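<% from pwnlib.shellcraft.i386 import push, mov %>
<% from pwnlib.shellcraft.i386.linux import syscall %>
<% from pwnlib.shellcraft import common %>
<%docstring>
Retrieves the value of the sysctl kernel.pid_max (the kernel's PID
allocation wrap value, i.e. the highest PID number it will hand out)
via the legacy _sysctl(2) syscall.

Returns:
    eax = kernel.pid_max as a 32-bit integer.

The syscall's own return value is discarded: if _sysctl fails (the
syscall is deprecated and absent from newer kernels), eax is left holding
the 0xffff placeholder that was pushed for the result slot rather than an
error code, so callers cannot distinguish failure from a real value.

Clobbers: eax, ecx, flags, and the first-argument register used by the
syscall helper (ebx on i386 Linux). ebp is saved and restored; esp is
returned to its entry value.
</%docstring>
<%
CTL_KERN=1
KERN_PIDMAX=55
"""
struct __sysctl_args {
int *name; /* integer vector describing variable */
int nlen; /* length of this vector */
void *oldval; /* 0 or address where to store old value */
size_t *oldlenp; /* available room for old value,
overwritten by actual size of old value */
void *newval; /* 0 or address of new value */
size_t newlen; /* size of new value */
};
"""
%>
    push ebp
    ${push(0xffff)}               /* result slot: 4-byte placeholder for oldval */
    mov ebp, esp                  /* ebp = oldval, and frame pointer for cleanup */
    ${push(4)}                    /* *oldlenp = sizeof(int): room for the result */
    mov eax, esp                  /* eax = oldlenp */
    /* name[] = { CTL_KERN, KERN_PIDMAX }.  The stack grows down, so the */
    /* value pushed last lands at name[0]; push the vector in reverse.   */
    ${push(KERN_PIDMAX)}          /* name[1] */
    ${push(CTL_KERN)}             /* name[0] */
    mov ecx, esp                  /* ecx = name */
    /* Build struct __sysctl_args on the stack, last member first. */
    ${push(0)}                    /* newlen  = 0 (read only) */
    ${push(0)}                    /* newval  = NULL */
    ${push('eax')}                /* oldlenp */
    ${push('ebp')}                /* oldval */
    ${push(2)}                    /* nlen    = 2 */
    ${push('ecx')}                /* name */
    ${syscall('SYS__sysctl', 'esp')} /* _sysctl(&args); return value is not checked */
    mov esp, ebp                  /* drop args/name/oldlenp; esp -> oldval slot */
    pop eax                       /* eax = kernel.pid_max (0xffff placeholder on failure) */
    pop ebp                       /* restore caller's frame pointer */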