strace
Description
System call tracer for Linux. It records every system call a process makes, which is useful for privilege escalation analysis, in particular for spotting shared object (.so) files that a SUID binary tries to load but that do not exist on disk; when such a file would be loaded from a directory the attacker can write to, the binary is vulnerable to shared object injection.
Usage 1: Trace system calls of a SUID binary to find missing shared objects
Run strace on a SUID binary and filter the output for file-access calls to spot .so files that the binary tries to load from a writable directory but that do not exist.
Command:
strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"
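As an added audit helper (not part of the original page), the script below parses saved strace output instead of eyeballing the grep above: it lists every shared object the traced program failed to find and reports whether that object's directory is writable by the current user, which is the condition that makes shared object injection possible. The function names and the sample trace are constructed for this example; run it against a real log with strace /path/to/binary 2>trace.log.

```shell
#!/bin/sh
# Added example, not the page's own code. Parses strace output saved to a file
# (strace /path/to/binary 2>trace.log). Function names and the sample trace
# below are constructed for this example.

# Print every shared object (*.so or *.so.N) that the traced program tried to
# open/access/stat and that did not exist (the call returned -1 ENOENT).
# Paths such as /etc/ld.so.preload are not shared objects and are skipped.
missing_so_from_trace() {
    grep -E '^(\[pid +[0-9]+\] +)?(open|openat|access|stat|newfstatat)\(.*"[^"]*\.so(\.[0-9]+)*".*= -1 ENOENT' "$1" |
        sed -E 's/.*"([^"]*\.so(\.[0-9]+)*)".*/\1/' |
        sort -u
}

# For each missing shared object, say whether the directory it would be loaded
# from exists and is writable by the current user. A WRITABLE line is the
# finding the page describes: a low-privileged user can drop a file there that
# the SUID binary will load. Remediation: fix the binary's library search path
# or make the directory root-owned and not writable by other users.
report_writable_dirs() {
    missing_so_from_trace "$1" | while IFS= read -r so_path; do
        dir=$(dirname "$so_path")
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            printf 'WRITABLE   %s\n' "$so_path"
        else
            printf 'protected  %s\n' "$so_path"
        fi
    done
}

# Constructed sample trace (not captured from a real system).
write_sample_trace() {
    cat > "$1" <<'EOF'
execve("/usr/local/bin/suid-so", ["/usr/local/bin/suid-so"], 0x7ffd2c0e1a40 /* 20 vars */) = 0
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/etc/suid-debug", 0x7ffd2c0e1900) = -1 ENOENT (No such file or directory)
EOF
}

# Stand-alone demo: parse the sample trace and print the findings.
trace=$(mktemp)
write_sample_trace "$trace"
report_writable_dirs "$trace"
rm -f "$trace"
```

Note that when an unprivileged user traces a SUID binary, the kernel ignores the setuid bit for the traced process, so code paths that only run with elevated privileges will not appear in the log.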
Usage 2: Find SUID binaries on the system
Locate all binaries with the SUID bit set for further analysis with strace.
Command:
find / -perm -u=s -type f 2>/dev/null
Alternative:
find / -type f -perm -04000 -ls 2>/dev/null
Find all SUID and SGID binaries:
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
Usage 3: Shared Object Injection exploitation workflow
After identifying a missing .so file from a writable directory using strace, compile a malicious shared object and execute the SUID binary.
Compile the malicious shared object:
gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
Execute the SUID binary to trigger the injection:
/usr/local/bin/suid-so