pip install clang
pip install libclang
In IDAPython,
typedef struct _ioctl_t | |
{ | |
const char* ioctl_name; | |
uint64_t ctl_code; | |
} ioctl_t; | |
// This would likely be better used in some unordered map. This is just a temporary data structure for testing resolution. | |
// | |
// Results from NtDeviceIoControlFile hook: | |
// utweb.exe (14916) :: NtDeviceIoControlFile( 0x65c (\Device\Afd), 0x694, 0x0000000000000000, 0x0000000000000000, 0x00000000044DEE90, 0x12024 (IOCTL_AFD_SELECT), 0x0000000004A3FC18, 0x34, 0x0000000004A3FC18, 0x34 ) |
#!/usr/bin/env python | |
#-*- coding: utf-8 -*- | |
from pwn import * | |
import re | |
import sys | |
import string | |
import itertools | |
# UAF in IndexCursor |
#include <stdio.h> | |
#include <string.h> | |
#include <stdlib.h> | |
#include <unistd.h> | |
#include <fcntl.h> | |
#include <sys/wait.h> | |
#include <sys/ioctl.h> | |
#include <pthread.h> | |
#define ALLOC_CTX _IO('t', 1) |
// | |
// Quick and dirty exploit for the "roll a d8" challenge of PlaidCTF 2018. | |
// N-day exploit for https://chromium.googlesource.com/v8/v8/+/b5da57a06de8791693c248b7aafc734861a3785d | |
// | |
// Scroll down do "BEGIN EXPLOIT" to skip the utility functions. | |
// | |
// Copyright (c) 2018 Samuel Groß | |
// | |
// |
from pwn import * | |
context.bits = 64 | |
#libc = ELF('./libc-2.23.so') | |
libc = ELF('./libc-2.24.so') | |
main = ELF('./babyheap.dbg') | |
#main = ELF('./babyheap') | |
#dbg_file = './libc-2.23.debug' | |
def gdb_load_symbols_cmd(sym_file, elf, base): |
/* | |
config: KASLR + SMEP + RANDOM_STRUCT | |
In llseek, I only check whether the offset is smaller than file_size or not. | |
However, the image can be crafted by the attacker. After reversing the disk | |
layout of the image, the attacker can mount an image which contains a normal | |
file having file size 0x7fffffffffffffff. | |
With llseek, kernel memory read and write can be achieved. | |
But the implemented llseek only supports positive seeking, which means that | |
the attacker cannot access the data before the buffer of the file. | |
This creates certain difficulties. |