Question

I am learning buffer overflow exploits in Linux x86 binaries. I am doing a classic stack smashing to spawn a root shell in an Ubuntu 12.04 VM, with ASLR disabled and the binary compiled with the NX bit and stack canaries disabled.

During my execution the return address is overwritten and the shellcode is executed, but I am not getting a root shell; instead it results in a bash shell.

To work around bash's protection, I am using the zsh shell: I have removed the sh->bash symbolic link and created a symbolic link from sh to zsh in the /bin directory.

I have tried with a setuid-enabled binary owned by root (with execute permission for other users), but I am still not getting a root shell.

I have verified my shellcode with a C program: I compiled the test program (containing my shellcode), made it setuid, and executed it, and the test program does give a root shell. But I am not able to get the root shell when the same shellcode is used with the buffer overflow.

When I debug this scenario in gdb, /bin/zsh4 is executed during the overflow, but it results in a bash shell.

I am also not able to get a root shell with a return-to-libc attack; that also results in a bash shell. I have tried these steps on Ubuntu 12.04, Ubuntu 11.04 and Ubuntu 9, but the result is the same.

I am a beginner in this area, so I might have made mistakes in any of the above steps. Could any of you please advise what the possible issue could be and how to resolve it?


Solution

Finally I figured out the reason for this error.

During my execution my root privilege was dropped because I had disabled ptrace at the system level to work on another tool: I had overwritten the /proc/sys/kernel/yama/ptrace_scope value with 0. This was the reason I was not getting a root shell.

I found this information in the man page of execve (which I was using for creating the shellcode):

If the set-user-ID bit is set on the program file pointed to by filename, and the underlying file system is not mounted nosuid (the MS_NOSUID flag for mount(2)), and the calling process is not being ptraced, then the effective user ID of the calling process is changed to that of the owner of the program file. Similarly, when the set-group-ID bit of the program file is set the effective group ID of the calling process is set to the group of the program file.

So now, when I do not disable ptrace_scope, I am getting a root shell.

Thanks merlin2011 and naab for being part of this discussion.
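As an added example (not from the original question or answer), the execve(2) rule quoted in the answer turned into a shell check: it reports whether the kernel would honour a file's set-user-ID bit given its permission mode, the mount options of its filesystem, and whether the calling process is being traced. The function names setuid_honoured and explain_setuid, and the reliance on GNU stat's %a and %m formats, are this example's own assumptions.

```shell
#!/bin/sh
# Added example: encode the three conditions the execve(2) man page names
# for a set-user-ID transition to take effect. The decision logic takes its
# inputs as arguments so it can be exercised offline; explain_setuid()
# collects the real values for a file on the running system.

# setuid_honoured MODE MOUNT_OPTS TRACER_PID
#   MODE       octal permission bits as printed by `stat -c %a` (e.g. 4755)
#   MOUNT_OPTS comma-separated mount options of the file's filesystem
#   TRACER_PID TracerPid line from /proc/<pid>/status (0 = not traced)
# Prints the reason and returns 0 if the effective UID would change,
# 1 if the kernel would ignore the set-user-ID bit.
setuid_honoured() {
    mode=$1
    opts=$2
    tracer=$3
    # normalise to the 4-digit form so the special-bits digit comes first
    [ ${#mode} -eq 3 ] && mode=0$mode
    special=${mode%???}
    case $special in
        4|5|6|7) ;;   # 04000 (set-user-ID) is present in the special digit
        *) printf 'no: set-user-ID bit not set (mode %s)\n' "$mode"; return 1 ;;
    esac
    case ",$opts," in
        *,nosuid,*) printf 'no: filesystem mounted nosuid\n'; return 1 ;;
    esac
    if [ "$tracer" != "0" ]; then
        printf 'no: calling process is being ptraced by pid %s\n' "$tracer"
        return 1
    fi
    printf 'yes: execve would switch the effective UID to the file owner\n'
    return 0
}

# explain_setuid PATH: gather mode, mount options and TracerPid of this
# shell, then apply the rule above (assumes GNU stat and a Linux /proc).
explain_setuid() {
    file=$1
    mode=$(stat -c %a "$file") || return 2
    mountpoint=$(stat -c %m "$file") || return 2
    # /proc/self/mounts: device mountpoint fstype options ...; keep the last
    # entry for the mount point in case something is mounted over it
    opts=$(awk -v mp="$mountpoint" '$2 == mp { o = $4 } END { print o }' /proc/self/mounts)
    tracer=$(awk '/^TracerPid:/ { print $2 }' /proc/self/status)
    setuid_honoured "$mode" "$opts" "$tracer"
}
```

Running `explain_setuid /path/to/binary` from inside gdb, or from a shell on a nosuid mount, prints which of the man page's conditions blocks the privilege change.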

License: CC-BY-SA with attribution
Not affiliated with StackOverflow