Vulnerability Development mailing list archives
Re: Why SUID Binary exploit does not yield root shell?
From: Brian Hatch <vuln-dev () ifokr org>
Date: Sun, 9 Mar 2003 07:49:08 -0800
I've managed to find a buffer overflow and exploit it to exeve a /bin/sh using my payload shellcode. However, whenever I run my exploit, I do get a shell but just that it is an ordinary shell under my account (as id would indicate).
Some /bin/sh's will drop privs if uid != euid. Bash is one of these. Instead of using /bin/sh during your test, try /usr/bin/id just to see what uid and euid are. If euid is root yet /bin/sh is not yielding root, that's the cause. You can always compile your own sh frontend to fix uid too: ... main () { setuid(0); seteuid(0); setgid(0); execve("/bin/sh",...) } Compile, install, and call that instead. You should probably just include setuid(0) instructions into your shellcode to avoid the middle man. Or you could call /bin/csh which usually doesn't drop privs (but leaves folks stuck in the unpleasant world of C shell) or any pretty much other shell-like program.
What is the magic here (if any)?
Bash is being "smarter" than you want it to be. -- Brian Hatch Is a book on Systems and voyeurism a Security Engineer peeping tome. http://www.ifokr.org/bri/ Every message PGP signed
Attachment:
_bin
Description:
Current thread:
- Why SUID Binary exploit does not yield root shell? Kryptik Logik (Mar 08)
- Re: Why SUID Binary exploit does not yield root shell? Shaun Clowes (Mar 09)
- Re: Why SUID Binary exploit does not yield root shell? buzzdee (Mar 09)
- Re: Why SUID Binary exploit does not yield root shell? Brian Hatch (Mar 09)
- Re: Why SUID Binary exploit does not yield root shell? Andres Roldan (Mar 10)
- Re: Why SUID Binary exploit does not yield root shell? tony (Mar 09)