README.md

Exploit for Abyss

This is my full PoC exploit code for the abyss challenge in HITCON'18. It is also the code used in a recent DHA presentation.

Link to all the slides here.

Running exploit

First, you should have KVM installed (on Ubuntu, the package name is qemu-kvm, I believe). You should also replace the ld.so.2 file with your own 64-bit ld dynamic linker library, which is typically located at /lib64/ld-linux-x86-64.so.2.

You should have make and gcc installed (to build the stage 3 exploit code). Credits to david942j's kvm-kernel-example for reference on some of the kernel boilerplate code. You should also have pwntools installed for Python, as this code makes extensive use of it.

To run the exploit, simply run the following command:

python exp3.py

It should then drop you into a shell.

Exploit PoC

Want proof that this works? Make hypervisor.elf a setuid binary with the following commands (requires sudo):

sudo useradd hypervisor_exp
sudo chown hypervisor_exp hypervisor.elf
sudo chmod u+s hypervisor.elf

Then if you run the exploit, you will get something like this:

$ whoami
user
$ python exp3.py
[+] Starting local process '/usr/bin/make': pid 5552
[*] Process '/usr/bin/make' stopped with exit code 0 (pid 5552)
[+] Starting local process './hypervisor.elf': pid 5554
[*] Switching to interactive mode
0000555fa9966743
Got shell!
$ whoami
hypervisor_exp
$

This exploit PoC code should work on any Linux distro; if it doesn't, please open an issue and/or pull request. Thanks.

* One other note: you will have to change the line named libc_sect in exp_kernel/kernel_main.c to match your particular libc version!