I am exploring buffer overflow exploits in Linux x86 binaries. I am doing a classic stack smash to get a root shell in an Ubuntu 12.04 VM by disabling ASLR and compiling the binary with the NX bit and stack canaries disabled.
During execution, the return address is overwritten and the shellcode is executed, but I do not get a root shell; instead, I get a bash shell.
To get around bash's protection, I use the zsh shell: I removed the symlink sh -> bash and created an sh symlink pointing to zsh in the /bin directory.
I tried using a setuid binary owned by root (so that another user gets its permissions), but I still don't get a root shell.
I checked my shellcode with a C program: I compiled a test program containing the shellcode and executed it after setting the setuid bit, and the test program gives a root shell. But I can't get a root shell when the same shellcode is used with the buffer overflow.
When I debug this in gdb, /bin/zsh is executed during the overflow, but the result is a bash shell.
I also cannot get a root shell with a return-to-libc attack; this also leads to a bash shell. I tried these steps on Ubuntu 12.04, Ubuntu 11.04 and Ubuntu 9, but the result is the same.