I wasn't going to send this trick to the list, but since there is a
demand:
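#include <unistd.h>

int
main(void) {
    /* Succeeds only when the process is already privileged (e.g. a setuid-root binary). */
    setuid(0);
    seteuid(0);
    /* The argument list must end with a null pointer of type char *. */
    execl("/bin/sh", "-sh", (char *)NULL);
    return 1; /* reached only if execl() fails */
}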
Put this in filename.c, compile with gcc -o filename filename.c, set up
with chmod u+s filename, and run with ./filenam
I wrote:
>
> You can use this command in shell script `uidshell' like this:
>
> #!/bin/bash
>
> while true; do
> echo -n "[uid = $1] "`pwd`" $ "
> read a
> b=`echo $a | cut -d' ' -f1`
> if [ "$b" = "cd" ] || [ "$b" = "exit"
Joost Witteveen wrote:
>
> Note that this behaviour is new in bash-2.0 (1.4 didn't do it).
> I find it annoying, though. I don't really see the great advantage
> of this (it's _very_ easy to get around for hackers), and it makes it
> more difficult for me to become UID 7483 (no such user exists on
> > so, logging into console as root
> >
> > $ cp /bin/bash /bin/somefile
> >
> > $ ls -l /bin/somefile
> > -rwxr-x--- 1 root root 318612 Oct 14 22:44 /bin/somefile
> >
> > $ chmod a+xs /bin/somefile
> > -rwsr-s--x 1 root root 318612 Oct 14 22:44 /bin/somefile
> You're just running into som
Garry Myers wrote:
> so, logging into console as root
>
> $ cp /bin/bash /bin/somefile
>
> $ ls -l /bin/somefile
> -rwxr-x--- 1 root root 318612 Oct 14 22:44 /bin/somefile
>
> $ chmod a+xs /bin/somefile
> -rwsr-s--x 1 root root 318612 Oct 14 22:44 /bin/somefile
>
> Presumably a hacker (or c
Ok..this is driving me mad and my curiosity is piqued...
A mate of mine (using RedHat) was hacked (probably from associating with
the wrong company on IRC, most likely) - cleaning up his system, we
found multiple backdoors, including the obvious series of SUID s