Creating signatures for newer Ubuntu versions
I would like to create new signatures for newer Ubuntu versions than currently supported. Is there any documentation and help on figuring out what these values are?
I haven't really written a howto, but if you download one of the versions of Ubuntu that inception currently supports, you can search for the signature in the libpam module if you load it into IDA, for instance.
The signatures are at line 398 here:
https://github.com/carmaa/inception/blob/master/inception/modules/unlock.py
From there it should be pretty clear what function and code structure you need to look for in newer versions of Ubuntu.
And to add: Pull requests with new signatures are most welcome!
@JelteF Check out this issue: #109, it might help you to figure out how to find new patterns for Ubuntu.
I found the offset (0x648) for Ubuntu 14.04 x64 but was unable to successfully bypass the login screen. It just flashes once and restarts the login screen. However, after patching, I noticed that it did allow me to escalate to root using 'sudo su -' with an incorrect password, so it was at least partially successful. The pam_authenticate function looks very similar between the 14.04 libpam.so and the 13.10 libpam.so, so it's probably not an issue there. Could it be LightDM getting in the way somehow?