hello everyone !
i have a little problem for which i cannot find a solution.
im enabling core dumps for suid programs
echo '1' >> /proc/sys/fs/suid_dumpable
i have a suid vuln program and im exploiting it.
-rwsr-sr-x 1 root root 6741 2007-11-02 22:59 retlib

m00n@localhost:~/w0rk$ ./retlib 111111111111111111111111111111
Segmentation fault (core dumped)
now we have a core file with root priviliges
-rw------- 1 root root 147456 2007-11-02 23:42 core
how can i make this core file to be with the priviliges of a user
which executed the program? so i can open it with gdb
thnx in advance.

If you have root access, you can simply use

# chown user:group <filename>

But it looks like you are not the root user, so you might have to stop trying to crack that system. Before you get arrested.

please read it carefully especially for you David1357
im enabling core dumps for suid programs
echo '1' >> /proc/sys/fs/suid_dumpable
can a simple user do that without the root access?

im doing my coursework and im cracking my ubuntu 7.10 box ))
could i be arrested for this ?)
if i was cracking someone's else box why would i need the core dumps
if i simply get all registers from gdb
about chowning,
i already did that but the core that is dumping
is taking root priviliges when im executing the program from the user.
why its happening im trying to figure out but unsuccessfully
can anyone help me please

here are logs to make it clearer
m00n@crack3:~/w0rk$ ./retlib `perl -e 'print "\x42"x100'`
Exploiting via returnig into libc function
Segmentation fault (core dumped)
m00n@crack3:~/w0rk$ ls -ls core
148 -rw------- 1 root root 147456 2007-11-03 04:34 core
m00n@crack3:~/w0rk$ su
Password:
root@crack3:/home/m00n/w0rk# chown m00n:m00n core
root@crack3:/home/m00n/w0rk# exit
exit
m00n@crack3:~/w0rk$ ./retlib `perl -e 'print "\x41"x100'`
Exploiting via returnig into libc function
Segmentation fault (core dumped)
m00n@crack3:~/w0rk$ gdb -q -c core
(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
Core was generated by `./retlib BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'.
Program terminated with signal 11, Segmentation fault.
#0 0x42424242 in ?? ()
(gdb) q

as we can see it doesnt change there is a 'B' character
while there should be an 'A'

setuid = the program, invoked as a user, runs as the owner of the program rather than the user that invoked it. So it only makes sense, given that the program is running as root, that the core file generated also ends up being root's.

If that weren't the case, then there'd be no point to the setuid bit, and no danger in having extraneous setuid programs on a system.

so as u are saying it is impossible for programs with suid bit
that has been ran by the user to produce core dump with the users rights
did i get u right ?
i think i have seen somewhere in advisory it has happened
please correct me if im wrong
thanks

i have one more question why does the core can not overwrite itself after?
once i get executed it writes core file and doesnt change it anymore
is there something to do with ulimit ?

Maybe you should find that advisory and see if it applies to your setup (i.e. kernel version, library versions, etc).

I believe you have to delete the core file before you can write a new one. At least that is the way it used to work on the Sun machines I used at work many m00ns ago.