which is smaller witch?
Small cute utils for CTF kernel pwn challenges.
Just exec install.sh, which installs required dependencies. All the deps are listed in build/pkglist.required.
git clone https://github.com/smallkirby/lysithea.git
cd ./lysithea
./install.sh
bash # to enable bash completionpwning is a repeat of rewriting exploit & testing it on local. lysithea logs all pwn tries and helps you search QEMU output and associated exploit.
$ lysithea local
[+] starting exploit localy...
SeaBIOS (version 1.13.0-1ubuntu1.1)
Booting from ROM..
.
/ $ exit
reboot: System halted
qemu-system-x86_64: terminating on signal 2
[+] saving exploit log...
[master cc01254] [lysithea]
1 file changed, 2 insertions(+), 7 deletions(-)
$ lysithea logs
0 : Sat Nov 13 23:24:47 2021 +0900
1 : Sat Nov 13 22:43:53 2021 +0900
2 : Sat Nov 13 22:41:57 2021 +0900
$ lysithea log 0
[+] starting exploit localy...
SeaBIOS (version 1.13.0-1ubuntu1.1)
Booting from ROM..
.
/ $ exit
reboot: System halted
$ lysithea fetch 2 --no-pager | head
/****************
*
* Full exploit of hogehoge.
*
****************/
#define _GNU_SOURCE
#include <string.h>
#include <stdio.h>
#include <fcntl.h>lysithea runs drothea on target host to check kernel exploitable configuration.
drothea can be executed by POSIX shell such as ash (default shell in busybox). drothea uses its survent ingrid, to check some configurations from point of C-view.
lysithea automates execution of drothea using QEMU server and named pipes, so you can check configurations just by lysithea drothea command in host machine.
Tests are now under construction 🚧.
$ lysithea drothea --verbose
[.] creating temporary QEMU script...
[.] editing QEMU script...
[.] creating pipes for Drothea
[+] starting QEMU...
[.] waiting boot finishes...
[+] Boot confirmed.
[.] clearing pipe...
[.] success clearing pipe
===============================
Drothea v1.0.0
[!] mmap_min_addr is not 0x10000: 4096
[!] SMEP is disabled.
[!] SMAP is disabled.
[!] unprivileged ebpf installation is enabled.
Ingrid v1.0.0
[.] userfaultfd is not disabled.
===============================
[.] END of drothea
[.] cleaning Drothea...lysithea helps you extract filesystem, re-compress it, prepare template files on a directory, build exploit for remote execution, and test exploit on local by simple commands.
For all up-to-date commands, do lysithea help on your host.
$ lysithea help
[-] config file not found.
Lysithea v1.0.0
Usage:
local : run QEMU script locally
remote : run exploit on remote host
help : show this help
version : show version info
init : init the pwn workspace
extract : extract filesystem
build : compile exploit for local usage
compress : compress filesystem
error : show error description
exploit : synonym of local
logs : show list of logs
log : show QEMU log of given time
fetch : fetch given time of exploit
drothea : run kernel configuration checker in QEMU
config : configure default options interactively
memo : leave memo for latest exploit log
clean : clean current directoryCheck TUTORIAL.md for actual usage example.
tested only on Ubuntu.