ssd20072

Reputation: 3461

Exploit system() call in C

I have the following code in a file named vulnerable.c:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
   gid_t egid = getegid();
   setregid(egid, egid);
   system("echo testing");

   return 0;
}

Here are the permissions on the vulnerable executable:

-rwxr-sr-x 1 test cool 8192 Sep 28 2016 vulnerable

In my home directory, I created a new directory called "echotest", put in an echo.c file, and compiled it. The echo.c file just prints out "Exploited!!". I also changed my PATH environment variable to include $HOME/echotest.

Now, when I run vulnerable it should print out "Exploited!" but it's not. What am I missing here?

I did a similar test with "cat" and it worked but no luck with echo. Any help would be appreciated.

Thanks

Upvotes: 0

Views: 3033

Answers (1)

John Zwinck

Reputation: 249153

The problem is that echo is often a shell builtin. If you want it to be exploitable you can change the vulnerable code to this:

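#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
   gid_t egid = getegid();
   setregid(egid, egid);
   /* env is an external program, so it looks echo up through PATH instead of using the shell builtin */
   system("env echo testing");

   return 0;
}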

For more about this, see: How do I prevent bash to use a builtin command?

Upvotes: 2
