Injecting modules in Linux 05-06-2016, 03:26 AM
#1
I'm back bitches.
Today we're going to learn how to inject a dynamic library into any program on any Linux computer that uses glibc.
First off, what is the module we're injecting? Well, for now, let's keep it simple.
Code:
#include <stdio.h>

// Runs when the loader maps this library, before the host program's main():
// this is the glibc equivalent of DllMain for a shared object.
__attribute__((constructor)) static void proof()
{
    printf("SUH DUDE\r\n");
}
Now, let's say we want to inject that l337 haxor module into "cat". We simply add "LD_PRELOAD=$(pwd)/module.so" before the command, making the whole command "LD_PRELOAD=$(pwd)/module.so cat module.cpp"
Code:
user@laptop:~/Documents/preload-poc$ LD_PRELOAD=$(pwd)/module.so cat module.cpp
SUH DUDE
#include <stdio.h>
__attribute__((constructor)) static void proof() // This is the equivalent of DLLMain for glibc
{
printf("SUH DUDE\r\n");
}
Look at that, the injection worked. It's almost like I've done this before. Now, let's have some fun with this. Let's change the injected code so it makes cat do nothing.
Code:
#include <stdio.h>
#include <unistd.h>

// Interposes libc's write(): because this library is loaded first, cat's
// calls resolve here instead of in libc, so nothing reaches stdout.
// unistd.h declares write with C linkage, so g++ does not mangle this definition.
ssize_t write( int fd, const void *buf, size_t count )
{
    (void)fd; (void)buf;
    return count; // claim every byte was written so the caller doesn't retry
}

// Constructor; named init_hook rather than _init, which crti.o already defines
// and would otherwise fail the link with a duplicate symbol.
__attribute__((constructor)) static void init_hook()
{
    //write(1, "FUCKSHIT\r\n", 10); // would hit the stub above, so it prints nothing while write() is interposed
}
Now...
Code:
user@laptop:~/Documents/preload-poc$ LD_PRELOAD=$(pwd)/module.so cat module.cpp
user@laptop:~/Documents/preload-poc$ LD_PRELOAD=$(pwd)/module.so cat module.cpp
user@laptop:~/Documents/preload-poc$ LD_PRELOAD=$(pwd)/module.so cat module.cpp
user@laptop:~/Documents/preload-poc$ LD_PRELOAD=$(pwd)/module.so cat module.cpp
Look at that, I broke the cat. Someone tell the police, that's in the Macdonald triangle, I'm probably going to... continue to be a sociopath? I don't know.
ANYWAY. Fun fact for you, you can't inject using LD_PRELOAD into a setuid binary, such as sudo.
But, there's a lovely file, /etc/ld.so.preload. Drop the full path of your executable into that bitch, it'll get injected into all binaries whether or not they are setuid. Sounds like a fun way to inject into every running executable to me!
Code:
user@laptop:~/Documents/preload-poc$ LD_PRELOAD=$(pwd)/module.so sudo whoami
root
user@laptop:~/Documents/preload-poc$ sudo su -c 'echo "$(pwd)/module.so" > /etc/ld.so.preload'
user@laptop:~/Documents/preload-poc$ sudo whoami
FUCKSHIT
FUCKSHIT
root
Note that after injection, our canary, FUCKSHIT, prints twice: once for running "sudo", and once for running "whoami".
That's all for now, hopefully you learned how to inject libraries in Linux. There's a similar little setting in Windows called AppInit_DLLs, and I might edit in details on that later, but for now you can google that little slut.
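Added example (not from the post): a Python audit that looks for the two preload points described above, LD_PRELOAD in a process's environment and entries in /etc/ld.so.preload, and checks /proc/<pid>/maps to see whether those libraries are actually mapped into each process. It assumes the glibc format (whitespace- or colon-separated paths); treating '#' as a comment is our own addition, not loader behaviour.

```python
import os


def preload_entries(text):
    """Library paths in an ld.so.preload file (whitespace-separated; '#' comments skipped)."""
    entries = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries


def ld_preload_from_environ(environ_bytes):
    """LD_PRELOAD entries from a NUL-separated /proc/<pid>/environ blob."""
    for var in environ_bytes.split(b"\0"):
        if var.startswith(b"LD_PRELOAD="):
            value = var[len(b"LD_PRELOAD="):].decode(errors="replace")
            return value.replace(":", " ").split()  # the loader accepts ':' or whitespace
    return []


def mapped_libraries(maps_text, suspect_paths):
    """Subset of suspect_paths present as the pathname field of /proc/<pid>/maps lines."""
    mapped = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode pathname
        if len(fields) == 6:
            mapped.add(fields[5].strip())
    return sorted(p for p in suspect_paths if p in mapped)


def audit_proc(proc_root="/proc", preload_file="/etc/ld.so.preload"):
    """Return (global preload list, [(pid, env LD_PRELOAD, mapped preload libs), ...])."""
    try:
        with open(preload_file) as f:
            global_preload = preload_entries(f.read())
    except OSError:
        global_preload = []  # absent or empty file is the healthy state
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(f"{proc_root}/{pid}/environ", "rb") as f:
                env_preload = ld_preload_from_environ(f.read())
            with open(f"{proc_root}/{pid}/maps") as f:
                mapped = mapped_libraries(f.read(), global_preload + env_preload)
        except OSError:
            continue  # process exited, or its /proc entry is not readable by us
        if env_preload or mapped:
            findings.append((int(pid), env_preload, mapped))
    return global_preload, findings
```

Run `audit_proc()` as root to see every process; a non-empty global list or any finding means a library is being preloaded system-wide or per-process, which on a normal host should be nothing at all.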