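/*
 * Copyright (C) January 1999, Matt Conover & w00w00 Security Development
 *
 * This is a typical vulnerable program. It will store user input in a
 * temporary file. argv[1] of the program will have some value used
 * somewhere else in the program. However, we can overflow our user input
 * string (i.e. the gets()), and have it overwrite the temporary file
 * pointer, to point to argv[1] (where we can put something such as
 * "/root/.rhosts", and after our garbage put a '#' so that our overflow
 * is ignored in /root/.rhosts as a comment). We'll assume this is a
 * setuid program.
 *
 * Review notes (defect and remediation):
 *  - Root cause: gets() writes an unbounded line into the 16-byte `buf`.
 *    `buf` and the `tmpfile` pointer are both static objects declared
 *    together, so a long line can run past `buf` into the pointer; the
 *    exact layout is decided by the compiler and linker.
 *  - Effect: the path later handed to fopen(..., "w") is no longer the
 *    fixed string the programmer assigned, and the write happens with the
 *    privileges of the process (elevated, if setuid as assumed above).
 *  - Fix: read with a bounded call, e.g. fgets(buf, sizeof buf, stdin),
 *    and strip the trailing newline. gets() was removed in C11 and
 *    toolchains commonly warn when it is used, which makes it an easy
 *    thing to search for in an audit.
 *  - Hardening for the privileged file write: drop privileges before
 *    doing file I/O, and create the file with mkstemp() or with
 *    open(O_CREAT | O_EXCL | O_NOFOLLOW) rather than fopen() on a
 *    predictable name in /tmp.
 */

/*
 * The header names were missing from this listing (five bare "#include"
 * directives). The first four below cover every library call made in
 * main(); nothing visible needs <unistd.h>, it is kept only to preserve
 * the count of five.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>

#define ERROR (-1)
#define BUFSIZE 16

/*
 * Run this vulprog as root or change the "vulfile" to something else.
 * Otherwise, even if the exploit works it won't have permission to
 * overwrite /root/.rhosts (the default "example").
 */

/*
 * Reads one line from stdin and writes it to the file named by `tmpfile`.
 *
 * argc/argv: at least one argument is required; its value is not read by
 *            this function (the header comment explains why it exists).
 * Returns 0 on success; exits with ERROR on a usage or fopen() failure.
 */
int main(int argc, char **argv)
{
    FILE *tmpfd;

    /*
     * Both objects are static, so neither lives on the stack. Declaring
     * them side by side is what the demonstration relies on.
     */
    static char buf[BUFSIZE], *tmpfile;

    if (argc <= 1) {
        /* NOTE(review): the argument placeholder after %s appears to have
         * been lost from the listing; the string is left as found. */
        fprintf(stderr, "Usage: %s \n", argv[0]);
        exit(ERROR);
    }

    tmpfile = "/tmp/vulprog.tmp"; /* no, this is not a temp file vul */
    printf("before: tmpfile = %s\n", tmpfile);

    /* okay, now the program thinks that we have access to argv[1] */
    printf("Enter one line of data to put in %s: ", tmpfile);

    /*
     * DEFECT (kept on purpose, this is the subject of the example):
     * gets() has no length argument and will write past buf[BUFSIZE].
     * The bounded replacement is fgets(buf, sizeof buf, stdin).
     */
    gets(buf);

    /* Printing the pointer again shows whether the read changed it. */
    printf("\nafter: tmpfile = %s\n", tmpfile);

    /* The path is trusted here without re-validation; see notes above. */
    tmpfd = fopen(tmpfile, "w");
    if (tmpfd == NULL) {
        fprintf(stderr, "error opening %s: %s\n", tmpfile,
                strerror(errno));
        exit(ERROR);
    }

    fputs(buf, tmpfd);
    fclose(tmpfd);

    return 0;
}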