API tools faq
paste
zzqq0103

Untitled

zzqq0103
Mar 15th, 2024
94
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 20.26 KB | None | 0 0
raw download clone embed print report
  1.  
  2. #define _GNU_SOURCE
  3.  
  4. #include <arpa/inet.h>
  5. #include <endian.h>
  6. #include <errno.h>
  7. #include <net/if.h>
  8. #include <netinet/in.h>
  9. #include <stdbool.h>
  10. #include <stdint.h>
  11. #include <stdio.h>
  12. #include <stdlib.h>
  13. #include <string.h>
  14. #include <sys/socket.h>
  15. #include <sys/syscall.h>
  16. #include <sys/types.h>
  17. #include <unistd.h>
  18.  
  19. #include <linux/genetlink.h>
  20. #include <linux/if_addr.h>
  21. #include <linux/if_link.h>
  22. #include <linux/in6.h>
  23. #include <linux/neighbour.h>
  24. #include <linux/net.h>
  25. #include <linux/netlink.h>
  26. #include <linux/rtnetlink.h>
  27. #include <linux/veth.h>
  28.  
  29. #define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
  30. #define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
  31. *(type*)(addr) = \
  32. htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
  33. (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
  34.  
  35. struct csum_inet {
  36. uint32_t acc;
  37. };
  38.  
  39. static void csum_inet_init(struct csum_inet* csum)
  40. {
  41. csum->acc = 0;
  42. }
  43.  
  44. static void csum_inet_update(struct csum_inet* csum, const uint8_t* data,
  45. size_t length)
  46. {
  47. if (length == 0)
  48. return;
  49. size_t i = 0;
  50. for (; i < length - 1; i += 2)
  51. csum->acc += *(uint16_t*)&data[i];
  52. if (length & 1)
  53. csum->acc += le16toh((uint16_t)data[length - 1]);
  54. while (csum->acc > 0xffff)
  55. csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
  56. }
  57.  
  58. static uint16_t csum_inet_digest(struct csum_inet* csum)
  59. {
  60. return ~csum->acc;
  61. }
  62.  
  63. struct nlmsg {
  64. char* pos;
  65. int nesting;
  66. struct nlattr* nested[8];
  67. char buf[4096];
  68. };
  69.  
  70. static void netlink_init(struct nlmsg* nlmsg, int typ, int flags,
  71. const void* data, int size)
  72. {
  73. memset(nlmsg, 0, sizeof(*nlmsg));
  74. struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  75. hdr->nlmsg_type = typ;
  76. hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
  77. memcpy(hdr + 1, data, size);
  78. nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
  79. }
  80.  
  81. static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data,
  82. int size)
  83. {
  84. struct nlattr* attr = (struct nlattr*)nlmsg->pos;
  85. attr->nla_len = sizeof(*attr) + size;
  86. attr->nla_type = typ;
  87. if (size > 0)
  88. memcpy(attr + 1, data, size);
  89. nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
  90. }
  91.  
  92. static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type,
  93. int* reply_len, bool dofail)
  94. {
  95. if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
  96. exit(1);
  97. struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  98. hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
  99. struct sockaddr_nl addr;
  100. memset(&addr, 0, sizeof(addr));
  101. addr.nl_family = AF_NETLINK;
  102. ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0,
  103. (struct sockaddr*)&addr, sizeof(addr));
  104. if (n != (ssize_t)hdr->nlmsg_len) {
  105. if (dofail)
  106. exit(1);
  107. return -1;
  108. }
  109. n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
  110. if (reply_len)
  111. *reply_len = 0;
  112. if (n < 0) {
  113. if (dofail)
  114. exit(1);
  115. return -1;
  116. }
  117. if (n < (ssize_t)sizeof(struct nlmsghdr)) {
  118. errno = EINVAL;
  119. if (dofail)
  120. exit(1);
  121. return -1;
  122. }
  123. if (hdr->nlmsg_type == NLMSG_DONE)
  124. return 0;
  125. if (reply_len && hdr->nlmsg_type == reply_type) {
  126. *reply_len = n;
  127. return 0;
  128. }
  129. if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
  130. errno = EINVAL;
  131. if (dofail)
  132. exit(1);
  133. return -1;
  134. }
  135. if (hdr->nlmsg_type != NLMSG_ERROR) {
  136. errno = EINVAL;
  137. if (dofail)
  138. exit(1);
  139. return -1;
  140. }
  141. errno = -((struct nlmsgerr*)(hdr + 1))->error;
  142. return -errno;
  143. }
  144.  
  145. static int netlink_query_family_id(struct nlmsg* nlmsg, int sock,
  146. const char* family_name, bool dofail)
  147. {
  148. struct genlmsghdr genlhdr;
  149. memset(&genlhdr, 0, sizeof(genlhdr));
  150. genlhdr.cmd = CTRL_CMD_GETFAMILY;
  151. netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
  152. netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name,
  153. strnlen(family_name, GENL_NAMSIZ - 1) + 1);
  154. int n = 0;
  155. int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
  156. if (err < 0) {
  157. return -1;
  158. }
  159. uint16_t id = 0;
  160. struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN +
  161. NLMSG_ALIGN(sizeof(genlhdr)));
  162. for (; (char*)attr < nlmsg->buf + n;
  163. attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
  164. if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
  165. id = *(uint16_t*)(attr + 1);
  166. break;
  167. }
  168. }
  169. if (!id) {
  170. errno = EINVAL;
  171. return -1;
  172. }
  173. recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
  174. return id;
  175. }
  176.  
  177. static long syz_genetlink_get_family_id(volatile long name,
  178. volatile long sock_arg)
  179. {
  180. int fd = sock_arg;
  181. if (fd < 0) {
  182. fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  183. if (fd == -1) {
  184. return -1;
  185. }
  186. }
  187. struct nlmsg nlmsg_tmp;
  188. int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false);
  189. if ((int)sock_arg < 0)
  190. close(fd);
  191. if (ret < 0) {
  192. return -1;
  193. }
  194. return ret;
  195. }
  196.  
  197. uint64_t r[8] = {0xffffffffffffffff, 0x0,
  198. 0xffffffffffffffff, 0xffffffffffffffff,
  199. 0xffffffffffffffff, 0xffffffffffffffff,
  200. 0xffffffffffffffff, 0xffffffffffffffff};
  201.  
  202. int main(void)
  203. {
  204. syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
  205. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  206. /*offset=*/0ul);
  207. syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
  208. /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
  209. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  210. /*offset=*/0ul);
  211. syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
  212. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  213. /*offset=*/0ul);
  214. intptr_t res = 0;
  215. res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0x10);
  216. if (res != -1)
  217. r[0] = res;
  218. memcpy((void*)0x200000c0, "nl80211\000", 8);
  219. res = -1;
  220. res = syz_genetlink_get_family_id(/*name=*/0x200000c0, /*fd=*/-1);
  221. if (res != -1)
  222. r[1] = res;
  223. *(uint64_t*)0x20000900 = 0;
  224. *(uint32_t*)0x20000908 = 0;
  225. *(uint64_t*)0x20000910 = 0x200008c0;
  226. *(uint64_t*)0x200008c0 = 0x20000380;
  227. *(uint32_t*)0x20000380 = 0x24;
  228. *(uint16_t*)0x20000384 = r[1];
  229. *(uint16_t*)0x20000386 = 1;
  230. *(uint32_t*)0x20000388 = 0;
  231. *(uint32_t*)0x2000038c = 0;
  232. *(uint8_t*)0x20000390 = 0x31;
  233. *(uint8_t*)0x20000391 = 0;
  234. *(uint16_t*)0x20000392 = 0;
  235. *(uint16_t*)0x20000394 = 8;
  236. *(uint16_t*)0x20000396 = 1;
  237. *(uint32_t*)0x20000398 = 0;
  238. *(uint16_t*)0x2000039c = 8;
  239. *(uint16_t*)0x2000039e = 3;
  240. *(uint32_t*)0x200003a0 = 0;
  241. *(uint64_t*)0x200008c8 = 0x24;
  242. *(uint64_t*)0x20000918 = 1;
  243. *(uint64_t*)0x20000920 = 0;
  244. *(uint64_t*)0x20000928 = 0;
  245. *(uint32_t*)0x20000930 = 0;
  246. syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/0x20000900ul, /*f=*/0ul);
  247. memcpy((void*)0x20000300, "ethtool\000", 8);
  248. syz_genetlink_get_family_id(/*name=*/0x20000300, /*fd=*/r[0]);
  249. syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x89f0, /*arg=*/0ul);
  250. memcpy((void*)0x20000040, "/proc/partitions\000", 17);
  251. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000040ul,
  252. /*flags=*/0ul, /*mode=*/0ul);
  253. if (res != -1)
  254. r[2] = res;
  255. res = -1;
  256. res = syz_genetlink_get_family_id(/*name=*/0, /*fd=*/r[2]);
  257. if (res != -1)
  258. r[3] = res;
  259. memcpy((void*)0x20000540, "team0\000\000\000\000\000\000\000\000\000\000\000",
  260. 16);
  261. res = syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x8933, /*arg=*/0x20000540ul);
  262. if (res != -1)
  263. r[4] = *(uint32_t*)0x20000550;
  264. memcpy((void*)0x20000600, "syztnl2\000\000\000\000\000\000\000\000\000", 16);
  265. *(uint64_t*)0x20000610 = 0x20000580;
  266. memcpy((void*)0x20000580, "syztnl2\000\000\000\000\000\000\000\000\000", 16);
  267. *(uint32_t*)0x20000590 = 0;
  268. *(uint8_t*)0x20000594 = 4;
  269. *(uint8_t*)0x20000595 = -1;
  270. *(uint8_t*)0x20000596 = 0;
  271. *(uint32_t*)0x20000598 = htobe32(0x5fd23cba);
  272. *(uint32_t*)0x2000059c = 0x50;
  273. *(uint8_t*)0x200005a0 = 0xfe;
  274. *(uint8_t*)0x200005a1 = 0x88;
  275. memset((void*)0x200005a2, 0, 12);
  276. *(uint8_t*)0x200005ae = 1;
  277. *(uint8_t*)0x200005af = 1;
  278. *(uint64_t*)0x200005b0 = htobe64(0);
  279. *(uint64_t*)0x200005b8 = htobe64(1);
  280. *(uint16_t*)0x200005c0 = htobe16(0x8000);
  281. *(uint16_t*)0x200005c2 = htobe16(8);
  282. *(uint32_t*)0x200005c4 = htobe32(0x3f);
  283. *(uint32_t*)0x200005c8 = htobe32(3);
  284. res = syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0x89f0, /*arg=*/0x20000600ul);
  285. if (res != -1)
  286. r[5] = *(uint32_t*)0x20000590;
  287. memcpy((void*)0x20000700, "tunl0\000\000\000\000\000\000\000\000\000\000\000",
  288. 16);
  289. *(uint64_t*)0x20000710 = 0x20000640;
  290. memcpy((void*)0x20000640, "gretap0\000\000\000\000\000\000\000\000\000", 16);
  291. *(uint32_t*)0x20000650 = 0;
  292. *(uint16_t*)0x20000654 = htobe16(1);
  293. *(uint16_t*)0x20000656 = htobe16(0);
  294. *(uint32_t*)0x20000658 = htobe32(0);
  295. *(uint32_t*)0x2000065c = htobe32(0x100);
  296. STORE_BY_BITMASK(uint8_t, , 0x20000660, 0x19, 0, 4);
  297. STORE_BY_BITMASK(uint8_t, , 0x20000660, 4, 4, 4);
  298. STORE_BY_BITMASK(uint8_t, , 0x20000661, 1, 0, 2);
  299. STORE_BY_BITMASK(uint8_t, , 0x20000661, 7, 2, 6);
  300. *(uint16_t*)0x20000662 = htobe16(0x64);
  301. *(uint16_t*)0x20000664 = htobe16(0x68);
  302. *(uint16_t*)0x20000666 = htobe16(0);
  303. *(uint8_t*)0x20000668 = 0;
  304. *(uint8_t*)0x20000669 = 0x29;
  305. *(uint16_t*)0x2000066a = htobe16(0);
  306. *(uint32_t*)0x2000066c = htobe32(-1);
  307. *(uint32_t*)0x20000670 = htobe32(0x64010100);
  308. *(uint8_t*)0x20000674 = 0x44;
  309. *(uint8_t*)0x20000675 = 0x20;
  310. *(uint8_t*)0x20000676 = 0x14;
  311. STORE_BY_BITMASK(uint8_t, , 0x20000677, 0, 0, 4);
  312. STORE_BY_BITMASK(uint8_t, , 0x20000677, 4, 4, 4);
  313. *(uint32_t*)0x20000678 = htobe32(7);
  314. *(uint32_t*)0x2000067c = htobe32(9);
  315. *(uint32_t*)0x20000680 = htobe32(0xcdd);
  316. *(uint32_t*)0x20000684 = htobe32(9);
  317. *(uint32_t*)0x20000688 = htobe32(7);
  318. *(uint32_t*)0x2000068c = htobe32(0x81);
  319. *(uint32_t*)0x20000690 = htobe32(0x8000);
  320. *(uint8_t*)0x20000694 = 1;
  321. *(uint8_t*)0x20000695 = 0x44;
  322. *(uint8_t*)0x20000696 = 0x14;
  323. *(uint8_t*)0x20000697 = 0x2b;
  324. STORE_BY_BITMASK(uint8_t, , 0x20000698, 1, 0, 4);
  325. STORE_BY_BITMASK(uint8_t, , 0x20000698, 9, 4, 4);
  326. *(uint32_t*)0x20000699 = htobe32(0xe0000001);
  327. *(uint32_t*)0x2000069d = htobe32(0);
  328. *(uint32_t*)0x200006a1 = htobe32(0xa010101);
  329. *(uint32_t*)0x200006a5 = htobe32(0xfffff001);
  330. *(uint8_t*)0x200006a9 = 7;
  331. *(uint8_t*)0x200006aa = 0x1b;
  332. *(uint8_t*)0x200006ab = 0;
  333. *(uint32_t*)0x200006ac = htobe32(-1);
  334. *(uint8_t*)0x200006b0 = 0xac;
  335. *(uint8_t*)0x200006b1 = 0x14;
  336. *(uint8_t*)0x200006b2 = 0x14;
  337. *(uint8_t*)0x200006b3 = 0xaa;
  338. *(uint8_t*)0x200006b4 = 0xac;
  339. *(uint8_t*)0x200006b5 = 0x1e;
  340. *(uint8_t*)0x200006b6 = 0;
  341. *(uint8_t*)0x200006b7 = 1;
  342. *(uint32_t*)0x200006b8 = htobe32(-1);
  343. *(uint8_t*)0x200006bc = 0xac;
  344. *(uint8_t*)0x200006bd = 0x1e;
  345. *(uint8_t*)0x200006be = 0;
  346. *(uint8_t*)0x200006bf = 1;
  347. *(uint32_t*)0x200006c0 = htobe32(0xe0000001);
  348. struct csum_inet csum_1;
  349. csum_inet_init(&csum_1);
  350. csum_inet_update(&csum_1, (const uint8_t*)0x20000660, 100);
  351. *(uint16_t*)0x2000066a = csum_inet_digest(&csum_1);
  352. res = syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x89f0, /*arg=*/0x20000700ul);
  353. if (res != -1)
  354. r[6] = *(uint32_t*)0x20000650;
  355. syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0x89f3, /*arg=*/0ul);
  356. memcpy((void*)0x20000880, "team0\000\000\000\000\000\000\000\000\000\000\000",
  357. 16);
  358. res = syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0x8933, /*arg=*/0x20000880ul);
  359. if (res != -1)
  360. r[7] = *(uint32_t*)0x20000890;
  361. *(uint64_t*)0x20000ac0 = 0x200004c0;
  362. *(uint16_t*)0x200004c0 = 0x10;
  363. *(uint16_t*)0x200004c2 = 0;
  364. *(uint32_t*)0x200004c4 = 0;
  365. *(uint32_t*)0x200004c8 = 0x80000000;
  366. *(uint32_t*)0x20000ac8 = 0xc;
  367. *(uint64_t*)0x20000ad0 = 0x20000a80;
  368. *(uint64_t*)0x20000a80 = 0x20000b00;
  369. memcpy(
  370. (void*)0x20000b00,
  371. "\x94\x00\x00\x00\x19\xc7\x2c\xf3\xff\x14\x1d\x9c\xca\x7f\xb1\x2c\x9e\x74"
  372. "\xfc\xdb\x4b\x00\xdc\x36\x81\x09\x14\x14\x97\x7f\xa6\xd3\x5e\x7c\xc0\xee"
  373. "\x1a\xdd\xc0\x12\xc2\xb4\xb1\xe9\x7d\x14\x7e\x24\x99\x14\x4b\x03\xcb\x91"
  374. "\xc9\x2b\x74\x32\x93\x64\xe5\xab\x1d\xd2\x51\xcb\x87\xcf\x3f\x6f\x47\x6e"
  375. "\xfa\xf6\x5e\x63\xd9\xb1\x80\xed\xf6\x05\x00\x60\xad\x1b\x7d\xd6\x5a\xa6"
  376. "\x7a\xf8\x61\x69\x34\xac\x0d\x87\xd7\x7f\xbe\xa0\x9d\x7e\x89\x15\xcb\x25"
  377. "\xe3\x3d\xf2\x7b\xb7\x34\x9f\xad\xe2\xce\x14\x9f\x28\x83\xfb\x20\xb1\xea"
  378. "\xe0\xaa\xce\x7a\xb7\x45\x6b\x48\xb3\xe4\xbd\x81\x65\x5e\x78\x73\xa9\x66"
  379. "\x55\xcb\x93\x9d\xb7\x4f\x33\xa1\xd5\xe2\x51\x7d\xaf\xd6\x32\x22\xfd\x0d"
  380. "\x18\x5b\x79\xa5\xb7\x05\x27\xf4\x9e\xed\xa1\x44\xd3\x28\x93\x01\x2e\xc2"
  381. "\xb4\x99\xc3\x11\x89\xdd\x07\x98\x66",
  382. 189);
  383. *(uint16_t*)0x20000bbd = r[3];
  384. memcpy((void*)0x20000bbf,
  385. "\x02\x00\x26\xbd\x70\x00\xfe\xdb\xdf\x25\x00\x00\x00\x00\x08\x00\x01"
  386. "\x00",
  387. 18);
  388. *(uint32_t*)0x20000bd1 = r[4];
  389. memcpy((void*)0x20000bd5,
  390. "\xfc\x00\x02\x80\x3c\x00\x01\x00\x24\x00\x01\x00\x65\x6e\x61\x62\x6c"
  391. "\x65\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  392. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x03\x00\x06\x00\x00"
  393. "\x00\x04\x00\x04\x00\x08\x00\x06\x00",
  394. 60);
  395. *(uint32_t*)0x20000c11 = r[5];
  396. memcpy((void*)0x20000c15,
  397. "\x40\x00\x01\x00\x24\x00\x01\x00\x70\x72\x69\x6f\x72\x69\x74\x79\x00"
  398. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  399. "\x00\x00\x00\x00\x00\x00\x05\x00\x03\x00\x0e\x00\x00\x00\x08\x00\x04"
  400. "\x00\x37\x0a\x00\x00\x08\x00\x06\x00",
  401. 60);
  402. *(uint32_t*)0x20000c51 = r[6];
  403. memcpy((void*)0x20000c55,
  404. "\x3c\x00\x01\x00\x24\x00\x01\x00\x65\x6e\x61\x62\x6c\x65\x64\x00\x00"
  405. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  406. "\x00\x00\x00\x00\x00\x00\x05\x00\x03\x00\x06\x00\x00\x00\x04\x00\x04"
  407. "\x00\x08\x00\x06\x00",
  408. 56);
  409. *(uint32_t*)0x20000c8d = -1;
  410. memcpy((void*)0x20000c91,
  411. "\x40\x00\x01\x00\x24\x00\x01\x00\x71\x75\x65\x75\x65\x5f\x69\x64\x00"
  412. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  413. "\x00\x00\x00\x00\x00\x00\x05\x00\x03\x00\x03\x00\x00\x00\x08\x00\x04"
  414. "\x00\x20\x00\x00\x00\x08\x00\x06\x00",
  415. 60);
  416. *(uint32_t*)0x20000ccd = 0;
  417. memcpy((void*)0x20000cd1, "\x08\x00\x01\x00", 4);
  418. *(uint32_t*)0x20000cd5 = r[7];
  419. memcpy((void*)0x20000cd9,
  420. "\x74\x00\x02\x80\x38\x00\x01\x00\x24\x00\x01\x00\x6e\x6f\x74\x69\x66"
  421. "\x79\x5f\x70\x65\x65\x72\x73\x5f\x69\x6e\x74\x65\x72\x76\x61\x6c\x00"
  422. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x03\x00\x03\x00\x00"
  423. "\x00\x08\x00\x04\x00\x00\x02\x00\x00\x38\x00\x01\x00\x24\x00\x01\x00"
  424. "\x6c\x62\x5f\x73\x74\x61\x74\x73\x5f\x72\x65\x66\x72\x65\x73\x68\x5f"
  425. "\x69\x6e\x74\x65\x72\x76\x61\x6c\x00\x00\x00\x00\x00\x00\x00\x05\x00"
  426. "\x03\x00\x03\x00\x00\x00\x08\x00\x04\x00\x02\x00\x00\x00",
  427. 116);
  428. *(uint64_t*)0x20000a88 = 0x194;
  429. *(uint64_t*)0x20000ad8 = 1;
  430. *(uint64_t*)0x20000ae0 = 0;
  431. *(uint64_t*)0x20000ae8 = 0;
  432. *(uint32_t*)0x20000af0 = 0x8000;
  433. syscall(__NR_sendmsg, /*fd=*/r[2], /*msg=*/0x20000ac0ul,
  434. /*f=MSG_FASTOPEN|MSG_MORE|MSG_EOR|MSG_CONFIRM*/ 0x20008880ul);
  435. memcpy((void*)0x20000540, "tunl0\000\000\000\000\000\000\000\000\000\000\000",
  436. 16);
  437. *(uint64_t*)0x20000550 = 0x20000480;
  438. memcpy((void*)0x20000480, "erspan0\000\000\000\000\000\000\000\000\000", 16);
  439. *(uint32_t*)0x20000490 = 0;
  440. *(uint16_t*)0x20000494 = htobe16(0x40);
  441. *(uint16_t*)0x20000496 = htobe16(0x10);
  442. *(uint32_t*)0x20000498 = htobe32(0xa4);
  443. *(uint32_t*)0x2000049c = htobe32(7);
  444. STORE_BY_BITMASK(uint8_t, , 0x200004a0, 0x1e, 0, 4);
  445. STORE_BY_BITMASK(uint8_t, , 0x200004a0, 4, 4, 4);
  446. STORE_BY_BITMASK(uint8_t, , 0x200004a1, 2, 0, 2);
  447. STORE_BY_BITMASK(uint8_t, , 0x200004a1, 9, 2, 6);
  448. *(uint16_t*)0x200004a2 = htobe16(0x78);
  449. *(uint16_t*)0x200004a4 = htobe16(0x66);
  450. *(uint16_t*)0x200004a6 = htobe16(0);
  451. *(uint8_t*)0x200004a8 = 1;
  452. *(uint8_t*)0x200004a9 = 4;
  453. *(uint16_t*)0x200004aa = htobe16(0);
  454. *(uint32_t*)0x200004ac = htobe32(0x64010102);
  455. *(uint32_t*)0x200004b0 = htobe32(0xe0000002);
  456. *(uint8_t*)0x200004b4 = 0x89;
  457. *(uint8_t*)0x200004b5 = 0xf;
  458. *(uint8_t*)0x200004b6 = 0xa6;
  459. *(uint8_t*)0x200004b7 = 0xac;
  460. *(uint8_t*)0x200004b8 = 0x14;
  461. *(uint8_t*)0x200004b9 = 0x14;
  462. *(uint8_t*)0x200004ba = 0xbb;
  463. *(uint32_t*)0x200004bb = htobe32(0);
  464. *(uint8_t*)0x200004bf = 0xac;
  465. *(uint8_t*)0x200004c0 = 0x1e;
  466. *(uint8_t*)0x200004c1 = 1;
  467. *(uint8_t*)0x200004c2 = 1;
  468. *(uint8_t*)0x200004c3 = 0x44;
  469. *(uint8_t*)0x200004c4 = 0xc;
  470. *(uint8_t*)0x200004c5 = 0x83;
  471. STORE_BY_BITMASK(uint8_t, , 0x200004c6, 0, 0, 4);
  472. STORE_BY_BITMASK(uint8_t, , 0x200004c6, 0xe, 4, 4);
  473. *(uint32_t*)0x200004c7 = htobe32(0x8001);
  474. *(uint32_t*)0x200004cb = htobe32(0);
  475. *(uint8_t*)0x200004cf = 0x44;
  476. *(uint8_t*)0x200004d0 = 0x14;
  477. *(uint8_t*)0x200004d1 = 0xc5;
  478. STORE_BY_BITMASK(uint8_t, , 0x200004d2, 1, 0, 4);
  479. STORE_BY_BITMASK(uint8_t, , 0x200004d2, 8, 4, 4);
  480. *(uint8_t*)0x200004d3 = 0xac;
  481. *(uint8_t*)0x200004d4 = 0x14;
  482. *(uint8_t*)0x200004d5 = 0x14;
  483. *(uint8_t*)0x200004d6 = 0xaa;
  484. *(uint32_t*)0x200004d7 = htobe32(0x1ff);
  485. *(uint32_t*)0x200004db = htobe32(0x7f000001);
  486. *(uint32_t*)0x200004df = htobe32(7);
  487. *(uint8_t*)0x200004e3 = 0x44;
  488. *(uint8_t*)0x200004e4 = 0xc;
  489. *(uint8_t*)0x200004e5 = 0x84;
  490. STORE_BY_BITMASK(uint8_t, , 0x200004e6, 0, 0, 4);
  491. STORE_BY_BITMASK(uint8_t, , 0x200004e6, 0, 4, 4);
  492. *(uint32_t*)0x200004e7 = htobe32(2);
  493. *(uint32_t*)0x200004eb = htobe32(0x100);
  494. *(uint8_t*)0x200004ef = 0x44;
  495. *(uint8_t*)0x200004f0 = 0xc;
  496. *(uint8_t*)0x200004f1 = 0x91;
  497. STORE_BY_BITMASK(uint8_t, , 0x200004f2, 1, 0, 4);
  498. STORE_BY_BITMASK(uint8_t, , 0x200004f2, 0xb, 4, 4);
  499. *(uint8_t*)0x200004f3 = 0xac;
  500. *(uint8_t*)0x200004f4 = 0x14;
  501. *(uint8_t*)0x200004f5 = 0x14;
  502. *(uint8_t*)0x200004f6 = 0x30;
  503. *(uint32_t*)0x200004f7 = htobe32(7);
  504. *(uint8_t*)0x200004fb = 0x44;
  505. *(uint8_t*)0x200004fc = 0x1c;
  506. *(uint8_t*)0x200004fd = 0x19;
  507. STORE_BY_BITMASK(uint8_t, , 0x200004fe, 3, 0, 4);
  508. STORE_BY_BITMASK(uint8_t, , 0x200004fe, 5, 4, 4);
  509. *(uint8_t*)0x200004ff = 0xac;
  510. *(uint8_t*)0x20000500 = 0x1e;
  511. *(uint8_t*)0x20000501 = 1;
  512. *(uint8_t*)0x20000502 = 1;
  513. *(uint32_t*)0x20000503 = htobe32(0x401);
  514. *(uint32_t*)0x20000507 = htobe32(0xe0000001);
  515. *(uint32_t*)0x2000050b = htobe32(0x1f);
  516. *(uint32_t*)0x2000050f = htobe32(-1);
  517. *(uint32_t*)0x20000513 = htobe32(0x81);
  518. struct csum_inet csum_2;
  519. csum_inet_init(&csum_2);
  520. csum_inet_update(&csum_2, (const uint8_t*)0x200004a0, 120);
  521. *(uint16_t*)0x200004aa = csum_inet_digest(&csum_2);
  522. syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x89f3, /*arg=*/0x20000540ul);
  523. memcpy((void*)0x20000600, "erspan0\000\000\000\000\000\000\000\000\000", 16);
  524. *(uint64_t*)0x20000610 = 0x20000580;
  525. memcpy((void*)0x20000580, "erspan0\000\000\000\000\000\000\000\000\000", 16);
  526. *(uint32_t*)0x20000590 = 0;
  527. *(uint16_t*)0x20000594 = htobe16(0x8091);
  528. *(uint16_t*)0x20000596 = htobe16(0x7800);
  529. *(uint32_t*)0x20000598 = htobe32(5);
  530. *(uint32_t*)0x2000059c = htobe32(5);
  531. STORE_BY_BITMASK(uint8_t, , 0x200005a0, 0xa, 0, 4);
  532. STORE_BY_BITMASK(uint8_t, , 0x200005a0, 4, 4, 4);
  533. STORE_BY_BITMASK(uint8_t, , 0x200005a1, 1, 0, 2);
  534. STORE_BY_BITMASK(uint8_t, , 0x200005a1, 0xb, 2, 6);
  535. *(uint16_t*)0x200005a2 = htobe16(0x28);
  536. *(uint16_t*)0x200005a4 = htobe16(0x64);
  537. *(uint16_t*)0x200005a6 = htobe16(0);
  538. *(uint8_t*)0x200005a8 = 8;
  539. *(uint8_t*)0x200005a9 = 0x29;
  540. *(uint16_t*)0x200005aa = htobe16(0);
  541. *(uint8_t*)0x200005ac = 0xac;
  542. *(uint8_t*)0x200005ad = 0x14;
  543. *(uint8_t*)0x200005ae = 0x14;
  544. *(uint8_t*)0x200005af = 0xaa;
  545. *(uint8_t*)0x200005b0 = 0xac;
  546. *(uint8_t*)0x200005b1 = 0x14;
  547. *(uint8_t*)0x200005b2 = 0x14;
  548. *(uint8_t*)0x200005b3 = 0xaa;
  549. *(uint8_t*)0x200005b4 = 0x44;
  550. *(uint8_t*)0x200005b5 = 0x14;
  551. *(uint8_t*)0x200005b6 = 0x93;
  552. STORE_BY_BITMASK(uint8_t, , 0x200005b7, 0, 0, 4);
  553. STORE_BY_BITMASK(uint8_t, , 0x200005b7, 6, 4, 4);
  554. *(uint32_t*)0x200005b8 = htobe32(0x10000);
  555. *(uint32_t*)0x200005bc = htobe32(0xfea);
  556. *(uint32_t*)0x200005c0 = htobe32(0x10001);
  557. *(uint32_t*)0x200005c4 = htobe32(9);
  558. struct csum_inet csum_3;
  559. csum_inet_init(&csum_3);
  560. csum_inet_update(&csum_3, (const uint8_t*)0x200005a0, 40);
  561. *(uint16_t*)0x200005aa = csum_inet_digest(&csum_3);
  562. syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x89f0, /*arg=*/0x20000600ul);
  563. return 0;
  564. }
  565.  
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!