https://github.com/m0rd3caii/lib2shell-privesc
Privilege escalation via SUID ssh-keygen abusing the -D flag to load a malicious shared object and spawn a shell with elevated privileges.
ssh-keygen-suid suid-binaries suidsploit
Last synced: 5 months ago
- Host: GitHub
- URL: https://github.com/m0rd3caii/lib2shell-privesc
- Owner: m0rd3caii
- Created: 2025-08-04T12:14:49.000Z (11 months ago)
- Default Branch: main
- Last Pushed: 2025-08-04T12:18:57.000Z (11 months ago)
- Last Synced: 2025-09-04T16:21:40.815Z (10 months ago)
- Topics: ssh-keygen-suid, suid-binaries, suidsploit
- Homepage:
- Size: 3.91 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# lib2shell-privesc
This project demonstrates a simple privilege escalation technique by abusing a SUID `ssh-keygen` binary and the `-D` option, which loads a shared library as a PKCS#11 provider. By crafting a malicious shared object, we can spawn a shell with elevated privileges.
## Requirements
- A system where `ssh-keygen` is SUID, so that it runs with effective UID 0 or that of another higher-privileged user.
- GCC or compatible C compiler.
## 🛠️ Compilation
Compile the shared object with:
```bash
gcc -fPIC -shared -o lib.so lib.c
```
Make sure the output file is named `lib.so` (or matches whatever path you pass to `-D`).
## 🚀 Usage
Run the vulnerable `ssh-keygen` binary with:
```bash
./ssh-keygen -D ./lib.so
```
This loads the shared library, which triggers its constructor function and spawns a root shell (if the effective UID of `ssh-keygen` is root).
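The technique depends entirely on the precondition listed under Requirements: an `ssh-keygen` binary carrying the setuid (or setgid) bit. The following audit script is an added example, not part of the original repository; the function names `find_privileged_ssh_keygen` and `audit_ssh_keygen` are hypothetical. It locates such binaries under the directories you pass and prints the command that removes the bit.

```bash
#!/bin/sh
# Added defensive example (not from the lib2shell-privesc repository).
# ssh-keygen does not need setuid/setgid to do its job, so any hit is a
# misconfiguration that enables the -D library-loading abuse described above.

# Print every regular file named ssh-keygen under the given directories
# that has the setuid (4000) or setgid (2000) bit set.
find_privileged_ssh_keygen() {
    find "$@" -type f -name 'ssh-keygen' \
        \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null || true
}

# Report findings with ownership/mode and the remediation command.
# Returns 0 when clean, 1 when at least one privileged binary is found.
audit_ssh_keygen() {
    hits=$(find_privileged_ssh_keygen "$@")
    if [ -z "$hits" ]; then
        echo "OK: no setuid/setgid ssh-keygen under: $*"
        return 0
    fi
    printf '%s\n' "$hits" | while IFS= read -r path; do
        echo "FINDING: $path"
        ls -ln "$path" | sed 's/^/  /'          # numeric owner, group, mode
        echo "  remediation: chmod u-s,g-s '$path'"
    done
    return 1
}

# Run only when directories are given, e.g.: sh audit.sh /usr /opt /home
if [ "$#" -gt 0 ]; then
    audit_ssh_keygen "$@"
fi
```

Run it as root so that `find` can descend into every directory; a non-zero exit status makes it usable in a scheduled compliance check.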