mailing list archives
Re: Local suid files and buffer overflows
From: Joachim Schipper <j.schipper () math uu nl>
Date: Sun, 9 Oct 2005 17:26:51 +0200
On Sun, Oct 09, 2005 at 01:17:39AM +0200, Werner Schalk wrote:
first of all apologies for asking such a newbie question but I am trying
to learn how to exploit buffer overflows and therefore wrote a little
program to exploit. This little program has the following permissions:
$ ls -la test1
-rwsr-sr-x 1 root root 17164 Oct 8 01:25 test1
Now I exploited it using Aleph One's shellcode (see
http://shellcode.org/shellcode/linux/null-free/) but I won't get a SUID
shell afterwards (I know the exploit did work but I still have my normal
user privleges). Why? I have tried a different shellcode to write a file
and this file was root:root. Any ideas, hints, rtfm?
Try the following:
/dev/hdb2 on /home type ext3 (rw,nosuid,nodev)
nosuid means that suid binaries lose their special properties here.
See mount(8). As you just proved, it's not completely useless.
As an additional exercise, bypass the nosuid mount option. Or just copy
it somewhere without nosuid.
(There are many, many other ways this behaviour could have happened, but
this one sounds most likely...)
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/