C: IFS System() Vulnerability - c

For educational reasons I have to exploit an C-Code
The Programm set the egid first, and then the vulnerability with the system("/usr/bin/..."); Command.
So I made an 'usr' executeable in my Home-Directory and set the Path to the Home PATH=$HOME:$PATH
And I want to change the IFS Variable in the bash to /: export IFS='/'
Unfortunatelly, when i call the C-Programm: my exploit doesn't work
Is anybody able to tell me what is wrong?

Add the IFS as part of your program's call to system(). System executes the code with /usr/bin/sh -c. So you can do similar to what you'd in the shell prompt.
system("export IFS='/'; /usr/bin/cmd");
Note that once the child process is terminated, the IFS set will no longer be available in the parent.

I suppose we are studying at the same university, because I am currently confronted with the same problem. I don't want to give you the whole solution, because that would be too easy =)
Your IFS variable is not ignored, but it doesn't work as you might think. When you call the C-Programm there is an additional output in the shell, which refers to the lesspipe. With the information in this link and this german link you are able to solve the challenge1 ;)

Related

(LLDB on MacOs Catalina) Shell Expansion Failed

When trying to use the r or run commands in lldb I get an error like this: error: shell expansion failed (reason: invalid JSON). consider launching with 'process launch'.
It works when I just use process launch but I really do not feel like doing that.
Is there any way I could make either an alias or make shell expansions not fail?
The way lldb does shell expansion is to run a little tool called lldb-argdumper (it is in Xcode.app/Contents/SharedFrameworks/LLDB.framework/Resources on macOS) with the command arguments that you passed. lldb-argdumper wraps the contents of argv as JSON, and writes that to stdout. lldb then parses the JSON back into args and inserts the args one by oneinto the argc/argv array when it launches the process.
Something in the output is not getting properly wrapped. You can probably see what it is by looking at the output of lldb-argdumper with your arguments. Whatever it is, it's a bug, so if you can reproduce it please file with your example with http://bugs.llvm.org.
(lldb) command alias run-no-shell process launch -X 0 --
will produce an alias that doesn't do shell expansion. You can also put this in your ~/.lldbinit.
I ran into this recently. TL;DR: make sure your shell does not echo anything during initialization. Run <your-shell> -c date to confirm; only the date should be printed.
The problem was that my shell's initialization file was echoing some stuff, which was getting prepended to lldb-argdumper's JSON output. (lldb doesn't run lldb-argdumper directly; it invokes your default shell to run lldb-argdumper.)
Specifically, I use fish as my shell, which does not have separate initialization paths for interactive and non-interactive sessions. (See this issue for discussion of whether this is good.) bash and zsh have separate init files for interactive/non-interactive sessions, which makes avoiding this problem slightly easier.

How do I copy everything from my terminal to a file including the stdout and the prompt using C?

I know how to get the stdout into a file using dup/dup2 system calls, but how do I get the entire output that would be normally shown on my terminal(including the prompt that says my username along with the $ symbol and the current working directory) to a file?
Yes you can, but this may be difficult in many details (depending on your expert level). For the shell to behave normally (I would mean exactly as in a terminal), then it needs to interact with a terminal (special system object). So you need to create a program that behave like a terminal, this what pseudo-terminals devices (/dev) are intended for. Read documentation about this to implement it but roughly, your application should behave like the user so should be connected to the slave side of the pseudo-terminal, and the shell to the master side of the pseudo-terminal. Then you can easily log real inputs made by the user and catch outputs made by the shell.
Can't comment cause of low reputation.
I would say there is no way to do that inside a code in C. Instead, you could use bash for example to redirect everything to a file, and leave the code in C as it is.
In this way you have all the info you want to save: prompt, current directory, call to the program (including flags), and of course the output of the program.
Well, you can do:
-For bash prompt PS1: Echo expanded PS1 (in case you want it expanded, if not there is a simple way to do it just echong PS1)
- For executed command: https://unix.stackexchange.com/questions/169259/how-to-capture-command-line-input-into-logfile-and-execute-it-at-the-same-time
- Standard output and error output: Redirect stderr and stdout in a Bash script
And that's all you want to capture, I think.
Look up the script command in Unix systems. If you want to capture all keyboard and std in/out for a command, use the script executable. If you want to see how it's done, look up the source.

Executing command through a c program on Windows

I want to know how to execute a command from a c program,on windows os.
To be more specific how to write a c program whose output will not be printed but directly goes to command prompt and get executed there? please help me
I think you need to use system() command in your C code.
For example:
system("pause");
where "pause" is the command to be executed in cmd.
reference: http://www.cplusplus.com/reference/cstdlib/system/
I hope i got your question right.
I'm not sure I understand the question correctly. But if I do, you're looking for the system() function.
I suspect what you are describing is the the back-ticks in shells in Linux/Unix.
However, I don't know how to do that in Windows.
Unix way
myprompt> `./a.out`
If the C program was basically: printf("ls -l .\n");, then this should list the files.
Is that what you wanted?
Like I said, I don't know how to do that in the Win Cmd Prompt, but maybe this clarifies your question.
Looks like you could try:
C:\MyDir> MyProgram.exe | cmd.exe /C

using the Unix alias command in C program

So I'm not exactly sure if this is possible, but I would like to use unix's alias command for creating aliases of commands I have created inside of my C program.
So far the only idea I have had to try is system(alias ='someCommand');
This resulted in nothing happening
Is this even possible? Or do I have to essentially create my own alias function for my c program (which is a simple shell program)
Thanks, I'm new to this and would appreciate any insight!
Aliases are meant as shortcuts that you create to reduce your typing when working inside the shell. When you execute a program that you created by compiling your C source code, the shell forks and execs the program. Any changes that you intend to make to the shell happen inside that execed code. As soon as the program is terminated, your changes disappear with it. Hence, what you observe: "Nothing happens".

Hooks on terminal. Can I call a method before a command is run in the terminal?

I am wanting to make a terminal app that stores information about files/directories. I want a way to keep the information if the file is moved or renamed.
What I thought I could do is have a function execute before any command is run. I found this:
http://www.twistedmatrix.com/users/glyph/preexec.bash.txt
But I was wondering if this would be a good way to go about it. Or should I do something else?
I would like to call that function from a C program whenever mv is entered I suppose.
If what you're trying to do is attach some sort of metadata to files, there's a much better supported way to do that -- extended attributes.
Another solution might be to use the file's inode number as an index into a database you maintain yourself.
Can you alias the mv command? in .profile or .bashrc
alias mv=/usr/bin/local/mymv
where mymv is a compiled executable that runs your C code function and calls /usr/bin/mv.
precmd and preeexec add some overhead to every bash script that gets run, even if the script never calls mv. The downside to alias is that it requires new code in /usr/local and if scripts or users employ /usr/bin/mv instead of mv it will not do what you want. Generally doing something like this often means there is a better way to handle the problem with some kind of service (daemon) or driver. Plus, what happens if your C code cannot correctly handle interesting input like
mv somefille /dev/null
If you want to run command each time after some command was executed in the terminal, just put the following in ~/.bashrc:
PROMPT_COMMAND="your_command;$PROMPT_COMMAND"
If you want your command to be executed each time before mv is executing, put the following in ~/.bashrc:
alias mv="your_script"
Make sure that your script will execute real mv if needed.
You can use inotify library to track filesystem changes. It's good solution, but once user remove file, it's already gone.
You might be able to make use of the DEBUG trap in Bash.
From man bash:
If a sigspec is DEBUG, the command arg is executed before every
simple command, for command, case command, select command, every
arithmetic for command, and before the first command executes in
a shell function
I found this article when I was forced to work in tcsh and wanted to ensure a specific environemtn variable was present when the user ran a program from a certain folder (without setting that variable globally)
tcsh can do this.
tcsh has special alias, one of which is precmd
This can be used to run a script just before the shell prompt is printed.
e.g. I used set precmd 'bash $HOME/.local/bin/on_cd.sh'
This might be one of the very few useful features in csh.
It is a shame but I don't think the same or similar feature is in bash or other sh derivites (ash, dash etc). Related answer.

Resources