Re: Why SUID Binary exploit does not yield root shell?
From: Shaun Clowes (shaun@securereality.com.au)
Date: 03/09/03
- Previous message: Kryptik Logik: "Why SUID Binary exploit does not yield root shell?"
- In reply to: Kryptik Logik: "Why SUID Binary exploit does not yield root shell?"
- Next in thread: buzzdee: "Re: Why SUID Binary exploit does not yield root shell?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 09 Mar 2003 18:56:58 +1100
To: Kryptik Logik <kryptiklogik@hushmail.com>, vuln-dev@securityfocus.com
From: Shaun Clowes <shaun@securereality.com.au>
Hi Kryptik,
>I've managed to find a buffer overflow and exploit it to execve a /bin/sh
>using my payload shellcode. However, whenever I run my exploit, I do get a
>shell but just that it is an ordinary shell under my account (as id would
>indicate).
It's quite likely that the program in question is dropping privileges
before the buffer overflow occurs. To determine if that's the case, try
modifying your shellcode to perform a trap (INT3, 0xcc) and run the exploit
under the debugger. When the shellcode executes, the program should stop.
Then you can just look in /proc/<pid>/status, the ids on the "Uid:" line
represent the real, effective, saved and filesystem user ids respectively.
If these are all no longer root, there is nothing you can do to restore
privileges.
One other way to determine if the program is dropping privileges would be
to run strace on the binary and see if set(re)uid has been called before
the overflow point.
Cheers,
Shaun
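The /proc/<pid>/status check from the reply above, written out as an added example (not code from Shaun's message): it parses the "Uid:" line into the real, effective, saved and filesystem ids and reports whether all four are non-root, which is what a set-uid program that has properly dropped privileges should show. The function names and the sample status text are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Parse the "Uid:" line of /proc/<pid>/status text into the real,
 * effective, saved and filesystem uids, in that order.
 * Returns 0 on success, -1 if the line is missing or malformed. */
int parse_uid_line(const char *text, unsigned long ids[4])
{
    const char *line = text;
    while (line && *line) {
        if (strncmp(line, "Uid:", 4) == 0)
            return sscanf(line + 4, "%lu %lu %lu %lu",
                          &ids[0], &ids[1], &ids[2], &ids[3]) == 4 ? 0 : -1;
        if ((line = strchr(line, '\n')) != NULL)
            line++;                     /* step to the next line */
    }
    return -1;
}
/* 1 if none of the four ids is root (privileges are gone for good), 0 if
 * any is still 0 (seteuid() alone leaves the saved uid at root, so root can
 * be regained), -1 if the text is unparsable. */
int status_text_fully_dropped(const char *text)
{
    unsigned long ids[4];
    if (parse_uid_line(text, ids) != 0)
        return -1;
    return ids[0] && ids[1] && ids[2] && ids[3];
}
/* Same check on a live process; pid is a decimal pid or "self". */
int proc_fully_dropped(const char *pid)
{
    char path[64], buf[4096];
    FILE *fp;
    size_t n;
    snprintf(path, sizeof path, "/proc/%s/status", pid);
    if ((fp = fopen(path, "r")) == NULL)
        return -1;
    n = fread(buf, 1, sizeof buf - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    return status_text_fully_dropped(buf);
}
int main(void)
{
    /* Constructed sample: only the effective uid was lowered, saved uid is 0. */
    const char *sample = "Name:\tfoo\nUid:\t1000\t1000\t0\t1000\nGid:\t1000\t1000\t1000\t1000\n";
    printf("sample fully dropped: %d, this process: %d\n",
           status_text_fully_dropped(sample), proc_fully_dropped("self"));
    return 0;
}
```

Run it as the set-uid target's pid (after it has stopped under the debugger, as described above) or as "self" from inside a program after its privilege-dropping calls; a 0 means some id is still root and the drop is incomplete.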