C: IFS System() Vulnerability

2019-04-30 12:27发布

问题:

For educational reasons I have to exploit an C-Code

The Programm set the egid first, and then the vulnerability with the system("/usr/bin/..."); Command.

So I made an 'usr' executeable in my Home-Directory and set the Path to the Home PATH=$HOME:$PATH

And I want to change the IFS Variable in the bash to /: export IFS='/'

Unfortunatelly, when i call the C-Programm: my exploit doesn't work

Is anybody able to tell me what is wrong?

回答1:

I suppose we are studying at the same university, because I am currently confronted with the same problem. I don't want to give you the whole solution, because that would be too easy =)

Your IFS variable is not ignored, but it doesn't work as you might think. When you call the C-Programm there is an additional output in the shell, which refers to the lesspipe. With the information in this link and this german link you are able to solve the challenge1 ;)



回答2:

Add the IFS as part of your program's call to system(). System executes the code with /usr/bin/sh -c. So you can do similar to what you'd in the shell prompt.

system("export IFS='/'; /usr/bin/cmd");

Note that once the child process is terminated, the IFS set will no longer be available in the parent.



标签: c security ifs