0x0e.org | pentesting perspective

braindump on pentesting, QA, metasploit, constant learning

exploiting suid binaries

with one comment

just had a quick refresher on exploiting suid bits (and why they’re so darn evil):

jcran@aldatmak:/usr/bin$ ls -la id
-rwxr-xr-x 1 root root 35232 2008-06-26 20:31 id

jcran@aldatmak:/usr/bin$ id
uid=1000(jcran) gid=1000(jcran) groups=30(dip),127(vboxusers),1000(jcran)

jcran@aldatmak:/usr/bin$ sudo chmod u+s id

jcran@aldatmak:/usr/bin$ ls -la id
-rwxr-xr-x 1 root root 35232 2008-06-26 20:31 id

jcran@aldatmak:/usr/bin$ id
uid=1000(jcran) gid=1000(jcran) euid=0(root) groups=30(dip),127(vboxusers),1000(jcran)

jcran@aldatmak:/usr/bin$ sudo chmod u-s id

The first time it’s executed (no suid bit) – the euid is 1000, jcran. the second time, after the suid bit has been set, i’m effectively root.

finding all suid binaries on a system:

 find / -type f \( -perm -04000 -o -perm -02000 \) \-exec ls -lg {} \;

note, this technique doesn’t work on bash if it’s been set SUID.

Advertisements

Written by jcran

October 14, 2009 at 7:44 PM

Posted in Uncategorized

One Response

Subscribe to comments with RSS.

  1. In both cases ls returns the same result. Is that correct?

    Martin Rakhmanov

    May 22, 2012 at 4:19 AM


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: