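/*
 * Copyright (c) 2015 Dmitry V. Levin <ldv (at) altlinux.org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/*
 * Build a NUL-terminated string whose terminator is the last accessible
 * byte in front of an inaccessible page, pass it as the only environment
 * entry to an execve() call with an empty pathname, and print a description
 * of that call.
 *
 * Memory layout (three consecutive pages):
 *   pages 0-1  readable/writable, hold the string
 *   page  2    PROT_NONE, so any read past the terminator touches
 *              inaccessible memory
 *
 * Returns 0 after printing, or 77 when the layout cannot be set up.
 * NOTE(review): 77 is presumably the harness's "skip" code, and the printed
 * lines presumably mirror what a syscall tracer is expected to log for this
 * process - confirm against the test driver.
 */
int
main(void)
{
	/*
	 * sysconf() returns a long and -1 on failure; reject that before it
	 * is converted to size_t and used in size arithmetic.
	 */
	const long page_size = sysconf(_SC_PAGESIZE);
	if (page_size <= 0)
		return 77;

	const size_t page_len = (size_t) page_size;
	const size_t work_len = page_len * 2;
	const size_t tail_len = work_len - 1;

	/*
	 * Keep the mapping as char * so the offset arithmetic below is
	 * standard C rather than GNU void-pointer arithmetic.
	 */
	char *const base = mmap(NULL, page_len * 3, PROT_READ | PROT_WRITE,
				MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (base == MAP_FAILED)
		return 77;

	/* Turn the third page into the inaccessible page behind the string. */
	if (mprotect(base + work_len, page_len, PROT_NONE))
		return 77;

	/*
	 * Zero both accessible pages, then fill tail_len - 1 bytes with '0'
	 * starting at offset work_len - tail_len (i.e. 1).  The final byte of
	 * the second page keeps its zero value and serves as the terminator.
	 */
	memset(base, 0, work_len);
	char *addr = base + work_len - tail_len;
	memset(addr, '0', tail_len - 1);

	char *argv[] = { NULL };
	char *envp[] = { addr, NULL };

	/*
	 * An empty pathname cannot be executed, so control is expected to
	 * come back here; the return value is deliberately not inspected and
	 * the line below hard-codes ENOENT.
	 */
	execve("", argv, envp);

	/* "%0*u" with value 0 reproduces the tail_len - 1 '0' characters. */
	printf("execve(\"\", [], [\"%0*u\"]) = -1 ENOENT (No such file or directory)\n",
	       (int) tail_len - 1, 0);
	puts("+++ exited with 0 +++");

	return 0;
}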