3

I use Linux and C.

First, I soft link /bin/zsh to sh.

Second, I log in as root and run the following program.

#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* needed for execve() */

int main(int argc, char *argv[])
{
    char *v[3];
    if (argc < 2) {
        printf("Please type a file name.\n");
        return 1;
    }
    v[0] = "/bin/cat"; v[1] = argv[1]; v[2] = NULL;

    /* Set q = 0 for system(), and q = 1 for execve */
    int q = 0;
    if (q == 0) {
        /* system(): the file name is spliced into one string and handed to sh */
        char *command = malloc(strlen(v[0]) + strlen(v[1]) + 2);
        sprintf(command, "%s %s", v[0], v[1]);
        system(command);
        free(command);
    }
    else {
        /* execve(): the file name is passed as a separate argv element */
        execve(v[0], v, NULL);
    }
    return 0;
}

Third, I log in as a normal user (not root). Now I can remove or rewrite a file for which I don't have write privilege by using the executable built from this program.

Like this:

./a.out text;`echo "Not right">text`"

Now I can write "Not right" into the file "text". I only have read privilege on this file.


[image: the read and write permissions of these files]

Fourth, I change q to 1. That means this time I use execve instead.

And I do the same thing as above, but this time I cannot change the content of the file.

Why? I googled on the internet, but I cannot find the difference between system and execve.

4

2 Answers

3

system calls the shell to parse the string, and the shell handles quoting, variable interpolation and so on. execve does none of that. It replaces the program with the called program and passes the argument strings exactly as specified; i.e. it does not interpret quotes.

Answered 2014-10-19T08:59:49.347
2

You say you did chmod 4755 a.out. That means you are setting the setuid bit, so the program will always run with root privileges, and therefore with root's access to text. The string with the backticks is passed to the shell, which interprets it as a command to write to text.

The reason execve does not write to text is that it does not interpret its arguments as shell commands, and ` has no special meaning.

Answered 2014-10-19T09:54:49.083
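The two answers above make the same point from different angles: system() hands one string to sh, execve() hands an argv array to the program. The following is an added example (not the asker's program and not from either answer) of how a helper like this is normally written when it must not be abused: it forks, drops any setuid/setgid privilege back to the invoking user, runs /bin/cat with the file name as its own argv element and a minimal environment, and reports cat's exit status. File names such as `sample_constructed.txt` and `injection_marker_constructed` used in the comments are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run "/bin/cat -- <path>" with the path passed through execve's argv array,
 * so no shell ever parses it. Returns cat's exit status (0..255), or -1 if
 * fork()/waitpid() failed. 127 means the child could not exec or could not
 * drop privileges. */
int cat_file_literal(const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child. If the binary is setuid/setgid, give the privilege back
         * before running anything else. setgid() comes first: once the
         * effective uid is no longer root, setgid() would be refused.
         * If either call fails, refuse to run cat at all. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);

        /* argv is an array, not a string: ';', backticks and quotes inside
         * `path` are ordinary bytes of a single argument. "--" stops cat from
         * treating a path that begins with '-' as an option. */
        char *argv[] = { "/bin/cat", "--", (char *)path, NULL };
        /* A fixed, minimal environment instead of whatever the caller had. */
        char *envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve(argv[0], argv, envp);
        _exit(127); /* only reached if execve() itself failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1; /* killed by a signal */
}

/* Small helper used to check that an argument containing shell
 * metacharacters did not create any file (e.g. injection_marker_constructed). */
int file_exists(const char *path)
{
    return access(path, F_OK) == 0;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 1;
    }
    int rc = cat_file_literal(argv[1]);
    fprintf(stderr, "cat exited with status %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Handing the same backtick string from the question to this program makes cat report "No such file or directory" for a file whose name literally contains the backticks; nothing is written anywhere. The privilege drop is what turns the remaining risk from "root reads any file" into "the invoking user reads what they could already read".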