From 3a706c3f6ad27bbc905ac40f11fab7e170244f7e Mon Sep 17 00:00:00 2001
From: takeshix <takeshix@adversec.com>
Date: Thu, 7 Jan 2016 22:03:50 +0100
Subject: [PATCH] Automatically defuse malicious components

This script will run all the steps that are required to disable
malicious Red Star OS components like "virus scanning" and watermarking
of media files. This makes it easier for everyone to further research the system.
---
 defuse.sh | 129 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 129 insertions(+)
 create mode 100644 defuse.sh

diff --git a/defuse.sh b/defuse.sh
new file mode 100644
index 0000000..bc92ef9
--- /dev/null
+++ b/defuse.sh
@@ -0,0 +1,129 @@
+#!/bin/bash
+
+# This is a precompiled libos.so used as a drop-in replacement because default
+# installations of Red Star OS 3.0 Desktop do not include GCC.
+#
+# sha256sum: 8661c311a18cb7a8be4624a9930c88b3a0f43d734bcafb26f9ea15651cda2800
+LIBOS="f0VMRgEBAQAAAAAAAAAAAAMAAwABAAAAIAMAADQAAABUBgAAAAAAADQAIAAFACgAGgAXAAEAAAAA
+AAAAAAAAAAAAAABYBAAAWAQAAAUAAAAAEAAAAQAAAFgEAABYFAAAWBQAAPgAAAAAAQAABgAAAAAQ
+AAACAAAAcAQAAHAUAABwFAAAwAAAAMAAAAAGAAAABAAAAAQAAADUAAAA1AAAANQAAAAkAAAAJAAA
+AAQAAAAEAAAAUeV0ZAAAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAQAAAAEAAAAFAAAAAMAAABHTlUA
+G13eo0DDAAwZfo2/FLPAMjzpIAgDAAAABAAAAAIAAAAGAAAAiAAhAQDEQAkEAAAABgAAAAkAAAC6
+45J8Q0XV7BCOFvTYcVgcuY3xDuvT7w4AAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAIAAAACsA
+AAAAAAAAAAAAACAAAAAcAAAAAAAAAAAAAAAiAAAAaAAAAFgVAAAAAAAAEADx/1UAAABQFQAAAAAA
+ABAA8f8/AAAA8AMAAAoAAAASAAsAXAAAAFAVAAAAAAAAEADx/xAAAAC0AgAAAAAAABIACQAWAAAA
+OAQAAAAAAAASAAwAAF9fZ21vbl9zdGFydF9fAF9pbml0AF9maW5pAF9fY3hhX2ZpbmFsaXplAF9K
+dl9SZWdpc3RlckNsYXNzZXMAdmFsaWRhdGVfb3MAbGliYy5zby42AF9lZGF0YQBfX2Jzc19zdGFy
+dABfZW5kAEdMSUJDXzIuMS4zAAAAAAAAAAACAAEAAQABAAEAAQABAAAAAQABAEsAAAAQAAAAAAAA
+AHMfaQkAAAIAbQAAAAAAAABsFAAACAAAADAVAAAGAQAANBUAAAYCAAA4FQAABgMAAEgVAAAHAQAA
+TBUAAAcDAABVieVTg+wE6AAAAABbgcN8EgAAi5P0////hdJ0BegeAAAA6NUAAADoIAEAAFhbycP/
+swQAAAD/owgAAAAAAAAA/6MMAAAAaAAAAADp4P////+jEAAAAGgIAAAA6dD///8AAAAAAAAAAAAA
+AABVieVWU+i/AAAAgcMSEgAAjWQk8IC7FAAAAAB1XIuD/P///4XAdA6NgzD///+JBCTor////42z
+KP///42TJP///ynWi4MYAAAAwf4Cg+4BOfBzH5CNdCYAg8ABiYMYAAAA/5SDJP///4uDGAAAADnw
+cubGgxQAAAABjWQkEFteXcPrDZCQkJCQkJCQkJCQkJBVieVT6DAAAACBw4MRAACNZCTsi5Ms////
+hdJ0FYuD+P///4XAdAuNkyz///+JFCT/0I1kJBRbXcOLHCTDkJCQVYnluAEAAABdw5CQkJCQkFWJ
+5VZT6N////+BwzIRAACLgxz///+D+P90GY2zHP///420JgAAAACNdvz/0IsGg/j/dfRbXl3DVYnl
+U4PsBOgAAAAAW4HD+BAAAOjQ/v//WVvJwwAAAAD/////AAAAAP////8AAAAAAAAAAGwUAAABAAAA
+SwAAAAwAAAC0AgAADQAAADgEAAD1/v9v+AAAAAUAAADUAQAABgAAADQBAAAKAAAAeQAAAAsAAAAQ
+AAAAAwAAADwVAAACAAAAEAAAABQAAAARAAAAFwAAAKQCAAARAAAAhAIAABIAAAAgAAAAEwAAAAgA
+AAD+//9vZAIAAP///28BAAAA8P//b04CAAD6//9vAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwFAAAAAAAAAAAAAD6AgAACgMAAEdDQzogKEdO
+VSkgNC40LjcgMjAxMjAzMTMgKFJlZCBIYXQgNC40LjctMTYpAAAuc3ltdGFiAC5zdHJ0YWIALnNo
+c3RydGFiAC5ub3RlLmdudS5idWlsZC1pZAAuZ251Lmhhc2gALmR5bnN5bQAuZHluc3RyAC5nbnUu
+dmVyc2lvbgAuZ251LnZlcnNpb25fcgAucmVsLmR5bgAucmVsLnBsdAAuaW5pdAAudGV4dAAuZmlu
+aQAuZWhfZnJhbWUALmN0b3JzAC5kdG9ycwAuamNyAC5kYXRhLnJlbC5ybwAuZHluYW1pYwAuZ290
+AC5nb3QucGx0AC5ic3MALmNvbW1lbnQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAABsAAAAHAAAAAgAAANQAAADUAAAAJAAAAAAAAAAAAAAABAAAAAAAAAAuAAAA9v//bwIA
+AAD4AAAA+AAAADwAAAADAAAAAAAAAAQAAAAEAAAAOAAAAAsAAAACAAAANAEAADQBAACgAAAABAAA
+AAEAAAAEAAAAEAAAAEAAAAADAAAAAgAAANQBAADUAQAAeQAAAAAAAAAAAAAAAQAAAAAAAABIAAAA
+////bwIAAABOAgAATgIAABQAAAADAAAAAAAAAAIAAAACAAAAVQAAAP7//28CAAAAZAIAAGQCAAAg
+AAAABAAAAAEAAAAEAAAAAAAAAGQAAAAJAAAAAgAAAIQCAACEAgAAIAAAAAMAAAAAAAAABAAAAAgA
+AABtAAAACQAAAAIAAACkAgAApAIAABAAAAADAAAACgAAAAQAAAAIAAAAdgAAAAEAAAAGAAAAtAIA
+ALQCAAAwAAAAAAAAAAAAAAAEAAAAAAAAAHEAAAABAAAABgAAAOQCAADkAgAAMAAAAAAAAAAAAAAA
+BAAAAAQAAAB8AAAAAQAAAAYAAAAgAwAAIAMAABgBAAAAAAAAAAAAABAAAAAAAAAAggAAAAEAAAAG
+AAAAOAQAADgEAAAcAAAAAAAAAAAAAAAEAAAAAAAAAIgAAAABAAAAAgAAAFQEAABUBAAABAAAAAAA
+AAAAAAAABAAAAAAAAACSAAAAAQAAAAMAAABYFAAAWAQAAAgAAAAAAAAAAAAAAAQAAAAAAAAAmQAA
+AAEAAAADAAAAYBQAAGAEAAAIAAAAAAAAAAAAAAAEAAAAAAAAAKAAAAABAAAAAwAAAGgUAABoBAAA
+BAAAAAAAAAAAAAAABAAAAAAAAAClAAAAAQAAAAMAAABsFAAAbAQAAAQAAAAAAAAAAAAAAAQAAAAA
+AAAAsgAAAAYAAAADAAAAcBQAAHAEAADAAAAABAAAAAAAAAAEAAAACAAAALsAAAABAAAAAwAAADAV
+AAAwBQAADAAAAAAAAAAAAAAABAAAAAQAAADAAAAAAQAAAAMAAAA8FQAAPAUAABQAAAAAAAAAAAAA
+AAQAAAAEAAAAyQAAAAgAAAADAAAAUBUAAFAFAAAIAAAAAAAAAAAAAAAEAAAAAAAAAM4AAAABAAAA
+MAAAAAAAAABQBQAALQAAAAAAAAAAAAAAAQAAAAEAAAARAAAAAwAAAAAAAAAAAAAAfQUAANcAAAAA
+AAAAAAAAAAEAAAAAAAAAAQAAAAIAAAAAAAAAAAAAAGQKAAAwAwAAGQAAACoAAAAEAAAAEAAAAAkA
+AAADAAAAAAAAAAAAAACUDQAAeAEAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ANQAAAAAAAAAAwABAAAAAAD4AAAAAAAAAAMAAgAAAAAANAEAAAAAAAADAAMAAAAAANQBAAAAAAAA
+AwAEAAAAAABOAgAAAAAAAAMABQAAAAAAZAIAAAAAAAADAAYAAAAAAIQCAAAAAAAAAwAHAAAAAACk
+AgAAAAAAAAMACAAAAAAAtAIAAAAAAAADAAkAAAAAAOQCAAAAAAAAAwAKAAAAAAAgAwAAAAAAAAMA
+CwAAAAAAOAQAAAAAAAADAAwAAAAAAFQEAAAAAAAAAwANAAAAAABYFAAAAAAAAAMADgAAAAAAYBQA
+AAAAAAADAA8AAAAAAGgUAAAAAAAAAwAQAAAAAABsFAAAAAAAAAMAEQAAAAAAcBQAAAAAAAADABIA
+AAAAADAVAAAAAAAAAwATAAAAAAA8FQAAAAAAAAMAFAAAAAAAUBUAAAAAAAADABUAAAAAAAAAAAAA
+AAAAAwAWAAEAAAAAAAAAAAAAAAQA8f8MAAAAWBQAAAAAAAABAA4AGgAAAGAUAAAAAAAAAQAPACgA
+AABoFAAAAAAAAAEAEAA1AAAAIAMAAAAAAAACAAsASwAAAFAVAAABAAAAAQAVAFoAAABUFQAABAAA
+AAEAFQBoAAAAsAMAAAAAAAACAAsAAQAAAAAAAAAAAAAABADx/3QAAABcFAAAAAAAAAEADgCBAAAA
+VAQAAAAAAAABAA0AjwAAAGgUAAAAAAAAAQAQAJsAAAAABAAAAAAAAAIACwCxAAAAAAAAAAAAAAAE
+APH/uQAAADwVAAAAAAAAAQDx/88AAABsFAAAAAAAAAEAEQDcAAAAZBQAAAAAAAABAA8A6QAAAOkD
+AAAAAAAAAgALAAABAABwFAAAAAAAAAEA8f8JAQAA8AMAAAoAAAASAAsAFQEAAAAAAAAAAAAAIAAA
+ACQBAAAAAAAAAAAAACAAAAA4AQAAOAQAAAAAAAASAAwAPgEAAFAVAAAAAAAAEADx/0oBAABYFQAA
+AAAAABAA8f9PAQAAUBUAAAAAAAAQAPH/VgEAAAAAAAAAAAAAIgAAAHIBAAC0AgAAAAAAABIACQAA
+Y3J0c3R1ZmYuYwBfX0NUT1JfTElTVF9fAF9fRFRPUl9MSVNUX18AX19KQ1JfTElTVF9fAF9fZG9f
+Z2xvYmFsX2R0b3JzX2F1eABjb21wbGV0ZWQuNTk3NABkdG9yX2lkeC41OTc2AGZyYW1lX2R1bW15
+AF9fQ1RPUl9FTkRfXwBfX0ZSQU1FX0VORF9fAF9fSkNSX0VORF9fAF9fZG9fZ2xvYmFsX2N0b3Jz
+X2F1eABsaWJvcy5jAF9HTE9CQUxfT0ZGU0VUX1RBQkxFXwBfX2Rzb19oYW5kbGUAX19EVE9SX0VO
+RF9fAF9faTY4Ni5nZXRfcGNfdGh1bmsuYngAX0RZTkFNSUMAdmFsaWRhdGVfb3MAX19nbW9uX3N0
+YXJ0X18AX0p2X1JlZ2lzdGVyQ2xhc3NlcwBfZmluaQBfX2Jzc19zdGFydABfZW5kAF9lZGF0YQBf
+X2N4YV9maW5hbGl6ZUBAR0xJQkNfMi4xLjMAX2luaXQA"
+
+check_euid(){
+    if [ "$(id -u)" != 0 ]; then
+    	echo "You need root privileges to run this script!"
+		exit 1
+    fi
+}
+
+disable_selinux(){
+	setenforce 0
+    sed -i'.bak' '/kernel \/boot\/vmlinuz-2.6.38.8-24.rs3.0.i686/ s/$/ selinux=0/' /boot/grub/grub.conf
+}
+
+disable_rtscan(){
+    echo -e "import fcntl\nfcntl.ioctl(open('/dev/res', 'wb'), 29187)" | python
+}
+
+replace_libos(){
+	echo "$LIBOS" | base64 -d > /usr/lib/libos.so.0.0.0
+	rm /usr/lib/libos.so.0
+	ln -s /usr/lib/libos.so.0.0.0 /usr/lib/libos.so.0
+}
+
+remove_autostarts(){
+	mv /usr/share/autostart/scnprc.desktop /usr/share/autostart/scnprc.desktop.bak 2>/dev/null
+    mv /etc/init/ctguard.conf /etc/init/ctguard.conf.bak 2>/dev/null
+}
+
+main(){
+	check_euid
+
+    echo "Disabling SELinux"
+	disable_selinux
+	
+    echo "Killing securityd"
+	killall -9 securityda 2>/dev/null
+    
+    echo "Disabling rtscan"
+	disable_rtscan
+
+    echo "Killing scnprc and opprc"
+	killall scnprc opprc 2>/dev/null
+
+    echo "Replacing libos"
+	replace_libos
+
+    echo "Disabling scnprc autostart"
+    remove_autostarts
+
+	echo "Done. Please press Return to reboot the system."
+	read -r
+	reboot
+}
+
+main