Add decompiled kernel module line ctf pprofile

meowmeowxw · meowmeowxw · commit e34fdc115943 · 2021-03-21T17:59:26.000+01:00
diff --git a/ctf/line-2021-pprofile/README.md b/ctf/line-2021-pprofile/README.md
@@ -47,6 +47,8 @@ Commands:
 - FREE -> Free a `string` from storages
 - READ -> The module with the READ operation will put inside the `request.garbage` address 8 bytes of 0, the pid value and the len value
 
+[Kernel module decompiled](./pprofile-reversed.c)
+
 ## Exploitation
 
 I tried at first some heap exploitation stuff but it didn't work.
diff --git a/ctf/line-2021-pprofile/pprofile-reversed.c b/ctf/line-2021-pprofile/pprofile-reversed.c
@@ -0,0 +1,199 @@
+struct string {
+    char *str;
+    struct len_pid *info;
+}
+
+struct len_pid {
+    int64_t pad; // set always to 0
+    int32_t pid; // the pid of the process that add the following structure
+    int32_t len; // the length of str
+}
+
+struct string *storages[16]; // global
+__int64 __fastcall pprofile_ioctl(__int64 a1, __int64 a2)
+{
+  __int64 v2; // rdx
+  __int64 result; // rax
+  struct string **storages__; // rbx
+  struct string *found_string_ptr_; // rbp
+  __int64 v6; // rbx
+  struct pid_len *found_info; // rax
+  unsigned int found_pid; // ebp
+  unsigned int found_size_str; // er12
+  int len_copied; // eax
+  int len_copied_; // ebx
+  __int64 index_storage__; // rax
+  __int64 index_storage___; // r12
+  struct string **current_string__; // rbp
+  size_t len_str; // rbp
+  unsigned int len_str_plus_1; // er13
+  _DWORD *str_ptr; // r15
+  string *string_ptr; // r14
+  struct pid_len *leak_ptr_current_task; // rcx
+  unsigned __int64 current_task_; // rdi
+  int len_copied__; // eax
+  __int64 index_storage____; // rbp
+  struct string *current_string; // r12
+  __int64 current_string_ptr_str; // r13
+  unsigned int index_zeroize_; // eax
+  __int64 index_zeroize; // rdx
+  struct pid_len *leak_ptr_current_task_; // [rsp+0h] [rbp-60h]
+  __int64 local_buffer; // [rsp+8h] [rbp-58h] BYREF
+  __int64 v29; // [rsp+10h] [rbp-50h]
+  char str_copied[8]; // [rsp+1Fh] [rbp-41h] BYREF
+  char v31; // [rsp+27h] [rbp-39h]
+  unsigned __int64 v32; // [rsp+28h] [rbp-38h]
+
+  _fentry__(a1, a2);
+  *(_QWORD *)str_copied = 0LL;
+  v31 = 0;
+  v32 = __readgsqword(0x28u);
+  local_buffer = 0LL;
+  v29 = 0LL;
+  LODWORD(result) = copy_from_user(&local_buffer, v2, 16LL);
+  if ( (_DWORD)result )
+    return (int)result;
+  if ( (_DWORD)a2 == 32 )
+  {
+    len_copied = strncpy_from_user(str_copied, local_buffer, 8LL);
+    len_copied_ = len_copied;
+    if ( len_copied && len_copied != 9 )
+    {
+      if ( len_copied >= 0 )
+      {
+        index_storage__ = 0LL;
+        while ( 1 )
+        {
+          index_storage___ = (int)index_storage__;
+          if ( !storages[index_storage__] )
+            break;
+          if ( ++index_storage__ == 16 )
+            return -11LL;
+        }
+        current_string__ = storages;
+        while ( !*current_string__ || strcmp((const char *)(*current_string__)->str, str_copied) )
+        {
+          if ( &storages[16] == ++current_string__ )
+          {
+            len_str = strlen(str_copied);
+            if ( len_str - 1 > 7 )
+              return -11LL;
+            len_str_plus_1 = len_str + 1;
+            str_ptr = (_DWORD *)_kmalloc(len_str + 1, 6291648LL);
+            string_ptr = (string *)kmem_cache_alloc_trace(kmalloc_caches[4], 6291648LL, 16LL);
+            leak_ptr_current_task = (struct pid_len *)kmem_cache_alloc_trace(kmalloc_caches[4], 6291648LL, 16LL);
+            if ( string_ptr == 0LL || str_ptr == 0LL || !leak_ptr_current_task )
+              return -12LL;                     // 
+                                                // Zeroize the str_ptr (kmalloc) in 4 different way xD, at least
+                                                // from my understanding lol eheh
+                                                // ... they don't know about kzalloc or memset X'D
+            if ( len_str_plus_1 >= 8 )
+            {
+              *(_QWORD *)((char *)str_ptr + len_str_plus_1 - 8) = 0LL;
+              if ( (unsigned int)len_str >= 8 )
+              {
+                index_zeroize_ = 0;
+                do
+                {
+                  index_zeroize = index_zeroize_;
+                  index_zeroize_ += 8;
+                  *(_QWORD *)((char *)str_ptr + index_zeroize) = 0LL;
+                }
+                while ( index_zeroize_ < (len_str & 0xFFFFFFF8) );
+              }
+            }
+            else if ( (len_str_plus_1 & 4) != 0 )
+            {
+              *str_ptr = 0;
+              *(_DWORD *)((char *)str_ptr + len_str_plus_1 - 4) = 0;
+            }
+            else if ( (_DWORD)len_str != -1 )
+            {
+              *(_BYTE *)str_ptr = 0;
+              if ( (len_str_plus_1 & 2) != 0 )
+                *(_WORD *)((char *)str_ptr + len_str_plus_1 - 2) = 0;
+            }
+            leak_ptr_current_task->pad = 0LL;
+            *(_QWORD *)&leak_ptr_current_task->pid = 0LL;
+            string_ptr->str = 0LL;
+            string_ptr->info = 0LL;
+            leak_ptr_current_task_ = leak_ptr_current_task;
+            memcpy(str_ptr, str_copied, len_str);
+            string_ptr->str = (__int64)str_ptr;
+            current_task_ = __readgsqword((unsigned int)&current_task);
+            string_ptr->info = leak_ptr_current_task_;
+            leak_ptr_current_task_->pid = _task_pid_nr_ns(current_task_, 1LL, 0LL);
+            *((_DWORD *)string_ptr->info + 3) = len_copied_;
+            storages[index_storage___] = string_ptr;
+            return len_copied_;
+          }
+        }
+        return -11LL;
+      }
+      return len_copied_;
+    }
+    return -34LL;
+  }
+  if ( (_DWORD)a2 == 64 )
+  {
+    len_copied__ = strncpy_from_user(str_copied, local_buffer, 8LL);
+    len_copied_ = len_copied__;
+    if ( len_copied__ && len_copied__ != 9 )
+    {
+      if ( len_copied__ >= 0 )
+      {
+        index_storage____ = 0LL;
+        while ( 1 )
+        {
+          current_string = storages[index_storage____];
+          if ( current_string )
+          {
+            current_string_ptr_str = current_string->str;
+            if ( !strcmp((const char *)current_string->str, str_copied) )
+              break;
+          }
+          if ( ++index_storage____ == 16 )
+            return -11LL;
+        }                                       // current_string->str
+        kfree(current_string_ptr_str);
+        kfree(current_string->info);
+        current_string->str = 0LL;
+        current_string->info = 0LL;
+        kfree(current_string);
+        storages[(int)index_storage____] = 0LL;
+      }
+      return len_copied_;
+    }
+    return -34LL;
+  }
+  if ( (_DWORD)a2 != 16 )
+    return -11LL;
+  LODWORD(result) = strncpy_from_user(str_copied, local_buffer, 8LL);
+  if ( !(_DWORD)result || (_DWORD)result == 9 )
+    return -34LL;
+  if ( (int)result < 0 )
+    return (int)result;
+  storages__ = storages;
+  while ( 1 )
+  {
+    found_string_ptr_ = *storages__;
+    if ( *storages__ )
+    {
+      if ( !strcmp((const char *)found_string_ptr_->str, str_copied) )
+        break;
+    }
+    if ( ++storages__ == &storages[16] )
+      return -11LL;
+  }
+  v6 = v29;
+  found_info = (struct pid_len *)found_string_ptr_->info;
+  found_pid = found_info->pid;
+  found_size_str = *(_DWORD *)&found_info->size_str;
+  LODWORD(result) = ((__int64 (__fastcall *)(__int64, __int64, __int32))put_user_size)(0LL, v29, 4);
+  if ( (_DWORD)result )
+    return (int)result;
+  LODWORD(result) = put_user_size(found_pid, v6 + 8);
+  if ( (_DWORD)result )
+    return (int)result;
+  return (int)put_user_size(found_size_str, v6 + 12);
+}
