ld.so PrivEsc Example

Key Assumptions:

  1. Someone has created a vulnerable entry in a file under /etc/ld.so.conf.d/, and the vulnerable folder is /home/ubuntu/lib (where we have write access). For example:

echo "/home/ubuntu/lib" | sudo tee /etc/ld.so.conf.d/privesc.conf

(The redirection in `sudo echo ... > file` runs as the unprivileged user and fails with permission denied; piping through `sudo tee` performs the write as root.)
  2. We can wait for a reboot, or for the root user to run ldconfig (for example from a cron job). If you can run ldconfig with sudo, or it has the SUID bit set, you can run it yourself.

  3. Even if you do not find anything under /etc/ld.so.conf or /etc/ld.so.conf.d/, run strace on the target binary to see whether it tries to load a shared library that is missing. You may find a .so that cannot be found on any search path.

Use the exploit.c from the LD_PRELOAD section under Sudo, compile it with the same command but with the filename above, and run the program. The program automatically loads the library and executes its code.
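From the defender's side, the misconfiguration this page depends on is easy to audit: every directory that ldconfig will register must be owned by root and writable by nobody else. The script below is an added example (it is not part of the original page) that walks /etc/ld.so.conf and its include files the way ldconfig does and flags any configured directory an unprivileged user could write to, such as the /home/ubuntu/lib entry above. It assumes GNU coreutils `stat` and paths without whitespace; the filename audit_ldso.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): audit the loader search paths
# that ldconfig reads from /etc/ld.so.conf and its include files, and flag any
# directory an unprivileged user could write to. Assumes GNU coreutils
# (stat -c) and whitespace-free paths (ldconfig itself splits on whitespace).

# Print every directory listed in an ld.so.conf-style file, following
# "include" directives the way ldconfig does: comments are stripped, and a
# relative glob is resolved against the directory of the including file.
expand_ldso_conf() {
    conf="$1"
    [ -r "$conf" ] || return 0
    base=$(dirname "$conf")
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" | while read -r kw arg; do
        case "$kw" in
            include)
                case "$arg" in
                    /*) pattern="$arg" ;;
                    *)  pattern="$base/$arg" ;;
                esac
                for f in $pattern; do
                    # subshell so the recursive call cannot clobber $base
                    if [ -f "$f" ]; then ( expand_ldso_conf "$f" ); fi
                done ;;
            hwcap) ;;                       # legacy directive, not a path
            *) printf '%s\n' "$kw" ;;
        esac
    done
    return 0
}

# Check each configured directory and print one line per finding:
#   RISK <dir> <reason>   - an unprivileged user could plant a library here
#   MISSING <dir>         - configured but absent (check who may create it)
# Returns 1 if any RISK line was printed, 0 if the configuration looks clean.
audit_ldso_paths() {
    status=0
    for dir in $(expand_ldso_conf "$1"); do
        if [ ! -d "$dir" ]; then
            printf 'MISSING %s\n' "$dir"
            continue
        fi
        owner=$(stat -c %U "$dir")
        mode=$(stat -c %a "$dir")          # e.g. 755 or 1777
        other=$(( mode % 10 ))             # permission digit for "other"
        group=$(( mode / 10 % 10 ))        # permission digit for "group"
        if [ "$owner" != root ]; then
            printf 'RISK %s owned-by-%s\n' "$dir" "$owner"; status=1
        fi
        if [ $(( other & 2 )) -ne 0 ]; then
            printf 'RISK %s world-writable\n' "$dir"; status=1
        elif [ $(( group & 2 )) -ne 0 ]; then
            printf 'RISK %s group-writable\n' "$dir"; status=1
        fi
    done
    return $status
}

# Usage: sh audit_ldso.sh /etc/ld.so.conf
if [ -n "${1:-}" ]; then audit_ldso_paths "$1"; fi
```

The loader always searches the trusted directories /lib and /usr/lib regardless of the configuration, so this checks only what the config files add; pairing it with a check that ldconfig cannot be run via sudo or a SUID bit covers the second condition described above. The strace step finds a different flaw (a library absent from every search path), which a permission audit does not detect.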
