SUID Binary GID Change via Shellcode

TL;DR

This guide shows how to change the Group ID (GID) of a Set User ID (SUID) binary using shellcode. This is a common technique in binary exploitation, often used for privilege escalation.

Prerequisites

• A vulnerable SUID binary.
• Basic understanding of assembly language and shellcode.
• A Linux environment (e.g., Ubuntu).
• Debugging tools like GDB.

Steps

1. Identify the Vulnerable Binary: First, locate a binary with the SUID bit set. Use ls -l to check file permissions:

   ls -l /path/to/binary

   Look for ‘s’ in the permission string (e.g., ‘-rwsr-xr-x’). This indicates the SUID bit is set.

2. Understand the Vulnerability: The binary must be vulnerable to buffer overflows or similar issues that allow arbitrary code execution. For this example, we assume a stack buffer overflow exists.
3. Craft Shellcode: We need shellcode to change the GID of the binary.

   #include <stdio.h>
   #include <stdlib.h&gt>
   
   int main() {
     uid_t gid = 1000; // Replace with desired GID
     char shellcode[] = "x31xc0xb8x35x00x00x00xbfx00x00x00x00x2fx62x69x6ex2fx73x68x00xcdx80";
     // The shellcode above is a simplified example and may not work directly.
     // It attempts to set the GID using system("chgrp 1000 /path/to/binary")
     printf("Shellcode: %sn", shellcode);
     return 0;
   }
   

   Important Note: This is a simplified example. A more robust solution would involve directly calling the setgid() system call with appropriate arguments.

4. Determine Overflow Offset: Use a debugger (GDB) to find the offset to overwrite the return address on the stack. Send input to trigger the overflow and observe where the return address is being overwritten.

   gdb /path/to/binary

   Set a breakpoint just before the return of the vulnerable function, then send your input until you see the return address change.

5. Create Exploit Payload: Construct the payload. This will consist of:
   • Padding to reach the return address.
   • The address of a ‘pop-ret’ gadget (if needed for ROP). If not using ROP, directly overwrite with shellcode entry point.
   • Shellcode itself.
   • NOP sled before the shellcode (optional but recommended).
6. Execute Exploit: Run the binary with the crafted payload as input.

   ./path/to/binary < payload_file

7. Verify GID Change: After execution, check if the GID of the binary has been changed using ls -l:

   ls -l /path/to/binary

   The group ownership should now reflect the new GID.

Important Considerations

• Address Space Layout Randomization (ASLR): ASLR randomizes memory addresses, making it harder to predict shellcode execution. Techniques like Return-Oriented Programming (ROP) are often needed to bypass ASLR.
• Non-Executable Stack: If the stack is non-executable, you’ll need to use ROP or other techniques to execute your shellcode.
• Shellcode Complexity: The example shellcode provided is very basic. More complex shellcode might be required for specific scenarios.
• System Call Numbers: Ensure you are using the correct system call numbers for your architecture and kernel version.