Full Disclosure mailing list archives
Re: Local suid files and buffer overflows
From: Joachim Schipper <j.schipper () math uu nl>
Date: Sun, 9 Oct 2005 17:26:51 +0200
On Sun, Oct 09, 2005 at 01:17:39AM +0200, Werner Schalk wrote:
> Hi,
>
> first of all apologies for asking such a newbie question but I am trying to learn how to exploit buffer overflows and therefore wrote a little program to exploit. This little program has the following permissions:
>
> $ ls -la test1
> -rwsr-sr-x 1 root root 17164 Oct 8 01:25 test1
>
> Now I exploited it using Aleph One's shellcode (see http://shellcode.org/shellcode/linux/null-free/) but I won't get a SUID shell afterwards (I know the exploit did work but I still have my normal user privileges). Why? I have tried a different shellcode to write a file and this file was root:root. Any ideas, hints, rtfm?
>
> Thank you.
>
> Best regards,
> Werner.
Try the following:

# mount
<snippity>
/dev/hdb2 on /home type ext3 (rw,nosuid,nodev)
<snippity>

nosuid means that suid binaries lose their special properties here. See mount(8).

As you just proved, it's not completely useless. As an additional exercise, bypass the nosuid mount option. Or just copy it somewhere without nosuid.

(There are many, many other ways this behaviour could have happened, but this one sounds most likely...)

Joachim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
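A read-only check for the one cause the reply above suggests, added here as an example and not part of the original thread: it parses a mount table in /proc/mounts format, finds the mount that governs a file, and reports whether its set-id bits would be honoured. The mount table is constructed (only the /home line mirrors the reply), and the file locations are assumptions, since the thread does not say where test1 lives.

```python
import os
import re
import stat

# Constructed sample in /proc/mounts format; the /home line mirrors the reply's mount output.
SAMPLE_MOUNTS = """\
/dev/hda1 / ext3 rw 0 0
/dev/hdb2 /home ext3 rw,nosuid,nodev 0 0
/dev/hdb3 /home/build\\040area ext3 rw 0 0
"""

def parse_mounts(text):
    """Return [(mount_point, options)] in table order."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts writes space, tab, newline and backslash as octal escapes (\040 etc.).
        point = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), fields[1])
        mounts.append((point, set(fields[3].split(","))))
    return mounts

def mount_for(path, mounts):
    """Mount governing path: longest mount-point prefix; on a tie the later entry wins."""
    # Symlinks are not resolved here; pass os.path.realpath(path) on a live system.
    path = os.path.normpath(path)
    best = None
    for point, opts in mounts:
        if path == point or path.startswith(point.rstrip("/") + "/"):
            if best is None or len(point) >= len(best[0]):
                best = (point, opts)
    return best

def suid_honoured(path, mode, mounts):
    """True only if a set-id bit is present and the governing mount lacks nosuid."""
    has_setid = bool(mode & (stat.S_ISUID | stat.S_ISGID))
    mount = mount_for(path, mounts)
    return has_setid and mount is not None and "nosuid" not in mount[1]

if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_MOUNTS)
    mode = 0o6755  # -rwsr-sr-x, the permissions shown in the question
    for path in ("/home/user/test1", "/usr/local/bin/test1"):  # assumed locations
        point, opts = mount_for(path, mounts)
        print(path, "on", point, sorted(opts), "set-id honoured:", suid_honoured(path, mode, mounts))
```

On a live system, feed it the contents of /proc/mounts and the st_mode from os.stat(); the same walk over a directory tree gives an audit of set-id files sitting on filesystems that lack nosuid.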