/dev/shm/suid # cat setuid.c #include <stdio.h> #include <stdlib.h> main(int argc, char *argv[]) { setuid(0); system(argv[1]); }
/dev/shm/suid # gcc setuid.c -o /usr/bin/setuid /dev/shm/suid # chown root:root /usr/bin/setuid /dev/shm/suid # chmod 4755 /usr/bin/setuid /dev/shm/suid # ls -l /usr/bin|grep rws -rwsr-xr-x 1 root root 5480 Mar 27 19:51 setuid -rwsr-xr-x 2 root root 94144 Mar 12 2012 sudo -rwsr-xr-x 2 root root 94144 Mar 12 2012 sudoedit
/dev/shm/suid # whoami root /dev/shm/suid # setuid whoami root /dev/shm/suid # su user BusyBox v1.20.0.git (MeeGo 3:1.20-0.2+0m8) built-in shell (ash) Enter 'help' for a list of built-in commands. ~ $ whoami user ~ $ setuid whoami user
~ $ mount|grep nosuid | grep usr ~ $ sudo whoami Password: root