Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Local suid files and buffer overflows
From: Joachim Schipper <j.schipper () math uu nl>
Date: Sun, 9 Oct 2005 17:26:51 +0200

On Sun, Oct 09, 2005 at 01:17:39AM +0200, Werner Schalk wrote:
first of all apologies for asking such a newbie question but I am trying 
to learn how to exploit buffer overflows and therefore wrote a little 
program to exploit. This little program has the following permissions: 
$ ls -la test1 
-rwsr-sr-x  1 root root 17164 Oct  8 01:25 test1 
Now I exploited it using Aleph One's shellcode (see  
http://shellcode.org/shellcode/linux/null-free/) but I won't get a SUID 
shell afterwards (I know the exploit did work but I still have my normal 
user privleges). Why? I have tried a different shellcode to write a file 
and this file was root:root. Any ideas, hints, rtfm? 
Thank you. 
Best regards, 

Try the following:

# mount
/dev/hdb2 on /home type ext3 (rw,nosuid,nodev)

nosuid means that suid binaries lose their special properties here.
See mount(8). As you just proved, it's not completely useless.

As an additional exercise, bypass the nosuid mount option. Or just copy
it somewhere without nosuid.

(There are many, many other ways this behaviour could have happened, but
this one sounds most likely...)

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]