Sanket Deshpande - 2 months ago
C Question

Exploit system() call in C

I have the following code in a file named vulnerable.c:

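#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
   /* Set the real GID to the effective (setgid) GID so the child process keeps it. */
   gid_t egid = getegid();
   setregid(egid, egid);
   /* system() hands the string to /bin/sh -c, which resolves the command itself. */
   system("echo testing");

   return 0;
}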


Here are the permissions on the vulnerable executable:

-rwxr-sr-x 1 test cool 8192 Sep 28 2016 vulnerable

In my home directory, I created a new directory called "echotest" and put in an echo.c file and compiled it. The echo.c file just prints out "Exploited!!". I also changed my PATH environment variable to include $HOME/echotest.

Now, when I run vulnerable it should print out "Exploited!" but it's not. What am I missing here?

I did a similar test with "cat" and it worked but no luck with echo.
Any help would be appreciated.

Thanks

Answer

The problem is that echo is often a shell builtin. If you want it to be exploitable you can change the vulnerable code to this:

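#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
   gid_t egid = getegid();
   setregid(egid, egid);
   /* env is an external program that looks echo up in PATH, so the shell builtin is not used. */
   system("env echo testing");

   return 0;
}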

For more about this, see: How do I prevent bash to use a builtin command?