Daemon02 is a classic example of command injection vulnerability. It is a daemon listening on five ports from 2221 to 2225 which receives input from users, parse it into command, then execute that command on the host system. Available commands are:
* help: print help banner
* status
* procs
The interesting one is procs. When receiving "procs
Vulnerability
As you can see, part of the input string is used at the end of the command line string, so there's maybe a chance for command injection here, if somehow we can bypass the metacharacters checking. Indeed we can ;).
daemon02 checks for metacharacters using strchr(3) whose prototype is "char *strchr(const char *s, int c);". Basically it returns a pointer to the first occurrence of the character c in the string s. As you may already know, strchr(3) performs on NULL-terminated string which means it stops processing if it encounters a NULL byte in the input string s.
daemon02 got its input from the network by calling fgets(3) which means we can throw NULL bytes to it. What if we gives it something like "procs\x00;id"? ;). strchr(3) will fail to see ";" which eventually allows us to execute something like this in the host system: "proc ax | grep -v root | grep -v nobody | grep -v apache | grep -v ;id". How about changing "id" to something more relevant like reading a flag?
Exploit
Exploit is very easy, just a couple of python lines:
sock.send('procs\x00;cat /etc/flags/flag02\n')
s = sock.recv(1024)
print s
