This is a small program and tutorial that makes backdooring ELF binaries by pointing the linker at malicious shared object files (libraries) quite a bit easier than it has been in the past.
This should enable post-exploitation persistence with an increased burden on whichever poor soul has to figure out why a normal binary is doing strange things. You always give someone a shell when you call find(1), right?
In a nutshell, a legitimate binary is edited to point to a malicious shared object file, which in turn loads the legitimate shared object file.
This has been tested on Linux x86_64, but in theory should work on other architectures, as well as the BSDs.
For a quick start, please see QUICKSTART.
For legal use only.
When the linker loads the libraries for a given ELF file, it hunts for them in predictable places. By editing a commonly-called binary (vim or a hex editor work great), we can point the binary at a malicious library which calls the real library as well as doing whatever malicious things we want. The end result is that by changing a few bytes and putting a file on disk, we get a shell every time someone checks the victim's uptime (or lists files, or whatever).
A slightly less brief theory of what's going on can be found in THEORY.
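Because the whole trick rests on a few edited bytes in the DT_NEEDED entries of an otherwise normal binary, the natural check on the defensive side is to read those entries straight out of the ELF and ask whether each name is something the loader should legitimately resolve. The following script is an added example and is not part of this repository or of dynelfsymbols; it parses the .dynamic section of a little-endian ELF64 file with nothing but the standard library, then flags entries that carry a hard-coded path, that do not follow the lib<name>.so naming convention, or that are not present in any of the trusted library directories. TRUSTED_DIRS is an assumption about a typical glibc/x86_64 layout and should be adjusted to the host; build_elf is a constructed test fixture so the script can be exercised without a real binary.

```python
from __future__ import annotations

import os
import re
import struct
import sys

DT_NULL, DT_NEEDED = 0, 1
SHT_STRTAB, SHT_DYNAMIC = 3, 6

# Assumption: where a legitimate shared library is expected to live on a
# typical glibc x86_64 host. Adjust for the system being audited.
TRUSTED_DIRS = (
    "/lib", "/lib64", "/usr/lib", "/usr/lib64",
    "/lib/x86_64-linux-gnu", "/usr/lib/x86_64-linux-gnu",
)


def needed_libraries(data: bytes) -> list[str]:
    """Return the DT_NEEDED names of a little-endian ELF64 image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    sections = []
    for i in range(e_shnum):
        # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
        fields = struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
        sections.append((fields[1], fields[4], fields[5], fields[6]))
    needed = []
    for typ, offset, size, link in sections:
        if typ != SHT_DYNAMIC:
            continue
        # sh_link of .dynamic points at the string table (.dynstr) its entries index.
        _, str_off, str_size, _ = sections[link]
        strtab = data[str_off:str_off + str_size]
        for pos in range(offset, offset + size, 16):
            tag, val = struct.unpack_from("<qQ", data, pos)  # Elf64_Dyn is 16 bytes
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                needed.append(strtab[val:strtab.index(b"\0", val)].decode())
    return needed


def audit(needed: list[str], search_dirs=TRUSTED_DIRS, exists=os.path.exists) -> list[tuple[str, str]]:
    """Return (name, reason) pairs for DT_NEEDED entries that deserve a second look."""
    findings = []
    for name in needed:
        if "/" in name:
            findings.append((name, "hard-coded path in DT_NEEDED"))
        elif not re.fullmatch(r"lib[\w.+-]+\.so(\.\d+)*", name):
            findings.append((name, "name does not follow the lib<name>.so convention"))
        elif not any(exists(os.path.join(d, name)) for d in search_dirs):
            findings.append((name, "not present in any trusted library directory"))
    return findings


def build_elf(needed: list[str]) -> bytes:
    """Constructed fixture: a minimal ELF64 image holding only .dynstr and .dynamic."""
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    offsets, pos = [], 1
    for n in needed:
        offsets.append(pos)
        pos += len(n) + 1
    dynamic = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets)
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    strtab_off = 64
    dynamic_off = strtab_off + len(strtab)
    shoff = (dynamic_off + len(dynamic) + 7) & ~7  # section header table, 8-byte aligned
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)

    def shdr(typ, offset, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", 0, typ, 0, 0, offset, size, link, 0, 1, entsize)

    body = ehdr + strtab + dynamic
    body += bytes(shoff - len(body))
    return body + shdr(0, 0, 0, 0, 0) \
        + shdr(SHT_STRTAB, strtab_off, len(strtab), 0, 0) \
        + shdr(SHT_DYNAMIC, dynamic_off, len(dynamic), 1, 16)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            libs = needed_libraries(fh.read())
        print(f"{path}: DT_NEEDED = {libs}")
        for name, reason in audit(libs):
            print(f"  suspicious: {name}: {reason}")
```

Run it as `python3 check_needed.py /usr/bin/find` (hypothetical file name) to list what the loader will pull in and which entries fail the three checks. A library that passes all three is not automatically clean: a malicious object dropped into /lib under a plausible name will resolve normally, so the follow-up is to ask the package manager whether it owns that file and to compare the binary's DT_NEEDED list against a known-good copy or package checksum.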
In this repository is the source for dynelfsymbols. Please run it with -h for basic usage instructions.
The original libkitten source is included in lib/libkitten, and the source for a library generated by dynelfsymbols to be used to backdoor find(1) is in lib/libM.