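#!/usr/bin/env bpftrace
/*
 * Kill a watched unprivileged user's task the moment it tries to commit an
 * all-root credential set.
 *
 * Attaches to the entry of commit_creds(), so the new struct cred (arg0) has
 * been prepared but not yet installed on the task. When the calling task's
 * real UID is the watched UID and every UID/GID field of the new cred is 0,
 * the event is logged and SIGKILL is queued for the task.
 *
 * Usage: bpftrace --unsafe commit_creds_kill.bt [TARGET_UID]
 *   TARGET_UID is positional parameter $1; it defaults to 1007 when no
 *   argument is given, which keeps the original behaviour.
 *
 * Notes:
 *   - signal() is classed as an unsafe action by bpftrace, so --unsafe is
 *     typically required.
 *   - 'uid' is the real UID of the current task. 'comm' is set by the task
 *     itself (prctl PR_SET_NAME) and is informational only, not an identity.
 *   - Any full root transition by the watched UID matches, including
 *     legitimate ones (e.g. via su/sudo); use this only for accounts that
 *     must never become root.
 *   - On kernels without BTF, struct cred must be made visible with
 *     #include <linux/cred.h> at the top of this script.
 */

kprobe:commit_creds
{
	// Watched real UID: positional argument 1 if supplied, else the default.
	$target_uid = $# > 0 ? $1 : 1007;

	if (uid == $target_uid) {
		// Credentials about to be installed on the current task.
		$cred = (struct cred *)arg0;

		// Only a full transition (all UIDs and GIDs == 0) is treated as an
		// escalation; a setuid exec that leaves the real UID alone does not match.
		if ($cred->uid.val == 0 && $cred->euid.val == 0 &&
		    $cred->suid.val == 0 && $cred->fsuid.val == 0 &&
		    $cred->gid.val == 0 && $cred->egid.val == 0 &&
		    $cred->sgid.val == 0 && $cred->fsgid.val == 0) {
			printf("commit_creds escalating to root: PID=%d, UID=%d, Comm=%s\n",
			       pid, uid, comm);
			// Queue SIGKILL for the current task (symbolic name instead of magic 9).
			signal("KILL");
		}
	}
}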
Find more interesting stuff here: https://edu.defensive-security.com/