Kos

A simple SUID tool written in C++

Requirements

Third party software support

  • Bash completion (Install completions/kos.bash into /usr/share/bash-completion/completions/kos)

Known issues

  • Only supported on Linux
shadow.h is one of the requirements of kos and is a "Linux thing",
so kos automatically won't work on something like OpenBSD, macOS, SerenityOS or
any other OS.

Kos will not work on any non-Unix OS either, as it uses a lot of
Unix interfaces, for example pwd.h, meaning it will not work on
Windows and other non-Unix OSes.

Though this is not really a big issue: this app is meant to
be run on Linux and was made with the intention of being used on
and with Linux...
  • Overcomplicated input_no_echo() function
I used that function because it's literally the only
way I know how to disable echoing of STDIN in Linux with
C++ without using some huge lib like GNU readline or something...

People packaging kos for non-corporate use

I, the creator of kos, permit you to use any of these licenses:

- GPLv3
- BSD 3-clause
- ArAr2

If you do not want to bundle the ArAr2 license together with kos, you are free
to use any of the other ones.

Building and installing

If you are root you do not need to use su; just run the commands directly.

Manual

Building

CXXFLAGS='-D_KOS_VERSION="1"' CXX=g++ ./scripts/build.sh  # Compiles with GCC instead of Clang (default)

CXXFLAGS='-D_KOS_VERSION="1"' is important, as it defines the version string reported by the version argument.

Installing

./scripts/strip.sh kos
su -c 'mkdir -p /usr/local/bin'
su -c 'chown root:root ./kos'
su -c 'install -Dm4711 ./kos /usr/local/bin'

Man page installation

su -c 'mkdir -p /usr/share/man/man1'
su -c 'install -Dm0644 kos.1 /usr/share/man/man1/kos.1'
su -c 'mandb -qf /usr/share/man/man1/kos.1'

Automated

Before running the script you can optionally:

  • Set the DO_STRIP environment variable to strip the binary after compilation
  • Set the INSTALL_MAN environment variable to also install the man page
chmod a+rx ./scripts/setup.sh
su -c './scripts/setup.sh'

Logic

  • Compile the program linking the libxcrypt lib, then give it SUID privileges using 4711 permissions; the program executable should also be owned by the root user and group.
  • The program first checks that a command was supplied, so that an empty argv does not trigger any bugs.
  • Next it validates that the user is in the master group (kos by default).
  • If that passes, the password is validated: the passwd struct is used to get the username of the currently logged-in user, getuid() gives the uid of the current user, and the /etc/shadow entry for that specific user is fetched using <shadow.h>.
  • The user is then asked to enter their password with STDIN echo disabled; once the user hits enter, the password is hashed using the crypt() function of libxcrypt and compared to pw->sp_pwdp, where pw is the spwd struct holding the shadow entry of the currently logged-in user. If everything is okay the check returns true, else false.
  • If the check passes, setuid() and setgid() are called; if either fails the user is notified, otherwise execution continues.
  • The argv pointer array is incremented to skip argv[0], which is the program name, and the rest is passed to run_command().
  • run_command() forks the current process and checks that the fork succeeded, notifying the user if not. In the child, execvp() runs the command; in the parent, waitpid() waits for the child and collects its exit code, which is returned.
  • Finally, kos exits with the code the child process exited with.
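The two pieces of that flow that can be shown without root or /etc/shadow are the hash comparison and run_command(). The block below is an added example, not kos's own code: hashes_equal() is a constant-time stand-in for the comparison of the crypt() output against pw->sp_pwdp (a plain strcmp() stops at the first differing byte, so its timing depends on how much of the hash matched), and run_command() forks, execvp()s and waitpid()s the way the Logic section describes, returning the child's exit status. The function names and the 127/128+signal status conventions are assumptions borrowed from the shell, not from kos.

```cpp
// Added example, not kos's own code: constant-time hash comparison plus
// the fork/execvp/waitpid command runner described in the Logic section.
#include <cstdio>
#include <string>
#include <vector>
#include <unistd.h>
#include <sys/wait.h>

// Returns true when at least one argument follows the program name.
// kos checks this first so that an empty argv never reaches execvp().
bool has_command(int argc, char* const argv[]) {
    return argc >= 2 && argv[1] != nullptr && argv[1][0] != '\0';
}

// Constant-time comparison for the crypt() output against sp_pwdp.
// Every byte is visited regardless of where the first mismatch is.
bool hashes_equal(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < a.size(); ++i)
        diff |= static_cast<unsigned char>(a[i]) ^ static_cast<unsigned char>(b[i]);
    return diff == 0;
}

// Fork, execvp() the command in the child, waitpid() in the parent and
// return the child's exit status. 127 is returned when exec fails and
// 128+signal when the child was killed (assumed shell conventions).
int run_command(const std::vector<std::string>& cmd) {
    if (cmd.empty()) return 1;
    std::vector<char*> argv;
    for (const auto& s : cmd) argv.push_back(const_cast<char*>(s.c_str()));
    argv.push_back(nullptr);

    pid_t pid = fork();
    if (pid < 0) {
        std::perror("fork");
        return 1;
    }
    if (pid == 0) {
        execvp(argv[0], argv.data());
        std::perror(argv[0]);   // only reached when exec fails
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {
        std::perror("waitpid");
        return 1;
    }
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    if (WIFSIGNALED(status)) return 128 + WTERMSIG(status);
    return 1;
}

int main(int argc, char* argv[]) {
    if (!has_command(argc, argv)) {
        std::fprintf(stderr, "usage: %s <command> [args...]\n", argv[0]);
        return 1;
    }
    std::vector<std::string> cmd(argv + 1, argv + argc);
    return run_command(cmd);   // exit with the child's exit code
}
```

The example deliberately does no privilege change; in kos the setuid()/setgid() calls sit between the password check and run_command(), and each return value must be checked before going on, since a failed call leaves the process with its previous credentials.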

Note for packagers

  • Arch Linux
Permission issues (ERROR: Failed getting groups for user ...)
    The issue can be solved with one install command:
    $ install -Dm4755 -o root "$srcdir/$pkgname-$pkgver/kos" "$pkgdir/usr/bin/kos"

Packages

Tips

  • If you're building for size, make sure to build with -Os or -Oz in CXXFLAGS: it barely touches start times but decreases the size a lot. Stripping can help too.
  • By default kos has modifying of the environment (i.e. USER, HOME, ...) enabled, which increases the size by 39KB (no optimisation). If you do not want the env set and want a smaller binary, disable that in config.h by commenting out the definition.
  • If you ever want to debug kos, use -g -Og in CXXFLAGS.

Testing

There are two scripts in the testing scripts directory: one is noroot.sh and the other root.sh; the *.lib.sh files are just libs.

If you want to test it you just run the scripts, though which ones?

  • If you have access to root run: root.sh
  • If you have access to a non-privileged user run: noroot.sh
  • If you have access to both run.. Well both

Highly recommended

CXXFLAGS='-Og -g' ./scripts/build.sh
valgrind ./kos
valgrind -s ./kos

Or run the valgrind.sh testing script, which tests all compilers, tools and so on; in general a much more in-depth test.

It returns code 127 on failure (detection of a memory leak), and you can see the log in the valgrind.log file.

Requirements

  • Clang
  • GCC
  • Coreutils
  • Bash
  • Net-tools (or a hostname command)

Net-tools is not a thing for me!

You can easily make your own hostname command, which is the only thing the tests depend on:

#!/usr/bin/env sh
cat /etc/hostname

Save this as /usr/bin/hostname and make it executable:

su -c 'chmod 755 /usr/bin/hostname'

Using as a header

Just define KOS_H before including the main.cpp file.

Inputting password from external sources

This section only applies if HAVE_PIPE is set

Kos supports piping to STDIN, so you can easily just pipe (|) the password to it :)

For example:

echo 'Top-secret-passw0rd' | kos id

Or even

printf '' | dmenu -l 0 -p 'Password: ' | kos id
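For the two input paths above, the interactive one from the input_no_echo() known issue and the piped one, here is an added example that is not kos's own code: a termios-based reader that switches echo off only when the input really is a terminal and restores it afterwards, and reads straight through otherwise, which is what lets a piped password work. read_password() and password_from_pipe() are names chosen here; the latter exists only to exercise the piped case without a terminal. One thing to keep in mind with the echo form: the literal password on the command line is recorded in the shell's history file, which the dmenu form avoids.

```cpp
// Added example, not kos's own input_no_echo(): read one line of password
// input with terminal echo disabled when (and only when) stdin is a tty.
#include <cstdio>
#include <string>
#include <termios.h>
#include <unistd.h>

// Reads one line from `in` into `out`. Echo is switched off for the
// duration when `in` is a terminal. Returns false on EOF with no data
// or on a termios error.
bool read_password(FILE* in, std::string& out) {
    int fd = fileno(in);
    termios saved{};
    bool is_tty = isatty(fd) != 0;
    if (is_tty) {
        if (tcgetattr(fd, &saved) != 0) return false;
        termios noecho = saved;
        noecho.c_lflag &= ~static_cast<tcflag_t>(ECHO);
        if (tcsetattr(fd, TCSAFLUSH, &noecho) != 0) return false;
    }
    out.clear();
    int c;
    bool got_any = false;
    while ((c = std::fgetc(in)) != EOF && c != '\n') {
        out.push_back(static_cast<char>(c));
        got_any = true;
    }
    if (is_tty) {
        tcsetattr(fd, TCSAFLUSH, &saved);   // restore echo even on error
        std::fputc('\n', stderr);           // the user's Enter was not echoed
    }
    return got_any || c == '\n';
}

// Constructed helper for the piped case: writes `data` into a pipe and
// reads the password back from its read end, as `echo ... | kos` would.
std::string password_from_pipe(const std::string& data) {
    int fds[2];
    if (pipe(fds) != 0) return "";
    if (write(fds[1], data.data(), data.size()) != static_cast<ssize_t>(data.size())) {
        close(fds[0]);
        close(fds[1]);
        return "";
    }
    close(fds[1]);
    FILE* in = fdopen(fds[0], "r");
    std::string pw;
    bool ok = read_password(in, pw);
    std::fclose(in);
    return ok ? pw : "";
}

int main() {
    std::string pw;
    std::fputs("Password: ", stderr);
    if (!read_password(stdin, pw)) return 1;
    std::fprintf(stderr, "read %zu bytes\n", pw.size());   // never print the password itself
    return 0;
}
```

Restoring the saved termios state after the read, on every exit path, is the part worth copying: if the process is interrupted between the two tcsetattr() calls the user's terminal is left with echo off, which is the usual complaint about hand-rolled no-echo input.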
Owner

TruncatedDinosour