ilmarchese

Reputation: 11

Setting SUID/SGID permissions to an executable

I want to show, with a concrete example, how powerful the exploitation of a buffer overflow is.

To achieve this goal I prepared this simple C program, called "bo":

#include <stdio.h>
#include <string.h>

/* Deliberately unsafe: strcpy() copies argv[1] into a fixed 128-byte
   buffer with no length check, so a longer argument overflows the stack. */
void function(char* input) {
    char buffer[128];
    strcpy(buffer, input);
    printf("Your input is: %s\n", buffer);
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }
    function(argv[1]);
    return 0;
}

that I compiled with the options -fno-stack-protector and execstack.

Everything works fine and I'm able to launch my shellcode that opens a new bash.

In my system (Ubuntu MATE 15.10 32bit) I have 2 users: "user" (group: user) and "admin" (group: admin), both having sudo privileges.

What I want to do is to enable "user" to execute "bo" with the privileges of "admin", such that when the buffer overflow happens and the shellcode is executed I have a shell that runs with "admin" privileges (and from this shell, if I run the commands "id" or "whoami", I want to show that now we are "admin").

I've seen that I need to chmod SUID/SGID privileges to "bo". I tried in many ways, but when the shellcode runs I always have a shell launched from "user".

Upvotes: 1

Views: 1285

Answers (2)

ilmarchese

Reputation: 11

Finally I figured out that I not only had a permission problem, but also that my shellcode did not spawn a root shell.

By the way, thanks to the suggestions of Cwissy, to fully exploit this vulnerability I had to set some privileges on my bo file:

sudo -i
chown 0:0 bo
chmod 4755 bo
exit

Then with the right shellcode (now I use the one from https://www.exploit-db.com/docs/21013.pdf) I'm able to spawn a root shell.

It is slightly different from my original idea (spawning a shell with "admin" privileges), but this is a good example to show too.

Upvotes: 0

Cwissy

Reputation: 2156

sudo gives the calling user root privileges and runs any process as root. The su process is used to switch user.

To ensure the process runs with the admin user's privileges, the bo binary will need to be chown admin:admin and chmod u+s as admin. E.g. if your binary currently looks like this:

ls -l bo
drwxrwxr-x user user <size> bo

If you become root, then become admin, then change the permissions, you should get:

sudo -i # become root
chown admin: bo # change ownership
su - admin # become admin
chmod u+s bo # set sticky bit

Then <ctrl-d> twice to come back to being user and you should see:

ls -l bo
drwSrwxr-x admin admin bo

Of course, you could do away with all the sudo and su nonsense by compiling the code as the admin user in the first place, and then chmod'ing it (also still as the admin user) before becoming the user user.

Upvotes: 2
