See the complaint on #4039. This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
* Random filename
* Stop shipping debug strings to the exploit executable
Also makes the writable path configurable, so we don't always have to
use /tmp in case it is mounted noexec, etc.
Unfortunately, adds a dep on bionic for runtime compilation.
Gets ring0, sets the (res)uid to 0 and jumps to the payload. Still some
payload issues because linux stagers don't mprotect(2) the buffer they
read(2) into. Single payloads work fine, though.
Also cleans up and improves local exploits' ability to compile C.
[SEERM #3038]
Something is still broken, my socket() is returning EAFNOSUPPORT whereas
what looks like the same syscall in wunderbar_emporium's exploit.c is
returning a socket. Similarly, my __mmap2() is returning EFAULT when
trying to map anything, not just NULL.
This can currently build an executable that creates a socket, opens a
temporary file, truncates that file with ftruncate(2) and calls
sendfile. Still needs to mmap NULL and figure out ring0 shellcode.
Baby steps.
wchen-r7
Christian Mehlmauer
Brent Cook
jvazquez-r7
URI Assassin
James Lee
Tod Beardsley
William Vu
Steve Tornio
sinn3r