DEV Community

Cover image for PrivEsc with LD_PRELOAD
fx2301
fx2301

Posted on • Edited on

1

PrivEsc with LD_PRELOAD

#ethicalhacking #redteam #cybersecurity #privesc

Why?

You need root access on a Linux host.

When?

You have write access to the file-system, can set environment variables for root, and root runs processes.

How?

  1. Craft a C program with an init function registered with .init_array.
  2. Compile the C program as an .so binary for the matching architecture.
  3. Write the binary to the target host's filesystem.
  4. Set the LD_PRELOAD environment variable.
  5. Wait for or trigger the root process execution.

Example 

#include <unistd.h>

void init(int argc, char **argv, char **envp) {
    // PrivEsc hook
}

__attribute__((section(".init_array"))) typeof(init) *__init = init;
Enter fullscreen mode Exit fullscreen mode

Top comments (0)

profile
Sentry
 Promoted

Sentry image

See why 4M developers consider Sentry, “not bad.”

Fixing code doesn’t have to be the worst part of your day. Learn how Sentry can help.

Learn more

Read next

tidefoundation profile image

It’s cybersecurity’s kryptonite: Why are you still holding it?

Tide Foundation -

vdelitz profile image

How to build a Passkey Product, a Strategy and Design for it?

vdelitz -

s3cloudhub profile image

Honeypot in Cybersecurity: Creating a Fake Access Point Honeypot 🚨

S3CloudHub -

pentest_testing_corp profile image

Preventing XML External Entity (XXE) Injection in Laravel Applications

Pentest Testing Corp -