Command injection
At first sight, the input arguments seem to be parsed correctly, and an arbitrary command injection does not seem possible. However, when looking at the cmd_ping() method on line 388 of the Commands.cpp file, one can see that on line 400 the hostname is compared to a hard-coded char array. After looking up an ASCII table, one realizes that this array actually spells the string "pong".
Indeed, if the command received by the server is "ping pong", the server calls system("/usr/bin/xcalc") and a calculator is opened.
Exploit
To open a calculator one can run a server and client and type the following input on the client:
Where
https://github.com/xavierpantet/my_ass_on_your_grass/blob/5ebeb6c98d689621444de3275847f134462da9b7/src/commands/Commands.cpp#L399-L412