LinuxQuestions.org > Linux - Security > buffer overflow cannot get a root shell? (https://www.linuxquestions.org/questions/linux-security-4/buffer-overflow-cannot-get-a-root-shell-155525/)

uskitten 03-09-2004 03:01 PM

buffer overflow cannot get a root shell?
 
Hi,

I am studying the buffer overflow mechanism. I wrote a test program with a buffer overflow vulnerability and made this program setuid root.

I then tried to exploit this program to launch applications with root privilege. If I run shellcode to launch a normal binary, it really runs as root, but if I try to launch /bin/bash with the buffer overflow, the launched shell only runs with the normal user's privilege. Why? Isn't starting a root shell an important goal of a buffer overflow? Many papers say that we can start a root shell, so why did I fail?

Can someone give me some ideas? Thanks.

jailbait 03-09-2004 04:21 PM

"Isn't starting a root shell an important goal for buffer overflow?"
No. The opposite is true. The kernel developers put a lot of effort into making sure that a buffer overflow does not allow a user to gain root access. If you manage to use a buffer overflow to gain root access then you should report it as a bug to the kernel developers.


___________________________________
Be prepared. Create a LifeBoat CD.
http://users.rcn.com/srstites/LifeBo...home.page.html

Steve Stites

uskitten 03-09-2004 04:28 PM

Sorry, I guess I didn't make myself clear enough.

I am researching techniques to prevent buffer overflows. But before I can get a reasonable solution, I have to know the details of buffer overflows. That's why I am doing some simulation. The final goal is still to protect computer systems.

Also, I believe that the best way to protect a system is to analyze it as deep as possible, not just hide all details. :)

So, if someone happens to know the answer to my question, please give me a hand.

cjcuk 03-09-2004 08:38 PM

Now, realise it's 2:30 AM, so I could be talking gibberish...

It might be an issue with setuid versus seteuid. The euid context is being kept through the shellcode execution, but being lost via the alternative method you are using. Or something similar. You really cut the details a bit on the fine side, so this could be completely unrelated.

I am not sure what the second post in this thread is talking about, at all.

uskitten 03-10-2004 12:56 AM

Thanks for the kind reply.

But I even tried the following code:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
    char *prog[] = {"/bin/bash", NULL};
    char *env[]  = {"HOME=/root", NULL};

    /* execve() only returns on failure; on success bash replaces this process */
    execve("/bin/bash", prog, env);
    perror("execve");   /* reached only if execve() failed */
    getchar();
    return 0;
}

after compiling it, I do:

chown root a.out
chgrp root a.out
chmod u+s a.out

It still doesn't work. Why? I am totally lost. :(

Any ideas? Thanks.

cjcuk 03-10-2004 03:47 AM

Quote:

Originally posted by uskitten
[ ... ]
execve("/bin/bash",prog,env);
getchar();
return 0;
[...]

Does the program get to the getchar and the return statement? I know it is a long shot, but if it does then the execve is failing and you are probably back in your own shell (that I presume is not a root shell...).

uskitten 03-10-2004 10:02 AM

No. The program did not reach the "getchar()" line, and I did get a new shell. The only trouble is that the newly spawned shell is still under my name, not root. :(
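As an added example (not code posted in this thread, and not bash's own source), here is a simplified version of the uid check bash performs at startup: when the real and effective uid differ, bash resets the effective uid to the real uid unless it was started with -p, which is why a setuid-root program that only execve()s /bin/bash ends up with an unprivileged shell. The struct and function names are my own.

```c
/* Added example, not from the thread: a simplified re-implementation of
 * the privilege drop bash does at startup when ruid != euid (and -p is
 * not given). Struct and function names are hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

struct uid_state { uid_t real; uid_t effective; };

void read_uid_state(struct uid_state *s) {
    s->real = getuid();
    s->effective = geteuid();
}

/* True when running with borrowed privilege, i.e. what a setuid-root
 * binary (and the /bin/bash it execve()s) sees at startup. */
int is_setuid_context(const struct uid_state *s) {
    return s->real != s->effective;
}

/* Reset the effective uid to the real uid, as bash does unless started
 * with -p. Returns 1 if privilege was dropped, 0 if there was nothing
 * to drop, -1 if the drop could not be made or verified. */
int drop_privileges_like_bash(void) {
    struct uid_state before, after;
    read_uid_state(&before);
    if (!is_setuid_context(&before))
        return 0;
    /* With euid 0, setuid() also overwrites the saved uid, so the
     * process cannot undo the drop later. */
    if (setuid(before.real) != 0)
        return -1;
    read_uid_state(&after);
    if (after.real != before.real || after.effective != before.real)
        return -1;
    if (before.effective == 0 && seteuid(0) == 0)
        return -1;   /* regaining root must fail once dropped */
    return 1;
}

int main(void) {
    struct uid_state s;
    int dropped = drop_privileges_like_bash();
    read_uid_state(&s);
    printf("dropped=%d ruid=%u euid=%u\n", dropped,
           (unsigned)s.real, (unsigned)s.effective);
    return 0;
}
```

Compiled and installed with the same chown/chmod u+s steps as the program above, then run by an unprivileged user, it reports dropped=1 with euid equal to ruid, which is the state a setuid-root wrapper's bash is in after its own startup check.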


All times are GMT -5.