ISCC2025-EBPF

Created2025-07-26|Updated2025-08-10

|Post Views:

to be continued…

PART I

unpack

allinone.sh

run.sh

#!/bin/sh

qemu-system-x86_64 \
        -m 512M \
        -cpu qemu64,+smep,+smap -smp 2 \
        -kernel bzImage \
        -append "console=ttyS0 quiet panic=-1 nokaslr" \
        -initrd rootfs.cpio \
        -drive file=./flag,if=virtio,format=raw,readonly=on \
        -nographic \
        -net nic,model=e1000 \
        -no-reboot \
        -monitor /dev/null

runable

#!/bin/sh

qemu-system-x86_64 \
        -m 512M \
        -cpu qemu64,+smep,+smap \
        -smp 2 \
        -kernel bzImage \
        -append "console=ttyS0 quiet panic=0 nokaslr" \
        -initrd rootfs.cpio \
        -drive file=./flag,if=virtio,format=raw,readonly=on \
        -nographic \
        -net nic,model=e1000 \
        -no-reboot \
        -monitor /dev/null \
        -s

-drive file=./flag,if=virtio,format=raw,readonly=on \要求在启动run.sh的目录下存放一个flag文件

1 2	# -chardev stdio,id=char0,signal=off \ # -serial chardev:char0 \

加上这两行可以直接将qemu中的ctrl+cban掉，但用起来很不舒服

init

#!/bin/sh

mount -t proc none /proc
mount -t sysfs none /sys
mount -t tmpfs tmpfs /tmp
mount -t devtmpfs none /dev

echo -e "\nBoot took $(cut -d' ' -f1 /proc/uptime) seconds\n"

chmod 600 /flag

ifconfig eth0 10.0.2.15
route add default gw 10.0.2.2

su ctf -c /bin/bash

poweroff -f

#!/bin/sh

mount -t proc none /proc
mount -t sysfs none /sys
mount -t tmpfs tmpfs /tmp
mount -t devtmpfs none /dev

echo -e "\nBoot took $(cut -d' ' -f1 /proc/uptime) seconds\n"

chmod 600 /flag

ifconfig eth0 10.0.2.15
route add default gw 10.0.2.2

su root -c /bin/bash

poweroff -f

su是用来切换用户的

-c 表示执行一条命令

PART II

PRAT III

op

gdb -x ./gdb.sh

Author: John Doe

Link: http://example.com/2025/07/26/ISCC2025-EBPF/

Copyright Notice: All articles on this blog are licensed under CC BY-NC-SA 4.0 unless otherwise stated.

kernel pwn ebpf

Related Articles

MINI-LCTF2022 - kgadget

PART Iunpack1234567loo@localhost:~/ctf/kernel/xiaozaiya/kernel-PWN/kgadget/try$ tar -xvf ./kgadget.tar.xzbzImageREADME.mdrootfs.cpiorun.shloo@localhost:~/ctf/kernel/xiaozaiya/kernel-PWN/kgadget/try$ lsREADME.md bzImage kgadget.tar.xz rootfs.cpio run.sh 12loo@localhost:~/ctf/kernel/xiaozaiya/kernel-PWN/kgadget$ file rootfs.cpiorootfs.cpio: ASCII cpio archive (SVR4 with no CRC) md core && cd ./core && cpio -idv <...

CISCN2017-babydriver

PART Iunpack12loo@localhost:~/ctf/kernel/xiaozaiya/kernel-PWN/CISCN2017-babydriver/try$ file ./rootfs.cpio./rootfs.cpio: ASCII cpio archive (SVR4 with no CRC) md core && cd ./core && cpio -idv < ../rootfs.cpio start.sh12345678910111213#!/bin/bashqemu-system-x86_64 \-initrd rootfs.cpio \-kernel bzImage \-cpu kvm64,+smep \-append 'console=ttyS0 root=/dev/ram kpti=1 nokaslr oops=panic panic=1' \-monitor /dev/null \-enable-kvm \-m 256M \--nographic \-smp...

“少上网多读书” – arttnba3 结构体，函数以及变量结构体多起来之后有点乱，整理在这里 struct cred 4.4.72 12345678910111213141516171819202122232425262728293031323334353637383940struct cred { atomic_t usage; /* 0 4 */ kuid_t uid; /* 4 4 */ //不知道什么用，参考作用 kgid_t gid; /* 8 4 */ kuid_t suid; /* 12 4 */ ...

PART Iunpack12loo@localhost:~/ctf/kernel/xiaozaiya/kernel-PWN/QWB2018-core/tar/try$ lsbzImage core.cpio.gz core.tar.gz exp.c exp.sh start.sh vmlinux 12loo@localhost:~/ctf/kernel/xiaozaiya/kernel-PWN/QWB2018-core/tar/try$ file core.cpio.gzcore.cpio.gz: gzip compressed data, was "core.cpio", last modified: Sat Sep 23 02:42:27 2023, from Unix, original size modulo 2^32 120943104 gzip -> gunzip ./core.cpio.gz -> ./core.cpio md core && cd core && cpio -idv...

2021QWB--notebook

知LLVM(Low Level Virtual Machine)的设计理念统一（LLVM IR）编译器通常分成三部分：前端：对源码进行不完全处理 -> 中端：对前端产物优化后端：得到机器码 llvm passllvm pass -> llvm IR 处理 pass的基本类型：分析型pass 转换型pass 实用型pass * pass的处理单位：处理函数：FounctionPass 处理模块：ModulePass 处理单个基本块：BasicBlockPass 处理循环：LoopPass clang和llvm123456# Ubuntu-18.04sudo apt install clang-8sudo apt install llvm-8sudo apt install clang-10sudo apt install llvm-10 编译123456789101112131415161718# pass# 编译clang-10 -g -c -fPIC -fno-rtti ./Hello.cpp -o Hello.o...