This repository has been archived by the owner on Apr 7, 2024. It is now read-only.

README.md

File metadata and controls

44 lines (34 loc) · 1.68 KB

DynELFSymbols

This is a small program and tutorial to make backdooring ELF binaries by pointing the linker at malicious shared object files (libraries) quite a bit easier than it has been in the past.

This should enable post-exploitation persistence with an increased burden on whichever poor soul has to figure out why a normal binary is doing strange things. You always give someone a shell when you call find(1), right?

In a nutshell, a legitimate binary is edited to point to a malicious shared object file, which in turn loads the legitimate shared object file.

This has been tested on Linux x86_64, but in theory should work on other architectures, as well as the BSDs.

For a quick start, please see QUICKSTART.

For legal use only.

Brief Theory

When the dynamic linker loads the libraries for a given ELF file, it hunts for them in predictable places. By editing a commonly-called binary (vim or a hex editor work great), we can point the binary at a malicious library which calls the real library as well as doing whatever malicious things we want. The end result is that, by changing a few bytes and putting a file on disk, we get a shell every time someone checks the victim's uptime (or lists files, or whatever).

A slightly less brief theory of what's going on can be found in THEORY.
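The defender-side counterpart to the redirection described above, added here as an example and not code from the DynELFSymbols project: it walks an ELF64 image's program headers to the PT_DYNAMIC segment, resolves every DT_NEEDED entry through DT_STRTAB (the same list the dynamic linker consults), and reports any name missing from a baseline recorded for that binary, e.g. from the clean package. `build_elf` constructs a minimal synthetic image so the check can be exercised offline; the library names used with it are illustrative.

```python
import struct

PT_LOAD, PT_DYNAMIC, DT_NULL, DT_NEEDED, DT_STRTAB = 1, 2, 0, 1, 5

def needed_libs(elf: bytes) -> list:
    """Return the DT_NEEDED names of a little-endian ELF64 image, in link order."""
    if elf[:5] != b"\x7fELF\x02": raise ValueError("not an ELF64 image")
    e_phoff = struct.unpack_from("<Q", elf, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    loads, dyn = [], None
    for i in range(e_phnum):  # walk the program headers for PT_LOAD and PT_DYNAMIC
        p_type, _, p_off, p_vaddr, _, p_filesz, p_memsz, _ = struct.unpack_from(
            "<IIQQQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_memsz, p_off))
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
    if dyn is None:
        return []  # statically linked: no DT_NEEDED entries to redirect
    needed, strtab = [], None
    for pos in range(dyn[0], dyn[0] + dyn[1], 16):  # each Elf64_Dyn is 16 bytes
        tag, val = struct.unpack_from("<qQ", elf, pos)
        if tag == DT_NULL: break
        if tag == DT_NEEDED:
            needed.append(val)  # offset into the dynamic string table
        elif tag == DT_STRTAB:  # a virtual address: map it back to a file offset
            strtab = next(val - v + off for v, sz, off in loads if v <= val < v + sz)
    return [elf[strtab + o:elf.index(b"\0", strtab + o)].decode() for o in needed]

def unexpected_libs(elf: bytes, baseline) -> list:
    """DT_NEEDED names absent from the baseline recorded for this binary (e.g. from a clean package)."""
    return [n for n in needed_libs(elf) if n not in baseline]

def build_elf(names) -> bytes:
    """Constructed minimal ELF64 image (one PT_LOAD, one PT_DYNAMIC) carrying the given DT_NEEDED names."""
    base, str_off = 0x400000, 64 + 2 * 56  # image loads at base; strtab follows the two phdrs
    strtab, offs = b"\0", []
    for n in names:
        offs.append(len(strtab))
        strtab += n.encode() + b"\0"
    dyn_off = str_off + len(strtab)
    dynamic = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offs)
    dynamic += struct.pack("<qQ", DT_STRTAB, base + str_off) + struct.pack("<qQ", DT_NULL, 0)
    total = dyn_off + len(dynamic)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    dynp = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, base + dyn_off, base + dyn_off,
                       len(dynamic), len(dynamic), 1)
    return ehdr + load + dynp + strtab + dynamic
```

On a real system, feed `needed_libs` the bytes of a binary such as `/usr/bin/find` and compare the result against the package manager's copy; a renamed entry shows up as a name the baseline does not contain.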

Tool

In this repository is the source for dynelfsymbols. Please run it with -h for basic usage instructions.

Libraries

The original libkitten source is included in lib/libkitten, and the source for a library generated by dynelfsymbols to be used to backdoor find(1) is in lib/libM.