Better explaination of line pprofile

meowmeowxw · meowmeowxw · commit 75caf291c4db · 2021-03-22T11:50:26.000+01:00
diff --git a/ctf/line-2021-pprofile/README.md b/ctf/line-2021-pprofile/README.md
@@ -53,11 +53,13 @@ Commands:
 
 I tried at first some heap exploitation stuff but it didn't work.
 The easier thing to do is to use the READ operation to write inside the address of
-`modprobe_path` a different binary to execute. To write the value you use
-the pid of the process.
+`modprobe_path` a different string (which is the name of the program to be executed
+when a binary format file is not recognized). To write the value you use
+the pid of the process. From my understanding this works because the module uses
+`copy_user_generic_unrolled` instead of `copy_to_user` to copy the value.
 
 I tried to set instead of `/tmp/a` `~/aa`, but `modprobe_path` doesn't seem to understand
 the `~` (in this way it could be possible to write two consecutive write without looping 
 through all the possible pid three times)
 
-At the moment the exploit is without `KASLR`.
+At the moment the exploit works without `KASLR`.
diff --git a/ctf/line-2021-pprofile/pprofile-reversed.c b/ctf/line-2021-pprofile/pprofile-reversed.c
@@ -10,6 +10,18 @@ struct len_pid {
 }
 
 struct string *storages[16]; // global
+
+__int64 __fastcall put_user_size(__int64 a1, __int64 a2)
+{
+  int v3; // [rsp+0h] [rbp-Ch] BYREF
+  unsigned __int64 v4; // [rsp+4h] [rbp-8h]
+
+  _fentry__(a1, a2);
+  v3 = a1;
+  v4 = __readgsqword(0x28u);
+  return copy_user_generic_unrolled(a2, &v3);
+}
+
 __int64 __fastcall pprofile_ioctl(__int64 a1, __int64 a2)
 {
   __int64 v2; // rdx
