In Linux, the files under directories such as /bin/* are binary executables that let the user do day-to-day tasks. These binaries are not stored in one location but in many. To see the set of locations where the system binaries live, print your $PATH variable.
echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
That is the list of locations we have.
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    /* "ls" is a bare name, so the shell resolves it through $PATH */
    system("ls /tmp/file.dat");
    return 0;
}

Suppose you are asked what this program does. You would answer that it checks whether the file exists and, if it does, prints its name. We are interested in exploiting this, but to exploit it we need to understand the execution flow, that is, how this program actually works.
When this program is started, it calls system() to execute ls /tmp/file.dat. system() is one of the Linux system calls; it runs a shell and executes the given command in that same shell.
Since system("ls ..") executes the ls Linux utility, it is easy to guess that the shell will search its $PATH variable, exploring the directories listed there in order. If ls is found in the first one, that ls is executed; if not, the search continues with the next directory.
$PATH is a shell environment variable and can be manipulated by the user of that shell.
Suppose I create a binary file in $PWD, name it ls, and tell $PATH to use the current $PWD as the first location to search. Then, when system() starts searching for ls, it ends up with my ls. 🆒
With that, we have exploited it.
- Update $PATH to point to the current directory first: export PATH=$PWD:$PATH
- Copy some binary, say cat, into the current directory under the name ls: cp `which cat` ls
- [Optional] Check that the path is updated: which ls should give you a path under /home/vagrant, which is my current directory.
- Run the binary. 🤘
You will notice that the binary, instead of running ls, runs cat.
:smile: