App - System

Tuesday 20 September 2016, 11:45  #1
ELF32 - Stack buffer overflow basic 4
pon4ik
  • 4 posts

I managed to jump to shellcode and spawn the shell.
But after that I have problems - the s-bit doesn't work and I cannot read .passwd. Cannot figure out the reason.

app-systeme-ch8@challenge02: $ ./ch8
[+] Getting env...
bash-4.2$ id
uid=1108(app-systeme-ch8) gid=1108(app-systeme-ch8) groups=1108(app-systeme-ch8),100(users)
bash-4.2$ cat .passwd
cat: .passwd: Permission denied

Friday 23 September 2016, 12:03  #2
pon4ik
  • 4 posts

I have managed to read .passwd file.
My problem is quite interesting - I modified my shellcode to call "/bin/dash" instead of "/bin/bash" and it started working fine. Also "/bin/sh" is not working.
Can anyone explain to me why my effective user id is changed only if I use the /bin/dash shell?

Friday 23 September 2016, 12:41  #3
poz
  • 1 posts

Take a look at bash -p.

Sunday 15 October 2017, 15:17  #4
Yandros
  • 9 posts

TL;DR: Both /bin/sh and /bin/bash drop the privileged euid unless they’re called with the "-p" flag.
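
The startup check described in the last post, sketched in C as an added example (not code from this thread and not bash's own source). The names `must_drop` and `drop_if_setid` are hypothetical, and uid 1208 in the comments is a constructed value; 1108 is the uid shown in the first post.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Decision made at startup: real and effective ids differ (the process
 * was started from a set-uid/set-gid program) and no -p flag was given.
 * Example: ruid=1108, euid=1208 (constructed), p_flag=0 -> drop. */
int must_drop(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid, int p_flag)
{
    int running_setid = (ruid != euid) || (rgid != egid);
    return running_setid && !p_flag;
}

/* Apply the drop to the current process.
 * Returns 0 if nothing had to change, 1 if privileges were dropped,
 * -1 if the drop failed or could still be undone. */
int drop_if_setid(int p_flag)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    if (!must_drop(ruid, euid, rgid, egid, p_flag))
        return 0;

    /* Group ids first: after the uid drop we may lack the right to change
     * them. Setting the real id as well also resets the saved id. */
    if (setregid(rgid, rgid) != 0 || setreuid(ruid, ruid) != 0)
        return -1;

    /* Verify the old effective uid cannot be restored (root is exempt,
     * since root may always switch ids). */
    if (ruid != 0 && euid != ruid && seteuid(euid) == 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 1;
}

int main(void)
{
    int r = drop_if_setid(0); /* 0 = behave as if started without -p */
    printf("drop result=%d uid=%d euid=%d\n",
           r, (int)getuid(), (int)geteuid());
    return 0;
}
```

After such a drop, `id` reports only the real uid, which matches the output in the first post.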