This post is short and sweet. Here’s the code:
```c
#include <sys/types.h> /* setuid, .. */
#include <unistd.h>    /* setuid, .. */
#include <grp.h>       /* setgroups */
#include <stdio.h>     /* perror */

int main (int argc, char** argv) {

  gid_t newGrp = 0;

  /**
    gcc -Os -Wall -o whatever r.c
    if you installed programming manual pages, you can get the
    man page for execve 'man execvp'. Same goes for all the
    other system calls that we're using here.
  */

  /* this will tattoo the suid bit so that bash won't see that
     we're not really root. we also drop all other memberships
     just in case we're running with PAGs (in AFS) */
  if (setuid(0) != 0) {
    perror("Setuid failed, no suid-bit set?");
    return 1;
  }
  setgid(0);
  seteuid(0);
  setegid(0);

  /* we also drop all the groups that the old user had
     (verify with id -tool afterwards)
     this is not strictly necessary but we want to get rid of the
     groups that the original user was part of. */
  setgroups(1, &newGrp);

  /* load the default shell on top of this program
     to exit from the shell, use 'exit' :-) */
  execvp("/bin/bash", argv);

  /* execvp only returns if it failed */
  perror("execvp failed");
  return 1;
}
```
Source: http://koltsoff.com/pub/getroot/
A simple, straightforward program. Compile it with:

```
gcc -Os -Wall -o getroot r.c
```
The arguments to gcc are simple. From the man pages:
```
-Os
    Optimize for size. -Os enables all -O2 optimizations that do not
    typically increase code size. It also performs further optimizations
    designed to reduce code size.

    -Os disables the following optimization flags: -falign-functions
    -falign-jumps -falign-loops -falign-labels -freorder-blocks
    -freorder-blocks-and-partition -fprefetch-loop-arrays
    -ftree-vect-loop-version

-Wall
    Turns on all optional warnings which are desirable for normal code.
    At present this is -Wcomment, -Wtrigraphs, -Wmultichar and a warning
    about integer promotion causing a change of sign in "#if" expressions.
    Note that many of the preprocessor's warnings are on by default and
    have no options to control them.
```
Assuming the file is located at ~/getroot:

```
chmod 4755 ~/getroot
```

I’m going to assume you’re familiar with the normal 755 usage of chmod. The 4 sets the suid bit, which makes the program run with the UID of the file’s owner, so the file has to be owned by root:
```
root@mcremove:~# chmod 4755 test
root@mcremove:~# ls -al
total 132
-rwsr-xr-x 1 root root 1766 Nov 1 22:35 test
```
You see the little s? That means that the file has the suid bit set and that it’s executable. If you saw an “S”, it would mean the suid bit is set but the file is not executable.
That’s it!
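To audit a system for binaries like this one, the following check (an added example, not code from the original post or its source) reproduces the s/S rendering described above and flags executable setuid-root files. The function names, the three-level verdict and the `suidcheck` program name are assumptions of this example.

```c
#define _XOPEN_SOURCE 700 /* lstat() and S_IFREG under strict -std= modes */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Owner permission triad as ls prints it: 's' = setuid + owner execute,
   'S' = setuid without owner execute. out must hold 4 bytes. */
void owner_triad(mode_t mode, char out[4])
{
    out[0] = (mode & S_IRUSR) ? 'r' : '-';
    out[1] = (mode & S_IWUSR) ? 'w' : '-';
    if (mode & S_ISUID)
        out[2] = (mode & S_IXUSR) ? 's' : 'S';
    else
        out[2] = (mode & S_IXUSR) ? 'x' : '-';
    out[3] = '\0';
}

/* 0 = no setuid bit (or not a regular file)
   1 = setuid, but owner is not root or no execute bit is set
   2 = executable setuid-root file: runs as root for whoever may execute it */
int suid_risk(mode_t mode, uid_t owner)
{
    if (!S_ISREG(mode) || !(mode & S_ISUID))
        return 0;
    if (owner == 0 && (mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
        return 2;
    return 1;
}

/* Usage: ./suidcheck FILE... */
int main(int argc, char **argv)
{
    static const char *label[] = { "ok", "setuid (review)", "SETUID-ROOT" };
    for (int i = 1; i < argc; i++) {
        struct stat st;
        char triad[4];
        if (lstat(argv[i], &st) != 0) { /* lstat: do not follow symlinks */
            perror(argv[i]);
            continue;
        }
        owner_triad(st.st_mode, triad);
        printf("%s uid=%ld %-16s %s\n", triad, (long)st.st_uid,
               label[suid_risk(st.st_mode, st.st_uid)], argv[i]);
    }
    return 0;
}
```

Any file reported as SETUID-ROOT that is not part of the distribution's known set deserves a closer look.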
Elevate to Root With a Simple Program