DEV Community

fx2301

PrivEsc with LD_PRELOAD

Why?

You need root access on a Linux host.

When?

You have write access to the filesystem, you can set environment variables for root, and root runs processes.

How?

  1. Craft a C program with an init function registered with .init_array.
  2. Compile the C program as an .so binary for the matching architecture.
  3. Write the binary to the target host's filesystem.
  4. Set the LD_PRELOAD environment variable.
  5. Wait for or trigger the root process execution.

Example

#include <unistd.h>

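// Called by the dynamic loader when the shared object is loaded, before main().
void init(int argc, char **argv, char **envp) {
    // PrivEsc hook
}

// Register init by placing a pointer to it in the .init_array section.
__attribute__((section(".init_array"))) typeof(init) *__init = init;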
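
From the defender's side, the preconditions under "When?" can be checked directly. The following is an added example, not part of the original post: it reads the environment of root-owned processes from /proc and flags LD_PRELOAD entries that point at objects a non-root user could have written. All function names are hypothetical.

```python
# Added example; function names are hypothetical, not from the original post.
import os
import re
import stat

def preload_paths(raw_environ):
    """Objects named by LD_PRELOAD in a NUL-separated /proc/<pid>/environ blob."""
    for entry in raw_environ.split(b"\0"):
        key, _, value = entry.partition(b"=")
        if key == b"LD_PRELOAD":
            # ld.so accepts spaces and colons as list separators.
            return [p for p in re.split(r"[ :]+", value.decode(errors="replace")) if p]
    return []

def why_risky(path, stat_fn=os.stat):
    """Reason a preloaded object deserves review, or None if it looks sane."""
    if "/" not in path:
        return "bare name, resolved via library search path"
    try:
        st = stat_fn(path)
    except OSError:
        return "missing or unreadable"
    if st.st_uid != 0:
        return "not owned by root"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable"
    return None

def audit(raw_environ, stat_fn=os.stat):
    """(path, reason) for each risky LD_PRELOAD entry in one environment."""
    checked = ((p, why_risky(p, stat_fn)) for p in preload_paths(raw_environ))
    return [(p, reason) for p, reason in checked if reason]

def scan_root_processes(proc="/proc"):
    """Audit every root-owned process whose environ we are allowed to read."""
    report = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            if os.stat(f"{proc}/{pid}").st_uid != 0:
                continue
            with open(f"{proc}/{pid}/environ", "rb") as fh:
                hits = audit(fh.read())
        except OSError:  # process exited, or we lack permission
            continue
        if hits:
            report[int(pid)] = hits
    return report

if __name__ == "__main__":
    for pid, hits in sorted(scan_root_processes().items()):
        print(pid, hits)
```

/proc/<pid>/environ holds the environment as it was when the process was executed, which is what the loader saw; run the scan as root so every process is readable.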
