gcc -shared -o libcustom.so -fPIC libcustom.c
sudo cp libcustom.so /usr/lib  # root privs
gcc sharedvuln.c -o sharedvuln -lcustom
ldconfig (in case you can execute this binary as sudo or it has the suid bit, you will be able to execute it yourself).
sharedvuln executable loading the libcustom.so library from:
/home/ubuntu/lib and if any user executes it, a shell will be executed:
/etc/ld.so.conf.d/.
But there are other misconfigurations that can cause the same vulnerability: if you have write permissions on some config file inside /etc/ld.so.conf.d, on the folder /etc/ld.so.conf.d, or on the file /etc/ld.so.conf, you can configure the same vulnerability and exploit it.
ldconfig.
You can tell ldconfig where to load the conf files from, so we can take advantage of it to make ldconfig load arbitrary folders.
So, let's create the files and folders needed to load "/tmp":
ldconfig you can exploit the same vulnerability.
ldconfig is configured with the suid bit. The following error appears: /sbin/ldconfig.real: Can't create temporary cache file /etc/ld.so.cache~: Permission denied
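
A defender-side check for the misconfigurations described above (a non-privileged library folder listed in the loader configuration, or write access to /etc/ld.so.conf, /etc/ld.so.conf.d or a file inside it), as an added example that is not part of the original page. The function names are hypothetical, and it assumes that only uid 0 should own or be able to write these paths.

```python
import glob
import os
import re
import stat

def loader_paths(conf_path, seen=None):
    """Yield (kind, path) for each config file, include directory and library directory."""
    seen = set() if seen is None else seen
    if conf_path in seen:  # guard against include loops
        return
    seen.add(conf_path)
    yield "config", conf_path
    try:
        with open(conf_path) as fh:
            lines = fh.read().splitlines()
    except OSError:
        return
    for raw in lines:
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not words:
            continue
        if words[0] == "include":
            for pattern in words[1:]:
                # A relative pattern resolves against the including file's directory.
                pattern = os.path.join(os.path.dirname(conf_path), pattern)
                yield "config", os.path.dirname(pattern)
                for included in sorted(glob.glob(pattern)):
                    yield from loader_paths(included, seen)
        else:
            # ldconfig(8): directories may be separated by colons, commas or whitespace.
            for lib_dir in filter(None, re.split(r"[\s:,]+", " ".join(words))):
                yield "libdir", lib_dir

def untrusted_writable(path, trusted_uids=(0,)):
    """True if path exists and is owned or writable by someone outside trusted_uids."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    # Group write is flagged too: conservative, a finding to review.
    loose_mode = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    return st.st_uid not in trusted_uids or loose_mode

def audit(conf_path="/etc/ld.so.conf", trusted_uids=(0,)):
    """Return sorted, de-duplicated (kind, path) findings for the loader configuration."""
    return sorted({(kind, path) for kind, path in loader_paths(conf_path)
                   if untrusted_writable(path, trusted_uids)})
```

Calling `audit()` with no arguments checks the live configuration; each finding is a path that should be owned by root and have group/other write removed, or a library directory entry that should be dropped from the configuration.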