Thread: question regarding execl() in a C program (relates to buffer overflows)

  1. #1
    Registered User
    Join Date
    Feb 2011
    Posts
    3

    question regarding execl() in a C program (relates to buffer overflows)

    Hi. New here. I read the rules. I have a question regarding something for a lab assignment in my computer security (hacking) class... don't worry, I'm not asking for solutions -- just help with a small portion of something... I wanted to clarify that first.

    I have a program in C (I am still learning the C language btw) and I don't fully understand what is going on with the execl() function. Yes, I read the man page, web pages and also a post on this forum and understand that execl is part of the family of functions that can be used in place of the system() command and replaces the current process image, etc.... but something is still not clear to me, as I will ask about further down this post.

    So this is just a simplistic fakey program meant for us to learn how buffer overflows work, and we are supposed to basically run a command called 'chkscore' (owned by games group) (which asks for a name) to get it to overflow the str variable and overwrite other variables to make the program cat the /etc/games.passwd file instead of the /etc/games.highscore file.

    (This program works properly as is)
    My code:
    Code:
    #include <stdio.h>
    #include <string.h>    /* strcpy */
    #include <stdlib.h>
    #include <unistd.h>    /* execl */
    
    int main (int argc, char* argv[])
            {
            char cmd[1000];      /* program to run */
            int loop;
            char str[10];        /* the user's name */
            char fixer[100];     /* file passed to cmd as its argument */
    
            strcpy(cmd, "/bin/cat");
            strcpy(fixer, "/etc/games.hiscore");
    
            printf("This is the High Score Checker for some game\n");
            printf("Please enter your name\n");
    
            /* reads up to 1013 characters into a 10-byte buffer: this is the
               overflow the lab is built around, so it is left as is */
            fgets(str, 1014, stdin);
    
            printf("About to execute >%s<\n", cmd);
    
            /* path to run, then argv[0], argv[1], and the NULL terminator */
            execl(cmd, cmd, fixer, NULL);
    
            /* only reached if execl failed to replace the process image */
            perror("Exec");
            printf("Abnormal Error.  Exiting High Score Checker\n");
            }
    Now I am trying to look at the code (have been for 2 days now) and fully understand what is going on in the program as well as in memory.

    My MAIN question for this post is that I don't understand what this command is doing:
    Code:
    execl(cmd, cmd, fixer, NULL);
    I get that the program is using the execl() function and it's executing those variables... I think... It looks like it's calling cmd which will execute '/bin/cat', but why is cmd in there twice? Then it's specifying fixer which holds the /etc/games.highscore path, then the whole command is terminated with NULL.

    Any help is appreciated.
    Last edited by BASHful; 02-11-2011 at 01:12 PM.
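    The name-reading step in the program above, rewritten as a bounded read. This is an added example and not code from the original post or the lab: it passes the buffer's real capacity to fgets() instead of 1014, strips the newline, and discards the rest of an over-long line so nothing is left in the stream for a later read. The read_name_from_string() helper is an assumption for offline use; it feeds a constructed string through fmemopen() (POSIX.1-2008) in place of stdin.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>

/* Read one line into buf (capacity cap) without writing past its end.
   The lab program calls fgets(str, 1014, stdin) on a 10-byte str, so fgets
   may store far more than the array holds. Telling fgets the true capacity
   is the whole fix; the rest is tidy-up.
   Returns the number of characters stored, or -1 on EOF / read error. */
int read_name(char *buf, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) {
        return -1;                              /* EOF or error */
    }
    size_t len = strcspn(buf, "\n");            /* index of newline or NUL */
    if (buf[len] == '\n') {
        buf[len] = '\0';                        /* whole line fit: drop newline */
    } else {
        /* line was longer than cap-1 bytes: throw away the remainder so it
           cannot be consumed by the next read as if it were new input */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n') { }
    }
    return (int)len;
}

/* Test helper (assumption, not part of any real program): run read_name over
   a constructed input string instead of stdin. */
int read_name_from_string(const char *input, char *buf, size_t cap)
{
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL) return -1;
    int n = read_name(buf, cap, f);
    fclose(f);
    return n;
}
```

With a 10-byte buffer, a 36-character name is cut to 9 characters and the array's terminating NUL stays inside the array, which is exactly what the 1014 in the original prevents.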

  2. #2
    Registered User
    Join Date
    May 2010
    Location
    Naypyidaw
    Posts
    1,314
    The initial argument for these functions is the pathname of a file
    which is to be executed.

    The const char *arg and subsequent ellipses in the execl(), execlp(),
    and execle() functions can be thought of as arg0, arg1, ..., argn.
    Together they describe a list of one or more pointers to null-terminated
    strings that represent the argument list available to the executed
    program. The first argument, by convention, should point to the

    Remember int argc, char *argv[]?

  3. #3
    Salem
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,659
    Quote Originally Posted by manual page
    NAME
    execl, execlp, execle, execv, execvp - execute a file

    SYNOPSIS
    #include <unistd.h>

    extern char **environ;

    int execl(const char *path, const char *arg, ...);
    int execlp(const char *file, const char *arg, ...);
    int execle(const char *path, const char *arg,
    ..., char * const envp[]);
    int execv(const char *path, char *const argv[]);
    int execvp(const char *file, char *const argv[]);

    DESCRIPTION
    The exec() family of functions replaces the current process image with a new process image. The functions described in this manual page are front-
    ends for execve(2). (See the manual page for execve(2) for further details about the replacement of the current process image.)

    The initial argument for these functions is the pathname of a file which is to be executed.

    The const char *arg and subsequent ellipses in the execl(), execlp(), and execle() functions can be thought of as arg0, arg1, ..., argn. Together
    they describe a list of one or more pointers to null-terminated strings that represent the argument list available to the executed program. The
    first argument, by convention, should point to the filename associated with the file being executed. The list of arguments must be terminated by a
    NULL pointer, and, since these are variadic functions, this pointer must be cast (char *) NULL.
    By convention, argv[0] is the command name you're executing.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  4. #4
    Registered User
    Join Date
    Feb 2011
    Posts
    3
    Still not 100% sure if I understand that... I mean I sort of understand what all that argv stuff is about... accepting character input from the user's input and storing it into an array...

    so in "execl(cmd, cmd, fixer, NULL);", is the first cmd basically not ignored and the second one gets read and executed?


    EDIT:

    Also, how are the variables allocated in memory? I have been reading a lot of stuff but it's not exactly clear to me as there are a lot of little abstract things involved with every example.

    For this particular program, cmd[1000] is allocated first right? Then loop; then str[10]; then fixer[100]; correct?

    So is this an accurate representation?:
    Code:
    ----------------------------------------
    Start of memory 0 - bytes
    ----------------------------------------
    1. 1000 bytes allocated for cmd
    ----------------------------------------
    2. whatever for loop
    ----------------------------------------
    3. 10 bytes allocated for str
    ----------------------------------------
    4. 100 bytes for fixer
    ----------------------------------------
    End of memory - 1110+ bytes
    ----------------------------------------
    so... if I were to overflow str, it would only spill over into fixer, right?
    Last edited by BASHful; 02-11-2011 at 02:36 PM.

  5. #5
    Salem
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,659
    No, try this program
    Code:
    #include <stdio.h>

    int main ( int argc, char *argv[] ) {
      int i;
      /* print every argument the shell (or an exec call) handed us */
      for ( i = 0 ; i < argc ; i++ ) printf("%d: %s\n", i, argv[i] );
      return 0;
    }
    Notice what argv[0] is when you run it from your shell, and from the normal shell you're using.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.
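    A runnable illustration of the point made in #3 and #5, added here as an example and not taken from the thread: the first parameter of execl() is the file that actually runs, and the second is only argv[0], a label the new program receives and which the caller can set to anything. The child runs /bin/sh (assumed to exist, as on any POSIX system) with a chosen argv[0]; sh exposes its argv[0] as $0, so a one-line script compares $0 with the expected label and exits 0 on a match or 1 otherwise.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Start /bin/sh with argv[0] set to argv0 and have it test whether $0
   equals `expected`. Returns the child's exit status (0 = match, 1 = no
   match, 127 = exec failed) or -1 if fork/wait failed. */
int run_sh_with_argv0(const char *argv0, const char *expected)
{
    char script[256];
    /* the script the child shell will run; expected is a constructed label */
    snprintf(script, sizeof script, "[ \"$0\" = \"%s\" ]", expected);

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* path = /bin/sh, argv[0] = argv0 (our choice, not the path),
           argv[1] = "-c", argv[2] = script, then the required NULL cast */
        execl("/bin/sh", argv0, "-c", script, (char *)NULL);
        _exit(127);                          /* only reached if execl failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* same executable both times; only the label passed as argv[0] differs */
    printf("argv[0]=\"hiscore\", expect \"hiscore\": %d\n",
           run_sh_with_argv0("hiscore", "hiscore"));
    printf("argv[0]=\"hiscore\", expect \"/bin/sh\": %d\n",
           run_sh_with_argv0("hiscore", "/bin/sh"));
    return 0;
}
```

So in the lab program execl(cmd, cmd, fixer, NULL) runs the file named by the first cmd and passes the second cmd as argv[0] purely by convention. The executed program only ever sees the label, which is why a program should not rely on argv[0] to learn where it was started from or who started it.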

  6. #6
    Registered User
    Join Date
    Feb 2011
    Posts
    3
    Quote Originally Posted by Salem View Post
    No, try this program
    Code:
    #include <stdio.h>

    int main ( int argc, char *argv[] ) {
      int i;
      /* print every argument the shell (or an exec call) handed us */
      for ( i = 0 ; i < argc ; i++ ) printf("%d: %s\n", i, argv[i] );
      return 0;
    }
    Notice what argv[0] is when you run it from your shell, and from the normal shell you're using.
    I compiled that to arg and when I run it, argv[0] is "./arg". So in my program in the original post, argv[0] will be whatever I put in for str, won't it?
