forked from RPISEC/MBE
-
Notifications
You must be signed in to change notification settings - Fork 0
/
lab10C.c
127 lines (95 loc) · 2.75 KB
/
lab10C.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
/*
Unix-Dude sux at writing rootkits.
He forgot the get_r00t code q_q.
*/
#include <linux/module.h> // included for all kernel modules
#include <linux/kernel.h> // included for KERN_INFO
#include <linux/init.h> // included for __init and __exit macros
#include <linux/fs.h> // included for filesystem structs
#include <linux/miscdevice.h>// included for device driver stuff :
#include <linux/string.h> // Because memcpy :)
#include <linux/random.h> // get_random_bytes()
#include <asm/uaccess.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick Biernat");
MODULE_DESCRIPTION("MBE Lab 10 C");
unsigned int secret;
typedef struct key_material {
char key[1024];
void (*algo)(char *);
int auth;
}da_keyz;
struct key_material * sekret;
static ssize_t pwn_write(struct file* file, const char * buf, size_t count, loff_t *ppos)
{ // Here we check for the password
printk(KERN_INFO "%s\n",buf);
if( count == 0x31337) {
if (sekret->auth) {
// Do the root thing here.
printk(KERN_INFO "Nice privs bro.\n");
}
return 0x31337;
}
if(buf[0] == '\x01') {
printk("Flag is @ /root/flag");
}
if ( ( *(unsigned int *)buf ^ 0xcafebabe) == 0) {
printk(KERN_INFO "Performing Key Authentication now...\n");
sekret->algo(buf);
}
return count;
}
static const struct file_operations pwnops = {
.owner = THIS_MODULE,
.write = pwn_write,
};
static struct miscdevice pwn_dev = {
MISC_DYNAMIC_MINOR, "pwn" , &pwnops
};
void algo_xor(char * buf) {
/*
Secure One-Time Pad Authentication Function.
*/
int i;
int sum;
sum = 0;
printk(KERN_INFO "Inside algo_xor!\n");
for(i=0; i <= 1024; i++) {
sekret->key[i] ^= buf[i];
}
for(i=0; i <= 1024; i++) {
sum += sekret->key[i];
}
if(sum == 0) {
sekret->auth = 1;
}
else {
printk(KERN_INFO "Authentication Failed!\n");
memset(sekret, 0 , sizeof(struct key_material));
get_random_bytes(&(sekret->key),1024);
}
return;
}
//Think of this as the familiar "main" function
static int __init mod_init(void)
{
int ret;
// Register Device to /dev
ret = misc_register(&pwn_dev);
// Allocate Space for the key
sekret = kmalloc(sizeof(struct key_material), GFP_KERNEL);
get_random_bytes(&sekret->key, 1024);
// Set the algorithm to a sane default
sekret->algo = algo_xor;
printk(KERN_INFO "Finished Init\n");
printk(KERN_INFO "Can u get r00t?\n");
return 0;
}
static void __exit mod_cleanup(void)
{
printk(KERN_INFO "Cleaning up module.\n");
misc_deregister(&pwn_dev);
}
//We're "registering" our module with the rest of the Kernel here.
module_init(mod_init);
module_exit(mod_cleanup);