Created
December 2, 2018 21:45
sys_getdents filename extraction
/* Must precede every include: exposes syscall() and O_DIRECTORY under strict -std= modes. */
#define _GNU_SOURCE

#include <dirent.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
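/*
 * Record layout written into the caller's buffer by the legacy getdents
 * system call (see getdents(2)). Records are variable length: d_reclen gives
 * the size of the whole record, including the padding after the name.
 */
struct linux_dirent {
    unsigned long d_ino;     /* inode number */
    unsigned long d_off;     /* offset to the next record */
    unsigned short d_reclen; /* length of this record in bytes */
    char d_name[];           /* NUL-terminated file name */
};

/*
 * List the entries of ./passwd/ by calling SYS_getdents directly and walking
 * the returned records by hand.
 *
 * Returns 0 once the whole directory has been listed, -1 if open() or the
 * system call fails or if a record does not fit inside the bytes returned.
 */
int main(void)
{
    enum { BUFFER_SIZE = 1024 };

    /*
     * Field offsets come from the struct rather than the literals 16 and 18,
     * which are only correct where unsigned long is 8 bytes wide.
     */
    const size_t reclen_off = offsetof(struct linux_dirent, d_reclen);
    const size_t name_off = offsetof(struct linux_dirent, d_name);

    char buffer[BUFFER_SIZE];
    int rc = -1;
    int fd;

    if ((fd = open("./passwd/", O_RDONLY | O_DIRECTORY)) == -1) {
        printf("[!] open() failed\n");
        return -1;
    }

    /*
     * One call returns only as many records as fit in the buffer, so keep
     * calling until the kernel reports end of directory with 0.
     * NOTE(review): SYS_getdents is not defined on every architecture; some
     * only provide SYS_getdents64, which uses a different record layout.
     */
    for (;;) {
        long nread = syscall(SYS_getdents, fd, buffer, (long)sizeof buffer);

        if (nread == -1) {
            printf("[!] syscall failed()\n");
            goto out;
        }
        if (nread == 0) {
            rc = 0;
            break;
        }

        printf("[+] read %d bytes using SYS_getdents.\n", (int)nread);
        printf("[+] start extraction of filenames.\n");

        size_t avail = (size_t)nread;
        size_t pos = 0;

        while (pos < avail) {
            unsigned short reclen;

            /* The fixed header plus at least one name byte must be present. */
            if (avail - pos <= name_off) {
                printf("[!] malformed directory record\n");
                goto out;
            }

            /* memcpy avoids an unaligned, type-punned read of d_reclen. */
            memcpy(&reclen, buffer + pos + reclen_off, sizeof reclen);

            /*
             * A record shorter than its own header would stall the walk
             * (reclen 0 loops forever); a longer one would run past the data.
             */
            if (reclen <= name_off || reclen > avail - pos) {
                printf("[!] malformed directory record\n");
                goto out;
            }

            /* Bound the print to the record so a missing NUL cannot overrun. */
            printf("%.*s\n", (int)(reclen - name_off), buffer + pos + name_off);

            pos += reclen;
        }
    }

out:
    close(fd);
    return rc;
}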