I am a student and in one of the tasks of the workshop I have to take advantage of the vulnerability in the binary.

Having decompiled the binary, I found out that the program, after starting, reads the line from the standard input and copies it to the buffer. This buffer is a part of the structure, in which there is a flag, after checking for equality to zero, the shell is started with a new euid, with which I can read the protected file.

If you give a sequence of characters of the required length (64 bytes) to the program after it starts, the flag will be zeroed (due to the use of strncat in the program), and the program will launch a shell with the required eiud and I can enter for example cat flag_1.txt to read it content, which I could not do under normal conditions.

Manually everything turns out well, but I need to write an exploit either in the form of a bashcript or a script in python.

Using bash, I created a file with the following contents:

#! / bin / sh

echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | ./task_1

when you run this script, the program gets the required string for input, the flag is clogged with 0, and I get access (because the program also writes Access granted, so I’m sure I got access) However, I’ll use the shell I do not have time, because I see the message stack smashing detected or Abort (core dumped)

On the python, I tried to use subprocess.call or subprocess.popen, but this also did nothing, because I understand that at the moment I don’t manage to NOT wait for the process to complete, which means I cannot use the shell with the new euid, although Access granted is also output, i.e. I get to the right section of the code.

Why does not work bashskript do not understand.

I have very little experience; in fact, we were simply given the assignment without any explanation. Can you please tell me how to write an exploit, or even more likely as a whole, a script that would do the following: 1) run the program 2) give it a read (not as a command line parameter, but to standard input) line 3) let it be used from of this program, a new shell for reading some kind of text file

  • I don’t understand that the python has nothing to do with it, and I don’t try to start a shell from it, only I launch the program itself. The problem is that I can not give anything to the input of the child shell to read the file, because the program quits, as I understand it. - Nikita Malyshev

1 answer 1

Just change your sh-script a little.
Enter the data for the shell launched in ./task_1 second echo command, connecting the stdout both echo commands with a pause between them:

 #!/bin/sh (echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; sleep 0; echo cat flag_1.txt) | ./task_1

(you may need sleep 1 (I have an experimental program from 0 in my Ubuntu from bash), but I’m afraid I should look at the place)

The point here is that in your script the program reads all the data output by echo and the shell immediately receives EOF .
When you enter data manually, the stdin ( /dev/tty ) read by the program remains open and the shell successfully reads the second input string.

  • Thank you very much, the script has earned. I am not familiar with working with sh scripts and would have understood for a long time without your help. - Nikita Malyshev
  • These are not only scripts, this is how unix works. - avp