Tags: security, buffer-overflow, exploit, shellcode

Shellcode as payload for buffer overflow (or other) exploits executed as root?


When I use shellcode such as the ones provided here* as payload to some vulnerable program, how is the shell executed as root? I am asking how the privileges are elevated to root. The shellcode doesn't seem to call setuid or anything to change user.

* http://www.tenouk.com/Bufferoverflowc/Bufferoverflow5.html


Solution

Those examples include the following:

    mov $70, %al           #setreuid is syscall 70

So they're using the setreuid(2) syscall, which sets both the real and effective user IDs of the process:

    int setreuid(uid_t ruid, uid_t euid);
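The defensive counterpart of the answer above, added here as an example that is not from the original thread or from the tenouk page: a setuid-root program that has been exploited already runs with euid 0, so the shellcode only needs setreuid to make the real uid match (a shell spawned with ruid != euid would otherwise drop back to the invoking user). A setuid program that has to run untrusted input should therefore relinquish root permanently, for real, effective and saved ids at once, and verify that it did. The function names are my own; the code assumes Linux/glibc, where setresuid(2)/getresuid(2) exist.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if the process is in the "setuid context" the question describes:
 * real, effective and saved uids are not all the same (for instance
 * euid 0 while the invoking user's ruid is unprivileged); -1 on error. */
int in_setuid_context(void) {
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) != 0)
        return -1;
    return (ruid != euid || ruid != suid) ? 1 : 0;
}

/* Permanently drop to the real (invoking) user. All three uids are set
 * together so a later setuid(0)/setreuid(0,0) cannot restore root.
 * Groups are dropped first: once the uid is unprivileged, setresgid
 * to anything but the current gids would fail. Returns 0 on success. */
int drop_to_real_user(void) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;
    /* Verify the result instead of trusting the return codes alone
     * (CERT C POS37-C: ensure privilege relinquishment is successful). */
    return in_setuid_context() == 0 ? 0 : -1;
}

/* Verification step: 1 if the process can still become root, 0 if not.
 * After a correct drop this is 0 unless the invoking user was root. */
int can_regain_root(void) {
    return setuid(0) == 0 ? 1 : 0;
}

int main(void) {
    printf("before drop: setuid context = %d\n", in_setuid_context());
    if (drop_to_real_user() != 0) {
        perror("drop_to_real_user");
        return 1;
    }
    printf("after drop:  uid=%u euid=%u, can regain root = %d\n",
           (unsigned)getuid(), (unsigned)geteuid(), can_regain_root());
    return 0;
}
```

Run it as an ordinary user and again via a setuid-root copy to see the "setuid context" flag change from 1 to 0; the real test is that can_regain_root() reports 0 after the drop.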