Sunday, 10 November 2013

Subverting library calls with LD_PRELOAD

LD_PRELOAD is a dandy environment variable which, when set, tells the dynamic linker to load the shared objects it names before any others, so a function defined in one of them wins over the same-named function in libc or any other library the program links against. Consider the following program:

[adam@localhost code]$ ./secret
Usage: ./secret password
[adam@localhost code]$ ./secret abc123
ERROR: Incorrect password
[adam@localhost code]$ 

Well crap. What to do. Let's have a look at the library functions it imports:

[adam@localhost code]$ nm -D secret
                 w __gmon_start__
                 U __libc_start_main
                 U printf
                 U puts
                 U strlen
                 U strncmp

If only we knew what parameters were being passed to strncmp!.. Oh wait, this is a tutorial:

Creating our own strncmp:

[adam@localhost code]$ cat load_me_first.c
#include <stdio.h>
#include <stdlib.h>

/* Same name and signature as libc's strncmp, so it shadows the real one
   once this object is in LD_PRELOAD. */
int strncmp(const char *cs, const char *ct, size_t count){
    printf("[ Non-official strncmp hit ]\n"
           "\tcs = %s\n"
           "\tct = %s\n",
            cs, ct);
    /* report "no match": the caller still needs a return value */
    return 1;
}

Compiling it as a shared object (position-independent code, hence -fPIC):

[adam@localhost code]$ gcc -shared -o -fPIC load_me_first.c
[adam@localhost code]$ ls -la *.so
-rwxrwxr-x. 1 adam adam 8065 Nov 10 22:58

And finally running the program with LD_PRELOAD pointing at our shared object:

[adam@localhost code]$ LD_PRELOAD=./ ./secret "if only this was the password"
[ Non-official strncmp hit ]
    cs = qwerty
    ct = if only this was the password
[adam@localhost code]$

Whayy. We can see that the user's password is being compared against "qwerty"; we would never have been able to brute-force that!

[adam@localhost code]$ ./secret qwerty

        )\               (__)
       /  \              (oo)
     Cow trying out for a part
       in the new JAWS movie
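A hook that logs but does not hand back strncmp's real verdict changes what the program does; the usual fix is to look up the genuine function with dlsym(RTLD_NEXT, ...) and return its result. The following is an added example, not code from the original post; the file names strncmp_hook.c and strncmp_hook.so are assumed:

```c
/* Added example (not the original post's code): a strncmp interposer that
 * logs every call and then forwards to libc's own strncmp, so the hooked
 * program behaves exactly as before apart from the extra output.
 * Build: gcc -shared -fPIC -o strncmp_hook.so strncmp_hook.c   (names assumed)
 * Run:   LD_PRELOAD=./strncmp_hook.so ./secret guess */
#define _GNU_SOURCE            /* exposes RTLD_NEXT in <dlfcn.h> */
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)  /* glibc/musl value, in case the feature macro came too late */
#endif

typedef int (*strncmp_fn)(const char *, const char *, size_t);

/* Look up the next "strncmp" after this object in the library search
 * order (i.e. libc's), once, and cache it. */
static strncmp_fn real_strncmp(void) {
    static strncmp_fn real;
    if (!real) {
        real = (strncmp_fn) dlsym(RTLD_NEXT, "strncmp");
        if (!real) {
            const char *why = dlerror();
            fprintf(stderr, "[hook] real strncmp not found: %s\n", why ? why : "?");
            abort();
        }
    }
    return real;
}

/* Same name and signature as libc's strncmp: with this object in LD_PRELOAD
 * the dynamic linker binds the program's strncmp calls here instead. */
int strncmp(const char *cs, const char *ct, size_t count) {
    /* log to stderr so the program's own stdout is untouched; %.*s stops
     * at count, which is all strncmp may legitimately read anyway */
    fprintf(stderr, "[hook] strncmp(\"%.*s\", \"%.*s\", %zu)\n",
            (int) count, cs, (int) count, ct, count);
    /* forward and return the real verdict: a hook that returns garbage
     * (or nothing at all) silently changes the program's control flow */
    return real_strncmp()(cs, ct, count);
}
```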

(p.s. This is not the answer for Don't forget to return!)
