LinuxQuestions.org - [SOLVED] Error in Shell prompt

- Programming (https://www.linuxquestions.org/questions/programming-9/)

- - Error in Shell prompt (https://www.linuxquestions.org/questions/programming-9/error-in-shell-prompt-4175450943/)

Error in Shell prompt

I have made a script in C which spawns a shell. Here it is

Code:

#include<stdio.h>



char shellcode[] = "\xeb\x18\x5e\x31\xc0\x88\x46\x09\x89\x76\x0a\x89\x46\x0e\xb0\x0b\x89\xf3\x8d\x4e\x0a\x8d\x56\x0e\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43\x43";



main()

{

        int *ret;



        ret = (int *)&ret + 2;



        (*ret) = (int)shellcode;

}

I have made it as root & set it as suid by

Code:

chmod +s mycode

Now i have copied this file to a normal user's location & executed as normal user. So i have expected a root shell for the normal user but i got the bash shell as a normal user.

I dont understand why i am not getting root shell ?

According to the definition of SUID, it is

Quote:

If the SUID bit is set for any application then your user ID would be set as that of the owner of application/file rather than the current user, while running that application.

So what wrong i am doing ?

My OS info

Code:

Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux

Thanks

Please try to avoid using machine code instead of proper C-source. It has no advantage, except make you look stupid.

I expect bash is starting with ruid of the user but euid of root and in response to this it sets euid=ruid.

setuid(0) in the program before it does the implicit return might get you what you want. In a more realistic/useful setting you'd have a shellcode that starts with setuid(0) to deal with this.

Or you could run an interpreter such as perl instead of bash, set the uid in perl and finally exec bash.

Obviously we're expecting you not to run these on any systems you don't own.

1. suid is not honoured by the kernel for 'scripts' ie non-compiled langs eg shell, Perl, Python etc
eg http://www.techrepublic.com/blog/ope...d-to-know/3785

2. as above 'Obviously we're expecting you not to run these on any systems you don't own.'

Quote:

Originally Posted by linosaurusroot (Post 4896022)

Thanks linosaurusroot, It worked.....
I got root from your solution.
Here is the final code which worked

Code:

#include<stdio.h>



char shellcode[] = "\xeb\x18\x5e\x31\xc0\x88\x46\x09\x89\x76\x0a\x89\x46\x0e\xb0\x0b\x89\xf3\x8d\x4e\x0a\x8d\x56\x0e\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43\x43";



main()

{

        int *ret;



        ret = (int *)&ret + 2;

        setuid(0);

        (*ret) = (int)shellcode;

}

Can you explain me what does setuid(0) does here ?
What is its use ?

Thanks

Quote:

Originally Posted by Arjun (Post 4896604)

Can you explain me what does setuid(0) does here ?

At a time when your process has euid=0 (meaning root) and ruid=50000 or whatever for your account calling setuid(0) will set ruid=0. After that both ruid and euid will be the same so when bash starts it won't change euid back to 50000.

Much more detail at http://www.cs.berkeley.edu/~daw/pape...d-usenix02.pdf
in fact it's good to have a look regularly at http://www.cs.berkeley.edu/~daw/papers/ where DAW posts educational stuff.

Quote:

Originally Posted by linosaurusroot (Post 4896620)

Thanks for explanation. Got it now