
Shellcraft Privilege Escalation -p

Open. Canuck317 opened this issue 6 years ago • 1 comment

More a suggestion than an issue.

As currently implemented, shellcraft.i386.sh() produces shellcode that runs /bin/sh by setting registers to call just that command. While this does work and produces a shell, it is no longer effective when exploiting SUID programs to escalate privileges, as modern shells drop privs when UID and EUID don't match. (The last shell this worked on, Dash, removed that vulnerability in 5.8-2.6 or so)

Modifying shellcraft.i386.sh() to use the -p argument as in the attached example (which is NOT mine and I do not take credit for) allows us to launch a shell that takes advantage of SUID bits.

The example uses /bin/bash -p, but this appears to work with /bin/sh and /bin/dash.

http://shell-storm.org/shellcode/files/shellcode-606.php

Canuck317, Jul 22 '19 15:07

That's a great idea! Could you make a pull request for that? It should be as easy as modifying the following files to just look like ['sh', '-p'] instead of ['sh']:

https://github.com/Gallopsled/pwntools/blob/c15afc592a94a5fd4c1255d2ce0137be38164a66/pwnlib/shellcraft/templates/amd64/linux/sh.asm#L11

https://github.com/Gallopsled/pwntools/blob/c15afc592a94a5fd4c1255d2ce0137be38164a66/pwnlib/shellcraft/templates/i386/linux/sh.asm#L11

https://github.com/Gallopsled/pwntools/blob/c15afc592a94a5fd4c1255d2ce0137be38164a66/pwnlib/shellcraft/templates/thumb/linux/sh.asm#L11

https://github.com/Gallopsled/pwntools/blob/c15afc592a94a5fd4c1255d2ce0137be38164a66/pwnlib/shellcraft/templates/arm/linux/sh.asm#L11

https://github.com/Gallopsled/pwntools/blob/c15afc592a94a5fd4c1255d2ce0137be38164a66/pwnlib/shellcraft/templates/mips/linux/sh.asm#L13

(this needs rewriting anyway, so if you could make it something like the examples above): https://github.com/Gallopsled/pwntools/blob/c15afc592a94a5fd4c1255d2ce0137be38164a66/pwnlib/shellcraft/templates/aarch64/linux/sh.asm#L11-L12

Arusekk, Jul 24 '19 12:07