
Good Bad Attitude
by Joel R. Voss aka. Javantea
jvoss@altsci.com
jvoss@myuw.net
May 26 - June 2, 2006

Bad Attitude 0.2 Source [sig]

DESCRIPTION

This program grabs a list of good processes from /proc, then it monitors /proc and kills any new process. It is meant to be used in extremely hostile environments. It is a general use tool, but it can and should be modified as necessary. Obviously it should be modified to allow the user to re-login in case s/he loses shell.

Its original use is for Defcon 14 ACTF. If a vulnerable server gives non-root access (quite likely), attackers who re-attack the server will be able to kill the original attacker. This means that the original attacker should put up defenses quickly to ensure that attackers are ejected. One way is to fix the vulnerability in the server. If this is not possible, this script is a simple solution.

A non-automated or automated attacker will start a new process to attack the server (usually /bin/sh or wget). This script will kill that process if the process does not end quickly enough. Many processes are fast enough to get by this, but any medium amount of I/O will be caught and killed.

Note that Good Bad Attitude uses 100% CPU. This is bad for a server. Vulnerabilities are bad for a server, too. I take no responsibility for what happens to anything you run this on.

METHOD

The first version is a Python script that took the output of ps and killed anything new. It works, but not every box has Python available. Thus version 0.2 is written in C and uses /proc, which obviously requires a Unix-style system. Both versions are a simple while loop and are very processor intensive. The C program doesn't require any external programs, while the Python script requires ps and kill.
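The snapshot-then-diff loop described above, as an added example that is not the Bad Attitude source: it only reports new PIDs instead of killing them, and it sleeps 10 ms between polls to make the trade-off between CPU use and missed short-lived processes visible. The function names, MAX_PIDS and the 10 ms interval are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L  /* for nanosleep() under strict -std modes */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <time.h>
#define MAX_PIDS 8192            /* assumed upper bound for this example */

/* A /proc entry is a process only if its name is all decimal digits. */
int is_pid_name(const char *s) {
    size_t n = strspn(s, "0123456789");
    return n > 0 && s[n] == '\0';
}

/* Fill out[] with the PIDs listed under procdir; returns count, or -1. */
int snapshot_pids(const char *procdir, pid_t *out, int max) {
    DIR *d = opendir(procdir);
    int n = 0;
    if (!d) return -1;
    for (struct dirent *e; n < max && (e = readdir(d)) != NULL; )
        if (is_pid_name(e->d_name)) out[n++] = (pid_t)atol(e->d_name);
    closedir(d);
    return n;
}

/* Copy PIDs present in cur[] but absent from base[] into fresh[]. */
int find_new(const pid_t *base, int nb, const pid_t *cur, int nc, pid_t *fresh) {
    int i, j, k = 0;
    for (i = 0; i < nc; i++) {
        for (j = 0; j < nb && base[j] != cur[i]; j++) ;
        if (j == nb) fresh[k++] = cur[i];
    }
    return k;
}

int main(void) {
    static pid_t base[MAX_PIDS], cur[MAX_PIDS], fresh[MAX_PIDS];
    struct timespec delay = {0, 10 * 1000 * 1000}; /* 10 ms: less CPU, more misses */
    int i, nf, nb = snapshot_pids("/proc", base, MAX_PIDS);
    if (nb < 0) { perror("/proc"); return 1; }
    for (;;) {  /* a failed snapshot yields -1, which find_new treats as empty */
        nf = find_new(base, nb, cur, snapshot_pids("/proc", cur, MAX_PIDS), fresh);
        for (i = 0; i < nf; i++) {
            printf("new pid %ld\n", (long)fresh[i]);
            if (nb < MAX_PIDS) base[nb++] = fresh[i]; /* report each PID once */
        }
        nanosleep(&delay, NULL);
    }
}
```

Because the baseline is keyed on PID alone, a baseline process that exits and has its PID reused by a new process is treated as known.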

USAGE

python bad_att1.py &
gcc -o bad_att2 bad_att2.c -Wall
./bad_att2 &

If you are interested in developing Good Bad Attitude, feel free to e-mail me.


Comments: 2


 
  • opzionibinariestrategie

    I do not even know how I stopped up here, but
    I believed this publish used to be great. I don't understand who
    you're but certainly you are going to a well-known blogger in case you are not
    already. Cheers!

     
     
  • Javantea

    Thanks for the encouragement opzionibinariestrategie. I need it.

     
     