| Dmitry V. Levin | 4832134 | 2015-03-31 18:52:57 +0000 | [diff] [blame^] | 1 | #include <stdio.h> |
| 2 | #include <string.h> |
| 3 | #include <unistd.h> |
| 4 | #include <sys/mman.h> |
| 5 | |
| 6 | int |
| 7 | main(void) |
| 8 | { |
| 9 | const size_t page_len = sysconf(_SC_PAGESIZE); |
| 10 | const size_t work_len = page_len * 2; |
| 11 | const size_t tail_len = work_len - 1; |
| 12 | |
| 13 | void *p = mmap(NULL, page_len * 3, PROT_READ | PROT_WRITE, |
| 14 | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); |
| 15 | if (p == MAP_FAILED || mprotect(p + work_len, page_len, PROT_NONE)) |
| 16 | return 77; |
| 17 | |
| 18 | memset(p, 0, work_len); |
| 19 | char *addr = p + work_len - tail_len; |
| 20 | memset(addr, '0', tail_len - 1); |
| 21 | |
| 22 | char *argv[] = { NULL }; |
| 23 | char *envp[] = { addr, NULL }; |
| 24 | execve("", argv, envp); |
| 25 | |
| 26 | printf("execve\\(\"\", \\[\\], \\[\"%0*u\"\\]\\) = -1 .*\n", |
| 27 | (int) tail_len - 1, 0); |
| 28 | |
| 29 | return 0; |
| 30 | } |