Re: [Full-disclosure] Local suid files and buffer overflows

From: Fósforo (fosforo_at_gmail.com)
Date: 10/09/05

  • Next message: Martin Schulze: "[Full-disclosure] [SECURITY] [DSA 854-1] New tcpdump packages fix denial of service"
    Date: Sun, 9 Oct 2005 13:41:37 -0300
    To: full-disclosure@lists.grok.org.uk
    
    

    try copying /bin/bash to the /tmp/ directory, setting suid for all

    t+

    2005/10/9, Joachim Schipper <j.schipper@math.uu.nl>:
    > On Sun, Oct 09, 2005 at 01:17:39AM +0200, Werner Schalk wrote:
    > > Hi,
    > >
    > > first of all apologies for asking such a newbie question but I am trying
    > > to learn how to exploit buffer overflows and therefore wrote a little
    > > program to exploit. This little program has the following permissions:
    > >
    > > $ ls -la test1
    > > -rwsr-sr-x 1 root root 17164 Oct 8 01:25 test1
    > >
    > > Now I exploited it using Aleph One's shellcode (see
    > > http://shellcode.org/shellcode/linux/null-free/) but I won't get a SUID
    > > shell afterwards (I know the exploit did work but I still have my normal
    > > user privileges). Why? I have tried a different shellcode to write a file
    > > and this file was root:root. Any ideas, hints, rtfm?
    > >
    > > Thank you.
    > >
    > > Best regards,
    > > Werner.
    >
    > Try the following:
    >
    > # mount
    > <snippity>
    > /dev/hdb2 on /home type ext3 (rw,nosuid,nodev)
    > <snippity>
    >
    > nosuid means that suid binaries lose their special properties here.
    > See mount(8). As you just proved, it's not completely useless.
    >
    > As an additional exercise, bypass the nosuid mount option. Or just copy
    > it somewhere without nosuid.
    >
    > (There are many, many other ways this behaviour could have happened, but
    > this one sounds most likely...)
    >
    > Joachim
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > Hosted and sponsored by Secunia - http://secunia.com/
    >

    --
    ---------------------------------------------------------
    >>>Fósforo<<<
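Joachim's nosuid point, turned into a defender's check: an added example that is not part of this thread, written in POSIX sh. It reads /proc/mounts-format text, picks the longest mount point covering a path and reports whether nosuid will keep the setuid bit from taking effect. The mount table below is constructed, and the function names (mount_opts_for, nosuid_applies, check_live) are introduced here.

```shell
#!/bin/sh
# Added example: does the filesystem holding a setuid binary carry nosuid?
# Input format is that of /proc/mounts: "dev mountpoint fstype options dump pass".

# Print the options of the longest mount point that is a prefix of path $1.
# $2 is /proc/mounts-style text.
mount_opts_for() {
    path=$1
    mounts=$2
    printf '%s\n' "$mounts" | awk -v p="$path" '
        {
            mp = $2
            # "/" covers everything; otherwise require an exact match or
            # mountpoint followed by "/" so /home does not match /home2.
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best_len) { best_len = length(mp); best = $4 }
            }
        }
        END { print best }'
}

# Return 0 (true) when the filesystem holding $1 is mounted nosuid.
nosuid_applies() {
    opts=$(mount_opts_for "$1" "$2")
    case ",$opts," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample mount table, mirroring the /home line quoted in the reply.
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw 0 0
/dev/hdb2 /home ext3 rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw 0 0'

# Live use on Linux: read the real table and flag a setuid file that a
# nosuid mount silently neuters (exit 1: no setuid bit; exit 2: nosuid).
check_live() {
    f=$1
    [ -u "$f" ] || { echo "$f: setuid bit not set"; return 1; }
    if nosuid_applies "$f" "$(cat /proc/mounts)"; then
        echo "$f: setuid bit set but filesystem is nosuid; it has no effect"
        return 2
    fi
    echo "$f: setuid is effective"
}
```

Run `check_live /path/to/binary` on a Linux host to see which of the two cases from the thread applies.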
    
