Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Local suid files and buffer overflows
From: Fósforo <fosforo () gmail com>
Date: Sun, 9 Oct 2005 13:41:37 -0300

try copying /bin/bash to /tmp/ directory, setting suid for all

t+

2005/10/9, Joachim Schipper <j.schipper () math uu nl>:
On Sun, Oct 09, 2005 at 01:17:39AM +0200, Werner Schalk wrote:
Hi,

first of all apologies for asking such a newbie question but I am trying
to learn how to exploit buffer overflows and therefore wrote a little
program to exploit. This little program has the following permissions:

$ ls -la test1
-rwsr-sr-x  1 root root 17164 Oct  8 01:25 test1

Now I exploited it using Aleph One's shellcode (see
http://shellcode.org/shellcode/linux/null-free/) but I won't get a SUID
shell afterwards (I know the exploit did work but I still have my normal
user privleges). Why? I have tried a different shellcode to write a file
and this file was root:root. Any ideas, hints, rtfm?

Thank you.

Best regards,
Werner.

Try the following:

# mount
<snippity>
/dev/hdb2 on /home type ext3 (rw,nosuid,nodev)
<snippity>

nosuid means that suid binaries lose their special properties here.
See mount(8). As you just proved, it's not completely useless.

As an additional exercise, bypass the nosuid mount option. Or just copy
it somewhere without nosuid.

(There are many, many other ways this behaviour could have happened, but
this one sounds most likely...)

                Joachim
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



--

---------------------------------------------------------
Fósforo<<<
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault