PrivEsc with LD_PRELOAD

fx2301

Posted on October 15, 2022

Why?

You need root access on a Linux host.

When?

You have write access to the filesystem, can set environment variables for root, and root runs processes.

How?

  1. Craft a C program with an init function registered in the .init_array section.
  2. Compile the C program as a shared object (.so) for the matching architecture.
  3. Write the binary to the target host's filesystem.
  4. Set the LD_PRELOAD environment variable.
  5. Wait for or trigger the root process execution.

Example

#include <unistd.h>

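// glibc's dynamic loader calls every function pointer in .init_array with
// (argc, argv, envp) when the library is loaded, before the program's main().
void init(int argc, char **argv, char **envp) {
    // PrivEsc hook
}

// Place a pointer to init in the .init_array section.
__attribute__((section(".init_array"))) typeof(init) *__init = init;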
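
To check a host for the conditions listed under "When?", a defender can list root-owned processes that were started with LD_PRELOAD set and test whether each preloaded file, or its directory, can be modified by a non-root user. The Python audit below is an added example, not code from the original post; the function names and the `proc_root` parameter are assumptions chosen for illustration.

```python
import os
import re
import stat


def preload_paths(environ: bytes) -> list[str]:
    """Return the libraries named in LD_PRELOAD from a NUL-separated environ blob."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            # ld.so accepts both colons and spaces as separators.
            return [p for p in re.split(r"[:\s]+", value) if p]
    return []


def weak_permissions(path: str) -> list[str]:
    """Explain why a non-root user could replace the library at `path`."""
    reasons = []
    for target in (path, os.path.dirname(path) or "."):
        try:
            st = os.stat(target)
        except OSError:
            reasons.append(f"{target}: cannot stat")
            continue
        if st.st_uid != 0:
            reasons.append(f"{target}: owner uid {st.st_uid} is not root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append(f"{target}: group/world writable")
    return reasons


def audit(proc_root: str = "/proc") -> list[dict]:
    """List root-owned processes whose environment carries LD_PRELOAD."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "status")) as fh:
                uids = next(l for l in fh if l.startswith("Uid:")).split()[1:]
            with open(os.path.join(base, "environ"), "rb") as fh:
                libs = preload_paths(fh.read())
        except (OSError, StopIteration):
            continue  # process exited or is not readable by this user
        if "0" in uids[:2] and libs:  # real or effective uid is root
            findings.append({"pid": int(pid), "libs": libs,
                             "weak": [r for l in libs for r in weak_permissions(l)]})
    return findings


if __name__ == "__main__":
    for f in audit():
        print(f)
```

Run it as root, since `/proc/<pid>/environ` of other users' processes is not readable otherwise. That file holds the environment the process was started with, so later changes made inside the process are not reflected.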