw it at Black Hat), also thanks to Artur Byszko (who spent his entire 2 clean CDs to test Kon-Boot; later we will try this on vinyls man), >> yash ks, thorkill, ducer, mcb, << (who listen to my Linux and not-Linux babbling from time to time), Marek Białogłowy (all the best, sic!) and all the guys I'm working with and used to work with, hits from the dongs :)

p - 17:05:11> got gentoo done
thorkill - 17:07:47> nice, you get a cookie

www.piotrbania.com
2008 - All rights reserved ®
Copyrights © - Piotr Bania