This is my full PoC exploit code for the abyss challenge in HITCON'18. This is also the code used in a recent DHA presentation.
Link to all the slides here.
First you should have KVM installed (on Ubuntu, the package name is `qemu-kvm`, I believe). Another thing you should do is replace the `ld.so.2` file with your own 64-bit ld linker library, which is typically located at `/lib64/ld-linux-x86-64.so.2`.
You should have make tools and gcc installed (to build the stage 3 exploit code). Credits to david942j's kvm-kernel-example for reference on some kernel boilerplate code. You should also have pwntools installed for Python, as this code makes extensive use of it.
To run the exploit, simply run the following command:

```
python exp3.py
```

And it should just give you a shell.
Want proof that this works? Make `hypervisor.elf` a setuid binary with the following commands (requires sudo):

```
sudo useradd hypervisor_exp
sudo chown hypervisor_exp hypervisor.elf
sudo chmod u+s hypervisor.elf
```
Then if you run the exploit, you will get something like this:

```
$ whoami
user
$ python exp3.py
[+] Starting local process '/usr/bin/make': pid 5552
[*] Process '/usr/bin/make' stopped with exit code 0 (pid 5552)
[+] Starting local process './hypervisor.elf': pid 5554
[*] Switching to interactive mode
0000555fa9966743
Got shell!
$ whoami
hypervisor_exp
$
```
This exploit PoC code should work on any Linux distro; if it doesn't, please file an issue and/or pull request. Thanks.
* Oh yeah, one other note... You will have to change a line in `exp_kernel/kernel_main.c` called `libc_sect` to match your particular libc version!