gcc -shared -o libcustom.so -fPIC libcustom.c
sudo cp libcustom.so /usr/lib (root privs)
gcc sharedvuln.c -o sharedvuln -lcustom
ldconfig (in case you can execute this binary as sudo or it has the suid bit you will be able to execute it yourself).
sharedvuln executable loading the /home/ubuntu/lib and if any user executes it, a shell will be executed:
/etc/ld.so.conf.d/. But there are other misconfigurations that can cause the same vulnerability: if you have write permissions in some config file inside /etc/ld.so.conf.d, in the folder /etc/ld.so.conf.d, or in the file /etc/ld.so.conf, you can configure the same vulnerability and exploit it.
ldconfig. You can tell ldconfig where to load the conf files from, so we can take advantage of it to make ldconfig load arbitrary folders. So, let's create the files and folders needed to load "/tmp":
ldconfig you can exploit the same vulnerability.
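A defensive check for the write-permission misconfigurations described above, as an added example that is not part of the original page: it walks /etc/ld.so.conf and its include files and reports every config file, config folder and listed library directory that is not owned by root or is writable by group or others. The names risk, audit_ld_conf and trusted_uid are assumptions of this example, and it assumes one directory per line.

```python
import glob
import os
import stat
import sys

def risk(path, trusted_uid):
    """Reason string if someone other than trusted_uid can modify path, else None."""
    st = os.stat(path)
    if st.st_uid != trusted_uid:
        return f"owned by uid {st.st_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"group/other writable, mode {stat.S_IMODE(st.st_mode):o}"
    return None

def audit_ld_conf(conf="/etc/ld.so.conf", trusted_uid=0):
    """Follow conf and its include lines; return sorted (path, reason) findings."""
    findings, seen, queue = set(), set(), [conf]

    def check(path):
        if os.path.exists(path):
            reason = risk(path, trusted_uid)
            if reason:
                findings.add((path, reason))

    while queue:
        cfg = queue.pop()
        if cfg in seen or not os.path.isfile(cfg):
            continue
        seen.add(cfg)
        base = os.path.dirname(cfg)
        check(cfg)   # the config file itself
        check(base)  # the folder it lives in (e.g. /etc/ld.so.conf.d)
        with open(cfg) as fh:
            for raw in fh:
                parts = raw.split("#", 1)[0].split(None, 1)
                if not parts:
                    continue
                if parts[0] == "include" and len(parts) == 2:
                    pattern = parts[1].strip()
                    # relative include patterns are resolved next to the including file
                    queue.extend(glob.glob(os.path.join(base, pattern)))
                elif parts[0].startswith("/"):
                    check(parts[0])  # a library search directory
    return sorted(findings)

if __name__ == "__main__":
    for path, reason in audit_ld_conf(*sys.argv[1:2]):
        print(f"{path}: {reason}")
```

Any path it prints should be changed to root ownership with no group or other write bit, or removed from the loader configuration.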