getpwnam preload injection example

console

[openswitch]$ gcc -shared -fPIC getpwnam-preload.c -o getpwnam.so -ldl                                            [~]
[openswitch]$ gcc getpwnam.c -o getpwnam                                                                          [~]
[openswitch]$ ./getpwnam bluecmd                                                                                  [~]
name: bluecmd
uid:  1000
[openswitch]$ ./getpwnam bluecmd-test                                                                             [~]
getpwnam: Success
[openswitch]$ LD_PRELOAD=$PWD/getpwnam.so ./getpwnam bluecmd                                                      [~]
name: bluecmd
uid:  1000
[openswitch]$ LD_PRELOAD=$PWD/getpwnam.so ./getpwnam bluecmd-test                                                 [~]
name: bluecmd-test
uid:  1000

getpwnam-preload.c

#define _GNU_SOURCE
#include <string.h>
#include <sys/types.h>
#include <pwd.h>
#include <dlfcn.h>

typedef struct passwd *(*getpwnam_type)(const char *name);

struct passwd *getpwnam(const char *name) {
  struct passwd *pw;
  getpwnam_type orig_getpwnam;
  orig_getpwnam = (getpwnam_type)dlsym(RTLD_NEXT, "getpwnam");
  pw = orig_getpwnam("bluecmd");
  if (pw == NULL) {
    return pw;
  }
  pw->pw_name = strdup(name);
  return pw;
}

getpwnam.c

#include <stdio.h>
#include <sys/types.h>
#include <pwd.h>
#include <errno.h>


int main(int argc, char *argv[]) {
  errno = 0;
  struct passwd *pw = getpwnam(argv[1]);
  if (pw == NULL) {
    perror("getpwnam");
    return 1;
  }

  printf("name: %s\n", pw->pw_name);
  printf("uid:  %d\n", pw->pw_uid);
  return 0;
}

This is really cool ! Thanks for posting this.