Skip to content
/ lib2shell-privesc Public

Privilege escalation via SUID ssh-keygen abusing the -D flag to load a malicious shared object and spawn a shell with elevated privileges.

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

m0rd3caii/lib2shell-privesc

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

ย 

History

4 Commits
README.md
README.md
ย 
ย 
lib.so
lib.so
ย 
ย 

Repository files navigation

lib2shell-privesc

Privilege escalation via SUID ssh-keygen abusing the -D flag to load a malicious shared object and spawn a shell with elevated privileges.

lib2shell-privesc

This project demonstrates a simple privilege escalation technique by abusing a SUID ssh-keygen binary and the -D option, which loads a shared library as a PKCS#11 provider. By crafting a malicious shared object, we can spawn a shell with elevated privileges.

Requirements

  • A system where ssh-keygen is SUID (with effective UID 0 or a higher-privileged user).
  • GCC or compatible C compiler.

๐Ÿ› ๏ธ Compilation

Compile the shared object with:

gcc -fPIC -shared -o lib.so lib.c

Make sure the output file is named lib.so (or match whatever you want to load with -D).

๐Ÿš€ Usage

Run the vulnerable ssh-keygen binary with:

./ssh-keygen -D ./lib.so

This will load the shared library, triggering the constructor function and spawning a root shell (if the effective UID of ssh-keygen is root).

About

Privilege escalation via SUID ssh-keygen abusing the -D flag to load a malicious shared object and spawn a shell with elevated privileges.

Topics

suidsploit suid-binaries ssh-keygen-suid

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published