Project Sekai
🔒 UIUCTF 2023 / ✅-pwn-mock-kernel
Avatar
Mock Kernel - 500 points
Category: Pwn
Description: We found my brother's old iMac but forgot the password, maybe you can help me get in? He said he was working on something involving "pointer authentication codes" and "a custom kernel"? I can't recall... Attached is the original Snow Leopard kernel macho as well as the kernel running on the iMac.

Notes

Note that we have backported patches for several known Snow Leopard N-Days! It is our belief that the easiest way to solve this challenge is the intended solution. If you want to create an image for local testing, follow the instructions here:
1. https://github.com/jprx/how-to-install-snow-leopard-in-qemu
2. Make sure you disable journaling so that you can edit the filesystem from your host if something breaks!
3. Inside the VM, rename /System/Library/Extensions/AppleProfileFamily.kext to AppleProfileFamily.kext.bak.
4. Delete /mach_kernel and replace it with the attached mach_kernel.sigpwny file (saved as /mach_kernel).
5. Reboot the VM and then run uname -v; you should see the version string sigpwny:xnu-1456.1.2.6/BUILD/obj//RELEASE_X86_64.
6. Install Xcode 3.2 (xcode3210a432.dmg) inside the VM to get gcc.

Connecting to Our Instance

Password for the user user is user. Flag is ravi's password. The flag is also at /flag. You can also ssh into the remote machine with (inst-1234567890123456 is the ID of your instance):
ssh user@inst-1234567890123456 -J user@mock-bastion.chal.uiuc.tf:1337 -oHostKeyAlgorithms=+ssh-rsa -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no
Instancer: https://mock.chal.uiuc.tf/

Credits

author: ravi (https://twitter.com/0xjprx)
Infrastructure and Deployment: YiFei Zhu
Files:
Tags: kernel, extreme
Sutx pinned a message to this channel. 06/30/2023 5:15 PM
Avatar
@Piers wants to collaborate 🤝
Avatar
@Violin wants to collaborate 🤝
Avatar
here's the original mach_kernel
18:37
and here's the modified
18:37
somebody should try to IDA diff them
Avatar
seems like something is added to getsockopt
19:09
and getclassopt?
Avatar
@Zafirr wants to collaborate 🤝
Avatar
seems like getsockopt and setsockopt have something added to them
19:19
related to pac
19:19
don't know how to set up a debug environment though :/
19:21
the original xnu kernel version is xnu-1456.1.26
Avatar
there is an added sopt_name 0x1337
Avatar
I'll check this in a bit, have something to do
Avatar
yeah I will document a few things
19:33
I need to sleep soon
Avatar
this is such an old kernel version
19:43
probably has next to zero mitigations
19:45
this is from setsockopt with opt_name 0x1337
Avatar
seems like with setsockopt it will allocate a sotag struct like this
19:56
0x40 bytes of user input and an 0x8-byte ptr pointing to a heap chunk of 0x100 bytes that contains the function to call during the getsockopt syscall for 0x1337 (edited)
19:56
the function is pac-protected
19:58
getsockopt will call that function with 2 arguments (outbuf_buffer, to give the data back to the user; pointer to sotag_struct)
19:58
the default function is just memcpy(a1, a2, 0x40)
19:58
so it only copies back the data we input with setsockopt
Avatar
this kernel version has a much simpler zone allocator
20:15
seems like we just have to deal with object size
Avatar
the pac signing seems to have 3 args
20:26
a1: 0 or 1 - a data pointer or a function pointer
a2: context - the heap address where the ptr is stored
a3: the pointer (edited)
20:28
the upper 2 bytes of the pointer are the pac signature
20:28
the pac signing doesn't have any secret value like normal pac
Avatar
@Utaha wants to collaborate 🤝
Avatar
so we can forge any pointer because the signing algorithm seems simple
20:29
20:30
I'm not sure about the signing alg
Avatar
idk if it's related, but one of my friends is the author and his paper matches pac and kernel lol
20:35
PACMAN: Attacking ARM Pointer Authentication with Speculative Execution
20:35
he really wants me to try the challenge but I'm too weak
Avatar
oh yeah seems really related 👀
20:37
but I feel like the author gave such a strong vulnerability
20:37
that there will be some unintended solution
Avatar
oh and the hint "all the cOOL kids are sending MSGs to each other these days"
21:04
seems to be referring to out-of-line ports (edited)
21:04
or something like that
Avatar
@nyancat0131 wants to collaborate 🤝
Avatar
solve it please
Avatar
maple bacon strong
Avatar
@IceCreamMan wants to collaborate 🤝
Avatar
can anyone try to compile my exploit code on the remote instance
Avatar
maybe ask @Zafirr, I'm outside, but I can also try later if it's just to connect, compile and run sth
Avatar
some infra issue causing qemu to crash 👀
15:40
so yeah it boots up for a few seconds then crashes
15:40
I thought it was my network problem
Avatar
these kinds of challenges seem like a nightmare for the infra team
Avatar
yeah
15:44
beyond ctf infra
Avatar
yeah basically cloud provider now 💀
Avatar
if you are making such a chal, let our infra guy know 🤣
Avatar
nah I'm good 💀
💀 1
Avatar
Mock is back up! Sorry for the semi-downtime (though I don't think anyone started any instance anyways). The challenge has been updated to not use snapshot restore, but rather go through a full boot. However, there's a cheese solution (to enter single user mode) if one can send keys in early boot, so VNC has been made view-only. Please run your exploit through SSH. To compensate for the boot time, the challenge instance timeout has been increased from 15 minutes to 20 minutes.
lmao there was a cheese? (edited)
Avatar
I'm not sure but iirc before maple bacon's solve I wasn't able to ssh into it
18:45
was it a cheese 💀
Avatar
no idea
18:47
they didn't patch it, I assume they didn't solve it with the cheese
Avatar
ok, how to scp the file now?
Avatar
nyancat0131 07/01/2023 7:13 PM
scp like you normally do?
Avatar
yeah I got it
Avatar
I just realized heap, stack, kernel are all rwx
Avatar
nyancat0131 07/01/2023 7:53 PM
lol
19:53
why do you know
Avatar
some ios security from 2011
19:54
before that time
19:54
everything is rwx in kernel 💀
19:54
and probably no kaslr too
Avatar
yeah no kaslr
Avatar
finally something 👀
22:07
every time the kernel panics I have to spend like 5 minutes again for another instance
Avatar
Piers
used /ctf solve
✅ Challenge solved.
Avatar
kernel with no mitigations 🥹
01:09
no kaslr, every page is rwx
01:09
heap is entirely predictable
01:11
the hardest part is probably doing everything without a debugger peepoo
Avatar
nyancat0131 07/02/2023 1:12 AM
vippppppppppppppppp