
For school I need to use the buffer overflow in the program below to get the shell to launch. For this exercise we need to perform a data-only attack, i.e. the stack is non-executable and stack canaries are enabled.

#define _GNU_SOURCE   /* setresuid() is only declared by unistd.h with this on glibc */
#include <stdio.h>
#include <unistd.h>
#include <string.h>

int enableGlobalAdmin = 0;
int enableFullAdmin = 0;

struct role_t {
    char rolename[32];
    int authority;
} defaultRole = { .rolename = "regular user", .authority = 0 };

/* The role pointer sits directly after the fixed-size name buffer. */
struct user_t {
    char name[777];
    struct role_t *role;
};

/* Unbounded copy: input longer than 776 bytes runs into u->role. */
void inputUser(struct user_t *u, char *s) {
    strcpy(u->name, s);
}

void greetUser(struct user_t *u) {
    printf("Hello %s, you have role '%s'\n", u->name, u->role->rolename);
}

int main(int argc, char **argv) {
    struct user_t thisUser;
    thisUser.role = &defaultRole;

    if (argc < 2) {
        printf("ERROR\n");
        return 1;   /* without this, argv[1] is NULL and strcpy crashes */
    }
    inputUser(&thisUser, argv[1]);
    greetUser(&thisUser);

    /* Data-only target: authority is read through the (overwritable) role pointer. */
    if((thisUser.role)->authority == 1) {
        printf("Congratulations! You are an admin\n");
        setresuid(geteuid(), geteuid(), geteuid());
        execl("/bin/xh", "/bin/xh", NULL);
    }

    return 0;
}

My idea was to overwrite the role pointer such that it points to the beginning of the buffer and that I put 1 in this buffer. However, as we are using strcpy, the \x00 characters are ignored and so this method cannot succeed.

However, as some sort of hint, they provided us with the env shell command. The problem is now that I don't really have an idea how I can use the environment variables to my advantage with my problem.

Mee98
  • 101
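For contrast with the program in the question, here is an added example (not part of the original post or the course material) of the fix a defender would apply to inputUser(): a bounded copy that rejects input which would not fit in name, so the adjacent role pointer can never be overwritten. The struct layout is copied from the question; the function names inputUserSafe and the two check helpers are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Same layout as the exercise: 777-byte name followed by the role pointer. */
struct role_t { char rolename[32]; int authority; };
struct user_t { char name[777]; struct role_t *role; };

static struct role_t defaultRole = { "regular user", 0 };

/* Hardened replacement for inputUser(): checks the length before copying.
 * Returns 0 on success, -1 if the input was rejected (name left empty).
 * memcpy of n+1 bytes also copies the terminator, so name is always a
 * valid C string afterwards. */
int inputUserSafe(struct user_t *u, const char *s) {
    size_t n = strlen(s);
    if (n >= sizeof u->name) {
        u->name[0] = '\0';
        return -1;
    }
    memcpy(u->name, s, n + 1);
    return 0;
}

/* Feeds one input through the hardened copy; returns 1 if the role pointer
 * still points at defaultRole with authority 0, and reports the copy result. */
static int roleIntactAfterInput(const char *s, int *rc_out) {
    struct user_t u;
    u.role = &defaultRole;
    int rc = inputUserSafe(&u, s);
    if (rc_out) *rc_out = rc;
    return u.role == &defaultRole && u.role->authority == 0;
}

/* Constructed oversized input (900 'A's): with the original strcpy this
 * would have run over u.role; here it must be rejected and role kept intact. */
int oversizedInputRejected(void) {
    char big[900];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    int rc;
    return roleIntactAfterInput(big, &rc) && rc == -1;
}

/* A short name must still be accepted unchanged. */
int normalInputAccepted(void) {
    int rc;
    return roleIntactAfterInput("alice", &rc) && rc == 0;
}
```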

0 Answers