Question: Your first task is to exploit vulnerabilities in three programs that have their setgid (set-group-ID) bit enabled. The programs are installed under /usr/local/bin/prog[1-3].

Your first task is to exploit vulnerabilities in three programs that have their setgid (set-group-ID) bit enabled. The programs are installed under /usr/local/bin/prog[1-3]. The source for the programs follows (not necessarily in the same order):

cat.c

/*
 * cat.c -- prints /etc/passwd by running `cat` through system().
 *
 * Review notes for a set-gid installation:
 *  - system() hands the string to the command interpreter, and `cat` is
 *    given without a path, so the binary that actually runs is selected by
 *    the PATH inherited from the invoking user (CWE-426, untrusted search
 *    path; CERT C ENV33-C advises against system() altogether).
 *  - setregid(egid, egid) makes the privileged group the real GID as well,
 *    so the child shell and everything it starts run with that group.
 *  - Safer shape: read the file in-process (fopen/fread/fwrite), or use
 *    execve() with an absolute path and an explicitly built environment.
 *
 * NOTE(review): the three header names below were lost when the page was
 * extracted. The calls used need at least <stdlib.h> (system) and
 * <unistd.h> (getegid, setregid); the third header is unknown.
 */
#include
#include
#include

int main(int argc, char **argv)
{
    /* Effective GID of the process; for a set-gid binary this is the
     * group the file is installed with. */
    gid_t egid = getegid();

    /* Copy the effective GID into the real GID. The return value is not
     * checked, so a failed call goes unnoticed. */
    setregid(egid, egid);

    /* Runs via the shell with the caller's environment; `cat` is resolved
     * through PATH. The exit status of the command is ignored. */
    system("cat /etc/passwd");

    return 0;
}

less.c

// Copyright iSecLab -- www.iseclab.org #include  #include  #include  int main(int argc, char **argv) { FILE *file = fopen("/etc/passwd","r"); if (file==NULL) { printf("Oh no, first open failed! "); system("less /usr/local/share/error.txt"); /* Mayday mayday! Bailing out */ exit(1); } FILE *file2 = fopen("/etc/passwd","r"); if (file2==NULL) { fclose(file); printf("Oh no, second open failed! "); system("less /usr/local/share/error.txt"); /* Mayday mayday! Bailing out */ exit(1); } FILE *file3 = fopen("/etc/passwd","r"); if (file3==NULL) { fclose(file); fclose(file2); printf("Oh no, third open failed! "); system("less /usr/local/share/error.txt"); /* Mayday mayday! Bailing out */ exit(1); } FILE *file4 = fopen("/etc/passwd","r"); if (file4==NULL) { fclose(file); fclose(file2); fclose(file3); printf("Oh no, fourth open failed! "); system("less /usr/local/share/error.txt"); /* Mayday mayday! Bailing out */ exit(1); } /* Imagine we are doing something very important and useful here... */ printf("I managed to successfully open the /etc/passwd file 4 times! I am the king yeahaaaa! "); printf("Never think you've seen the last of anything. Eudora Welty "); return 0; } 

signal.c

/*
 * signal.c -- prints the first n primes (0 < n <= 1000) and installs a
 * SIGALRM handler that builds a shell command from argv[0] and runs it.
 *
 * Review notes for a set-gid installation:
 *  - argv[0] is supplied by whoever executes the program. The handler
 *    appends it to a string that system() gives to the shell, so the
 *    length check protects the buffer but not the command line
 *    (CWE-78, OS command injection).
 *  - system() and exit() are not async-signal-safe; a handler should only
 *    set a volatile sig_atomic_t flag, or write() a fixed message and
 *    call _exit().
 *  - setregid(egid, egid) makes the privileged group the real GID too, so
 *    the shell started by the handler runs with that group.
 *  - Safer shape: emit a constant message without a shell and never place
 *    caller-controlled text in a command string.
 *
 * NOTE(review): the five header names below were lost when the page was
 * extracted; judging from the calls used they were most likely <stdio.h>,
 * <stdlib.h>, <string.h>, <signal.h> and <unistd.h> -- confirm against
 * the original source.
 */
#include
#include
#include
#include
#include

/* Command line handed to the shell by handle_signal(); argv[0] is appended
 * to this prefix at signal time. */
char cmdbuf[128] = "echo interrupt signal caught, terminating ";
/* Points at argv[0] once main() has assigned it; NULL before that. */
char *progname;

/*
 * Signal handler: appends progname to cmdbuf, runs the result through the
 * shell, then terminates the process with status 1.
 *
 * NOTE(review): installed for SIGALRM in main(), although the message text
 * says "interrupt signal".
 */
void handle_signal(int sig)
{
    /* Bytes still free in cmdbuf after the current text and its NUL. */
    int len = sizeof(cmdbuf) - (strlen(cmdbuf) + 1);

    /* Truncate progname in place (this writes into the argv[0] storage) so
     * that strcat() stays inside cmdbuf. size_t is compared with int here;
     * that is only correct while len is non-negative. progname is NULL if
     * the signal arrives before main() assigns it, or if argv[0] is NULL. */
    if (strlen(progname) > len)
        progname[len] = '\0';

    /* Only the length was constrained; the content is unvalidated. */
    strcat(cmdbuf, progname);

    /* The shell interprets the whole string, including the appended
     * caller-controlled part. */
    system(cmdbuf);
    exit(1);
}

/*
 * Prints the usage line and exits with status 1.
 *
 * NOTE(review): an argument placeholder after %s appears to have been lost
 * in extraction (two spaces remain); the literal is kept as shown.
 */
void usage()
{
    printf("%s  where 0 < n <= 1000 ", progname);
    exit(1);
}

/*
 * The program takes one command-line parameter n (which has to be a
 * positive integer) and then prints out the first n prime numbers.
 */
int main(int argc, char **argv)
{
    struct sigaction sa;
    int cnt, N, found;
    unsigned long candidate, divisor;

    /* Copy the effective GID into the real GID; the result is unchecked. */
    gid_t egid = getegid();
    setregid(egid, egid);

    /* set up signal handling */
    /* NOTE(review): memset() arguments are swapped -- this fills 0 bytes
     * with the value sizeof(struct sigaction), so sa is not cleared and
     * sa_mask / sa_flags reach sigaction() uninitialised. Intended form:
     * memset(&sa, 0, sizeof sa). */
    memset(&sa, sizeof(struct sigaction), 0);
    sa.sa_handler = handle_signal;
    /* Return value not checked. */
    sigaction(SIGALRM, &sa, NULL);

    /* process argument */
    /* argv[0] is whatever the executing process passed; it is not
     * necessarily the installed path of this binary. */
    progname = argv[0];
    if (argc != 2)
        usage();
    /* No end-pointer or errno check, and the long result is narrowed to
     * int before the range test. */
    N = strtol(argv[1], NULL, 10);
    if ((N <= 0) || (N > 1000))
        usage();

    /* calculate prime numbers by trial division (the original comment
     * calls this a simple sieve) */
    candidate = 1;
    for (cnt = 0; cnt < N; ++cnt) {
        /* Advance candidate until a value with no divisor in
         * [2, candidate/2] is found. */
        for (;;) {
            found = 1;
            divisor = 2;
            candidate += 1;
            while (divisor <= candidate/2) {
                if ((candidate % divisor) == 0) {
                    found = 0;
                    break;
                } else
                    ++divisor;
            }
            if (found)
                break;
        }
        /* NOTE(review): candidate is unsigned long; the matching
         * conversion is %lu, not %ld. */
        printf("%ld ", candidate);
    }
    return 0;
}
