Tuesday, August 24, 2010

DLL hijacking in linux

The last few days i been seeing lots and lots of buzz about DLL injection on windows, which is cool but i dont use windows so i decided to join the hype wagon and make a stink about it on linux :P "both have existed for a very very long time so i cant really understand all the hype all of a sudon" Anyway linux has stuff like DLL files but its called Shared Objects, so rather then Dynamic Linked Librarys ".dll" we use Shared Objects ".so".

Now i dont know about windows but in linux this is almost to easy. Almost all apps in linux one time or another call strlen() so all we have to do is hijack that function with our own shared object. Basiclly we are going to rewrite the strlen function and force apps to use our version. Lets look at our hijacking code:


#include < stdio.h >
#include < string.h >
size_t strlen(const char *str)
printf("\n\nWe have just hijacked strlen() xD\n\n");
return 5;

Now we just have to compile it as a shared object, we do that with these commands:

gcc -fPIC -c hijack_strlen.c -o hijack_strlen.o
gcc -shared -o hijack_strlen.so hijack_strlen.o

And now we are ready to start injecting our shared object to hijack strlen(). We will be using the LD_PRELOAD trick to do this. For our target app lets use nmap :D We just run this command:

LD_PRELOAD=/home/$user/hijack_strlen.so nmap

When you run the above we should see something like this:

We have just hijacked strlen() xD

We have just hijacked strlen() xD

Nmap 5.00 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}

And there you have it! We just hijacked strlen in nmap!! We are 1337 :P

Now that you have your killer hijacker SO try these commands as well:

LD_PRELOAD=/home/$user/hijack_strlen.so ifconfig

LD_PRELOAD=/home/$user/hijack_strlen.so ssh

LD_PRELOAD=/home/$user/hijack_strlen.so scp

And yes there are tons more :D Ok thats all for now, laters.

No comments:

Post a Comment