INTRO

In today’s blog, we are going to do something different from our regular tutorials: we are going to run VLC as root. Now, you must be thinking that I am going to remove some lines from a bash script or something like that. But let me tell you, we are going to use reverse engineering to run VLC as root.

The latest Kali Linux comes with various tools and system utilities. Although Kali has Parole Media Player as its default media player, it has the VLC media player too. VLC has its own place among media players: you can play almost every video format with VLC. Believe me, it will never let you down.

VLC has some other cool features that Parole doesn’t have. For example, you can stream a video directly from a URL via VLC, but Parole doesn’t have this feature. I am not saying that we should not use Parole; you can take it as a lightweight media player, because Parole doesn’t have the extra features. I prefer using VLC on both Linux and Windows because I have been using it since I was 11.

EXPLOIT

I saw that VLC doesn’t have any bash or Python file which checks if VLC is being run as the root user. So what do we change, in which file, and how do we run VLC as the root user? Well, if you type this command:

which vlc

Screenshot:

It will show you the executable file which runs when you start VLC from the terminal. What I am trying to say is that whenever you type vlc in the terminal, you are basically running the binary file that this command points to. The result may be /bin/vlc, but it doesn’t matter.

Now let’s try to run VLC as the root user. Type this command:

sudo vlc

Screenshot:

Now, we are going to run it as root. So let’s download the tool that I prefer. Actually, I prefer radare2, but to edit assembly code I like to use Cutter. Cutter is basically the GUI version of radare2.

Download Cutter

They have beautiful documentation; you can take a look at that too. But let’s open the binary file of VLC (/usr/bin/vlc) with Cutter.

Screenshot:

Once you press “OK”, you will see the assembly and some other things.

Screenshot:

Now, remember the error message we were getting while trying to run VLC as the root user. Search for that message in the strings. I mean, we will search for the string “root” in the strings section, because the word “root” appears in that error message.

Screenshot:

So we have the address of the string: “0x2088”. Let’s keep that in mind for now. After this, we will search for syscalls; we may find some syscalls related to getting the current user somehow. We can do this with the strings command. Type this command:

strings vlc

Screenshot:

You can even take a look at the functions section of Cutter.

Screenshot:

So now we are sure that it is getting the UID of the user who is running VLC. Now we need to find this syscall in main. A better way to do it is to find it via the graph: just right-click in the main function and choose Show in > Graph.

Screenshot:

You can see it clearly now. It is using the syscall geteuid. If the UID is equal to 0 (root), you will see that error message; it is basically jumping to the “we are root” error message. Look at the error message: Cutter is showing you the message because it has already analyzed the binary file. But if you look at the end of the string, you will see the same address which I told you to keep in mind (0x2088).

There are many methods to bypass this jump. We can use nops (no operation) or we can edit it to jump to the next instruction. Let’s make it jump to the right instruction so we will never jump to the error message again.

To do that, copy the address of the next (correct) instruction, which is 0x000012da, and right-click on the jump instruction (je 0x15b4) > Edit > Instruction.

You may get a warning if you didn’t open it in write mode. Click on “enable cache mode”.

Screenshot:

Paste this value, jmp 0x000012da, in that input field and click OK. Now click on File > Commit changes (top-left).

Screenshot:

Now, let’s try to run it as the root user.

Screenshot:

And that’s it. You didn’t just learn to run VLC as root, you also learnt some basics of reverse engineering.
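As an added example (not code from the original post), here is how the other side of this walkthrough looks: once the jump edit is committed, /usr/bin/vlc no longer matches the per-package MD5 manifest that Debian-based systems such as Kali keep under /var/lib/dpkg/info/, and a small integrity check catches it. The manifest line and the byte strings standing in for the original and patched binary are constructed here so the script runs offline.

```python
import hashlib
from typing import Dict, List

# Debian-based systems such as Kali record the MD5 of every file a package
# ships in /var/lib/dpkg/info/<package>.md5sums, one "<md5>  <path>" line per
# file, paths relative to / with no leading slash. Committing the jump edit in
# Cutter makes /usr/bin/vlc diverge from that record, which is exactly what
# debsums (or dpkg --verify) reports afterwards.

def parse_md5sums(text: str) -> Dict[str, str]:
    """Map each shipped path (with a leading slash) to its recorded MD5."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, rel_path = line.partition("  ")
        if len(digest) != 32 or not rel_path:
            raise ValueError(f"malformed md5sums line: {line!r}")
        expected["/" + rel_path] = digest.lower()
    return expected

def find_modified(expected: Dict[str, str], contents: Dict[str, bytes]) -> List[str]:
    """Return the shipped paths whose current bytes no longer match the manifest."""
    modified = []
    for path, digest in expected.items():
        data = contents.get(path)
        if data is None:
            continue  # a missing file is the package manager's problem, not tampering
        if hashlib.md5(data).hexdigest() != digest:
            modified.append(path)
    return sorted(modified)

# Constructed stand-ins for the packaged and the patched binary. The only
# difference is the 6-byte "je rel32" (0f 84 ...) being replaced by a 5-byte
# "jmp rel32" (e9 ...) padded with a nop (90); the offsets are made up.
ORIGINAL_VLC = b"\x7fELF" + b"\x00" * 12 + b"\x0f\x84\x10\x00\x00\x00" + b"\x00" * 8
PATCHED_VLC = b"\x7fELF" + b"\x00" * 12 + b"\xe9\x11\x00\x00\x00\x90" + b"\x00" * 8

# Constructed manifest line in the real md5sums format, covering the stand-in.
MD5SUMS_TEXT = hashlib.md5(ORIGINAL_VLC).hexdigest() + "  usr/bin/vlc\n"

def check_install(contents: Dict[str, bytes]) -> List[str]:
    """Verify a {path: bytes} snapshot of the install against the manifest."""
    return find_modified(parse_md5sums(MD5SUMS_TEXT), contents)

if __name__ == "__main__":
    print(check_install({"/usr/bin/vlc": ORIGINAL_VLC}))  # []
    print(check_install({"/usr/bin/vlc": PATCHED_VLC}))  # ['/usr/bin/vlc']
```

On a live system you would feed it the real manifest from /var/lib/dpkg/info/ and the bytes of /usr/bin/vlc; debsums runs this same comparison for every installed package.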

Thanks For Visiting.
