Exploiting c - linux setuid and system commands












0















I have the following code as an executable that I want to exploit for a course in order to spawn a shell with elevated privileges. I am a user of levelX and the executable has setgid of levelX+1. I am not allowed to alter any of the code.
As I do not have root privileges, setguid(0) fails. I was not able to change the return address of the function or main function. Could anyone point to the right direction?



int main (int argc, char** argv)

{

  if (exec(argv[1]) != 0)

    {

      fprintf(stderr, "Cannot execute your commandn");

      return -1;

    }

  return 0;

}



int exec(char *command)

{

  FILE *f = NULL;

  char entry[64];

  char line[256];



  f = fopen("log", "a");

  if (f == NULL)

    {

      fprintf(stderr, "Can't open filen");

      return -1;

    }

  snprintf(entry, 64, "%d: %sn", getuid(), command);



  fprintf(f, entry, NULL);

  fclose(f);



  f = fopen("sudoers", "r");

  if (f == NULL)

    {

      fprintf(stderr, "Can't openn");

      return -1;

    }



  while(fgets(line, 256, f) != NULL)

    {

      if (atoi(line) == getuid())

        {

          if (setuid(0) == 0) {

            system(command);

          } else {

            fprintf(stderr, "check permissionsn");

          }



          fclose(f);

          return 0;

        }

    }

  fprintf(stderr, "Errorn");

  fclose(f);

  return -1;

}





c linux security buffer-overflow







share|improve this question

























  • Post complete code with appropriate headers.

    – EsmaeelE
    Nov 22 '18 at 12:26











  • This looks like you have partially sanitized/anonymized the code, or tried to? Please provide a working code, which you can build yourself. For example, what is log_entry?

    – hyde
    Nov 22 '18 at 12:28











  • Both correct! Edited the code. It compiles and runs

    – NotApplicable
    Nov 22 '18 at 12:32











  • What do you exactly mean with LevelX and LevelX+1. What's the role of levels in your explanation? In plain UNIX, there's only two levels, user and root level, the first is subject to permissions, the later isn't. Not n levels up, sorry.

    – Luis Colorado
    Nov 27 '18 at 8:33











  • I mean different levels without any of the levels being root.

    – NotApplicable
    Dec 11 '18 at 20:24
















0















I have the following code as an executable that I want to exploit for a course in order to spawn a shell with elevated privileges. I am a user of levelX and the executable has setgid of levelX+1. I am not allowed to alter any of the code.
As I do not have root privileges, setguid(0) fails. I was not able to change the return address of the function or main function. Could anyone point to the right direction?



int main (int argc, char** argv)

{

  if (exec(argv[1]) != 0)

    {

      fprintf(stderr, "Cannot execute your commandn");

      return -1;

    }

  return 0;

}



int exec(char *command)

{

  FILE *f = NULL;

  char entry[64];

  char line[256];



  f = fopen("log", "a");

  if (f == NULL)

    {

      fprintf(stderr, "Can't open filen");

      return -1;

    }

  snprintf(entry, 64, "%d: %sn", getuid(), command);



  fprintf(f, entry, NULL);

  fclose(f);



  f = fopen("sudoers", "r");

  if (f == NULL)

    {

      fprintf(stderr, "Can't openn");

      return -1;

    }



  while(fgets(line, 256, f) != NULL)

    {

      if (atoi(line) == getuid())

        {

          if (setuid(0) == 0) {

            system(command);

          } else {

            fprintf(stderr, "check permissionsn");

          }



          fclose(f);

          return 0;

        }

    }

  fprintf(stderr, "Errorn");

  fclose(f);

  return -1;

}





c linux security buffer-overflow







share|improve this question

























  • Post complete code with appropriate headers.

    – EsmaeelE
    Nov 22 '18 at 12:26











  • This looks like you have partially sanitized/anonymized the code, or tried to? Please provide a working code, which you can build yourself. For example, what is log_entry?

    – hyde
    Nov 22 '18 at 12:28











  • Both correct! Edited the code. It compiles and runs

    – NotApplicable
    Nov 22 '18 at 12:32











  • What do you exactly mean with LevelX and LevelX+1. What's the role of levels in your explanation? In plain UNIX, there's only two levels, user and root level, the first is subject to permissions, the later isn't. Not n levels up, sorry.

    – Luis Colorado
    Nov 27 '18 at 8:33











  • I mean different levels without any of the levels being root.

    – NotApplicable
    Dec 11 '18 at 20:24














0












0








0


1






I have the following code as an executable that I want to exploit for a course in order to spawn a shell with elevated privileges. I am a user of levelX and the executable has setgid of levelX+1. I am not allowed to alter any of the code.
As I do not have root privileges, setguid(0) fails. I was not able to change the return address of the function or main function. Could anyone point to the right direction?



int main (int argc, char** argv)

{

  if (exec(argv[1]) != 0)

    {

      fprintf(stderr, "Cannot execute your commandn");

      return -1;

    }

  return 0;

}



int exec(char *command)

{

  FILE *f = NULL;

  char entry[64];

  char line[256];



  f = fopen("log", "a");

  if (f == NULL)

    {

      fprintf(stderr, "Can't open filen");

      return -1;

    }

  snprintf(entry, 64, "%d: %sn", getuid(), command);



  fprintf(f, entry, NULL);

  fclose(f);



  f = fopen("sudoers", "r");

  if (f == NULL)

    {

      fprintf(stderr, "Can't openn");

      return -1;

    }



  while(fgets(line, 256, f) != NULL)

    {

      if (atoi(line) == getuid())

        {

          if (setuid(0) == 0) {

            system(command);

          } else {

            fprintf(stderr, "check permissionsn");

          }



          fclose(f);

          return 0;

        }

    }

  fprintf(stderr, "Errorn");

  fclose(f);

  return -1;

}





c linux security buffer-overflow







share|improve this question
















I have the following code as an executable that I want to exploit for a course in order to spawn a shell with elevated privileges. I am a user of levelX and the executable has setgid of levelX+1. I am not allowed to alter any of the code.
As I do not have root privileges, setguid(0) fails. I was not able to change the return address of the function or main function. Could anyone point to the right direction?



int main (int argc, char** argv)

{

  if (exec(argv[1]) != 0)

    {

      fprintf(stderr, "Cannot execute your commandn");

      return -1;

    }

  return 0;

}



int exec(char *command)

{

  FILE *f = NULL;

  char entry[64];

  char line[256];



  f = fopen("log", "a");

  if (f == NULL)

    {

      fprintf(stderr, "Can't open filen");

      return -1;

    }

  snprintf(entry, 64, "%d: %sn", getuid(), command);



  fprintf(f, entry, NULL);

  fclose(f);



  f = fopen("sudoers", "r");

  if (f == NULL)

    {

      fprintf(stderr, "Can't openn");

      return -1;

    }



  while(fgets(line, 256, f) != NULL)

    {

      if (atoi(line) == getuid())

        {

          if (setuid(0) == 0) {

            system(command);

          } else {

            fprintf(stderr, "check permissionsn");

          }



          fclose(f);

          return 0;

        }

    }

  fprintf(stderr, "Errorn");

  fclose(f);

  return -1;

}





c linux security buffer-overflow




c linux security buffer-overflow






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 22 '18 at 13:18







NotApplicable

















asked Nov 22 '18 at 12:12









NotApplicableNotApplicable

366




366













  • Post complete code with appropriate headers.

    – EsmaeelE
    Nov 22 '18 at 12:26











  • This looks like you have partially sanitized/anonymized the code, or tried to? Please provide a working code, which you can build yourself. For example, what is log_entry?

    – hyde
    Nov 22 '18 at 12:28











  • Both correct! Edited the code. It compiles and runs

    – NotApplicable
    Nov 22 '18 at 12:32











  • What do you exactly mean with LevelX and LevelX+1. What's the role of levels in your explanation? In plain UNIX, there's only two levels, user and root level, the first is subject to permissions, the later isn't. Not n levels up, sorry.

    – Luis Colorado
    Nov 27 '18 at 8:33











  • I mean different levels without any of the levels being root.

    – NotApplicable
    Dec 11 '18 at 20:24



















  • Post complete code with appropriate headers.

    – EsmaeelE
    Nov 22 '18 at 12:26











  • This looks like you have partially sanitized/anonymized the code, or tried to? Please provide a working code, which you can build yourself. For example, what is log_entry?

    – hyde
    Nov 22 '18 at 12:28











  • Both correct! Edited the code. It compiles and runs

    – NotApplicable
    Nov 22 '18 at 12:32











  • What do you exactly mean with LevelX and LevelX+1. What's the role of levels in your explanation? In plain UNIX, there's only two levels, user and root level, the first is subject to permissions, the later isn't. Not n levels up, sorry.

    – Luis Colorado
    Nov 27 '18 at 8:33











  • I mean different levels without any of the levels being root.

    – NotApplicable
    Dec 11 '18 at 20:24

















Post complete code with appropriate headers.

– EsmaeelE
Nov 22 '18 at 12:26





Post complete code with appropriate headers.

– EsmaeelE
Nov 22 '18 at 12:26













This looks like you have partially sanitized/anonymized the code, or tried to? Please provide a working code, which you can build yourself. For example, what is log_entry?

– hyde
Nov 22 '18 at 12:28





This looks like you have partially sanitized/anonymized the code, or tried to? Please provide a working code, which you can build yourself. For example, what is log_entry?

– hyde
Nov 22 '18 at 12:28













Both correct! Edited the code. It compiles and runs

– NotApplicable
Nov 22 '18 at 12:32





Both correct! Edited the code. It compiles and runs

– NotApplicable
Nov 22 '18 at 12:32













What do you exactly mean with LevelX and LevelX+1. What's the role of levels in your explanation? In plain UNIX, there's only two levels, user and root level, the first is subject to permissions, the later isn't. Not n levels up, sorry.

– Luis Colorado
Nov 27 '18 at 8:33





What do you exactly mean with LevelX and LevelX+1. What's the role of levels in your explanation? In plain UNIX, there's only two levels, user and root level, the first is subject to permissions, the later isn't. Not n levels up, sorry.

– Luis Colorado
Nov 27 '18 at 8:33













I mean different levels without any of the levels being root.

– NotApplicable
Dec 11 '18 at 20:24





I mean different levels without any of the levels being root.

– NotApplicable
Dec 11 '18 at 20:24












2 Answers
2






active

oldest

votes


















1














From the code you posted, it appears you are supposed to write your own sudoers file to any directory you have write access to, then run this program in that directory, so it reads your file.



So, simply write your own UID to this fake sudoers file, and then give a command parameter such as bash to get a shell. There's no need to do any buffer overflow exploitation.



Presumably the real exploitable program has suid bit set in the file permissions, so it can perform the setuid(0) call. I guess the purpose of the exercise is to demonstrate how all input needs to be sanitized when you are dealing with suid programs, including things like relative paths (which effectively take current working directory as input) like any user-supplied paths and other input.




But, since the program only has setgid bit (as said in comment), you need find something you do with just the group id. That something could be that log file write. You could create a symbolic link with file name log, pointing to whatever file you want to append to, which that group has write permissions for. Also, that file needs to have format such, that the log line format does not make the file corrupted. Remember, you can put newlines etc into command line arguments!






share|improve this answer


























  • I did create a file with my guid and bypassed this check. The exploitable program has sgid: -rwxr-sr-x but the file's group is not the root

    – NotApplicable
    Nov 22 '18 at 12:37













  • Ah, then you need a way to make something happen before setuid call... Hint: you program writes to a log with the group of the binary... That's what you are supposed to exploit then, probably.

    – hyde
    Nov 22 '18 at 12:41













  • Perfect! Thanks!

    – NotApplicable
    Nov 22 '18 at 13:05






  • 1





    If you have trouble finding possible exploitable files, checkout out find command, it has option to search for files with certain group.

    – hyde
    Nov 22 '18 at 16:42






  • 1





    @NotApplicable: Since the program does not work for anyone as intended (unless the executable group is root), I suspect the solution sought after is much simpler than you're thinking: it is probably just ln -s sudoers log && /path/to/that/executable bash, to give you the privileged shell based on a sudoers file under your own control; even if it is privileged by default, having the log output directed to the sudoers ensures the current uid will be listed there. You could ask your lecturer whether the group ownership of the executable is as designed, or just an oversight.

    – Nominal Animal
    Nov 23 '18 at 12:37



















0














After all it was a format string exploit on fprintf(f, entry, NULL); inside int exec(char *command) where you overwrite the return address with %n format.






share|improve this answer























    Your Answer






    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "1"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53430763%2fexploiting-c-linux-setuid-and-system-commands%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    1














    From the code you posted, it appears you are supposed to write your own sudoers file to any directory you have write access to, then run this program in that directory, so it reads your file.



    So, simply write your own UID to this fake sudoers file, and then give a command parameter such as bash to get a shell. There's no need to do any buffer overflow exploitation.



    Presumably the real exploitable program has suid bit set in the file permissions, so it can perform the setuid(0) call. I guess the purpose of the exercise is to demonstrate how all input needs to be sanitized when you are dealing with suid programs, including things like relative paths (which effectively take current working directory as input) like any user-supplied paths and other input.




    But, since the program only has setgid bit (as said in comment), you need find something you do with just the group id. That something could be that log file write. You could create a symbolic link with file name log, pointing to whatever file you want to append to, which that group has write permissions for. Also, that file needs to have format such, that the log line format does not make the file corrupted. Remember, you can put newlines etc into command line arguments!






    share|improve this answer


























    • I did create a file with my guid and bypassed this check. The exploitable program has sgid: -rwxr-sr-x but the file's group is not the root

      – NotApplicable
      Nov 22 '18 at 12:37













    • Ah, then you need a way to make something happen before setuid call... Hint: you program writes to a log with the group of the binary... That's what you are supposed to exploit then, probably.

      – hyde
      Nov 22 '18 at 12:41













    • Perfect! Thanks!

      – NotApplicable
      Nov 22 '18 at 13:05






    • 1





      If you have trouble finding possible exploitable files, checkout out find command, it has option to search for files with certain group.

      – hyde
      Nov 22 '18 at 16:42






    • 1





      @NotApplicable: Since the program does not work for anyone as intended (unless the executable group is root), I suspect the solution sought after is much simpler than you're thinking: it is probably just ln -s sudoers log && /path/to/that/executable bash, to give you the privileged shell based on a sudoers file under your own control; even if it is privileged by default, having the log output directed to the sudoers ensures the current uid will be listed there. You could ask your lecturer whether the group ownership of the executable is as designed, or just an oversight.

      – Nominal Animal
      Nov 23 '18 at 12:37
















    1














    From the code you posted, it appears you are supposed to write your own sudoers file to any directory you have write access to, then run this program in that directory, so it reads your file.



    So, simply write your own UID to this fake sudoers file, and then give a command parameter such as bash to get a shell. There's no need to do any buffer overflow exploitation.



    Presumably the real exploitable program has suid bit set in the file permissions, so it can perform the setuid(0) call. I guess the purpose of the exercise is to demonstrate how all input needs to be sanitized when you are dealing with suid programs, including things like relative paths (which effectively take current working directory as input) like any user-supplied paths and other input.




    But, since the program only has setgid bit (as said in comment), you need find something you do with just the group id. That something could be that log file write. You could create a symbolic link with file name log, pointing to whatever file you want to append to, which that group has write permissions for. Also, that file needs to have format such, that the log line format does not make the file corrupted. Remember, you can put newlines etc into command line arguments!






    share|improve this answer


























    • I did create a file with my guid and bypassed this check. The exploitable program has sgid: -rwxr-sr-x but the file's group is not the root

      – NotApplicable
      Nov 22 '18 at 12:37













    • Ah, then you need a way to make something happen before setuid call... Hint: you program writes to a log with the group of the binary... That's what you are supposed to exploit then, probably.

      – hyde
      Nov 22 '18 at 12:41













    • Perfect! Thanks!

      – NotApplicable
      Nov 22 '18 at 13:05






    • 1





      If you have trouble finding possible exploitable files, checkout out find command, it has option to search for files with certain group.

      – hyde
      Nov 22 '18 at 16:42






    • 1





      @NotApplicable: Since the program does not work for anyone as intended (unless the executable group is root), I suspect the solution sought after is much simpler than you're thinking: it is probably just ln -s sudoers log && /path/to/that/executable bash, to give you the privileged shell based on a sudoers file under your own control; even if it is privileged by default, having the log output directed to the sudoers ensures the current uid will be listed there. You could ask your lecturer whether the group ownership of the executable is as designed, or just an oversight.

      – Nominal Animal
      Nov 23 '18 at 12:37














    1












    1








    1







    From the code you posted, it appears you are supposed to write your own sudoers file to any directory you have write access to, then run this program in that directory, so it reads your file.



    So, simply write your own UID to this fake sudoers file, and then give a command parameter such as bash to get a shell. There's no need to do any buffer overflow exploitation.



    Presumably the real exploitable program has suid bit set in the file permissions, so it can perform the setuid(0) call. I guess the purpose of the exercise is to demonstrate how all input needs to be sanitized when you are dealing with suid programs, including things like relative paths (which effectively take current working directory as input) like any user-supplied paths and other input.




    But, since the program only has setgid bit (as said in comment), you need find something you do with just the group id. That something could be that log file write. You could create a symbolic link with file name log, pointing to whatever file you want to append to, which that group has write permissions for. Also, that file needs to have format such, that the log line format does not make the file corrupted. Remember, you can put newlines etc into command line arguments!






    share|improve this answer















    From the code you posted, it appears you are supposed to write your own sudoers file to any directory you have write access to, then run this program in that directory, so it reads your file.



    So, simply write your own UID to this fake sudoers file, and then give a command parameter such as bash to get a shell. There's no need to do any buffer overflow exploitation.



    Presumably the real exploitable program has suid bit set in the file permissions, so it can perform the setuid(0) call. I guess the purpose of the exercise is to demonstrate how all input needs to be sanitized when you are dealing with suid programs, including things like relative paths (which effectively take current working directory as input) like any user-supplied paths and other input.




    But, since the program only has setgid bit (as said in comment), you need find something you do with just the group id. That something could be that log file write. You could create a symbolic link with file name log, pointing to whatever file you want to append to, which that group has write permissions for. Also, that file needs to have format such, that the log line format does not make the file corrupted. Remember, you can put newlines etc into command line arguments!







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited Nov 22 '18 at 12:47

























    answered Nov 22 '18 at 12:33









    hydehyde

    31.6k1588131




    31.6k1588131













    • I did create a file with my guid and bypassed this check. The exploitable program has sgid: -rwxr-sr-x but the file's group is not the root

      – NotApplicable
      Nov 22 '18 at 12:37













    • Ah, then you need a way to make something happen before setuid call... Hint: you program writes to a log with the group of the binary... That's what you are supposed to exploit then, probably.

      – hyde
      Nov 22 '18 at 12:41













    • Perfect! Thanks!

      – NotApplicable
      Nov 22 '18 at 13:05






    • 1





      If you have trouble finding possible exploitable files, checkout out find command, it has option to search for files with certain group.

      – hyde
      Nov 22 '18 at 16:42






    • 1





      @NotApplicable: Since the program does not work for anyone as intended (unless the executable group is root), I suspect the solution sought after is much simpler than you're thinking: it is probably just ln -s sudoers log && /path/to/that/executable bash, to give you the privileged shell based on a sudoers file under your own control; even if it is privileged by default, having the log output directed to the sudoers ensures the current uid will be listed there. You could ask your lecturer whether the group ownership of the executable is as designed, or just an oversight.

      – Nominal Animal
      Nov 23 '18 at 12:37



















    • I did create a file with my guid and bypassed this check. The exploitable program has sgid: -rwxr-sr-x but the file's group is not the root

      – NotApplicable
      Nov 22 '18 at 12:37













    • Ah, then you need a way to make something happen before setuid call... Hint: you program writes to a log with the group of the binary... That's what you are supposed to exploit then, probably.

      – hyde
      Nov 22 '18 at 12:41













    • Perfect! Thanks!

      – NotApplicable
      Nov 22 '18 at 13:05






    • 1





      If you have trouble finding possible exploitable files, checkout out find command, it has option to search for files with certain group.

      – hyde
      Nov 22 '18 at 16:42






    • 1





      @NotApplicable: Since the program does not work for anyone as intended (unless the executable group is root), I suspect the solution sought after is much simpler than you're thinking: it is probably just ln -s sudoers log && /path/to/that/executable bash, to give you the privileged shell based on a sudoers file under your own control; even if it is privileged by default, having the log output directed to the sudoers ensures the current uid will be listed there. You could ask your lecturer whether the group ownership of the executable is as designed, or just an oversight.

      – Nominal Animal
      Nov 23 '18 at 12:37

















    I did create a file with my guid and bypassed this check. The exploitable program has sgid: -rwxr-sr-x but the file's group is not the root

    – NotApplicable
    Nov 22 '18 at 12:37







    I did create a file with my guid and bypassed this check. The exploitable program has sgid: -rwxr-sr-x but the file's group is not the root

    – NotApplicable
    Nov 22 '18 at 12:37















    Ah, then you need a way to make something happen before setuid call... Hint: you program writes to a log with the group of the binary... That's what you are supposed to exploit then, probably.

    – hyde
    Nov 22 '18 at 12:41







    Ah, then you need a way to make something happen before setuid call... Hint: you program writes to a log with the group of the binary... That's what you are supposed to exploit then, probably.

    – hyde
    Nov 22 '18 at 12:41















    Perfect! Thanks!

    – NotApplicable
    Nov 22 '18 at 13:05





    Perfect! Thanks!

    – NotApplicable
    Nov 22 '18 at 13:05




    1




    1





    If you have trouble finding possible exploitable files, checkout out find command, it has option to search for files with certain group.

    – hyde
    Nov 22 '18 at 16:42





    If you have trouble finding possible exploitable files, checkout out find command, it has option to search for files with certain group.

    – hyde
    Nov 22 '18 at 16:42




    1




    1





    @NotApplicable: Since the program does not work for anyone as intended (unless the executable group is root), I suspect the solution sought after is much simpler than you're thinking: it is probably just ln -s sudoers log && /path/to/that/executable bash, to give you the privileged shell based on a sudoers file under your own control; even if it is privileged by default, having the log output directed to the sudoers ensures the current uid will be listed there. You could ask your lecturer whether the group ownership of the executable is as designed, or just an oversight.

    – Nominal Animal
    Nov 23 '18 at 12:37





    @NotApplicable: Since the program does not work for anyone as intended (unless the executable group is root), I suspect the solution sought after is much simpler than you're thinking: it is probably just ln -s sudoers log && /path/to/that/executable bash, to give you the privileged shell based on a sudoers file under your own control; even if it is privileged by default, having the log output directed to the sudoers ensures the current uid will be listed there. You could ask your lecturer whether the group ownership of the executable is as designed, or just an oversight.

    – Nominal Animal
    Nov 23 '18 at 12:37













    0














    After all it was a format string exploit on fprintf(f, entry, NULL); inside int exec(char *command) where you overwrite the return address with %n format.






    share|improve this answer




























      0














      After all it was a format string exploit on fprintf(f, entry, NULL); inside int exec(char *command) where you overwrite the return address with %n format.






      share|improve this answer


























        0












        0








        0







        After all it was a format string exploit on fprintf(f, entry, NULL); inside int exec(char *command) where you overwrite the return address with %n format.






        share|improve this answer













        After all it was a format string exploit on fprintf(f, entry, NULL); inside int exec(char *command) where you overwrite the return address with %n format.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Dec 11 '18 at 20:27









        NotApplicableNotApplicable

        366




        366






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53430763%2fexploiting-c-linux-setuid-and-system-commands%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Can a sorcerer learn a 5th-level spell early by creating spell slots using the Font of Magic feature?

            Image
            28 6 $begingroup$ Per the Font of Magic feature, sorcerer can use Flexible Casting to create 5th-level spell slots at level 7, even though they are not typically available until level 9. You can transform unexpended sorcery points into one spell slot as a bonus action on your turn. The Creating Spell Slots table shows the cost of creating a spell slot of [5th level is 7] If such a sorcerer levels up while still having this 5th-level spell slot, can they choose a 5th-level spell as the spell they gain upon levelling up? The Spellcasting feature states: Additionally, when you gain a level in this class, you can choose one of the sorcerer spells you know and replace it with another spell from the sorcerer spell list, which also must be of a level for which you have spell slots.
            Read more

            Does disintegrating a polymorphed enemy still kill it after the 2018 errata?

            Image
            up vote 13 down vote favorite 1 After the 2018 errata, the disintegrate spell description now reads: A creature targeted by this spell must make a Dexterity saving throw. On a failed save, the target takes 10d6 + 40 force damage. The target is disintegrated if this damage leaves it with 0 hit points. If you were to polymorph an enemy into a rat and then disintegrate it, would the enemy be disintegrated or would it just return to its original form? I know that for Druids, it’s not an instant kill anymore, but is this the case for polymorph as well? dnd-5e spells polymorph errata share | improve this question edited 18 hours ago
            Read more

            A Topological Invariant for $pi_3(U(n))$

            Image
            3 3 $begingroup$ Recently, I saw a construction of topological invariant for $pi_3(U(n))$ with $ngeq 2$ : $$ N=frac{1}{24pi^2}int_{S^3} d^3x epsilon^{ijk} Tr[(U^{-1}partial_{x_i}U)(U^{-1}partial_{x_j}U)(U^{-1}partial_{x_k}U)] , $$ where $Uin U(n)$ depends on $boldsymbol{x}=(x_1,x_2,x_3)in S^3$ , $epsilon^{ijk}$ is the Levi-Civita symbol, $i,j,k=1,2,3$ , and the duplicated indexes are summed over. It is claimed that $N$ is an integer, but why? Update 02/02/2019 I think I got an argument for $n=2$ . In this case, $U=e^{i varphi} q$ with $qin SU(2)$ . Due to the trace and the Levi-Civita symbol in $N$ , $varphi$ does not contribute to $N$ . As $Tr[q^{dagger}partial_i q]=0$ and $(q^{dagger}partial_i q)^{dagger}=-q^{dagger}partial_i q$ , $q^{dagger}partial_i q$ in geneeral has the form $q^{dagger}partia
            Read more