Why?
You need root access on a Linux host.
When?
You have write access to the file-system, can set environment variables for root, and root runs processes.
How?
- Craft a C program with an
init
function registered with.init_array
. - Compile the C program as an .so binary for the matching architecture.
- Write the binary to the target host's filesystem.
- Set the LD_PRELOAD environment variable.
- Wait for or trigger the root process execution.
Example
#include <unistd.h>
void init(int argc, char **argv, char **envp) {
// PrivEsc hook
}
__attribute__((section(".init_array"))) typeof(init) *__init = init;
Top comments (0)