Looney Tunables
CVE-2023-4911
Theory
CVE-2023-4911 (Looney Tunables) is a buffer overflow vulnerability in the GNU C Library's dynamic loader, known as ld.so, when processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use a maliciously crafted GLIBC_TUNABLES environment variable when launching binaries with SUID permission to execute code with elevated privileges.
This vulnerability was introduced in glibc version 2.34 through commit 2ed18c. The vulnerability affects recent versions of major Linux distributions such as RHEL, Ubuntu, Fedora, Debian, Amazon Linux, Gentoo and any other distribution that uses glibc.
The vulnerability impacts major Linux distributions, including:
Fedora 37 and 38
Ubuntu 22.04 and 23.04
Debian 12 and 13
Practice
To test directly whether the target is vulnerable, we can use the following command (the target is vulnerable if it ends in a segmentation fault):
$ env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help
Segmentation fault (core dumped)
If the glibc version is greater than or equal to 2.34, the target may be vulnerable:
$ ldd --version
ldd (Ubuntu GLIBC 2.27-3ubuntu1.6) 2.27
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Or we can retrieve the version of glibc using the following C++ code:
#include <stdio.h>
#include <stdlib.h>
#include <gnu/libc-version.h>
int main(void)
{
    // Print the version of the glibc this program was loaded against
    printf("GNU libc version: %s\n", gnu_get_libc_version());
    exit(EXIT_SUCCESS);
}
Compile the above code using the following command:
And execute it
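As an added example (not part of this page), a small Python triage script that combines the two checks above: it parses `ldd --version` output for the glibc version and interprets the exit status of the GLIBC_TUNABLES probe command. The sample ldd output is constructed; the probe path `/usr/bin/su` is the one the page uses.

```python
import re
import signal
import subprocess

# glibc 2.34 introduced the GLIBC_TUNABLES parsing bug (commit 2ed18c). A version
# >= 2.34 is only *potentially* vulnerable: distributions backport the fix without
# bumping the version, so the live probe (or the vendor advisory) settles it.
VULNERABLE_SINCE = (2, 34)

# Constructed sample of `ldd --version` output, shaped like the page's own.
SAMPLE_LDD_OUTPUT = ("ldd (Ubuntu GLIBC 2.27-3ubuntu1.6) 2.27\n"
                     "Copyright (C) 2018 Free Software Foundation, Inc.\n")

def parse_glibc_version(ldd_output: str) -> tuple:
    """Return (major, minor) from the first line of `ldd --version`."""
    first_line = ldd_output.splitlines()[0]
    match = re.search(r"(\d+)\.(\d+)\s*$", first_line)
    if match is None:
        raise ValueError(f"cannot find a glibc version in: {first_line!r}")
    return int(match.group(1)), int(match.group(2))

def version_in_affected_range(version: tuple) -> bool:
    """True when this glibc version is one that shipped with the bug."""
    return tuple(version) >= VULNERABLE_SINCE

def classify_probe_status(returncode: int) -> str:
    """Map the probe's exit status to a verdict. subprocess reports death by
    signal as a negative code (-11 for SIGSEGV); a shell reports 128 + 11 = 139."""
    if returncode in (-signal.SIGSEGV, 128 + signal.SIGSEGV):
        return "vulnerable"
    return "not vulnerable"

def run_probe(suid_binary: str = "/usr/bin/su") -> str:
    """Run the page's probe in an empty environment: an over-long tunable
    string makes a vulnerable ld.so crash before the binary itself runs."""
    env = {"GLIBC_TUNABLES": "glibc.malloc.mxfast=glibc.malloc.mxfast=A",
           "Z": "%08192x" % 1}  # same 8192-byte padding as printf '%08192x' 1
    proc = subprocess.run([suid_binary, "--help"], env=env,
                          capture_output=True, check=False)
    return classify_probe_status(proc.returncode)

if __name__ == "__main__":
    out = subprocess.run(["ldd", "--version"], capture_output=True,
                         text=True, check=False).stdout
    version = parse_glibc_version(out)
    print("glibc %d.%d:" % version, "in affected range"
          if version_in_affected_range(version) else "predates the bug")
    print("probe:", run_probe())
```

The version check alone is only a pre-filter: a patched 2.34+ build reports the same version string, so the probe verdict (or the distribution's advisory) is what decides.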
Using gnu-acme.py (Python) from bl4sty, we can abuse CVE-2023-4911 and easily adapt it to different ld.so build versions.
If the build identifier of your target's ld.so matches one of the script's targets, the exploit will work straight away.
If not, we have to find usable offsets for that ld.so build id. First, find the target's build identifier.
Now, on a similar environment (with the same ld.so build version), disable ASLR and run gnu-acme.py. It will find usable offsets.
Take one of the working offsets and add it to the TARGETS array of the gnu-acme.py script.
Now run the exploit again on the target!
Using this exploit from leesh3288, we can abuse CVE-2023-4911.
First, we need to execute the Python script to generate the malicious libc.so.6.
Compile the exploit.
Finally, launch the exploit and be patient, since exploitation may take some time (5 to 20 minutes).
Resources