- /*
- * Copyright (C) January 1999, Matt Conover & w00w00 Security Development
- *
- * This is a typical vulnerable program. It will store user input in a
- * temporary file. argv[1] of the program will have some value used
- * somewhere else in the program. However, we can overflow our user input
- * string (i.e. the gets()), and have it overwrite the temporary file
- * pointer, to point to argv[1] (where we can put something such as
- * "/root/.rhosts", and after our garbage put a '#' so that our overflow
- * is ignored in /root/.rhosts as a comment). We'll assume this is a
- * setuid program.
- */
-
- #include <stdio.h>
- #include <stdlib.h>
- #include <unistd.h>
- #include <string.h>
- #include <errno.h>
-
- #define ERROR -1
- #define BUFSIZE 16
-
- /*
- * Run this vulprog as root or change the "vulfile" to something else.
- * Otherwise, even if the exploit works it won't have permission to
- * overwrite /root/.rhosts (the default "example").
- *
- * main() requires at least one command-line argument, reads one line
- * from stdin into the BUFSIZE-byte static buffer buf with gets(), then
- * opens the path that tmpfile points to for writing and stores the line
- * there. The read has no length limit, so the value of tmpfile is not
- * trustworthy once gets() has returned; that is the flaw this listing
- * exists to illustrate.
- *
- * Exit status: exit(ERROR) when no argument is given or fopen() fails.
- * There is no explicit return statement on the success path.
- */
-
- int main(int argc, char **argv)
- {
- FILE *tmpfd;
- static char buf[BUFSIZE], *tmpfile; /* both objects have static storage;
- * the file header relies on tmpfile sitting after buf in memory, which is
- * a compiler/linker layout detail and not something C guarantees */
-
- if (argc <= 1) /* an argument must be present, but main() itself only
- * ever reads argv[0] (for the usage message) */
- {
- fprintf(stderr, "Usage: %s <garbage>\n", argv[0]);
- exit(ERROR);
- }
-
- tmpfile = "/tmp/vulprog.tmp"; /* no, this is not a temp file vul.
- * NOTE(review): a fixed name under /tmp opened with mode "w" would still
- * merit its own review in a privileged program - confirm if reused */
- printf("before: tmpfile = %s\n", tmpfile);
-
- /* okay, now the program thinks that we have access to argv[1] */
- printf("Enter one line of data to put in %s: ", tmpfile);
- gets(buf); /* unbounded read: a line longer than BUFSIZE - 1 characters
- * is written past the end of buf, which is undefined behavior. gets() was
- * removed in C11; fgets(buf, sizeof buf, stdin) is the bounded
- * replacement (it keeps the trailing newline, which must then be
- * stripped). */
-
- printf("\nafter: tmpfile = %s\n", tmpfile); /* printed before and after
- * the read so a change in the pointer is visible */
-
- tmpfd = fopen(tmpfile, "w"); /* mode "w" creates or truncates the target;
- * the path is whatever tmpfile holds after the read above, and the open
- * runs with the process's privileges (the file header assumes setuid) */
- if (tmpfd == NULL)
- {
- fprintf(stderr, "error opening %s: %s\n", tmpfile, strerror(errno));
- exit(ERROR);
- }
-
- fputs(buf, tmpfd); /* writes up to the first NUL byte, which may lie
- * beyond buf after an over-long read; the return value is not checked */
- fclose(tmpfd); /* result not checked, so a failed flush goes unnoticed */
- } /* control reaches the end of main without a return statement; C99 and
- * later define that as returning 0 */
-