@nbareil
Created October 18, 2011 09:28
clone() without using GNU libc
#define _GNU_SOURCE /* See feature_test_macros(7) */
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/prctl.h>
#include "xtools.h"
/* Stack buffer for a cloned child. On this page it is referenced only by the
 * commented-out xclone() call in main(). */
char dummy_stack[4096];
/* Four-byte scratch area; trustee() loads its address into %mm2. */
char junk[4];
/* Defined in another translation unit. trustee() stores its address at
 * %gs:0x10 once strict seccomp has been enabled. */
extern void handler_in_seccomp(void);
/*
 * Layout of the region trustee() maps from /dev/shm/seccomp-nurse.
 *
 * trustee() keeps the addresses of several members in MMX registers; the
 * per-member notes say which one. The structure is packed, so there is no
 * padding between members.
 * NOTE(review): the layout is presumably shared with the process on the
 * other side of the mapping -- confirm both sides are built from the same
 * definition.
 */
struct sharepoint {
char space[512]; /* address loaded into %mm0 by trustee() */
char syscall_dropbox[28]; /* address loaded into %mm1 by trustee() */
char junk[4]; /* NOTE(review): annotated mm2, but trustee() loads the address of the global junk[] into %mm2, not of this member -- confirm which is intended */
char retarray[256]; /* address loaded into %mm3 by trustee() */
sigset_t sigset; /* not referenced anywhere on this page */
} __attribute__ ((packed));
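/*
 * Map the shared region, publish its addresses, then enter strict seccomp
 * and redirect the syscall entry pointer to handler_in_seccomp.
 *
 * Everything that needs open/mmap happens before the prctl() call, because
 * strict seccomp afterwards only lets this thread use read, write, _exit
 * and sigreturn.
 *
 * v is unused. Returns 0. Exits with status 1 if the open fails, 2 if the
 * mapping fails and 4 if seccomp could not be enabled.
 */
int trustee(void *v)
{
    int fd;
    struct sharepoint *sharedmemory;
    void *ptr;

    (void)v;

    /*
     * NOTE(review): fixed name in a world-writable directory, opened with
     * O_CREAT but without O_EXCL or O_NOFOLLOW, so whoever creates the path
     * first (file or symlink) decides what gets mapped. Confirm which
     * process is meant to create it and tighten the flags accordingly.
     * NOTE(review): the mode 277 is decimal (octal 0425); an octal literal
     * was probably intended -- left unchanged until the intent is known.
     */
    fd = xopen("/dev/shm/seccomp-nurse", O_RDONLY|O_CREAT, 277);
    /* Raw syscalls report failure as -errno; never map a bogus descriptor. */
    if (fd < 0)
        xexit(1);

    xwrite(1, "Hello world\n", 12);

    /* The length is the size of the structure, not of the pointer to it. */
    sharedmemory = (struct sharepoint *)xmmap(NULL, sizeof *sharedmemory,
                                              PROT_READ, MAP_SHARED, fd, 0);
    /*
     * A failed raw mmap yields -errno, i.e. an "address" in the last 4095
     * bytes. Stop here rather than hand pointers derived from an error code
     * to the seccomp handler.
     */
    if ((unsigned long)sharedmemory >= (unsigned long)-4095L)
        xexit(2);

    /*
     * Publish the mapping address on descriptor 3.
     * NOTE(review): descriptor 3 is assumed to be open already (inherited).
     * If only 0-2 are open, the xopen() above is likely to have returned 3
     * and this write targets the O_RDONLY shm file -- confirm.
     */
    ptr = sharedmemory;
    xwrite(3, &ptr, sizeof ptr);

    /* Start from zeroed MMX registers so the upper halves hold no stale data. */
    __asm__ volatile("pxor %mm0, %mm0\n"
                     "pxor %mm1, %mm1\n"
                     "pxor %mm2, %mm2\n"
                     "pxor %mm3, %mm3\n");

    /*
     * Park one pointer per MMX register.
     * NOTE(review): the compiler is not told these registers stay live after
     * the function returns; this relies on no x87/MMX code running in this
     * thread afterwards -- confirm build flags.
     */
    ptr = (void *)sharedmemory->space;
    __asm__ volatile("movd %0, %%mm0\n" : : "m" (ptr));
    ptr = (void *)sharedmemory->syscall_dropbox;
    __asm__ volatile("movd %0, %%mm1\n" : : "m" (ptr));
    ptr = (void *)junk; /* the file-scope junk[], not sharedmemory->junk */
    __asm__ volatile("movd %0, %%mm2\n" : : "m" (ptr));
    ptr = (void *)sharedmemory->retarray;
    __asm__ volatile("movd %0, %%mm3\n" : : "m" (ptr));

    /*
     * Enter strict seccomp. The raw syscall returns 0 on success and -errno
     * on failure, so comparing against -1 would only catch EPERM and let the
     * process carry on unsandboxed after any other error.
     */
    if (xprctl(PR_SET_SECCOMP, 1, 0, 0, 0) != 0)
        xexit(4);

    /*
     * hijack VDSO now: store the handler address at %gs:0x10. On i386 glibc
     * that thread-control-block slot is the pointer libc calls to enter the
     * kernel -- presumably what the original comment refers to; confirm
     * against the libc in use. This is a plain memory store, so it is still
     * possible under strict seccomp.
     */
    __asm__ volatile("mov %0, %%ebx\n"
                     "mov %%ebx, %%gs:0x10\n"
                     :
                     : "r" (handler_in_seccomp)
                     : "ebx", "memory");

    return 0;
}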
/*
 * Test driver: runs trustee() directly on the main thread, then writes a
 * marker to descriptor 2 and exits with status 3.
 */
int main(void)
{
int ret; /* only needed by the commented-out xclone() call below */
/* Every argument slot carries a distinct, recognisable constant --
 * presumably a probe to check in a trace or disassembly that each argument
 * reaches the expected register; TODO confirm. The request itself is not a
 * meaningful mapping. */
xmmap(0xaaaaaaaa, 0xbbbbbbbb, 0xcccccccc, 0xdddddddd, 0xeeeeeeee, 0xffffffff);
/* Called in-line rather than through clone, so it is the main thread itself
 * that enters strict seccomp inside trustee(). */
trustee(NULL);
/* ret = xclone(trustee, dummy_stack+sizeof dummy_stack, CLONE_FILES |CLONE_VM, NULL); */
/* Only write and exit follow: both are syscalls strict seccomp still
 * permits (the xexit() shown on this page uses SYS_exit, not exit_group). */
xwrite(2, "toto\n", 5);
xexit(3);
}
#define _GNU_SOURCE /* See feature_test_macros(7) */
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/prctl.h>
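/*
 * Issue the i386 mmap2 system call directly through int $0x80, without libc.
 *
 * Register convention: eax = SYS_mmap2, ebx = addr, ecx = length,
 * edx = prot, esi = flags, edi = fd, ebp = offset.
 *
 * offset is handed to mmap2 unchanged; mmap2 counts it in 4096-byte units,
 * not in bytes.
 *
 * Returns the kernel's raw result: the mapping address, or -errno (a value
 * in the last 4095 bytes of the address space) on failure. errno is not set
 * and the result is not normalised to MAP_FAILED.
 */
void * xmmap(void *addr, size_t length, int prot,
             int flags, int fd, off_t offset)
{
    long ret;
    /*
     * eax, ebx, ecx, edx and esi are taken by the first operands, so the
     * last two arguments travel through memory and are loaded inside the
     * asm. Addressing them through edi (not through "m" operands) keeps the
     * loads correct even when locals are esp-relative and the push below
     * has moved esp.
     */
    unsigned int tail[2] = { (unsigned int)fd, (unsigned int)offset };
    unsigned int *tailp = tail;

    __asm__ volatile(
        "push %%ebp\n"           /* ebp may be the frame pointer: save it */
        "mov 4(%%edi), %%ebp\n"  /* sixth argument: offset */
        "mov (%%edi), %%edi\n"   /* fifth argument: fd */
        "int $0x80\n"
        "pop %%ebp\n"
        : "=a" (ret), "+D" (tailp)
        : "0" ((long)SYS_mmap2), "b" (addr), "c" (length), "d" (prot), "S" (flags)
        : "memory", "cc");       /* "memory" also forces tail[] to be stored */

    return (void *)ret;
}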
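/*
 * Smoke test for xmmap(): open or create /tmp/tata, map one page of it
 * read-only and print the raw value the syscall returned.
 */
int main(void)
{
    /*
     * Mode 0600 rather than 066: 066 gives the owner no permission bits, so
     * a second run by the same non-root user could not reopen the file with
     * O_RDWR, while group and others were offered read/write access.
     * NOTE(review): the name is fixed and lives in /tmp, and the open uses
     * neither O_EXCL nor O_NOFOLLOW, so another local user can pre-create
     * the path or point it elsewhere. Acceptable for a throwaway test only.
     */
    int fd = open("/tmp/tata", O_CREAT|O_RDWR, 0600);
    if (fd == -1)
        _exit(1);

    /*
     * xmmap() returns the raw syscall result, so a failure shows up here as
     * a small negative number printed as a pointer, not as MAP_FAILED.
     * A freshly created file is empty: the mapping is only printed, never
     * dereferenced.
     */
    void *v = xmmap(NULL, 4096, PROT_READ, MAP_SHARED, fd, 0);
    printf("v=%p\n", v);

    close(fd); /* the mapping does not need the descriptor any more */
    return 0;
}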
#define _GNU_SOURCE /* See feature_test_macros(7) */
#include <sched.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <asm/ptrace.h>
#include <sys/types.h>
#include <sys/prctl.h>
/* Stringize x exactly as written and prefix it with "$", producing the text
 * of an AT&T-syntax immediate operand. */
#define xstr(x) "$"#x
/* Same, but x is macro-expanded first: an argument that expands to 5 yields
 * "$5" (constructed example). Neither macro is used in the code shown on
 * this page. */
#define ivalue(x) xstr(x)
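/*
 * open(2) as a raw int $0x80 system call (i386 convention: eax = SYS_open,
 * ebx = pathname, ecx = flags, edx = mode).
 *
 * Returns the new descriptor, or -errno on failure. errno is not set, so
 * callers must test for a negative value rather than for -1.
 */
static inline int __attribute__((always_inline)) xopen(const char *pathname, int flags, int mode)
{
    int ret;

    /*
     * The result is read back from eax through an output operand; without
     * it the function had no defined return value. "memory" is needed
     * because the kernel reads the path through the pointer in ebx.
     * Spelled __asm__ so the header also builds under strict -std=c99/c11.
     */
    __asm__ volatile("int $0x80"
        : "=a" (ret)
        : "0" (SYS_open),
          "b" (pathname),
          "c" (flags),
          "d" (mode)
        : "memory");

    return ret;
}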
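/*
 * prctl(2) as a raw int $0x80 system call (i386 convention: eax = SYS_prctl,
 * ebx = option, ecx..edi = arg2..arg5).
 *
 * Returns the kernel's raw result: the call's value on success, -errno on
 * failure. errno is not set. For security-relevant options such as
 * PR_SET_SECCOMP the caller should treat every non-zero result as failure;
 * a test against -1 only matches EPERM.
 */
static inline int __attribute__((always_inline)) xprctl(int option, unsigned long arg2, unsigned long arg3,
                                                        unsigned long arg4, unsigned long arg5)
{
    int ret;

    /*
     * eax is read back through an output operand; without it the function
     * had no defined return value. "memory": some options make the kernel
     * read or write through the argument pointers.
     */
    __asm__ volatile("int $0x80"
        : "=a" (ret)
        : "0" (SYS_prctl),
          "b" (option),
          "c" (arg2),
          "d" (arg3),
          "S" (arg4),
          "D" (arg5)
        : "memory");

    return ret;
}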
/*
 * Terminate through a raw int $0x80 system call: eax = SYS_exit,
 * ebx = status.
 *
 * SYS_exit is the exit call strict seccomp still allows; exit_group, which
 * libc's exit paths normally use, is not.
 */
static inline void __attribute__((always_inline)) xexit(int status)
{
    /* No output operands, so the statement is volatile either way. */
    __asm__ __volatile__(
        "int $0x80"
        : /* nothing comes back */
        : [nr] "a" (SYS_exit),
          [code] "b" (status));
}
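/*
 * write(2) as a raw int $0x80 system call (i386 convention: eax = SYS_write,
 * ebx = fd, ecx = buf, edx = count).
 *
 * Returns the number of bytes written. On failure the kernel returns
 * -errno, which appears here as a very large size_t because the return type
 * is unsigned; errno is not set. A short write is possible and is not
 * retried.
 */
static inline size_t __attribute__((always_inline)) xwrite(int fd, void *buf, size_t count) {
    long ret;

    /*
     * eax is read back through an output operand; without it the function
     * had no defined return value. "memory": the kernel reads count bytes
     * through buf.
     */
    __asm__ volatile("int $0x80"
        : "=a" (ret)
        : "0" ((long)SYS_write)
        , "b" (fd)
        , "c" (buf)
        , "d" (count)
        : "memory");

    return (size_t)ret;
}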
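/*
 * Map memory with a raw int $0x80 system call, without libc.
 *
 * Uses SYS_mmap2, as the stand-alone xmmap() test elsewhere on this page
 * does: on i386 the older SYS_mmap entry takes a single pointer to an
 * argument block in ebx instead of six register arguments, so passing the
 * arguments in registers to it cannot work.
 *
 * Register convention: eax = SYS_mmap2, ebx = addr, ecx = length,
 * edx = prot, esi = flags, edi = fd, ebp = offset. offset is handed over
 * unchanged and is counted by mmap2 in 4096-byte units; every caller on
 * this page passes 0.
 *
 * Returns the kernel's raw result: the mapping address, or -errno (a value
 * in the last 4095 bytes of the address space) on failure. errno is not set
 * and the result is not normalised to MAP_FAILED.
 */
static inline void * __attribute__((always_inline)) xmmap(void *addr, size_t length, int prot,
                                                          int flags, int fd, off_t offset)
{
    long ret;
    /*
     * eax, ebx, ecx, edx and esi are taken by the first operands, so fd and
     * offset are staged in memory and loaded inside one asm statement.
     * Loading ebp in a separate asm statement, without saving it, would
     * leave the compiler free to use ebp (possibly the frame pointer) in
     * between and afterwards with the wrong value in it.
     */
    unsigned int tail[2] = { (unsigned int)fd, (unsigned int)offset };
    unsigned int *tailp = tail;

    __asm__ volatile(
        "push %%ebp\n"           /* save the caller's ebp */
        "mov 4(%%edi), %%ebp\n"  /* sixth argument: offset */
        "mov (%%edi), %%edi\n"   /* fifth argument: fd */
        "int $0x80\n"
        "pop %%ebp\n"
        : "=a" (ret), "+D" (tailp)
        : "0" ((long)SYS_mmap2),
          "b" (addr),
          "c" (length),
          "d" (prot),
          "S" (flags)
        : "memory", "cc");       /* "memory" also forces tail[] to be stored */

    return (void *)ret;
}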
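/*
 * clone(2) as a raw int $0x80 system call, starting fn(arg) on child_stack.
 *
 * child_stack must point just past the highest byte of a writable stack
 * area (for example buffer + sizeof buffer) and must not be NULL; two
 * machine words are written immediately below it before the call.
 *
 * Parent: returns the child's id, or -errno on failure (errno is not set).
 * Child: never returns here. It calls fn(arg) on the new stack and then
 * leaves through SYS_exit with fn's return value as status.
 *
 * The parent_tid, tls and child_tid arguments of clone are passed as 0.
 */
static inline int __attribute__((always_inline)) xclone(int (*fn)(void *), void *child_stack,
                                                        int flags, void *arg)
{
    int ret;
    unsigned long *sp = child_stack;

    /*
     * Seed the new stack with what the child branch consumes: fn on top,
     * arg right above it. Previously only fn was stored and the child
     * jumped to it, so fn read its argument and its return address from
     * whatever lay beyond the top of the stack area.
     */
    *--sp = (unsigned long)arg;
    *--sp = (unsigned long)fn;

    __asm__ volatile(
        "int $0x80\n"
        "test %%eax, %%eax\n"
        "jnz 1f\n"                 /* parent, or clone failed */
        /* child: esp now points at the seeded words */
        "pop %%ebx\n"              /* fn; arg is left on top of the stack */
        "call *%%ebx\n"            /* fn(arg) */
        "mov %%eax, %%ebx\n"       /* exit status = fn's return value */
        "mov %[nr_exit], %%eax\n"
        "int $0x80\n"              /* does not return */
        "1:\n"
        : "=a" (ret)
        : "0" (SYS_clone),
          "b" (flags),
          "c" (sp),
          "d" (0),
          "S" (0),
          "D" (0),
          [nr_exit] "i" (SYS_exit)
        : "memory", "cc");

    return ret;
}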