I want to show, with a concrete example, how powerful the exploitation of a buffer overflow is.
To achieve this goal I prepared this simple C program, called "bo":
#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable: strcpy() copies argv[1] into a 128-byte stack
   buffer with no length check, so a longer argument overflows it. */
void function(char* input) {
    char buffer[128];
    strcpy(buffer, input);
    printf("Your input is: %s\n", buffer);
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }
    function(argv[1]);
    return 0;
}
that I compiled with the options -fno-stack-protector and execstack.
Everything works fine and I'm able to launch my shellcode that opens a new bash.
In my system (Ubuntu MATE 15.10 32bit) I have 2 users: "user" (group: user) and "admin" (group: admin), both having sudo privileges.
What I want to do is to enable "user" to execute "bo" with the privileges of "admin" such that when the buffer overflow happens and the shellcode is executed I have a shell that runs with "admin" privileges (and from this shell, if I run the commands "id" or "whoami", I want to show that now we are "admin").
I've seen that I need to chmod SUID/SGID privileges to "bo". I tried in many ways, but when the shellcode runs I always have a shell launched from "user".
Finally I figured out that I had not only a permission problem but my shellcode did not spawn a root shell.
By the way, thanks to the suggestions of Cwissy, to fully exploit this vulnerability I had to set some privileges on my bo file:
sudo -i
chown 0:0 bo
chmod 4755 bo
exit
Then with the right shellcode (now I use the one from https://www.exploit-db.com/docs/21013.pdf) I'm able to spawn a root shell.
It is slightly different from my original idea (spawn a shell with "admin" privileges) but this is a good example to show too.
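For contrast with the vulnerable "bo" program above, here is the same function with the overflow removed. This is an added example, not code from the original post: the names safe_copy, function_hardened and accepts_length are my own, and the 128-byte buffer size is taken from the post. The point it demonstrates is that the only change needed is to check the input length against the buffer size before copying; a SUID-root binary that does this cannot be turned into a root shell by a long argument, whatever the compiler flags.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 128  /* same buffer size as the original "bo" program */

/* Copy input into out only if it fits, including the terminating NUL.
   Returns 1 on success, 0 if the input was rejected as too long.
   Hypothetical helper written for this example. */
int safe_copy(const char *input, char *out, size_t out_size) {
    size_t len = strlen(input);
    if (len >= out_size) {
        return 0;  /* would overflow: refuse instead of copying */
    }
    memcpy(out, input, len + 1);  /* len + 1 includes the NUL */
    return 1;
}

/* Hardened version of function() from the post: same buffer, same output,
   but the copy is bounded. Returns 0 on success, 1 if input was rejected. */
int function_hardened(const char *input) {
    char buffer[BUF_SIZE];
    if (!safe_copy(input, buffer, sizeof buffer)) {
        fprintf(stderr, "input too long (max %zu bytes)\n", sizeof buffer - 1);
        return 1;
    }
    printf("Your input is: %s\n", buffer);
    return 0;
}

/* Test helper: build a constructed input of n 'A' bytes and report whether
   function_hardened() accepts it (1) or rejects it (0). */
int accepts_length(size_t n) {
    char *s = malloc(n + 1);
    if (s == NULL) {
        return -1;
    }
    memset(s, 'A', n);
    s[n] = '\0';
    int rc = function_hardened(s);
    free(s);
    return rc == 0;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }
    return function_hardened(argv[1]);
}
```

The boundary is the interesting part: 127 bytes of input plus the NUL exactly fill the buffer and are accepted, while 128 bytes are rejected, which is where the original strcpy() starts writing past the buffer. Compiled with the same -fno-stack-protector and execstack flags as "bo", this version still prints the input but never lets argv[1] overwrite the saved return address.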