Vulnerability Development mailing list archives
Re: Why SUID Binary exploit does not yield root shell?
From: Shaun Clowes <shaun () securereality com au>
Date: Sun, 09 Mar 2003 18:56:58 +1100
Hi Kryptik,
> I've managed to find a buffer overflow and exploit it to execve a /bin/sh using my payload shellcode. However, whenever I run my exploit, I do get a shell but just that it is an ordinary shell under my account (as id would indicate).
It's quite likely that the program in question is dropping privileges before the buffer overflow occurs. To determine if that's the case try modifying your shellcode to perform a trap (INT3, 0xcc) and run the exploit under the debugger. When the shellcode executes the program should stop. Then you can just look in /proc/<pid>/status, the ids on the "Uid:" line represent the real, effective, saved and filesystem user ids respectively. If these are all no longer root, there is nothing you can do to restore privileges.
One other way to determine if the program is dropping privileges would be to run strace on the binary and see if set(re)uid has been called before the overflow point.
Cheers, Shaun
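The /proc/<pid>/status check Shaun describes, as an added example that is not part of the original thread: a small C program that parses the "Uid:" line (real, effective, saved, filesystem) and classifies whether a setuid program's privilege drop is complete, which is what a reviewer of a setuid program wants to verify. The function and type names and the sample status text are my own constructions, not anything from the list.

```c
#include <stdio.h>
#include <string.h>

/* Ids on the "Uid:" line of /proc/<pid>/status: real, effective, saved, filesystem. */
struct proc_uids { long real, effective, saved, fs; };

/* Find the "Uid:" line in status-file text and parse its four ids; 0 on success, -1 if absent/malformed. */
int parse_proc_uids(const char *status_text, struct proc_uids *out)
{
    for (const char *line = status_text; line && *line; ) {
        if (strncmp(line, "Uid:", 4) == 0)
            return sscanf(line + 4, "%ld %ld %ld %ld", &out->real,
                          &out->effective, &out->saved, &out->fs) == 4 ? 0 : -1;
        line = strchr(line, '\n');          /* advance to the next line */
        if (line) line++;
    }
    return -1;
}

/* 2: effective uid is still root.  1: effective uid dropped but real or saved
 * uid is still root, an incomplete drop the process can undo with setuid(0)/seteuid(0).
 * 0: no id is root; the drop is permanent and cannot be reversed. */
int root_privilege_state(const struct proc_uids *u)
{
    if (u->effective == 0) return 2;
    if (u->real == 0 || u->saved == 0) return 1;
    return 0;
}

/* Classify status-file text directly; -1 if the Uid: line cannot be parsed. */
int privilege_state_of(const char *status_text)
{
    struct proc_uids u;
    return parse_proc_uids(status_text, &u) == 0 ? root_privilege_state(&u) : -1;
}

/* Constructed sample, not a real capture: a setuid-root program stopped in the
 * debugger after seteuid(1000), with its saved uid still 0. */
static const char SAMPLE_STATUS[] =
    "Name:\tsuidprog\nState:\tt (tracing stop)\nPid:\t4242\n"
    "Uid:\t1000\t1000\t0\t1000\nGid:\t1000\t1000\t1000\t1000\n";

int main(void)
{
    struct proc_uids u;
    if (parse_proc_uids(SAMPLE_STATUS, &u) != 0) return 1;
    printf("real=%ld effective=%ld saved=%ld fs=%ld -> state %d\n",
           u.real, u.effective, u.saved, u.fs, root_privilege_state(&u));
    return 0;
}
```

A correct drop (setuid(uid) as root, or setresuid(uid, uid, uid)) yields state 0 for all four ids; state 1 is the common mistake of calling only seteuid(), which leaves root in the saved uid.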