💾 Archived View for thrig.me › software › assembly › slab-of-code › actual.c captured on 2024-12-17 at 11:51:00.

View Raw

More Information

⬅️ Previous capture (2023-12-28)

-=-=-=-=-=-=-

#include <sys/mman.h>

#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

typedef void (*fn)(int *); // NOTE the signature change!

#define SLABSIZE 4096

int
main(int argc, char *argv[])
{
	int value = 41;

	unsigned char *slab = malloc(SLABSIZE);
	if (!slab) err(1, "malloc");
	memset(slab, 0xC3, SLABSIZE);
	memcpy(slab, &(unsigned char[]){0xf3, 0xf,  0x1e, 0xfa, 0x55, 0x48,
	                                0x89, 0xe5, 0x48, 0x89, 0x7d, 0xf8,
	                                0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x8,
	                                0x83, 0xc1, 0x1,  0x89, 0x8,  0x5d},
	       24);
	int fd = open("slab", O_WRONLY | O_CREAT, 0666);
	if (fd <= 0) err(1, "open");
	write(fd, slab, SLABSIZE);
	close(fd);

	if (mprotect(slab, SLABSIZE, PROT_EXEC) != 0) err(1, "mprotect");
#ifdef __OpenBSD__
	if (pledge("stdio", NULL) == -1) err(1, "pledge");
#endif
	fn call = (fn) slab;

	call(&value);

	printf("%d\n", value);
}