sh-2.05b# whoami
root
sh-2.05b# exit
exit
$
It worked! Notice how we compiled the program as root and set it as a SUID program.
Next we switched privileges to a normal user and ran the exploit. We got a root
shell, and it worked well. Notice that the program did not crash with a buffer of size 600
as it did when we were playing with Perl in the previous section. This is because we
called the vulnerable program differently this time, from within the exploit. In general,
this is a more tolerant way to call the vulnerable program; your mileage may vary.
Exploiting Small Buffers
What happens when the vulnerable buffer is too small to use an exploit buffer as previously
described? Most pieces of shellcode are 21 to 50 bytes in size. What if the vulnerable
buffer you find is only 10 bytes long? For example, let's look at the following vulnerable
code with a small buffer:
# cat smallbuff.c
//smallbuff.c This is a sample vulnerable program with a small buffer
#include <string.h>
int main(int argc, char * argv[]){
    char buff[10]; //small buffer
    strcpy( buff, argv[1]); //problem: vulnerable function call, no length check on argv[1]
    return 0;
}
Now compile it and set it as SUID:
# gcc -o smallbuff smallbuff.c
# chmod u+s smallbuff
# ls -l smallbuff
-rwsr-xr-x 1 root root 4192 Apr 23 00:30 smallbuff
# su joe
$
Now that we have such a program, how would we exploit it? The answer lies in the use of
environment variables.
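As an added example (not code from the book), here is the same 10-byte copy done with a length check that refuses anything that does not fit, including the NUL terminator. The function names copy_arg_checked and try_copy and the BUFF_SIZE macro are my own.

```c
/* Added example, not from the book: a bounds-checked replacement for the
 * strcpy(buff, argv[1]) in smallbuff.c. Names below are mine. */
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 10   /* same size as the book's char buff[10] */

/* Copy src into dst only if it fits with its terminating NUL.
 * Returns 0 on success, -1 on rejection. dst is always NUL-terminated
 * (left empty on rejection), so no caller ever reads an unterminated buffer.
 * strcpy(), by contrast, keeps writing until it finds the NUL in src, which
 * is exactly what lets a long argv[1] run past the 10-byte buffer. */
static int copy_arg_checked(char *dst, size_t dstsz, const char *src)
{
    size_t len;

    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    len = strlen(src);
    if (len >= dstsz)          /* no room for the NUL: reject, do not truncate */
        return -1;
    memcpy(dst, src, len + 1); /* string plus its terminator */
    return 0;
}

/* Exercise the check with the book's buffer size: 0 if src was accepted and
 * copied intact, -1 if it was rejected. */
int try_copy(const char *src)
{
    char buff[BUFF_SIZE];

    if (copy_arg_checked(buff, sizeof buff, src) != 0)
        return -1;
    return strcmp(buff, src) == 0 ? 0 : -2;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (try_copy(argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUFF_SIZE - 1);
        return 1;
    }
    printf("copied: %s\n", argv[1]);
    return 0;
}
```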