
Thread: exploiting the system() call in c?

  1. #1
    Just burned his ISO
    Join Date
    Jun 2007
    Posts
    6

    Default exploiting the system() call in c?

    Hi all,
    I'm doing a challenge-thing where you've got ssh access to a box and you have to try to become root of it. Now, on one of them there is a file with source code:

    Code:
    -bash-2.05b$ cat exploitme0.c
    #include <stdio.h>
    
    int main(int argc,char *argv[]) {
     system(argv[1]);
     return 0;
    }

    The system OS is NetBSD 3.1 and I have no privileges. The only thing I can run is the exploitme0 program. I've searched all over the net for any vulnerabilities in the system() call but with no success.. Does anyone know where to look?

    ~Snuffeldog

  2. #2
    Just burned his ISO
    Join Date
    May 2006
    Posts
    11

    Default

    Well, system takes a string as an arg and executes it as a command. For instance,

    system("ls");

    would execute ls which lists everything in the directory.

    Think about that for a bit and see what you can come up with.

  3. #3
    Just burned his ISO
    Join Date
    Jun 2007
    Posts
    6

    Default

    I tried things like that, but the program doesn't have the rights to execute commands I could use. Anyway, it should be exploitable and I can't find out how..

  4. #4
    Junior Member
    Join Date
    Dec 2007
    Posts
    44

    Default

    system() does not and will not grant you root access. It just starts a NEW shell which has the same privileges as the program that ran it.

    UNIX-like systems are mostly very secure, so I don't think you will be able to bypass it using simple methods like this one.

    Also, I hope you are not trying to gain access to a computer that has restricted you from using root. If so, just ask your admin to grant you root access if you need it.

  5. #5
    Just burned his ISO
    Join Date
    Feb 2006
    Posts
    11

    Default challenge

    Could the point be to overflow it? Maybe you should try running it with an exceedingly large string and see if you can cause an error.

    I have zilch programming experience but we did something similar in a Foundstone class.

  6. #6
    Just burned his ISO madm0nk's Avatar
    Join Date
    Jul 2008
    Posts
    12

    Default

    What you are dealing with is input that is unchecked. Try reading Aleph One's "smashing the stack ...." (It's a little outdated but it's a start). Or try reading up on buffer overflow exploits.

    Of course, since it's using system(), you can do some things directly. Try using quotes.

    Also, I believe the only way you could attain root with this is if the executable is set up with the right ownership and permissions. And unless this is a junk box used specifically for the purpose of letting people try and attain root access ......
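
For contrast with exploitme0.c, the following is an added example (not part of the thread or the challenge) of how a helper that must run on behalf of users can avoid handing argv[1] to system(): it maps the argument to a fixed command through an allowlist, drops any set-id privileges, and calls execve() with a clean environment so no shell ever parses user input. The command names, paths and the `lookup_command`/`drop_privileges` helpers are assumptions made for illustration, and it assumes the listed commands need no elevated privileges.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical allowlist: user-facing name -> fixed absolute path and argv. */
struct allowed_cmd {
    const char *name;
    const char *path;
    char *const argv[3];
};

static const struct allowed_cmd ALLOWED[] = {
    { "uptime", "/usr/bin/uptime", { "uptime", NULL, NULL } },
    { "disk",   "/bin/df",         { "df", "-h", NULL } },
};

/* Exact-match lookup: input carrying shell syntax simply fails to match. */
const struct allowed_cmd *lookup_command(const char *name)
{
    if (name == NULL)
        return NULL;
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strcmp(name, ALLOWED[i].name) == 0)
            return &ALLOWED[i];
    return NULL;
}

/* Permanently drop set-id privileges; returns 0 only if the drop is verified. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    return (geteuid() == getuid() && getegid() == getgid()) ? 0 : -1;
}

int main(int argc, char *argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    const struct allowed_cmd *cmd = lookup_command(argc > 1 ? argv[1] : NULL);
    if (cmd == NULL) {
        fprintf(stderr, "usage: %s uptime|disk\n", argv[0]);
        return 2;
    }
    if (drop_privileges() != 0)
        return 1;
    execve(cmd->path, cmd->argv, clean_env);  /* no shell is involved */
    perror("execve");
    return 1;
}
```

The group ID is dropped before the user ID because once setuid() succeeds the process may no longer be allowed to change its group.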
