
For educational reasons I have to exploit a piece of C code.

The program sets the egid first, and then comes the vulnerability with the system("/usr/bin/..."); command.

So I made a 'usr' executable in my home directory and set the path to include it: PATH=$HOME:$PATH

And I want to change the IFS variable in the bash to /: export IFS='/'

Unfortunately, when I call the C program, my exploit doesn't work.

Is anybody able to tell me what is wrong?

nikmaster
  • Welcome to Stack Overflow. This is one of those situations where you should show what you've tried as an SSCCE (a [Short, Self-Contained, Correct (Compiling) Example](http://sscce.org/)), both to demonstrate that you've put some effort into the question and to allow us to see what you're doing. Please read the [FAQ] soon. – Jonathan Leffler Oct 14 '12 at 20:28

2 Answers

Add the IFS as part of your program's call to system(). System executes the code with /usr/bin/sh -c, so you can do something similar to what you'd do at the shell prompt.

system("export IFS='/'; /usr/bin/cmd");

Note that once the child process is terminated, the IFS set will no longer be available in the parent.

P.P
  • I can't change the string in the system command. I have to exploit it. So I want the given system("/usr/bin/...") to redirect to my usr executable. It works similarly with relative paths in system("./myProg"). I thought that by changing the IFS variable I could do this in this case too? Am I wrong? – nikmaster Oct 13 '12 at 14:35
  • Can you post the complete code? I am not sure what exactly you want to achieve. – P.P Oct 13 '12 at 15:49

I suppose we are studying at the same university, because I am currently confronted with the same problem. I don't want to give you the whole solution, because that would be too easy =)

Your IFS variable is not ignored, but it doesn't work as you might think. When you call the C program there is an additional output in the shell, which refers to the lesspipe. With the information in this link and this German link you are able to solve the challenge1 ;)

boindiil
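The defensive side of what this thread discusses, as an added example that is not part of any post above: a privileged program that calls system() passes the caller's environment (PATH, IFS and so on) to the shell, while fork() plus execve() with a fixed environment passes none of it. The names run_fixed, CLEAN_ENV and PROBE and the sample environment values are assumptions made for this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the child; nothing is inherited from the caller. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Shell test used only as a probe: exits 0 if the child sees the clean PATH. */
static const char PROBE[] = "[ \"$PATH\" = \"/usr/bin:/bin\" ]";

/* Run an absolute path with execve() and CLEAN_ENV instead of system().
 * Returns the child's exit status, or -1 on error. */
int run_fixed(const char *path, char *const argv[])
{
    if (!path || path[0] != '/') return -1;  /* refuse PATH-resolved names */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, CLEAN_ENV);  /* caller's IFS, PATH, ENV are dropped */
        _exit(127);                     /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Simulate a caller-controlled environment (constructed sample values). */
static void set_caller_env(void)
{
    setenv("PATH", "/tmp/constructed-dir:/usr/bin:/bin", 1);
    setenv("IFS", "/", 1);
}

/* system() hands the caller's environment to sh: the probe fails (1). */
int probe_via_system(void)
{
    set_caller_env();
    int status = system(PROBE);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* run_fixed() gives the child only CLEAN_ENV: the probe succeeds (0). */
int probe_via_run_fixed(void)
{
    set_caller_env();
    char *const argv[] = { "sh", "-c", (char *)PROBE, NULL };
    return run_fixed("/bin/sh", argv);
}
```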