Shared Libraries

Two types of library in Linux

  • Static libraries (end in the .a extension)

  • Dynamically linked shared object libraries (.so extension)

Methods of specifying the location of dynamic libraries

  • -rpath or -rpath-link flags when compiling a program

  • using the environment variables LD_RUN_PATH or LD_LIBRARY_PATH

  • placing libraries in the /lib or /usr/lib default directories

  • specifying another directory containing the libraries within the /etc/ld.so.conf configuration file

  • LD_PRELOAD environment variable

Viewing the shared objects required by a binary

$ ldd /bin/ls

	linux-vdso.so.1 =>  (0x00007fff03bc7000)
	libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f4186288000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f4185ebe000)
	libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f4185c4e000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f4185a4a000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f41864aa000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f418582d000)

Sample Exploitation

  1. Use sudo -l to check whether LD_PRELOAD is kept in the sudo environment

  2. Under normal circumstances, apache2 is NOT listed in GTFOBins, so we can't use it for privilege escalation. However, since LD_PRELOAD is enabled, we can exploit this.

  3. Create a root.c file

  4. Compile the root.c

  5. Run apache2 with sudo and include root.so in LD_PRELOAD
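
A defensive version of the check in step 1, as an added example that is not part of the original notes: the function reads sudo -l output (or sudoers Defaults lines) on stdin and flags settings that let dynamic-linker variables through sudo's environment reset. The function name, the sample text and the inclusion of LD_AUDIT alongside the page's LD_PRELOAD and LD_LIBRARY_PATH are assumptions of this example.

```shell
# Added example (not from the original notes): audit sudo policy for
# dynamic-linker variables that survive sudo's environment reset.
# Reads `sudo -l` output or sudoers Defaults lines on stdin, prints one
# finding per line, returns 1 if anything was flagged and 0 if clean.
audit_sudo_env() {
    awk '
    BEGIN {
        # Variables that change which libraries the dynamic linker loads
        risky = "^(LD_PRELOAD|LD_LIBRARY_PATH|LD_AUDIT)$"
        found = 0
    }
    {
        line = $0
        # env_reset switched off: the whole caller environment is passed on
        if (line ~ /(^|[ ,\t])!env_reset/) {
            print "env_reset disabled"; found = 1
        }
        # Walk every env_keep= / env_keep+= setting on the line.
        # env_keep-= (removal) is deliberately not matched.
        while (match(line, /env_keep[ \t]*[+]?=[ \t]*("[^"]*"|[^", \t]+)/)) {
            val = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            sub(/^env_keep[ \t]*[+]?=[ \t]*/, "", val)
            gsub(/"/, "", val)
            n = split(val, vars, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (vars[i] ~ risky) {
                    print "env_keep preserves " vars[i]; found = 1
                }
        }
    }
    END { exit found }
    '
}

# Constructed sample resembling `sudo -l` output (not from a real host)
SAMPLE='Matching Defaults entries for user on host:
    env_reset, env_keep+=LD_PRELOAD, secure_path=/usr/sbin\:/usr/bin

User user may run the following commands on host:
    (root) NOPASSWD: /usr/sbin/apache2'

printf '%s\n' "$SAMPLE" | audit_sudo_env || echo "policy needs review"
```

On a live host, pipe sudo -l into audit_sudo_env; removing the flagged variable from env_keep in sudoers stops it from reaching commands run through sudo.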
