Re: Why SUID Binary exploit does not yield root shell?

From: Brian Hatch (vuln-dev@ifokr.org)
Date: Sun Mar 09 2003 - 09:49:08 CST


> I've managed to find a buffer overflow and exploit it to execve a /bin/sh
> using my payload shellcode. However, whenever I run my exploit, I do get a
> shell but just that it is an ordinary shell under my account (as id would
> indicate).

Some /bin/sh's will drop privs if uid != euid. Bash is one of these.
Instead of using /bin/sh during your test, try /usr/bin/id just to
see what uid and euid are. If euid is root yet /bin/sh is not yielding
root, that's the cause. You can always compile your own sh frontend
to fix uid too:

#include <unistd.h>

int main(void) {
        char *argv[] = { "sh", NULL };
        setuid(0); seteuid(0); setgid(0);
        execve("/bin/sh", argv, NULL);  /* only returns if the exec failed */
        return 1;
}

Compile, install, and call that instead. You should probably just
include setuid(0) instructions into your shellcode to avoid the
middle man. Or you could call /bin/csh which usually doesn't drop
privs (but leaves folks stuck in the unpleasant world of C shell)
or pretty much any other shell-like program.

> What is the magic here (if any)?

Bash is being "smarter" than you want it to be.

--
Brian Hatch                    Is a book on
   Systems and                 voyeurism a
   Security Engineer           peeping tome.
http://www.ifokr.org/bri/

Every message PGP signed

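The uid/euid check the reply describes (bash resetting itself to the real ids when they differ from the effective ones), written out as an added C example that is not from the post or from bash: a pure decision function plus a self-verifying privilege drop, including the case where a lingering saved id would let the old effective id come back.

```c
/* Added example: the "uid != euid" check and a correct, verified drop
 * to the real ids, as a careful setuid program (or shell) performs it. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure decision: do these ids mean the process is running with more
 * privilege than its invoking user? This is the test that turns a
 * root-euid shell back into an ordinary one. */
int ids_are_elevated(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid != euid || gid != egid;
}

/* Permanently drop to the real ids and verify it took.
 * Order matters: the group goes first, because once the effective uid
 * is unprivileged, setgid() to a different group is refused.
 * Caveat checked below: setuid() only clears the saved id when euid is
 * root; for a non-root setuid binary the old euid could be regained, so
 * an attempt to regain it must fail or the drop is reported incomplete. */
int drop_to_real_ids(void)
{
    uid_t uid = getuid(), euid = geteuid();
    gid_t gid = getgid(), egid = getegid();

    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    if (geteuid() != uid || getegid() != gid) return -1;
    if (euid != uid && seteuid(euid) == 0) return -1;  /* came back: bad */
    if (egid != gid && setegid(egid) == 0) return -1;  /* came back: bad */
    return 0;
}

int main(void)
{
    printf("before: uid=%lu euid=%lu gid=%lu egid=%lu\n",
           (unsigned long)getuid(), (unsigned long)geteuid(),
           (unsigned long)getgid(), (unsigned long)getegid());
    if (ids_are_elevated(getuid(), geteuid(), getgid(), getegid())) {
        puts("ids differ: dropping to real ids (what bash does)");
        if (drop_to_real_ids() != 0) { perror("drop incomplete"); return 1; }
    } else {
        puts("ids match: nothing to drop");
    }
    printf("after:  uid=%lu euid=%lu\n",
           (unsigned long)getuid(), (unsigned long)geteuid());
    return 0;
}
```

Installed setuid root it prints differing ids and then drops them; run normally (or as plain root) the ids already match and nothing changes.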