Easy kernel is still kernel right?

Information to connect to a TCP server and a file easy_kernel.tar.gz were given.
These files and some other files are extracted from easy_kernel.tar.gz:

• bzImage : A file used from QEMU
• initramfs.cpio.gz : A file that contains files to place in the VM
• launch.sh : A text file that has the options used on launching QEMU
• vuln.ko : A ELF file

Decompiling vuln.ko via Ghidra, I found some functions including these ones:

init_func

Call the function proc_create with the first argument "pwn_device".

sread

Copy data on the stack to the address specified by the argument. There are no limits on the length to copy.

swrite

Copy data on the address specified by the argument to the stack. The length to copy is limited by a variable.

sioctl

Set the maximum length to copy in the function swrite to the value of 3rd argument if the 2nd argument is 0x20.

There are no limits on the value to set in the function sioctl, so there virtually looks no limit on the length to copy in the function swrite.
Therefore, reading data from the return address of the function sread and writing data from the return address of the function swrite looks possible.

Also, I found that there are the canary at the 0x80 bytes ahead from the point on the stack where copying starts and the return address at the 0x90 bytes ahead in the functions sread and swrite.

Now I found functions that look vulnable, so nextly I searched for a way to execute these functions.

Connecting to the specified server using Tera Term, the server gave me a message like this:

I executed Hashcash with the specified command, copy-and-pasted its output except for hashcash stamp:, and pressed the Enter key to send LF. As a result, a shell started.

After some observation, I found these things:

• There is a file flag.txt in the root directory. Trying to read this file via cat command failed with a message "Permission denied".
• There is a file vuln.ko in the root directory. This file looks like the same as the file in easy_kernel.tar.gz.
• The files in /bin, /sbin, /usr/bin, and /usr/sbin are links to /bin/busybox. (except for /bin/busybox itself)
• There is a file /proc/pwn_device. The name of this file is the same as the string passed to the function proc_create.

Reading and writing this file /proc/pwn_device looks meaning to execute the functions sread and swrite.
Reading the file via cat /proc/pwn_device failed with a mesasge "Bad address", but I succeeded to read the file using dd command.
I set the number of blocks to read count to 1, and set the size of blocks bs as the size to read.
As a result, I succeeded to read 480 bytes like shown below, but trying to read more resulted in "Bad address".

Also, od command is useful to print the data read as text, but passing the output of dd command to od command directly via pipe resulted in a mixed output.
To avoid this, I saved the output of dd command to a file and printed the file via od command in this example.
Moreover, I used -v option for od command to prevent it from omitting duplicate lines and to make it clear.

The first part in the data read matches with the values I found set in the sread function using Ghidra.
Also, as the analysis suggested, there is a value that looks like the canary from the 0x80-th byte and one that looks like the return address from the 0x90-th byte.

I also found that the return address varies between each sessions.
The upper digits ffffffff and the last 3 digits 347 looked fixed, and the 5 digits between them changed.

From this article, I found that I should do these things to obtain the flag:

1. Call the function prepare_kernel_cred with an argument 0.
2. Using the return value as the argument, call the function commit_creds. This will result in gaining the root privilege.
3. Return to user-mode and do some operations to read /flag.txt.

I also found that the addresses of functions to call can be read from /proc/kallsyms,
and that we should execute swapgs instruction and then execute iretq instruction with data about where to return on the stack to return to user-mode.

Moreover, the article introduces a way to execute these things by setting an address of a function in the application as the return address.
Tweaking data to make operations on device files call functions in the application looks like what I did on xv6 before.

However, the printed addresses of each functions were 0000000000000000 and this looked useless.

I googled "/proc/kallsyms zero" and found this page:

According to this article, the user must be root to obtain addresses from /proc/kallsyms.

I checked the file init in the root directory, and found that the last part of the file is:

This should be standing for switching from the root to a normal user and launching the shell.
Seeing this, I decided to disable this switching by modifying the given file and have it launch the shell as the root.

I extracted a file initramfs.cpio from initramfs.cpio.gz and opened it with a binary editor. Then, I searched for a string su -l ctf and found that at 0x045e22.
After that, I changed su here to #u to disable the switching.

I compressed the modified file initramfs.cpio to create a new initramfs.cpio.gz, and launched QEMU using this new file.
As a result, the prompt of the shell, which was $, became # and I succeeded to obtain the addresses of functions from /proc/kallsyms.
Guessing that the differences of addresses won't change while the addresses change, I obtained the return address from /proc/pwn_device in the same session for calculating the differences.

Based on these information, I created a program attack.asm to try to launch a shell with the root privilege in these steps.
I decided to write in an assembly language because I couldn't find any libc on the server and thought that C program may be unable to be executed.

1. Save values of the segment registers and the flag register.
2. Open the file /proc/pwn_device.
3. Increase the write length limit for swrite enough via the system call ioctl.
4. Read the values of the canary and the return address via sread.
5. Write the canary and the address of the program to gain the root privilege via swrite.
6. Execute the program to gain the root privilege and return to user-mode.
7. Execute /bin/sh via the system call execve.

This operation created a file attack.
I executed chmod +x attack command to make this file executable, and executed the program using ./attack command.

Executing this program resulted in this error:

It looks like the way on the article that is specifying an address of an application code and having it jump there doesn't work in the environment for this challenge.

Not reaching to the goal, this try revealed that the system prints values of the registers when an error occurs while executing the function swrite.

Since specifying an address in an application program for execution looks failing,
It looks like the process to "call functions to gain the root privilege and return to user-mode" should be executed using ROP (Return-Oriented Programming).
Finding parts of what to do, which are called "ROP gadget", from existing program is required for ROP, so now I want to retrieve the data of the existing program.

To achieve this, I decided to modify the program of the function sread in vuln.ko to have it use the return address as the source of copying.
Specifically, I decided to put an instruction mov rsi, [rsp + 0x90] from 0010010a on Ghidra.
I searched for the program in this part from initramfs.cpio, and found from 0x232.
Therefore, considering the boundaries of instructions, I added some NOPs and modified 10 bytes from there to 48 8b b4 24 90 00 00 00 90 90.

I created new initramfs.cpio.gz from modified initramfs.cpio and launched QEMU using this.
I redirected the standard output of QEMU to a file, and executed this command:

I disassembled the obtained program using "objdump" in TDM-GCC with options -b binary -m i386 -M x86-64 -D.

I searched for 5f c3, which stands for pop rdi; ret, from the program data using a binary editor and found that at 0xac9.
I also searched for 48 cf, which stands for iretq, and found that at 0x5e19.
However, I coundn't found gadgets for copying the value of %rax (the return value) to %rdi (the first argument), nor 0f 01 f8, which stands for swapgs.

Looking at the contents of stack obtained from /proc/pwn_device via dd command in the early step again,
I found that the last part looks like values of registers for use with iretq, and that 0x130, which is near the part, also has a value that looks like a program address.
Seeing this, I changed 90 00 00 00 in the data written to initramfs.cpio in the previous step to 30 01 00 00, and obtained the program data from this address in the same way.
Investigating the obtained data, I found this part, which looks useful as a gadget to execute the swapgs instruction, from 0xe2e.

At this point, CS50 IDE started to show "403 Forbidden" after logging in and it stopped working for some reason.
Seeing this, I used an EC2 instance on AWS (t2.micro、Ubuntu 20.04 (ami-036d46416a34a611c)) instead to execute the ld command.
The ld command didn't work at first. It became available after executing a command sudo apt-get install binutils.

This is the result of executing this program:

My attempts to use the iretq instruction to return to user-mode by myself referring the article didn't succeed.
By the way, there should be the original program to return to user-mode after returning from the function swrite in the caller of the function swrite.
Considering this, I decided to try to return to user-mode using this original program.

Looking at the contents of stack obtained from /proc/pwn_device via dd command in the early step again,
I found a value that looks like a program address at 0xe0, and I guessed that this is a return address of a function that will lead to the call of sread.
Moreover, though this is the contents of the stack when sread is called, I guessed that the structure will also be like this when swrite is called.

Based on this, I created a program attack3.asm that executes functions to gain the root privilege using ROP and then executes pop rdi; ret to advance the stack to this value to return to user-mode.

I decided to perform some investigation using the feature that prints the values of registers when an error occurs while executing the function swrite.

Firstly, I executed this program to obtain the return address of the function swrite.
This program copies the return address of the function swrite to the RSI register, and then causes an error by divding by zero.
Therefore, the return address of the function swrite will be printed as RSI.

Executing this program several times, I found that the return value of prepare_kernel_cred(0) changes after re-launching QEMU, but it didn't change when I executed the program in a row.

Seeing this, I came up with a way where I use these two processes:

• A process to cause an error after calling prepare_kernel_cred(0) to have it print the return value
• A process to read the printed return value and call the function commit_creds to gain the root privilege

Note that ret isn't needed here because this gadget is for forcing to exit by being executed.

After that, I created a program attack4_reveal.asm that calls prepare_kernel_cred(0) and writes to the address 0 using this gadget.

The return value of prepare_kernel_cred(0) should be printed as RAX after executing this program.

To create a program that uses this return value, I decided to utilize existing commands because converting numbers represented as text to binary looks tough.
The xxd command can convert strings that represents sequences of bytes to sequences of bytes, but this will yield the number with the order of bytes reversed.
Therefore, I decided to use the bswap instruction to reverse the order of bytes and make it usable as a value.

Based on this, I created a program attack4_flag.asm that takes the return value of prepare_kernel_cred(0) and prints the flag.
I decided to read /flag.txt directly because trying to launch /bin/sh resulted in errors.