Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #define _GNU_SOURCE
- #include <endian.h>
- #include <fcntl.h>
- #include <stdint.h>
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
- #include <sys/stat.h>
- #include <sys/syscall.h>
- #include <sys/types.h>
- #include <unistd.h>
- static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
- {
- if (a0 == 0xc || a0 == 0xb) {
- char buf[128];
- sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1,
- (uint8_t)a2);
- return open(buf, O_RDWR, 0);
- } else {
- char buf[1024];
- char* hash;
- strncpy(buf, (char*)a0, sizeof(buf) - 1);
- buf[sizeof(buf) - 1] = 0;
- while ((hash = strchr(buf, '#'))) {
- *hash = '0' + (char)(a1 % 10);
- a1 /= 10;
- }
- return open(buf, a2, 0);
- }
- }
- uint64_t r[1] = {0xffffffffffffffff};
- int main(void)
- {
- syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
- /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
- /*offset=*/0ul);
- syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
- /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
- /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
- /*offset=*/0ul);
- syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
- /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
- /*offset=*/0ul);
- intptr_t res = 0;
- res = -1;
- res = syz_open_dev(/*dev=*/0xc, /*major=*/4, /*minor=*/1);
- if (res != -1)
- r[0] = res;
- *(uint16_t*)0x20000000 = 0x5d06;
- *(uint16_t*)0x20000002 = 0;
- *(uint16_t*)0x20000004 = 0;
- *(uint16_t*)0x20000006 = 0;
- syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0x5414, /*arg=*/0x20000000ul);
- return 0;
- }
Advertisement
Add Comment
Please, Sign In to add comment
