LinuxQuestions.org


navawatanasob 09-16-2004 11:20 PM

suid peculiarities
 
After reading up on memory segmentation and C programming for a while now, I've finally gotten to the point where I can start writing my own programs in C and fool around with buffer overflows. Last night I started playing around with exploiting vulnerable suid C programs, and interestingly, I found that the suid bit I thought I knew so much about was actually more complicated than I thought. Setting /bin/bash to suid root and running it didn't change the euid, which was initially mind-boggling to me. After some research, I realized that this was because since version 2.0, bash drops the euid/uid privileges. This was interesting, but more interesting (actually becoming annoying) to me were the following findings.

After successfully writing a C program vulnerable to a simple buffer overflow and an exploit program to go along with it, I started testing. For fear that an attacker would use my research to root my machine, I made a new user "woot" on my box, so I could play around with suid programs without actually leaving my box vulnerable. I chowned the vulnerable program to woot:users and set the suid bit, but running my exploit didn't change my euid or uid at all! I thought it might have something to do with the shellcode dropping privileges (I didn't write the shellcode -- copied it out of a book), but this turned out to be false. After chowning the vulnerable program to root:root and setting the suid bit, I ran my exploit and I became root. I don't understand what's going on. When the vulnerable program is suid root, I run the exploit and become root, but when it is suid any other user, I don't become the other user. Can anyone explain what's going on here??? Thanks in advance, and sorry if there's a repeat thread somewhere -- I couldn't find one.
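An added illustration of the mechanism the post above is poking at; this is editor-added code, not something posted in this thread. It assumes Linux with glibc (getresuid/setresuid). At exec of a set-user-id file the kernel sets only the effective and saved uid to the file owner and leaves the real uid as the invoking user; the program below reports all three ids, tells you whether it is running with borrowed privilege, and then drops that privilege for good, verifying the drop rather than trusting the return value. The same asymmetry is what bash enforces on itself: when its euid differs from its uid it resets the euid unless started in privileged mode, which is exactly the "bash drops privileges" behaviour the post mentions, and it is the behaviour a defender wants in any program that must not keep the file owner's identity.

```c
#define _GNU_SOURCE          /* makes <unistd.h> declare getresuid/setresuid on glibc */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes so the file also builds when feature macros were
 * already fixed by an earlier include; both calls are Linux/glibc. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

/* The three user ids a Linux process carries. Executing a set-user-id file
 * sets euid and suid to the file owner; ruid stays the invoking user. */
struct ids { uid_t ruid, euid, suid; };

struct ids get_ids(void)
{
    struct ids s;
    if (getresuid(&s.ruid, &s.euid, &s.suid) != 0)
        s.ruid = s.euid = s.suid = (uid_t)-1;   /* should not happen on Linux */
    return s;
}

/* 1 if the process holds privilege borrowed from a set-user-id file, i.e. the
 * effective or saved id differs from the real one; 0 otherwise. */
int running_with_borrowed_privilege(void)
{
    struct ids s = get_ids();
    return s.euid != s.ruid || s.suid != s.ruid;
}

/* Drop back to the invoking user for good: real, effective AND saved id all
 * become ruid, then the result is verified. Returns 0 on success, -1 on any
 * failure (a caller should treat -1 as fatal). setresuid rather than setuid
 * matters when the set-user-id file is owned by a non-root user: for a
 * non-root caller plain setuid() changes only the effective id and leaves the
 * saved id alone, so the file owner's identity could be taken back later
 * with seteuid(). */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    struct ids s;

    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;
    s = get_ids();
    if (s.ruid != ruid || s.euid != ruid || s.suid != ruid)
        return -1;                 /* kernel did not do what we asked */
    /* Unless we really are root, becoming uid 0 must now be impossible. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    struct ids b = get_ids();
    printf("before: ruid=%u euid=%u suid=%u borrowed=%d\n",
           (unsigned)b.ruid, (unsigned)b.euid, (unsigned)b.suid,
           running_with_borrowed_privilege());
    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "privilege drop failed; refusing to continue\n");
        return 1;
    }
    struct ids a = get_ids();
    printf("after:  ruid=%u euid=%u suid=%u borrowed=%d\n",
           (unsigned)a.ruid, (unsigned)a.euid, (unsigned)a.suid,
           running_with_borrowed_privilege());
    return 0;
}
```

To see the effect on a test box, compile it, chown the binary to a second (non-root) user, chmod u+s, and run it as yourself: the "before" line shows your uid as ruid and the file owner as euid and suid, and the "after" line shows all three equal to your uid. Run without the set-user-id bit, all three ids are already equal and the drop is a no-op that still succeeds.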

realjustin 09-17-2004 04:43 AM

I have some vague memory of reading that root must compile the program, and that the exploit only works with the user who compiled it. It doesn't make sense necessarily, but make sure you recompile it as root. What's weirder is that I have an exploit I wrote a long time ago on Redhat 9, and I haven't run it in months, but just now it doesn't work at all when I rebuild it for Slack 10. It runs a shell, but the shell doesn't SUID as root. Strangeness, as it's a basic C string exploit, nothing bash related.

navawatanasob 09-17-2004 06:42 PM

I tried compiling the vulnerable program and the exploit as root and compiling one or the other as woot (normal user), but this still didn't change the fact that as long as root didn't own the suid vulnerable program, I couldn't change my euid. I'm thinking that it could be the shellcode I'm using, but I'm skeptical. When I have more time I will try a different shellcode. Any other ideas, explanations, or general information related to this problem/topic would be greatly appreciated. I'm really perplexed.
