/* enlightenment 200909092307

To create your own exploit module for enlightenment, just name it
exp_whatever.c
It will be auto-compiled by the run_exploits.sh script and thrown into
the list of loaded exploit modules

Each module must have the following features:
It must include this header file, exp_framework.h
A description of the exploit, in a variable named "desc"
A "prepare" function: int prepare(unsigned char *ptr)
where ptr points to the NULL mapping, which you are able to write to
This function can return the flags described below for prepare_the_exploit
Otherwise, return 0 for failure
A "trigger" function: int trigger(void)
Return 0 for failure, nonzero for success
A "post" function: int post(void)
This function can return the flags described below for post_exploit
A "get_exploit_state_ptr" function:
int get_exploit_state_ptr(struct exploit_state *ptr)
Generally this will always be implemented as:
struct exploit_state *exp_state;
int get_exploit_state_ptr(struct exploit_state *ptr)
{
	exp_state = ptr;
	return 0;
}
It gives you access to the exploit_state structure listed below:
get_kernel_sym allows you to resolve symbols
own_the_kernel is the function that takes control of the kernel
(in case you need its address to set up your buffer)
the other variables describe the exploit environment, so you can,
for instance, loop through a number of vulnerable socket domains
until you detect that ring0 execution has occurred.

That's it!
*/
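The prepare() callback above receives a pointer into a writable mapping at address 0, so every module in this framework depends on the kernel letting an unprivileged process map page 0. On Linux the sysctl vm.mmap_min_addr (/proc/sys/vm/mmap_min_addr) is the setting that refuses such low mappings. The following program is an added defensive check, not part of enlightenment: it parses that sysctl's text form and reports whether the NULL page is mappable on the current host.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
/* Real Linux sysctl: the kernel refuses user mappings below this address,
 * which is what stops unprivileged code from mapping page 0. */
#define MMAP_MIN_ADDR_PATH "/proc/sys/vm/mmap_min_addr"

/* Parse the text form of vm.mmap_min_addr. Returns the value, or -1 for
 * malformed input (empty, non-numeric, negative, trailing garbage). */
long parse_mmap_min_addr(const char *text)
{
    char *end;
    if (text == NULL || *text < '0' || *text > '9')
        return -1;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno != 0 || v < 0)
        return -1;
    while (*end == ' ' || *end == '\t' || *end == '\n') /* trailing ws only */
        end++;
    return (*end == '\0') ? v : -1;
}
/* 1 if a mapping at address 0 would be refused, 0 if the NULL page is
 * mappable (the precondition prepare() relies on), -1 if malformed.
 * A process holding CAP_SYS_RAWIO can still map below the limit. */
int null_page_protected(long min_addr)
{
    return (min_addr < 0) ? -1 : (min_addr > 0);
}
/* Read the live value; -1 if the file is unreadable or malformed. */
long read_mmap_min_addr(void)
{
    char buf[64];
    FILE *f = fopen(MMAP_MIN_ADDR_PATH, "r");
    if (f == NULL)
        return -1;
    long v = fgets(buf, sizeof buf, f) ? parse_mmap_min_addr(buf) : -1;
    fclose(f);
    return v;
}
int main(void)
{
    long v = read_mmap_min_addr();
    if (v < 0) { puts("cannot read " MMAP_MIN_ADDR_PATH); return 1; }
    printf("vm.mmap_min_addr = %ld: NULL page %s\n", v,
           null_page_protected(v) ? "not mappable" : "MAPPABLE");
    return null_page_protected(v) ? 0 : 2;
}
```

A non-zero exit status means the host still allows the NULL-page mapping (or the value could not be read), which is the condition a hardening audit should flag.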
38
39 http://www.grsecurity.net/~spender/enlightenment.tgz
back: http://milw0rm.com/sploits/2009-enlightenment.tgz
41
# milw0rm.com [2009-09-10]
Enlightenment Linux Null PTR Dereference Exploit Framework
spender
09/10/2009