sunwayforever/test.c

## test.c
#include <sys/auxv.h>
#include <elf.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <dlfcn.h>

void my_abort() {
    printf("abort hijacked\n");
    exit(-1);
}

int main(int argc, char *argv[]) {
    Elf32_Phdr * phdr = (Elf32_Phdr *)getauxval(AT_PHDR);
    int phnum = getauxval(AT_PHNUM);
    printf("%d\n", phnum);
    int i = 0;
    int load_bias = 0;
    Elf32_Dyn * p_dynamic = 0;
    for (i = 0; i < phnum; i++) {
        Elf32_Phdr curr_phdr = phdr[i];
        printf("program header type: %d\n", curr_phdr.p_type);
        if (curr_phdr.p_type == PT_PHDR) {
            load_bias = (int) (phdr) - (int)(curr_phdr.p_vaddr);
            continue;
        }

        if (curr_phdr.p_type == PT_DYNAMIC) {
            printf("found PT_DYNAMIC, vaddr: %x\n", curr_phdr.p_vaddr);
            p_dynamic = (Elf32_Dyn *)(load_bias + (int)curr_phdr.p_vaddr);
            break;
        }
    }
    printf(".dynamic at %p\n", p_dynamic);
    printf("libc::abort is at %p\n", &abort);
    void *abort2 = dlsym(RTLD_DEFAULT, "abort");
    printf("libc::abort using dlsym is at %p\n", abort2);
    printf("d_tag: %d\n", p_dynamic->d_tag);
    int *got = 0;
    while (p_dynamic->d_tag != DT_NULL) {
        printf("d_tag: %d\n", p_dynamic->d_tag);
        if (p_dynamic->d_tag == DT_PLTGOT) {
            got = (int *)(p_dynamic->d_un.d_ptr + load_bias);
            printf("found GOT at %p\n", got);
            break;
        }
        p_dynamic++;
    }

    while (*got != (int)&abort) {
        got++;
    }
    printf("abort is at %p\n", got);
    *got = (int)&my_abort;
    printf("abort is hijacked using %x\n", *got);
    abort();
}

/* Android.mk */
/*
 * LOCAL_PATH:= $(call my-dir)
 *
 * include $(CLEAR_VARS)
 *
 * LOCAL_SRC_FILES:= test.c
 * LOCAL_CFLAGS := -Wno-error-unused-parameter
 * LOCAL_MODULE:= hello
 * LOCAL_MULTILIB := 32
 * LOCAL_LDFLAGS := -Wl,-z,norelro
 * include $(BUILD_EXECUTABLE)
 */
	#include <sys/auxv.h>
	#include <elf.h>
	#include <stdio.h>
	#include <unistd.h>
	#include <stdlib.h>
	#include <dlfcn.h>

	void my_abort() {
	printf("abort hijacked\n");
	exit(-1);
	}

	int main(int argc, char *argv[]) {
	Elf32_Phdr * phdr = (Elf32_Phdr *)getauxval(AT_PHDR);
	int phnum = getauxval(AT_PHNUM);
	printf("%d\n", phnum);
	int i = 0;
	int load_bias = 0;
	Elf32_Dyn * p_dynamic = 0;
	for (i = 0; i < phnum; i++) {
	Elf32_Phdr curr_phdr = phdr[i];
	printf("program header type: %d\n", curr_phdr.p_type);
	if (curr_phdr.p_type == PT_PHDR) {
	load_bias = (int) (phdr) - (int)(curr_phdr.p_vaddr);
	continue;
	}

	if (curr_phdr.p_type == PT_DYNAMIC) {
	printf("found PT_DYNAMIC, vaddr: %x\n", curr_phdr.p_vaddr);
	p_dynamic = (Elf32_Dyn *)(load_bias + (int)curr_phdr.p_vaddr);
	break;
	}
	}
	printf(".dynamic at %p\n", p_dynamic);
	printf("libc::abort is at %p\n", &abort);
	void *abort2 = dlsym(RTLD_DEFAULT, "abort");
	printf("libc::abort using dlsym is at %p\n", abort2);
	printf("d_tag: %d\n", p_dynamic->d_tag);
	int *got = 0;
	while (p_dynamic->d_tag != DT_NULL) {
	printf("d_tag: %d\n", p_dynamic->d_tag);
	if (p_dynamic->d_tag == DT_PLTGOT) {
	got = (int *)(p_dynamic->d_un.d_ptr + load_bias);
	printf("found GOT at %p\n", got);
	break;
	}
	p_dynamic++;
	}

	while (*got != (int)&abort) {
	got++;
	}
	printf("abort is at %p\n", got);
	*got = (int)&my_abort;
	printf("abort is hijacked using %x\n", *got);
	abort();
	}

	/* Android.mk */
	/*
	* LOCAL_PATH:= $(call my-dir)
	*
	* include $(CLEAR_VARS)
	*
	* LOCAL_SRC_FILES:= test.c
	* LOCAL_CFLAGS := -Wno-error-unused-parameter
	* LOCAL_MODULE:= hello
	* LOCAL_MULTILIB := 32
	* LOCAL_LDFLAGS := -Wl,-z,norelro
	* include $(BUILD_EXECUTABLE)
	*/