TL;DR
This guide shows how to change the Group ID (GID) of a Set User ID (SUID) binary using shellcode. This is a common technique in binary exploitation, often used for privilege escalation.
Prerequisites
- A vulnerable SUID binary.
- Basic understanding of assembly language and shellcode.
- A Linux environment (e.g., Ubuntu).
- Debugging tools like GDB.
Steps
- Identify the Vulnerable Binary: First, locate a binary with the SUID bit set. Use
ls -lto check file permissions:ls -l /path/to/binaryLook for ‘s’ in the permission string (e.g., ‘-rwsr-xr-x’). This indicates the SUID bit is set.
- Understand the Vulnerability: The binary must be vulnerable to buffer overflows or similar issues that allow arbitrary code execution. For this example, we assume a stack buffer overflow exists.
- Craft Shellcode: We need shellcode to change the GID of the binary.
#include <stdio.h> #include <stdlib.h>> int main() { uid_t gid = 1000; // Replace with desired GID char shellcode[] = "x31xc0xb8x35x00x00x00xbfx00x00x00x00x2fx62x69x6ex2fx73x68x00xcdx80"; // The shellcode above is a simplified example and may not work directly. // It attempts to set the GID using system("chgrp 1000 /path/to/binary") printf("Shellcode: %sn", shellcode); return 0; }Important Note: This is a simplified example. A more robust solution would involve directly calling the
setgid()system call with appropriate arguments. - Determine Overflow Offset: Use a debugger (GDB) to find the offset to overwrite the return address on the stack. Send input to trigger the overflow and observe where the return address is being overwritten.
gdb /path/to/binarySet a breakpoint just before the return of the vulnerable function, then send your input until you see the return address change.
- Create Exploit Payload: Construct the payload. This will consist of:
- Padding to reach the return address.
- The address of a ‘pop-ret’ gadget (if needed for ROP). If not using ROP, directly overwrite with shellcode entry point.
- Shellcode itself.
- NOP sled before the shellcode (optional but recommended).
- Execute Exploit: Run the binary with the crafted payload as input.
./path/to/binary < payload_file - Verify GID Change: After execution, check if the GID of the binary has been changed using
ls -l:ls -l /path/to/binaryThe group ownership should now reflect the new GID.
Important Considerations
- Address Space Layout Randomization (ASLR): ASLR randomizes memory addresses, making it harder to predict shellcode execution. Techniques like Return-Oriented Programming (ROP) are often needed to bypass ASLR.
- Non-Executable Stack: If the stack is non-executable, you’ll need to use ROP or other techniques to execute your shellcode.
- Shellcode Complexity: The example shellcode provided is very basic. More complex shellcode might be required for specific scenarios.
- System Call Numbers: Ensure you are using the correct system call numbers for your architecture and kernel version.