mercredi 25 septembre 2019

Exploit Software Insecurity with Bash

I have an executable C program on a Linux machine. The program is intended to reveal a "secret" once the password is entered. I found an exploit that uses the backup function of the code, which does not require me to enter the (correct) password. Also, I know where the backup is saved and that the backup name is generated randomly using the time as a seed. However, I have difficulties writing a shell script which outputs the secret into the terminal.

My attempt was to make the C program create a backup. The problem, however, is writing the random number generator in bash, using the time as the seed, to get the file name of the backup. Also, using echo to output to the terminal does not seem to work.

Below is the code of the C program:

#include <stdio.h> 
#include <string.h> 
#include <unistd.h> 
#include<stdlib.h> 
#include <time.h>
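/*
 * Replace the current process with bash running `cmd` (bash -p -c cmd).
 *
 * The -p flag starts bash in privileged mode, in which bash does not reset
 * the effective user id to the real one. If this binary is installed
 * set-uid (not visible here -- confirm), the command therefore runs with
 * the file owner's privileges, so cmd must never contain text supplied by
 * the caller of the program.
 *
 * execl() returns only on failure; the error is reported on stderr and
 * control goes back to the caller.
 */
void execute(char *cmd)
{
    /* The argument list of a variadic exec call ends with a null char pointer. */
    execl("/bin/bash", "bash", "-p", "-c", cmd, (char *)NULL);
    perror("execl /bin/bash");
}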
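/*
 * Truncate `password` in place at the first character that is not a
 * lowercase ASCII letter, keeping at most 14 letters.
 *
 * The callers in this file pass 15-byte buffers, so 14 letters plus the
 * terminating NUL is the most that fits; the earlier 15-letter limit wrote
 * one byte past both the scratch buffer and the caller's buffer.
 *
 * Input is cut short rather than rejected: "abc1def" becomes "abc".
 * `password` must be NUL-terminated or at least 15 bytes long.
 */
void sanitise(char *password)
{
    enum { MAX_LETTERS = 14 };
    size_t keep = 0;

    /* A NUL byte is not a lowercase letter, so the scan also stops at the end of the string. */
    while (keep < MAX_LETTERS && password[keep] >= 'a' && password[keep] <= 'z') {
        ++keep;
    }
    password[keep] = '\0';
}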
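/*
 * Compare the supplied password with the one stored in
 * /etc/comp2700/bob/password.
 *
 * Both values are passed through sanitise() before the comparison.
 * Returns 1 on a match and 0 otherwise; prints a message and exits with
 * status 1 when the password file cannot be opened.
 */
int authenticate(char *str)
{
    char stored_password[15] = "";
    char pass[15] = "";
    char path[128] = "/etc/comp2700/bob/password";
    FILE *fpp;
    int auth = 0;

    fpp = fopen(path, "r");
    if (fpp == NULL) {
        printf("Password file %s not found\n", path);
        exit(1);
    }
    /* An empty or unreadable file leaves the stored password empty. */
    if (fgets(stored_password, sizeof stored_password, fpp) == NULL) {
        stored_password[0] = '\0';
    }
    fclose(fpp);

    /*
     * fgets() keeps the trailing newline, so the stored value is sanitised
     * too. The earlier code called sanitise() on `pass` before it was
     * initialised, presumably a slip for stored_password.
     */
    sanitise(stored_password);

    /* Bounded copy: str comes from the command line and pass is 15 bytes. */
    snprintf(pass, sizeof pass, "%s", str);
    sanitise(pass);

    /* Fail closed: an empty stored password must never authenticate anyone. */
    if (stored_password[0] != '\0' && strcmp(stored_password, pass) == 0) {
        auth = 1;
    }
    return auth;
}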

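/*
 * Usage: prog choice user password
 *   choice=1  check the password, then print the secret
 *   choice=2  run backup.sh to copy the secret into the backup folder
 *
 * Always returns 0, including after a wrong password or choice.
 */
int main(int argc, char *argv[], char *envp[])
{
    /* Use the current time as the seed for the random number generator. */
    unsigned int seed = (unsigned int)time(0);
    char user[16];
    int r;
    char command[128];
    int choice = 0;

    (void)envp; /* unused */

    if (argc < 4) {
        printf("Usage: %s choice user password\n", argv[0]);
        printf("To display the secret, use choice=1, e.g. \n\n %s 1 bob password\n\n", argv[0]);
        printf("To backup the secret, use choice=2, e.g., \n\n %s 2 bob password\n\n", argv[0]);
        return 0;
    }

    /* Bounded copy: argv[2] is caller-controlled and user holds 16 bytes. */
    snprintf(user, sizeof user, "%s", argv[2]);
    printf("Welcome, %s!\n", user);

    srand(seed);
    /* The page's listing lost this assignment inside a comment, leaving r uninitialised. */
    r = rand();

    choice = atoi(argv[1]);
    if (choice == 1) {
        if (!authenticate(argv[3])) {
            printf("Wrong password.\n");
            return 0;
        }
        execute("/bin/cat /etc/comp2700/bob/secret");
    } else if (choice == 2) {
        /*
         * Invoke the backup.sh script to copy the secret to the backup folder.
         *
         * NOTE(review): unlike choice 1, this branch never calls
         * authenticate(), and the file name comes from rand() seeded with
         * the wall-clock time, which is guessable. A hardened version would
         * check the password here as well and have the backup step create
         * its file with mkstemp() and owner-only permissions.
         */
        snprintf(command, sizeof command, "/home/bob/Public/backup.sh f%d", r);
        execute(command);
    } else {
        printf("Wrong choice.\n");
    }
    return 0;
}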

File: backup.sh
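#!/bin/bash -p
# Copy the secret into the backup folder under the file name given as $1.
# -p (privileged mode) stops bash from resetting the effective user id.
#
# NOTE(review): the copy is created with the default umask. If other users
# can read /home/bob/Public/backup, the secret is disclosed to them; setting
# `umask 077` before the copy would keep it owner-only. Confirm the intended
# permissions.

# Accept only a plain file name, so the copy cannot land outside the backup folder.
case "$1" in
    ''|*/*|.|..)
        /bin/echo "Usage: backup.sh NAME" >&2
        exit 1
        ;;
esac

/bin/echo "Copying secret..."
# Quote the target so the name is never word-split or glob-expanded.
/bin/cat /etc/comp2700/bob/secret > "/home/bob/Public/backup/$1"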

It would really help me if someone could tell me how I can get a shell script to output the secret to the terminal.

Thank you so much in advance!



