API tools faq
paste
Advertisement
BillEvansAtMariposa

20170222-01

BillEvansAtMariposa
Feb 22nd, 2017
610
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.03 KB | None | 0 0
raw download clone embed print report
  1. #include <sys/stat.h>
  2. #include <sys/types.h>
  3. #include <stdio.h>
  4. #include <stdlib.h>
  5. #include <string.h>
  6. #include <unistd.h>
  7.  
  8. int
  9. main(int ar_argc,
  10. char **ar_argv
  11. )
  12. {
  13. int lo_found_executable;
  14.  
  15. ssize_t lo_path_alpha;
  16. ssize_t lo_path_omega;
  17.  
  18. char *lo_candidate;
  19. char *lo_env_path;
  20.  
  21. struct stat lo_st;
  22.  
  23. if(geteuid()!=0)
  24. {
  25. fprintf(stderr,
  26. "%s is not setuid root yet\n",
  27. ar_argv[0]
  28. );
  29.  
  30. return 1; /* <--------- */
  31. }
  32.  
  33. if(ar_argc<2)
  34. {
  35. fprintf(stderr,
  36. "no program name was passed to %s\n",
  37. ar_argv[0]
  38. );
  39.  
  40. return 1; /* <--------- */
  41. }
  42.  
  43. lo_env_path=getenv("PATH");
  44.  
  45. if((lo_env_path==NULL) || (strlen(lo_env_path)==0))
  46. {
  47. lo_env_path=".";
  48. }
  49. if(ar_argv[1][0]=='/')
  50. {
  51. lo_env_path="/";
  52. }
  53. else
  54. if(strchr(ar_argv[1],'/'))
  55. {
  56. lo_env_path=".";
  57. }
  58.  
  59. lo_candidate=malloc(strlen(lo_env_path)+strlen(ar_argv[1])+5 /* or so */ );
  60.  
  61. if(lo_candidate==NULL)
  62. {
  63. fprintf(stderr,
  64. "%s: malloc() fail\n",
  65. ar_argv[0]
  66. );
  67.  
  68. return 1; /* <--------- */
  69. }
  70.  
  71. lo_found_executable=0;
  72. lo_path_alpha =-1;
  73.  
  74. for(;;)
  75. {
  76. if((lo_path_alpha>=0) &&
  77. (lo_env_path[lo_path_alpha]==0)
  78. )
  79. {
  80. break; /* <--------- */
  81. }
  82.  
  83. lo_path_alpha++;
  84.  
  85. lo_path_omega=lo_path_alpha;
  86.  
  87. while((lo_env_path[lo_path_omega]!=':') &&
  88. (lo_env_path[lo_path_omega]!=0)
  89. )
  90. {
  91. lo_path_omega++;
  92. }
  93.  
  94. memmove(lo_candidate,
  95. lo_env_path+lo_path_alpha,
  96. lo_path_omega-lo_path_alpha
  97. );
  98.  
  99. lo_candidate[lo_path_omega-lo_path_alpha]=0;
  100.  
  101. if(strlen(lo_candidate)==0)
  102. {
  103. strcpy(lo_candidate,
  104. "."
  105. );
  106. }
  107.  
  108. strcat(lo_candidate,
  109. "/"
  110. );
  111.  
  112. strcat(lo_candidate,
  113. ar_argv[1]
  114. );
  115.  
  116. lo_path_alpha=lo_path_omega;
  117.  
  118. /* Could we execute this guy if euid were not root? */
  119.  
  120. if(access(lo_candidate,
  121. X_OK
  122. )==0
  123. )
  124. {
  125. lo_found_executable=1;
  126.  
  127. break; /* <--------- */
  128. }
  129. }
  130.  
  131. if(!lo_found_executable)
  132. {
  133. fprintf(stderr,
  134. "%s is not executable",
  135. ar_argv[1]
  136. );
  137.  
  138. return 1; /* <--------- */
  139. }
  140.  
  141. if(lstat(lo_candidate,&lo_st))
  142. {
  143. perror("lstat()");
  144.  
  145. return 1; /* <--------- */
  146. }
  147.  
  148. if(!S_ISREG(lo_st.st_mode))
  149. {
  150. fprintf(stderr,
  151. "file %s is not a regular file\n",
  152. ar_argv[1]
  153. );
  154.  
  155. return 1; /* <--------- */
  156. }
  157.  
  158. if(lo_st.st_uid!=9999)
  159. {
  160. fprintf(stderr,
  161. "file %s is not owned by 9999\n",
  162. ar_argv[1]
  163. );
  164.  
  165. return 1; /* <--------- */
  166. }
  167.  
  168. ar_argv[1]=lo_candidate;
  169.  
  170. setreuid(0,0);
  171.  
  172. execv(ar_argv[1],ar_argv+1);
  173.  
  174. perror("execv");
  175.  
  176. return 1; /* <--------- */
  177.  
  178. } /* main() */
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!