November 28th, 2001, 05:58 PM
Doubt In Setuid And Buffer Overflwo Programs
i was experimenting with setuid programs tried out the following code on my linux machine..
suppose the filename is exploit.c
main(int argc,char **argv)
i compiled the program as root and made it setuid using
chmod u+s exploit and then put it in the bin section...
then i logged in as an ordinary user and ran exploit from my command
prompt..i got a shell however i did not get a root shell as i expected..what is it that went wrong???
further i would also like to know the way the stack works in Red Hat Linux 7.1..i have tried several tutorials that teach about stack overflow ..i followed the instructions to the point..however when i execute the program all that i get is a segmentation fault and not a root shell..
December 3rd, 2001, 03:25 PM
The two things that you are describing are older *n*x exploits. They affected earlier versions of Linux, Solaris, *BSD, and others, HP-UX, IRIX, AIX etc.. etc..
Although they could resurface some day, any day for that matter, most of the Flavors and Distro's have taken steps to correct this. A tut on writting buffer overflows can be found at http://www.insecure.org/stf/mudge_bu..._tutorial.html.
The ipstack in Red Hat is the same as in any linux Ditro running that version of the kernel or class of kernel ( 2.2.x, 2.4.x etc.).
I haven't messed around with tripping off a setuid binary locally so I really don't have much advice on doing this. To find out what is setuid and setgrpid on a system do:
# find / \( -perm -02000 -o -perm -04000 \) - ls
-- or to redirect it to a file --
# find / \( -perm -02000 -o -perm -04000 \) - ls > setXid.txt