13Ara
How can I exploit the following code using string format vulnerabilities, Global offset table & GDB?
The following code should be exploited and I need to exploit it in such a way that it runs my command (l33t) and there should be shellcode and exploit included, so that it runs my command. I believe I need to use GDB and it has something to do with the global offset table and is potentially a string format vulnerability (although I could be wrong). It is the C code shown below.
include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
int sudoexec(char *command)
{
FILE *f = NULL;
char log_entry[64];
char line[256];
f = fopen("sudolog", "a");
if (f == NULL)
{
fprintf(stderr, "Can't open sudolog file\n");
return -1;
}
snprintf(log_entry, 64, "%d: %s\n", getuid(), command);
fprintf(f, log_entry, NULL);
fclose(f);
f = fopen("sudoers", "r");
if (f == NULL)
{
fprintf(stderr, "Can't open sudoers file\n");
return -1;
}
while(fgets(line, 256, f) != NULL)
{
if (atoi(line) == getuid())
{
if (setuid(0) == 0) {
system(command);
} else {
fprintf(stderr, "Setting the UID to root failed: check permissions\n");
}
fclose(f);
return 0;
}
}
fprintf(stderr, "User not listed in the sudoers file\n");
return -1;
}
int main (int argc, char** argv)
{
if (argv[1] == NULL)
{
fprintf(stderr, "Missing args\n");
return -1;
}
if (sudoexec(argv[1]) != 0)
{
fprintf(stderr, "Cannot execute your command\n");
return -1;
}
return 0;
}
Please share the exploit and shellcode and please explain the procedure used to exploit this code so that it ran my command (l33t).
