Command Injection Vulnerability
iosifache opened this issue · comments
Hi there,

As I want to integrate ropstar into OpenCRS, I analyzed the code to better understand the implemented exploitation techniques. Although the program is meant to be used locally, I want to address a security issue that I discovered.
Description
Command injection is possible while exploiting a statically linked binary with a malicious filename.
Steps to Reproduce
- Download the source code of an exploitable binary: `wget https://raw.githubusercontent.com/TechSecCTF/pwn_challs/master/stack/bof/bof.c -O /tmp/bof.c`
- Compile: `gcc -m32 -static -fno-stack-protector /tmp/bof.c -o "/tmp/bin/bof;touch here;"`
- Run ropstar: `python3 ropstar.py -o 1 -state 1,1,1 "/tmp/bin/bof;touch here;"`
- Observe the creation of the `here` file (due to command injection): `ls here`
Patch
I already forked the repository and proposed a patch. Please see #11.
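As an added illustration (not ropstar's code, whose internals are not quoted in this report), the bug class described above in Python: a filename interpolated into a shell command string, beside two hardened forms. `echo` stands in for whatever external tool is run on the target binary, and `echo INJECTED` replaces the report's `touch here` so the example writes nothing to disk.

```python
import shlex
import subprocess

# Constructed sample: a filename carrying a shell payload, like the
# "/tmp/bin/bof;touch here;" name in the report. The payload here only echoes.
EVIL_PATH = "/tmp/bin/bof;echo INJECTED;"


def vulnerable_cmd(path: str) -> str:
    """Builds a shell command by string concatenation (the reported bug class).

    Because the string is handed to /bin/sh, the ';' inside the filename
    terminates the intended command and starts an attacker-chosen one.
    """
    return "echo " + path


def hardened_argv(path: str) -> list[str]:
    """Passes the filename as one argv element: no shell, so no re-parsing."""
    return ["echo", path]


def quoted_cmd(path: str) -> str:
    """If a shell is unavoidable, shlex.quote() makes the name a single word."""
    return "echo " + shlex.quote(path)


def run_shell(cmd: str) -> list[str]:
    """Runs a command string through /bin/sh and returns its output lines."""
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def run_argv(argv: list[str]) -> list[str]:
    """Runs an argument vector directly (no shell) and returns its output lines."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    # The vulnerable form yields two lines: the second is the injected command's output.
    print("vulnerable:", run_shell(vulnerable_cmd(EVIL_PATH)))
    # Both hardened forms yield exactly one line: the literal filename.
    print("argv:      ", run_argv(hardened_argv(EVIL_PATH)))
    print("quoted:    ", run_shell(quoted_cmd(EVIL_PATH)))
```

The same split into "command" and "injected output" is what a detection rule would key on: a child shell spawned by the tool whose command line contains the binary's path plus an unexpected second command.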