add keml and ooofs

Neptune1729 · May 19, 2020 · 8747410 · 8747410
1 parent 9d3984e
commit 8747410
Show file tree

Hide file tree

Showing 6 changed files with 15 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -5,6 +5,8 @@ Some of my ctf pwn challenge collections.
 ## Index
 
 - [DEFCON Quals 2020 - fungez](./kernel/fungez)
+- [DEFCON Quals 2020 - ooofs](./kernel/ooofs)
+- [DEFCON Quals 2020 - keml](./kernel/keml)
 - [Secstore 1/2 - SpamAndFlags 2020](./kernel/secstore)
 - [Ipppc - Plaid CTF 2020](./escape/ipppc)
 - [Mojo - Plaid CTF 2020](./browser/mojo)

diff --git a/kernel/fungez/README.md b/kernel/fungez/README.md
@@ -13,4 +13,6 @@ To exploit this bug, basically we need to open 2 fds, one mmap 0x2000 memory are
 
 Since 0x2000 and 0x1000 bytes chunks are `kmalloc`ed, there are `fd` pointer when they are freed. So I choose to leverage this pointer to leak `kmalloc-4k` mem cache address. I searched this slab and found some pci related structure containing pointers to kernel base. Then I corrupted the `fd` pointer to get arbitrary write.
 
-The pitfall is `kmalloc`ed memory is filled with null bytes. When I try to modify `modprobe_path` variable, it also cleans other data around it, which messes the kernel state. To overcome this, I dump the memory when running without kaslr, and dynamically fix all pointers in this page after leaking kernel base. 
+The pitfall is `kmalloc`ed memory is filled with null bytes. When I try to modify `modprobe_path` variable, it also cleans other data around it, which messes the kernel state. To overcome this, I dump the memory when running without kaslr, and dynamically fix all pointers in this page after leaking kernel base. 
+
+Offical repo: https://github.com/o-o-overflow/dc2020q-fungez-public
diff --git a/kernel/keml/README.md b/kernel/keml/README.md
@@ -0,0 +1,9 @@
+# DEFCON Quals 2020 - keml
+
+Kernel emulator
+
+I didn't work on this challenge during competition.
+
+Basically, we could drain `kmalloc` slab and force it to call `get_free_page` for more memory space. Thus we get the chance to put `kmalloc`ed objects behind controlled pages (since they are all allocated by buddy system). Then out-of-bound write/read is able to modify pointer in these structures.
+
+Official repo: https://github.com/o-o-overflow/dc2020q-keml-public
diff --git a/kernel/keml/keml.tgz b/kernel/keml/keml.tgz
diff --git a/kernel/ooofs/README.md b/kernel/ooofs/README.md
@@ -0,0 +1 @@
+# DEFCON Quals 2020 - ooofs
diff --git a/kernel/ooofs/ooofs.tar.gz b/kernel/ooofs/ooofs.tar.gz