Sunday 10 November 2013

Subverting library calls with LD_PRELOAD

LD_PRELOAD is a dandy environment variable which, when set, allows us to override functions in shared libraries: the dynamic linker loads the libraries we list before everything else, so any symbol they define is found before libc's copy. (For set-user-ID binaries the linker runs in secure-execution mode and ignores a preload path such as ./load_me_first.so, so this only works on programs we could already run as ourselves.) Consider the following program:

[adam@localhost code]$ ./secret
Usage: ./secret password
[adam@localhost code]$ ./secret abc123
ERROR: Incorrect password
[adam@localhost code]$ 


Well crap. What to do? Let's have a look at the functions called:

[adam@localhost code]$ nm -D secret
                 w __gmon_start__
                 U __libc_start_main
                 U printf
                 U puts
                 U strlen
                 U strncmp



If only we knew what parameters were being passed to strncmp!... Oh wait, this is a tutorial:

Creating our own strncmp:

[adam@localhost code]$ cat load_me_first.c
#include <stdio.h>
#include <stdlib.h>

/* Same signature as libc's strncmp, so when this library is preloaded the
   target's call to strncmp resolves to this copy instead of libc's. */
int strncmp(const char *cs, const char *ct, size_t count){

    /* Print both strings being compared, then stop: the first call is
       all we need to see. */
    printf("[ Non-official strncmp hit ]\n"
           "\tcs = %s\n"
           "\tct = %s\n",
            cs, ct);

    exit(0);
}



Compiling the shared object:

[adam@localhost code]$ gcc -shared -o load_me_first.so -fPIC load_me_first.c
[adam@localhost code]$ ls -la *.so
-rwxrwxr-x. 1 adam adam 8065 Nov 10 22:58 load_me_first.so



And finally, running the program with LD_PRELOAD set:

[adam@localhost code]$ LD_PRELOAD=./load_me_first.so ./secret "if only this was the password"
[ Non-official strncmp hit ]
    cs = qwerty
    ct = if only this was the password
[adam@localhost code]$



Whayy. We can see that the user's password is being compared against "qwerty"; we would never have been able to brute-force that!

[adam@localhost code]$ ./secret qwerty

        )\               (__)
       /  \              (oo)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Cow trying out for a part
       in the new JAWS movie
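The load_me_first.c above exits on the first hit, which is all this tutorial needs. When tracing a larger program you usually want to see every comparison and let the program carry on, so the interposer has to hand the call on to the real strncmp. The usual way is dlsym(RTLD_NEXT, "strncmp"), which asks the dynamic linker for the next definition of the symbol after our own, i.e. libc's. Below is an added example of that pattern; it is not code from the original post. The names trace_strncmp, trace_hits, trace_last_cs, trace_last_ct, trace_last_count and check_password are this example's own, and check_password is a stand-in for the ./secret check (using the post's "qwerty") so the interposer can be exercised in a single process without a separate target binary.

```c
/* Added example (not from the original post): an strncmp interposer that logs
 * every call and then forwards to the real strncmp, so the traced program keeps
 * running instead of exiting at the first hit.
 *
 * Preload library:  gcc -shared -fPIC -o trace_strncmp.so trace_strncmp.c
 *                   LD_PRELOAD=./trace_strncmp.so ./secret guess
 * Stand-alone demo: gcc -DTRACE_STRNCMP_DEMO -o trace_demo trace_strncmp.c && ./trace_demo
 * (glibc older than 2.34 also needs -ldl for dlsym)
 */
#define _GNU_SOURCE             /* exposes RTLD_NEXT in <dlfcn.h> */
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l) /* glibc's value, in case _GNU_SOURCE was not seen in time */
#endif

typedef int (*strncmp_fn)(const char *, const char *, size_t);

/* Record of the interposed calls, so the caller (and the demo) can inspect what was seen. */
static unsigned long hits = 0;
static char last_cs[128];
static char last_ct[128];
static size_t last_n = 0;

/* Fallback with strncmp's semantics, used only if dlsym cannot locate libc's copy. */
static int local_strncmp(const char *a, const char *b, size_t n)
{
    for (; n > 0; --n, ++a, ++b) {
        if (*a != *b)
            return (unsigned char)*a - (unsigned char)*b;
        if (*a == '\0')
            return 0;
    }
    return 0;
}

int strncmp(const char *cs, const char *ct, size_t count)
{
    static strncmp_fn real_strncmp = NULL;

    if (real_strncmp == NULL) {
        /* RTLD_NEXT: the next object in search order that defines strncmp, i.e. libc. */
        real_strncmp = (strncmp_fn)dlsym(RTLD_NEXT, "strncmp");
        if (real_strncmp == NULL)
            real_strncmp = local_strncmp;
    }

    hits++;
    snprintf(last_cs, sizeof last_cs, "%s", cs);
    snprintf(last_ct, sizeof last_ct, "%s", ct);
    last_n = count;
    fprintf(stderr, "[trace_strncmp] cs=\"%s\" ct=\"%s\" count=%zu\n", cs, ct, count);

    /* Hand the call on, so the program behaves exactly as it would without the preload. */
    return real_strncmp(cs, ct, count);
}

unsigned long trace_hits(void)       { return hits; }
const char   *trace_last_cs(void)    { return last_cs; }
const char   *trace_last_ct(void)    { return last_ct; }
size_t        trace_last_count(void) { return last_n; }

/* Stand-in for the post's ./secret check, so the interposer can be exercised in one process.
 * The call goes through a volatile function pointer so the compiler cannot fold the
 * comparison as a builtin; it has to reach the strncmp symbol defined above. */
static int (*volatile cmp)(const char *, const char *, size_t) = strncmp;

int check_password(const char *candidate)
{
    static const char secret[] = "qwerty";   /* the value the post's binary compares against */
    return cmp(secret, candidate, sizeof secret) == 0;
}

#ifdef TRACE_STRNCMP_DEMO
int main(void)
{
    printf("wrong guess accepted? %d\n", check_password("abc123"));   /* 0 */
    printf("right guess accepted? %d\n", check_password("qwerty"));   /* 1 */
    printf("interposed calls:     %lu\n", trace_hits());              /* 2 */
    return 0;
}
#endif
```

Built as a .so and preloaded, the same file prints one line per strncmp call that ./secret makes and then returns libc's result, so the program's own "Incorrect password" path still runs. The log goes to stderr on purpose: it keeps the trace separate from whatever the traced program writes to stdout.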





(p.s. This is not the answer for Don't forget to return!)
