// gcc -m32 -masm=intel -ffreestanding -nostdlib -static test.c -o test
#ifndef __i386__
#define __i386__
#endif
#include <syscall.h>
#include <stdio.h>
#include <asm/ldt.h>
#include <errno.h>
#include <sys/mman.h>
/* Raw Linux i386 system-call trampoline (implemented in the asm block below).
 * Takes the syscall number followed by up to six arguments and returns the
 * kernel's result, or -1 with __errno updated when the kernel reports an error. */
int syscall(int nr, ...);

/* Backing store for errno in this freestanding (-nostdlib) build; the local
 * __errno_location() below hands out its address. */
int __errno;
/* Freestanding stand-in for libc's __errno_location(): errno is the
 * file-scope variable __errno, so every errno access resolves to it.
 * Returns a pointer to that variable; never NULL. */
int *__errno_location()
{
    int *slot = &__errno;
    return slot;
}
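/*
 * syscall(nr, a1..a6): i386 Linux system-call trampoline (int 0x80).
 *
 * Stack on entry (cdecl): [esp] = return address, [esp+4] = nr, then the
 * arguments.  After the four callee-saved pushes below (ebp, ebx, esi, edi,
 * 16 bytes) nr is at [esp+0x14] and the arguments at +0x18 .. +0x2c.  All six
 * argument slots are always loaded, so for calls that pass fewer arguments the
 * extra registers hold whatever is on the caller's stack; the kernel ignores
 * registers a given syscall does not use.
 *
 * Return: the raw kernel result on success.  The kernel signals failure by
 * returning -errno in eax (values -4095..-1, i.e. unsigned > 0xfffff000).
 * In that case the value is negated and stored through __errno_location()
 * so errno holds the positive code (the original stored -errno), and -1 is
 * returned, matching the libc convention.
 *
 * .pushsection/.popsection pin the code to .text regardless of which section
 * the compiler is emitting into at this point of the file.
 */
asm(
".pushsection .text, \"ax\", @progbits\n"
"syscall:\n"
" push ebp\n"
" push ebx\n"
" push esi\n"
" push edi\n"
" mov eax, [esp + 0x14]\n"   /* syscall number */
" mov ebx, [esp + 0x18]\n"   /* arg 1 */
" mov ecx, [esp + 0x1c]\n"   /* arg 2 */
" mov edx, [esp + 0x20]\n"   /* arg 3 */
" mov esi, [esp + 0x24]\n"   /* arg 4 */
" mov edi, [esp + 0x28]\n"   /* arg 5 */
" mov ebp, [esp + 0x2c]\n"   /* arg 6 */
" int 0x80\n"
" cmp eax, 0xfffff000\n"     /* -4095..-1 => error */
" ja .Lerr\n"
".Lret:\n"
" pop edi\n"
" pop esi\n"
" pop ebx\n"
" pop ebp\n"
" ret\n"
".Lerr:\n"
" neg eax\n"                 /* -errno -> errno */
" mov esi, eax\n"            /* esi is callee-saved, so it survives the call */
" call __errno_location\n"
" mov [eax], esi\n"
" mov eax, -1\n"
" jmp .Lret\n"
".popsection\n"
);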
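/*
 * Entry point (no libc): checks that a GDT TLS slot installed with
 * set_thread_area can be addressed through a GS segment override.
 *
 *   1. map one anonymous page;
 *   2. describe it as a 32-bit data segment and let the kernel pick a free
 *      TLS entry (entry_number = -1; the kernel writes the chosen index back);
 *   3. load GS with the resulting selector (GDT, RPL 3);
 *   4. store a marker through the flat mapping and read it back via gs:0x14.
 *
 * Exit status: 0 on success, 1 if mmap2 or set_thread_area fails, 2 if the
 * value read through GS does not match the one written.
 */
void _start() {
    /* The page is only read and written, never executed: map it RW, not RWX. */
    void *addr = (void *)syscall(SYS_mmap2, 0, 0x1000, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (addr == MAP_FAILED) syscall(SYS_exit, 1);

    struct user_desc u_info = {
        .entry_number = -1,     /* kernel chooses a free TLS slot */
        .base_addr = (int)addr,
        .limit = 0xfff,         /* byte granularity: exactly the 4 KiB mapped */
        .seg_32bit = 1,
        .contents = 0,          /* data segment, expand-up */
        .read_exec_only = 0,    /* writable */
        .limit_in_pages = 0,    /* page granularity would cover 16 MiB, far past the mapping */
        .seg_not_present = 0,
        .useable = 1
    };
    if (syscall(SYS_set_thread_area, &u_info) < 0) syscall(SYS_exit, 1);

    /* Selector = index << 3 | TI=0 (GDT) | RPL=3.  The "memory" clobber keeps
     * the compiler from moving memory accesses across the segment reload. */
    asm volatile("mov gs, %0" :: "r"(u_info.entry_number * 8 + 3) : "memory");

    /* NOTE(review): gs:0x14 is also the slot the i386 stack protector reads.
     * If the toolchain enables -fstack-protector by default, this function's
     * prologue touches gs:0x14 before GS is loaded; build with
     * -fno-stack-protector if that faults -- confirm on the target. */
    *(int *)((char *)addr + 0x14) = 0xdeadbeef;

    int ret;
    /* "memory" orders the plain store above before the asm read; without it
     * the compiler may legally sink the store past the volatile asm. */
    asm volatile("mov %0, gs:0x14" : "=r"(ret) : : "memory");
    if (ret != 0xdeadbeef) syscall(SYS_exit, 2);
    syscall(SYS_exit, 0);
}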