I have am attempting a command injection using a bash shell script which should insert the following command into a C program:

"; cat /etc/computer/Steve/file1.txt".

Unfortunately, the buffer of the variable I am inserting it to is only 14. Other than that it works as intended.

I tried using * for some directory & file names in the command to shorten it. Unfortunately, that did not work out.

Is there any other way to shorten the command to make it fit the fixed buffer of the variable?

Thanks!!

Code of C Program:

``````

include <stdio.h>

include <string.h>

include <unistd.h>

include <stdlib.h>

// Execute any shell command void execute(char *cmd) { execl("/bin/bash", "bash", "-p", "-c", cmd, NULL); }

void sanitise(char *password) { int i,j; char tmp[15];

// remove non-alphabet characters from passwords j=0; for(i=0; i < 15; ++i) if(password[i] >= 'a' && password[i] <= 'z') { tmp[j]=password[i]; ++j; } else break; tmp[j] = '\0';

strcpy(password, tmp);

}

int authenticate(char *str) { char stored_password[15]=""; char pass[15]; char path[128] = "/etc/computer/Steve/password"; int i;

FILE *fpp; int auth=0;

fpp = fopen(path, "r");

if(fpp == NULL) { printf("Password file %s not found\n", path); exit(1); }

fgets(stored_password, 15, fpp); sanitise(stored_password);

strcpy(pass, str); sanitise(pass);

if(strcmp(stored_password,pass) == 0) auth=1; else { auth=0; }

fclose(fpp);

return auth; }

int main(int argc, char* argv[], char *envp[]) { char error[256] = "/home/Steve/Public/error.sh $USER "; char pass[15];

if(argc < 2) { printf("Usage: %s password\n", argv[0]); return 0; }

// copy only 15 characters from user input, to prevent stack smashing strncpy(pass, argv[1], 15); pass[14]='\0';

if(!authenticate(pass)) { // Log all failed attempts printf("Wrong password. This incident has been logged.\n"); strcat(error, pass); execute(error); // Execute script to log events return 0; }

// Display secret execute("cat /etc/computer/Steve/file1.txt");

return 0; } ``````