Not getting root shell when doing buffer overflow exploitation


Problem description

I am learning buffer overflow exploits in Linux x86 binaries. I am doing a classic stack smashing to spawn a root shell in a Ubuntu 12.04 VM by disabling ASLR and compiling the binary by disabling the NX bit and stack canaries.

During my execution the return address is getting overwritten and the shellcode is getting executed, but I am not getting a root shell; instead it results in a bash shell.

To mitigate bash protection, I am using the zsh shell: I have removed the sh->bash symbolic link and created a symbolic link of sh to the zsh shell in the /bin directory.

I have tried with a setuid-enabled binary owned by root (execute permission for other users), but still I am not getting a root shell.

I have verified my shellcode with a C program, by compiling the test program (of my shellcode) and executing it after making it setuid enabled. So the test program is giving a root shell. But I am not able to get the root shell when the same shellcode is used with the buffer overflow.

When I am debugging this scenario in gdb, during the overflow /bin/zsh4 is getting executed but results in a bash shell.

I am not able to get a root shell with a return-to-libc attack either. That also results in a bash shell. I have tried these steps in Ubuntu 12.04, Ubuntu 11.04 and Ubuntu 9 but still the result is the same.

I am a beginner in this area, so there might be some mistakes I have made in any of the above steps. So could any of you please advise what the possible issue could be and how to resolve it?

Recommended answer

Finally I figured out the reason for this error.

During my execution my root privilege was dropped because I had disabled process ptrace at the system level to work on another tool. I had overwritten the /proc/sys/kernel/yama/ptrace_scope value to 0. This was the reason for me not getting a root shell.

I found this information in the man page of execve (which I was using for creating the shellcode):

If the set-user-ID bit is set on the program file pointed to by filename, and the underlying file system is not mounted nosuid (the MS_NOSUID flag for mount(2)), and the calling process is not being ptraced, then the effective user ID of the calling process is changed to that of the owner of the program file. Similarly, when the set-group-ID bit of the program file is set the effective group ID of the calling process is set to the group of the program file.

So now, when I am not disabling ptrace_scope, I am getting a root shell.

Thanks merlin2011 and naab for being part of this discussion.
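As an added diagnostic, not part of the original question or answer: a small C program that reads the TracerPid field from /proc/self/status and prints real versus effective UID, so one can confirm directly whether the "calling process is being ptraced" condition from the execve man page quoted above is what stops a set-user-ID exec from raising privileges. It assumes Linux procfs; the sample status text is constructed for the offline check.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample of /proc/<pid>/status content for a traced process. */
static const char SAMPLE_STATUS_TRACED[] =
    "Name:\tvuln\nState:\tt (tracing stop)\nTracerPid:\t1234\nUid:\t1000\t0\t0\t0\n";
/* Constructed sample for an untraced process. */
static const char SAMPLE_STATUS_FREE[] =
    "Name:\tvuln\nState:\tR (running)\nTracerPid:\t0\nUid:\t1000\t0\t0\t0\n";

/* Parse the TracerPid field out of status text.
   Returns the tracer's PID, 0 if not traced, -1 if the field is absent. */
long tracer_pid_from_status(const char *status)
{
    const char *p = strstr(status, "TracerPid:");
    if (!p) return -1;
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* Read the real /proc/self/status and return this process's TracerPid. */
long tracer_pid_self(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* Per execve(2): a set-user-ID exec only changes euid when the caller is
   not being ptraced (and the file system is not mounted nosuid). */
int setuid_exec_would_elevate(long tracer_pid)
{
    return tracer_pid == 0;
}

int main(void)
{
    long t = tracer_pid_self();
    printf("uid=%u euid=%u TracerPid=%ld\n", (unsigned)getuid(), (unsigned)geteuid(), t);
    if (t > 0)
        printf("traced by pid %ld: execve() of a set-user-ID file keeps the current euid\n", t);
    else if (setuid_exec_would_elevate(t))
        printf("not traced: a set-user-ID exec would change euid to the file owner\n");
    printf("sample traced -> %ld, sample free -> %ld\n",
           tracer_pid_from_status(SAMPLE_STATUS_TRACED),
           tracer_pid_from_status(SAMPLE_STATUS_FREE));
    return 0;
}
```

Running it under gdb shows a non-zero TracerPid, which is exactly the state in which the quoted execve rule leaves the effective UID unchanged.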
