T1055 Test for LD_PRELOAD (#601)

* T1055 Test for LD_PRELOAD

* Update T1055.yaml
This commit is contained in:
Tony M Lambert
2019-11-05 14:00:58 -05:00
committed by Michael Haag
parent 5a73c43cab
commit 6cf9c681fd
2 changed files with 41 additions and 1 deletions
+19 -1
@@ -56,11 +56,29 @@ atomic_tests:
path_to_shared_library:
description: Path to a shared library object
type: Path
default: /tmp/evil_module.so
default: ../bin/T1055.so
executor:
name: bash
elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
command: |
echo #{path_to_shared_library} > /etc/ld.so.preload
- name: Shared Library Injection via LD_PRELOAD
description: |
This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
supported_platforms:
- linux
input_arguments:
path_to_shared_library:
description: Path to a shared library object
type: Path
default: /opt/AtomicRedTeam/atomics/T1055/bin/T1055.so
executor:
name: bash
elevation_required: false # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
command: |
LD_PRELOAD=#{path_to_shared_library} ls
- name: Process Injection via C#
description: |
Process Injection using C#
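Review bot: The new default `../bin/T1055.so` for the `/etc/ld.so.preload` test is a relative path, and as far as I can tell the loader resolves a slash-containing preload entry against each process's own working directory, so every process started from any other directory will fail to load it (glibc reports a "cannot be preloaded" error on stderr) and the test only "works" from the directory it was launched in; the LD_PRELOAD test added below already uses an absolute `/opt/AtomicRedTeam/atomics/T1055/bin/T1055.so`, and the ld.so.preload test should default to the same absolute path. The `echo … > /etc/ld.so.preload` command also overwrites any existing preload file and nothing in the test removes it afterward, so the host keeps preloading the object into every dynamically linked process until someone cleans up by hand. If the schema in use supports it, add `cleanup_command: rm -f /etc/ld.so.preload` (or restore a copy saved before the echo) and note in the description that the command clobbers an existing preload file. The `atomic_tests` list continues outside this hunk.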
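--- /dev/null
+++ b/T1055.c
@@ -0,0 +1,22 @@
+/*
+Atomic Red Team Shared Object Library
+Uses code inspired by Zombie Ant Farm (https://github.com/dsnezhkov/zombieant)
+Compilation
+-------------
+gcc -shared -fPIC -o ../bin/T1055.so T1055.c
+*/
+#include <stdio.h>
+static void init(int argc, char **argv, char **envp) {
+printf("Loaded Atomic Red Team Library successfully!\n");
+}
+static void fini(void) {
+printf("Unloading Atomic Red Team preload...\n");
+}
+__attribute__((section(".init_array"), used)) static typeof(init) *init_p = init;
+__attribute__((section(".fini_array"), used)) static typeof(fini) *fini_p = fini;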
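Review bot: `init` and `fini` print their banner to stdout, so once this object is listed in `/etc/ld.so.preload` (the first test in this commit) every dynamically linked program on the host, including shell scripts that parse command output, gets an extra line injected into stdout; writing to stderr keeps the marker visible for the test while leaving consumed output intact, and because stderr is unbuffered the line is not lost or duplicated when the host program calls `_exit` or forks before flushing. The three `init` parameters are never read and will warn under `-Wextra`; cast them to void with a comment that they are the (argc, argv, envp) triple the loader hands to `.init_array` entries. `typeof` is a GNU extension that fails under `gcc -std=c11`, and the compile line in the header comment does not pin a standard, so `__typeof__` is the safer spelling in both strict and GNU modes.
```c
/* … unchanged: header comment, #include <stdio.h> … */
static void init(int argc, char **argv, char **envp) {
    /* (argc, argv, envp) as supplied to .init_array entries; not needed here. */
    (void)argc; (void)argv; (void)envp;
    /* stderr: do not corrupt the stdout of every preloaded process. */
    fputs("Loaded Atomic Red Team Library successfully!\n", stderr);
}
static void fini(void) {
    fputs("Unloading Atomic Red Team preload...\n", stderr);
}
__attribute__((section(".init_array"), used)) static __typeof__(init) *init_p = init;
__attribute__((section(".fini_array"), used)) static __typeof__(fini) *fini_p = fini;
```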