0x0e.org | pentesting perspective

braindump on pentesting, QA, metasploit, constant learning

Archive for October 2009

exploiting suid binaries

just had a quick refresher on exploiting suid bits (and why they’re so darn evil):

jcran@aldatmak:/usr/bin$ ls -la id
-rwxr-xr-x 1 root root 35232 2008-06-26 20:31 id

jcran@aldatmak:/usr/bin$ id
uid=1000(jcran) gid=1000(jcran) groups=30(dip),127(vboxusers),1000(jcran)

jcran@aldatmak:/usr/bin$ sudo chmod u+s id

jcran@aldatmak:/usr/bin$ ls -la id
-rwsr-xr-x 1 root root 35232 2008-06-26 20:31 id

jcran@aldatmak:/usr/bin$ id
uid=1000(jcran) gid=1000(jcran) euid=0(root) groups=30(dip),127(vboxusers),1000(jcran)

jcran@aldatmak:/usr/bin$ sudo chmod u-s id

The first time it's executed (no suid bit), the euid is 1000, jcran. The second time, after the suid bit has been set, I'm effectively root.

finding all suid binaries on a system:

find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;

Note: this doesn't work on bash if it's been set SUID, because bash drops its effective uid back to the real uid on startup when the two differ.
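As an added example (not from the original post), here is the same find-based inventory turned into a small sh script that saves a baseline of setuid/setgid files and reports anything added or removed since, which is how a defender would actually use it; it assumes GNU/Linux find and stat, and the directory and baseline paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Inventories setuid/setgid
# regular files under a directory and diffs the list against a saved baseline
# so that a newly privileged binary stands out. Assumes GNU find and stat.

# Print "mode owner group path" for every setuid/setgid regular file under $1,
# sorted so that two runs over an unchanged tree produce identical output.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%A %U %G %n' {} \; 2>/dev/null | sort
}

# Compare the current inventory of $1 against the baseline file $2.
# First run writes the baseline. Returns 0 when nothing changed, 1 otherwise.
check_baseline() {
    dir=$1
    baseline=$2
    current=$(list_suid "$dir")
    if [ ! -f "$baseline" ]; then
        printf '%s\n' "$current" > "$baseline"
        echo "baseline created: $baseline"
        return 0
    fi
    # diff exits 1 when the lists differ; capture its output instead of failing.
    changes=$(printf '%s\n' "$current" | diff "$baseline" - || true)
    if [ -z "$changes" ]; then
        echo "no change in setuid/setgid inventory under $dir"
        return 0
    fi
    echo "setuid/setgid inventory changed under $dir:"
    echo "$changes"
    return 1
}

# Example invocation (placeholder paths): audit /usr against a stored baseline.
# check_baseline /usr /var/lib/suid-baseline.txt
```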

Written by jcran

October 14, 2009 at 7:44 PM

Posted in Uncategorized

exception has been thrown by the target of an invocation (bing + mono = fail)

if an app crashes on the internet, and no one is around to hear it....

Written by jcran

October 4, 2009 at 2:31 AM

Posted in Uncategorized
