I’m trying to learn and solve some ‘kernel-related’ CTF challenges (reading writeups to try to run the same environment and achieve root using one of the kernel-pwn techniques…).
I’m using an Ubuntu 20 VM and (for example) this challenge:
Unfortunately, the only results I can see (no matter if I’m trying to solve the mentioned challenge or any other) are (similar to the one) presented below:
input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input3
mount: mounting devpts on /dev/pts failed: No such file or directory
random: fast init done
kernel_baby: loading out-of-tree module taints kernel.
flux_baby says hi there!
flux_baby opened
----- Menu -----
- Call
- Show me my uid
- Read file
- Any hintz?
- Bye!
1
I need a kernel address to call. Be careful, though or we will crash horribly…
18446744071579168336
There is a good chance we will want to pass an argument. Which one is it?
0
Got call address: 0xffffffff8104ee50, argument: 0x0000000000000000
flux_baby ioctl nr 900 called
flux_baby ioctl nr 900 called
flux_baby ioctl extracted param ffffffff8104ee50 as function ptr, calling it
A miracle happened. We came back without crashing! I even got a return value for you…
It is: ffff88000212ca80
----- Menu -----
- Call
- Show me my uid
- Read file
- Any hintz?
- Bye!
1
I need a kernel address to call. Be careful, though or we will crash horribly…
18446612132349004608
There is a good chance we will want to pass an argument. Which one is it?
18446612132349004608
Got call address: 0xffff88000212cb40, argument: 0xffff88000212cb40
flux_baby ioctl nr 900 called
flux_baby ioctl nr 900 called
flux_baby ioctl extracted param ffff88000212cb40 as function ptr, calling it
kernel tried to execute NX-protected page - exploit attempt? (uid: 1000)
BUG: unable to handle kernel paging request at ffff88000212cb40
PGD 1b34067 P4D 1b34067 PUD 1b35067 PMD 21fd063 PTE 800000000212c163
Oops: 0011 (#1) PREEMPT NOPTI
CPU: 0 PID: 58 Comm: client_kernel_b Tainted: G O 4.18.0 #11
RIP: 0010:0xffff88000212cb40
Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900000b3e00 EFLAGS: 00000246
RAX: 000000000000004c RBX: 0000000000000384 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 00000000000000e4 RDI: ffff88000212cb40
RBP: ffffc900000b3e30 R08: ffffffff811b1ca0 R09: 00000000000000e4
R10: 636e756620736120 R11: 727470206e6f6974 R12: 00007fffadad3bf0
R13: ffff8800001a3300 R14: 0000000000000384 R15: 00007fffadad3bf0
FS: 000000000205a880(0000) GS:ffffffff81a35000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88000212cb40 CR3: 00000000021c8000 CR4: 00000000000006b0
Call Trace:
? 0xffffffffa0000040
0xffffffffa0000116
0xffffffff810db790
? 0xffffffff811220f7
? 0xffffffff810148b2
0xffffffff810dbd3c
0xffffffff810dbd95
0xffffffff81001134
0xffffffff81400075
RIP: 0033:0x000000000043f1eb
Code: 0f 97 c0 84 c0 75 af 48 8d 3c 2b e8 df dd 02 00 85 c0 78 b0 48 83 c4 08 48 89 d8 5b 5d c3 90 f3 0f
RSP: 002b:00007fffadad3bc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043f1eb
RDX: 00007fffadad3bf0 RSI: 0000000000000384 RDI: 0000000000000003
RBP: 00007fffadad3c10 R08: 0000000000000000 R09: 0000000000000043
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402e80
R13: 0000000000000000 R14: 00000000004c1018 R15: 0000000000000000
Modules linked in: kernel_baby(O)
CR2: ffff88000212cb40
---[ end trace 960bcbc99b521658 ]---
RIP: 0010:0xffff88000212cb40
Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900000b3e00 EFLAGS: 00000246
RAX: 000000000000004c RBX: 0000000000000384 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 00000000000000e4 RDI: ffff88000212cb40
RBP: ffffc900000b3e30 R08: ffffffff811b1ca0 R09: 00000000000000e4
R10: 636e756620736120 R11: 727470206e6f6974 R12: 00007fffadad3bf0
R13: ffff8800001a3300 R14: 0000000000000384 R15: 00007fffadad3bf0
FS: 000000000205a880(0000) GS:ffffffff81a35000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88000212cb40 CR3: 00000000021c8000 CR4: 00000000000006b0
flux_baby closed
Killed
ACPI: Preparing to enter system sleep state S5
reboot: Power down
acpi_power_off called
root@u20:/home/c/kernelz/baby_kernel_3460960b6fc99f8a90fba7397b5e4c46/public#
(In case you’d say “dude, try the value(s) for your OS”: like I said, any kernel-related challenge will present ‘the same’ results, meaning: exploitation is killed (and I don’t know why).)
Thank you for all the hints.
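To read an Oops like the one above systematically, here is an added example (not part of the original post, the challenge, or any writeup) that parses the dump and reports which x86-64 memory region RIP, CR2 and each call-trace frame fall into, and decodes the "Oops: 0011" page-fault error code. The region table assumes a 4-level-paging 4.18 kernel booted without KASLR (the layout from Documentation/x86/x86_64/mm.txt of that series); the Oops excerpt is constructed from the hex values shown in the post.

```python
import re

# Constructed excerpt of the Oops from the post above; the hex values are
# copied from it, the surrounding lines are trimmed to what the parser needs.
OOPS_TEXT = """\
kernel tried to execute NX-protected page - exploit attempt? (uid: 1000)
BUG: unable to handle kernel paging request at ffff88000212cb40
Oops: 0011 (#1) PREEMPT NOPTI
RIP: 0010:0xffff88000212cb40
RSP: 0018:ffffc900000b3e00 EFLAGS: 00000246
CR2: ffff88000212cb40 CR3: 00000000021c8000 CR4: 00000000000006b0
Call Trace:
 ? 0xffffffffa0000040
 0xffffffffa0000116
 0xffffffff810db790
 0xffffffff81001134
 0xffffffff81400075
RIP: 0033:0x000000000043f1eb
"""

# x86-64 layout for a 4-level-paging 4.18 kernel booted without KASLR
# (assumption: taken from Documentation/x86/x86_64/mm.txt of that kernel series).
REGIONS = (
    (0x0000000000000000, 0x00007fffffffffff, "user space"),
    (0xffff880000000000, 0xffffc7ffffffffff, "direct map (kernel heap, page tables: data, non-executable)"),
    (0xffffc90000000000, 0xffffe8ffffffffff, "vmalloc/ioremap (includes kernel stacks)"),
    (0xffffffff80000000, 0xffffffff9fffffff, "kernel text/data (vmlinux)"),
    (0xffffffffa0000000, 0xfffffffffeffffff, "module mapping space"),
)

# Page-fault error code bits (X86_PF_* in arch/x86/include/asm/traps.h).
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 0x1, 0x2, 0x4, 0x8, 0x10


def classify(addr):
    """Name the region an address lies in, or report it as outside all of them."""
    for lo, hi, name in REGIONS:
        if lo <= addr <= hi:
            return name
    return "guard hole / unmapped"


def decode_error_code(code):
    """Expand the 'Oops: XXXX' error code into readable fault attributes."""
    flags = ["present page (protection violation)" if code & PF_PROT else "page not present",
             "write" if code & PF_WRITE else "read",
             "user mode" if code & PF_USER else "kernel mode"]
    if code & PF_RSVD:
        flags.append("reserved bit set")
    if code & PF_INSTR:
        flags.append("instruction fetch")
    return flags


def call_trace(oops):
    """Return (address, region) for every frame between 'Call Trace:' and the user RIP."""
    frames, collecting = [], False
    for line in oops.splitlines():
        if line.startswith("Call Trace:"):
            collecting = True
            continue
        if collecting:
            m = re.match(r"\s*\??\s*0x([0-9a-f]+)\s*$", line)
            if not m:
                break
            addr = int(m.group(1), 16)
            frames.append((addr, classify(addr)))
    return frames


def analyze(oops):
    """Pull RIP, CR2 and the error code out of an Oops and say why it faulted."""
    rip = int(re.search(r"RIP: 0010:0x([0-9a-f]+)", oops).group(1), 16)  # kernel CS
    cr2 = int(re.search(r"CR2: ([0-9a-f]+)", oops).group(1), 16)
    code = int(re.search(r"Oops: ([0-9a-f]{4})", oops).group(1), 16)
    region = classify(rip)
    # An instruction fetch (bit 4) from a *present* page (bit 0) at the faulting
    # address == RIP is the NX case: the page is mapped, but not executable.
    if rip == cr2 and code & PF_INSTR and code & PF_PROT:
        verdict = "NX violation: tried to execute data in the %s" % region
    else:
        verdict = "not an NX fetch: %s" % ", ".join(decode_error_code(code))
    return {"rip": rip, "cr2": cr2, "code": code, "region": region,
            "flags": decode_error_code(code), "verdict": verdict,
            "trace": call_trace(oops)}


if __name__ == "__main__":
    result = analyze(OOPS_TEXT)
    print(result["verdict"])
    for addr, region in result["trace"]:
        print("  0x%016x  %s" % (addr, region))
```

Run over the dump above, it reports that RIP and CR2 are the same address in the direct map, the region that holds kernel heap objects (the value the first call returned, ffff88000212ca80, lies there too), and that error code 0x11 means an instruction fetch from a page that is present but not executable, which is exactly what the "NX-protected page" line says. By contrast the first call target (0xffffffff8104ee50) and the call-trace frames classify as kernel text and module space, the only regions the kernel will execute from.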